This topic describes how to configure access control policies on VPC firewalls. Cloud Firewall uses VPC firewalls to detect and control traffic between VPCs.
Prerequisites
VPC firewalls are not enabled by default. Before you configure access control policies for VPCs, you must create and enable a VPC firewall.

How it works
A VPC firewall allows all traffic by default. If you want to control traffic between VPCs, you can configure access control policies to deny traffic from untrusted sources. You can also allow traffic from trusted sources and deny traffic from all other sources.
Procedure
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the VPC Firewall tab, click Create.
- In the Create VPC Firewall Policy dialog box, configure the policy. For information about parameters in a policy, see the Policy parameters table in this topic. You can choose one of the following configuration methods based on your needs:
  - Create a policy to deny traffic from untrusted sources.
  - Create a policy to allow traffic from trusted sources, and then create another to deny traffic from all other sources. Make sure that the allow policy has a higher priority than the deny policy. For more information about policy priorities, see Change the priority of an access control policy.

Note: A VPC firewall allows all traffic by default.
Policy parameters
Parameter | Description |
---|---|
Source Type | The type of the traffic source. You can select IP or Address Book. |
Source | The source CIDR block of the traffic. Note: You can enter only one CIDR block, for example, 1.1.1.1/32. If you set Source Type to Address Book, select a pre-configured address book. |
Destination Type | |
Destination | The destination of the traffic. You can enter only one CIDR block. If you set Destination Type to Domain Name, enter a domain name. Wildcard domain names are supported, for example, *.aliyun.com. |
Protocol | |
Port Type | You can select Ports or Address Book. |
Ports | You can specify a port range. 0/0 indicates all ports can be matched. Note: If you set Protocol to ICMP, the destination ports are not required. If you set Protocol to ANY, the destination ports you specify do not take effect in ICMP traffic control. |
Application | You can set the application to ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, or VNC. If Protocol is set to TCP, multiple applications are available. Otherwise, you can only set the application to ANY. Note: Cloud Firewall identifies applications based on packet characteristics, instead of port numbers. If Cloud Firewall fails to identify the application in a packet, it allows the packet. |
Policy Action | Specify whether the VPC firewall allows or denies traffic. |
Description | Enter a description to identify the policy. |
Priority | The priority of a policy, which defaults to Lowest. |
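
The following Python model is an added example, not code from Cloud Firewall or from this topic. It evaluates a flow against policies built from the parameters above and shows why the allow policy must have a higher priority than the deny policy. Assumptions: policies are evaluated in priority order with the first match deciding, 1 is the highest priority, ports use the low/high form, an unidentified application is allowed when an application-specific policy is reached, and all addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    priority: int      # 1 is highest; lower numbers are evaluated first (assumption)
    source: str        # one CIDR block
    destination: str   # one CIDR block
    protocol: str      # TCP, UDP, ICMP or ANY
    ports: str         # "low/high"; "0/0" matches all ports
    application: str   # ANY, or a named application (TCP only)
    action: str        # "allow" or "deny"

def port_matches(policy, protocol, port):
    # Ports are not evaluated for ICMP, including under Protocol ANY.
    if protocol == "ICMP" or policy.ports == "0/0":
        return True
    low, high = (int(p) for p in policy.ports.split("/"))
    return low <= port <= high

def evaluate(policies, src, dst, protocol, port=0, app=None):
    """Return (action, reason) for one flow; app=None means not identified."""
    for p in sorted(policies, key=lambda p: p.priority):
        if ipaddress.ip_address(src) not in ipaddress.ip_network(p.source):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(p.destination):
            continue
        if p.protocol not in ("ANY", protocol):
            continue
        if not port_matches(p, protocol, port):
            continue
        if p.application != "ANY":
            if app is None:   # modelling assumption for the Application note
                return "allow", "application not identified"
            if app != p.application:
                continue
        return p.action, f"priority {p.priority}"
    return "allow", "default"   # a VPC firewall allows all traffic by default

# Constructed sample policies: allow SSH from a trusted subnet, deny everything else.
ALLOW_SSH = Policy(1, "10.0.1.0/24", "10.1.0.0/16", "TCP", "22/22", "SSH", "allow")
DENY_ALL = Policy(2, "0.0.0.0/0", "10.1.0.0/16", "ANY", "0/0", "ANY", "deny")
CORRECT = [ALLOW_SSH, DENY_ALL]
# Misordered: the deny policy outranks the allow policy, so trusted SSH is dropped.
MISORDERED = [replace(ALLOW_SSH, priority=2), replace(DENY_ALL, priority=1)]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name, evaluate(rules, "10.0.1.5", "10.1.2.3", "TCP", 22, "SSH"))
```

In this model, a flow whose destination is outside every policy falls through to the default allow, so a deny policy only protects the CIDR block it names.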