Cloud Firewall supports access control on the Internet firewall. You can configure policies to control the traffic between the Internet and your ECS instances.
Prerequisites

Background information
Outbound access control
Inbound access control
Export policies

Search for a specific policy based on the policy ID
Each access control policy for the Internet firewall has a policy ID. You can use this policy ID to identify a specific access control policy, check its status, and adjust the policy based on your business requirements.


Check whether access traffic hits a control policy
By default, an access control policy takes effect immediately after it is created. However, if the policy parameters are incorrectly configured or the Internet firewall is disabled, the policy does not take effect.

Parameters in an access control policy
Parameter | Description |
---|---|
Source Type | The type of the source address. Valid values: |
Source | The source CIDR block of the traffic. Note: You can enter only one CIDR block, for example, 1.1.1.1/32. If you set Source Type to Address Book, select a preconfigured address book. |
Destination Type | Set this parameter in the following way: |
Destination | If you set Destination Type to IP, the destination must be set to a CIDR block. Only one CIDR block can be configured. If you set Destination Type to Domain Name, set the destination to a domain name. Wildcard domain names are supported. |
Protocol | Valid values: |
Port Type | Set this parameter in the following way: |
Ports | Specify the ports on which you want to control traffic. If Port Type is set to Ports, enter a port number range. If Port Type is set to Address Book, find the required port address book and click Select in the Actions column. |
Application | Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC. If Protocol is set to TCP, the preceding applications are supported. If Protocol is set to another value, you can select only ANY. Note: Cloud Firewall identifies applications based on packet characteristics, not port numbers. If Cloud Firewall fails to identify the application in a packet, it allows the packet. If you want to block traffic from unknown applications, we recommend that you enable strict mode. For more information, see Strict mode of the Internet firewall. |
Policy Action | Specifies whether the Internet firewall allows or denies the traffic. Set this parameter in the following way: |
Description | Enter a description to identify the policy. |
Priority | The priority of the policy. Set this parameter in the following way: The default value is Lowest. |
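The hit check described above and the parameter table can be modelled in a few lines. The following is an added example, not code from the Cloud Firewall documentation or product: a constructed Python model that evaluates a flow against a policy table built from the parameters above (source CIDR, destination CIDR or wildcard domain, protocol, port range, application, action, priority), assuming policies are checked in priority order with the first hit winning. The `Policy` and `Flow` classes, policy IDs and addresses are constructed, address books are not modelled, and strict mode is approximated as "an unidentified application still counts as a hit", which simplifies the feature the page links to.

```python
# Added example, not Cloud Firewall's own code: a constructed model of the policy table.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    policy_id: str     # constructed ID, e.g. "policy-example-1"
    source: str        # source CIDR block
    destination: str   # destination CIDR block or (wildcard) domain name
    protocol: str      # "TCP", "UDP", "ICMP" or "ANY"
    ports: tuple       # inclusive port range, e.g. (443, 443)
    application: str   # "ANY", "HTTP", "SSH", ...
    action: str        # "Allow" or "Deny"
    priority: int      # smaller number is evaluated first (assumption)

@dataclass
class Flow:
    src_ip: str
    dst: str                    # IP address or domain name
    protocol: str
    port: int
    application: Optional[str]  # None: the firewall could not identify the application

def _dest_matches(rule_dst: str, flow_dst: str) -> bool:
    if rule_dst.startswith("*."):   # wildcard domain such as "*.example.com"
        return flow_dst.endswith(rule_dst[1:])
    try:
        return ipaddress.ip_address(flow_dst) in ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:              # plain domain name on either side
        return flow_dst == rule_dst

def hits(p: Policy, f: Flow, strict_mode: bool = False) -> bool:
    if ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(p.source, strict=False):
        return False
    if not _dest_matches(p.destination, f.dst):
        return False
    if p.protocol not in ("ANY", f.protocol) or not p.ports[0] <= f.port <= p.ports[1]:
        return False
    if p.application != "ANY" and f.application is None:
        return strict_mode   # unidentified app: no hit (packet allowed) unless strict mode is on
    return p.application in ("ANY", f.application)

def evaluate(policies, flow, strict_mode=False):
    """Return (action, policy_id) of the first hit in priority order, or ("NoMatch", None)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if hits(p, flow, strict_mode):
            return p.action, p.policy_id
    return "NoMatch", None
```

The model makes the point of the Application note concrete: with strict mode off, a Deny policy for SSH does not stop a flow on port 22 whose application cannot be identified, so the flow falls through to later policies.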