Cloud Firewall:Configure an access control policy for a VPC Firewall

Configure an access control policy

To manage traffic between two VPCs, you can use either a blacklist or a whitelist. In blacklist mode, you configure a policy to deny untrusted or unnecessary traffic for your workloads and another policy to allow all other traffic. In whitelist mode, you configure a policy to allow trusted or required traffic for your workloads and another policy to deny all other traffic. For examples of how to configure access control policies for VPC firewalls, see Examples of access control policy configurations.

1. Log on to the Cloud Firewall console.

2. In the navigation pane on the left, choose Protection Configuration > Access Control > VPC Border.

3. On the VPC Border page, switch to the business instance where you want to configure a policy.

   

4. Click Create Policy, configure the policy according to the following table, and then click OK.

   Configuration item	Description
   Source Type	The initiator of the network connection. Select a source type and specify the source address that sends traffic based on the source type. If you set Source Type to IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, you must create an address book in advance. For more information, see Address book management.
   Source
   Destination Type	The receiver of the network traffic. Select a destination type and specify the destination address based on the destination type. If you set Source Type to IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Destination Type to Address Book, you can select an existing address book, such as an IPv4 address book or a domain name address book. If you have not created an address book, you can click Create Address Book to create an IPv4 address book or a domain name address book for this policy. For more information about address books, see Address book management. If you set Destination Type to Domain Name, you need to select a domain name recognition mode. Three modes are available: FQDN-based Resolution (Extract Host or SNI Field in Packets): We recommend that you select this mode to manage traffic of the HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS protocols. DNS-based Dynamic Resolution: We recommend that you select this mode to manage traffic of protocols other than HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS. Important This mode does not support wildcard domain names or wildcard domain names in address books. FQDN-based And DNS-based Dynamic Resolution: We recommend that you select this mode to manage traffic of the HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS protocols if some or all of the traffic does not contain HOST or SNI fields. Important This mode takes effect only when the strict mode is enabled for ACL Engine Management. This mode does not support wildcard domain names or wildcard domain names in address books.
   Destination
   Protocol Type	The transport-layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you are not sure about the protocol, select ANY.
   Port Type	Set the destination port type and destination port. If you set Port Type to Port, you need to enter a port range. Separate the start port and end port with a forward slash (/). Examples: 22/22 and 80/88. You can add up to 2,000 port ranges. Separate multiple port ranges with commas (,). If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. Address Book: If you set Port Type to Address Book, you must create a port address book in advance. For more information, see Address book management.
   Port
   Application	Set the application type of the access traffic. You can select multiple application types. If you set Protocol Type to TCP: If you set Destination Type to IP or IP Address Book, you can select all applications. If you set Destination Type to Domain Name or Domain Name Address Book: If you set Domain Name Mode to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS. If you set Domain Name Mode to DNS-based Dynamic Resolution, you can select all applications. If you set Protocol Type to UDP, you can set Application to ANY or DNS. If you set Protocol Type to ICMP or ANY, you can set Application only to ANY. Note Cloud Firewall identifies applications based on packet features. The protocol is not identified based on the port. If Cloud Firewall fails to identify an application, the session traffic is allowed. If you want to block traffic of unknown application types, enable the strict mode for the Internet firewall. For more information, see Introduction to modes of the access control engine.
   Action	Set the action on the traffic that matches the policy. Allow: allows the traffic. Deny: blocks the traffic and does not send a notification. Monitor: In this mode, traffic is allowed by default. You can filter and observe this traffic using the relevant fields in traffic logs. After a period of observation, you can change the action to Allow or Deny as needed.
   Description	Enter a description for the policy. This helps you quickly identify the purpose of each policy.
   Priority	Select the priority of the policy. The default value is Last, which indicates the lowest priority. First: The access control policy has the highest priority and takes effect first. Last: The access control policy has the lowest priority and takes effect last.
   Policy Validity Period	Set the validity period for the policy. The policy can match traffic only within the validity period. Always One-Time: Select a single time period. Recurring: Select a recurring time period and effective dates. Note The start time of the effective date must be earlier than the end time. The policy is expected to take effect in 3 to 5 minutes. If you select Repeat Indefinitely, the end time is automatically set to 2099-12-31. Related FAQ: Does a policy take effect if the recurrence cycle spans multiple days?
   Status	Set whether to enable the policy. If you do not enable the policy when you create it, you can enable it in the policy list.

View policy hits