Cloud Firewall allows you to centrally manage east-west traffic between ECS instances and north-south traffic between the Internet and ECS instances. This topic describes how to configure Cloud Firewall and view business relationships.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the account registration page.
  • Cloud Firewall is granted permissions on cloud resources. For more information, see Authorize Cloud Firewall.
  • Cloud Firewall is of the Enterprise Edition or Ultimate Edition. For more information, see Billing method.

Background information

Cloud Firewall provides a quick on/off switch for firewalls, intrusion detection, outbound connection blocking, traffic analysis, and logging. Cloud Firewall consists of internal firewalls, Internet firewalls, and VPC firewalls. For more information about Cloud Firewall terms, see Cloud Firewall and Glossary.

Internal firewalls are used to control east-west traffic and use security group capabilities at the underlying layer. To control east-west traffic between ECS instances, you can create policy groups for internal firewalls in the Cloud Firewall console or add rules to security groups in the ECS console. The configurations of Cloud Firewall and ECS security groups are automatically synchronized. You can also configure application groups to view the access relationships between ECS instances. Based on the access status, you can optimize the policies.

Internet firewalls are used to control north-south traffic between the Internet and ECS instances. You can create inbound or outbound policies and implement policy hardening based on intrusion prevention. For more information, see Traffic analysis overview and Overview of access control policies.

You can use Cloud Firewall in the following scenarios:
  • Domain name-based access control.
  • Application-based access control.
  • Automatic blocking of outbound connections initiated by compromised (victim) servers.
  • Access logs of the last six months, as required by the Multi-Level Protection Scheme (MLPS).

Configure internal firewalls

After you publish a policy group in the Cloud Firewall console, the data of the policy group is immediately synchronized to the corresponding ECS security group. After you configure a security group in the ECS console, data in the security group is synchronized to the corresponding policy group on a daily basis. You can view the synchronization result only the next day. After you purchase Cloud Firewall Enterprise Edition or Ultimate Edition, you can centrally manage the east-west access control policies in the Cloud Firewall console.

Perform the following operations to configure an internal firewall:

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, click Access Control.
  3. On the page that appears, click Internal Firewall. The Source column shows where each policy group comes from:
    • Custom indicates that the policy group was created in Cloud Firewall.
    • Security Group Synchronization indicates that the policy group was synchronized from an ECS security group.
    • Application Group Synchronization indicates that the policy group was synchronized from an application group.
  4. Click Create Policy Group.
  5. Configure Name, VPC, Instance ID, Description, and Template, and then click Submit.
    Note: After you select a VPC, the policy group is assigned to the region to which that VPC belongs, such as China (Hangzhou).
  6. Optional: Find the target policy group and click Configure Policy in the Actions column to create a policy.
  7. Click Publish in the corresponding Actions column. After the policy is published, it is synchronized to an ECS security group. Follow these steps to view the synchronization result:
    1. Log on to the ECS console.
    2. Select the region where the policy group resides, such as China (Hangzhou).
    3. In the left-side navigation pane, choose Network & Security > Security Groups.
    4. Set the filter condition to Security Group Name. Enter the policy group name in the search bar and click Search. If a security group with the same name as the policy group is displayed, the synchronization is successful.
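The synchronization check above can also be scripted once you have exported the security groups of the region. The following Python example is added here and is not Alibaba Cloud's own code; it assumes the response shape of the ECS DescribeSecurityGroups API (a SecurityGroups.SecurityGroup list whose entries carry SecurityGroupName and VpcId) and uses a constructed sample response. It goes slightly beyond the console procedure by distinguishing a policy group that has not synchronized at all from one whose security group exists but in a different VPC than the one selected for the policy group.

```python
"""Check whether published Cloud Firewall policy groups have been synchronized
to ECS security groups of the same name in the expected VPC.

Added example, not Alibaba Cloud's code. Assumes the DescribeSecurityGroups
response layout: {"SecurityGroups": {"SecurityGroup": [{...}, ...]}}.
"""
import json

# Constructed sample of a DescribeSecurityGroups response for one region.
SAMPLE_RESPONSE = json.dumps({
    "RegionId": "cn-hangzhou",
    "TotalCount": 3,
    "SecurityGroups": {"SecurityGroup": [
        {"SecurityGroupId": "sg-example-0001", "SecurityGroupName": "web-tier-policy",
         "VpcId": "vpc-example-web"},
        {"SecurityGroupId": "sg-example-0002", "SecurityGroupName": "db-tier-policy",
         "VpcId": "vpc-example-other"},
        {"SecurityGroupId": "sg-example-0003", "SecurityGroupName": "default",
         "VpcId": "vpc-example-web"},
    ]},
})


def parse_security_groups(response_json: str) -> list[dict]:
    """Flatten the nested SecurityGroups.SecurityGroup list from the API response."""
    data = json.loads(response_json)
    return list(data.get("SecurityGroups", {}).get("SecurityGroup", []))


def check_policy_group_sync(policy_group_name: str, vpc_id: str, groups: list[dict]) -> dict:
    """Classify the synchronization state of one policy group.

    status: "synced"    - a security group with this name exists in vpc_id
            "wrong_vpc" - the name exists only in other VPCs (check the VPC chosen
                          when the policy group was created)
            "missing"   - no security group carries this name yet (not published,
                          or the daily synchronization has not run)
    matches: every security group that shares the policy group name
    """
    matches = [g for g in groups if g.get("SecurityGroupName") == policy_group_name]
    in_vpc = [g for g in matches if g.get("VpcId") == vpc_id]
    if in_vpc:
        status = "synced"
    elif matches:
        status = "wrong_vpc"
    else:
        status = "missing"
    return {"status": status, "matches": matches}


def check_many(expected: dict[str, str], groups: list[dict]) -> dict[str, str]:
    """expected maps policy group name -> VPC id; returns policy group name -> status."""
    return {name: check_policy_group_sync(name, vpc, groups)["status"]
            for name, vpc in expected.items()}


if __name__ == "__main__":
    groups = parse_security_groups(SAMPLE_RESPONSE)
    # Policy groups as published in the Cloud Firewall console (constructed names).
    expected = {"web-tier-policy": "vpc-example-web",
                "db-tier-policy": "vpc-example-web",
                "api-tier-policy": "vpc-example-web"}
    for name, status in check_many(expected, groups).items():
        print(f"{name}: {status}")
```

Feed the script the JSON you obtain from the DescribeSecurityGroups API for the region the policy group belongs to; because security group changes made in the ECS console flow back to Cloud Firewall only once a day, a "missing" result seen immediately after publishing from the ECS side is expected and should be rechecked the next day.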

After you configure the internal firewall, you can control the access between ECS instances. You can also configure application groups in Cloud Firewall to visualize business relationships.

View business relationships

In Cloud Firewall, a business group contains all application groups related to a specific business. For example, a web portal business group contains the web application groups and database application groups. An application group is a collection of applications that provide the same or similar services. For example, you can add all ECS instances that are deployed with MySQL to a database application group.

Perform the following operations to view the relationship between ECS instances:

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Business Visualization > Application Groups.
  3. Create a business group.
    1. Click the Business Groups tab.
    2. Click Create Business Group.
    3. Specify the Name parameter. For example, you can specify the name as database business or web business.
    4. Specify the Description parameter.
    5. Specify the Importance Degree parameter. For example, you can set this parameter to Important.
  4. Create an application group.
    1. Click the Application Groups tab.
    2. Click Create Application Group.
    3. Specify the Name parameter. For example, you can specify the name as database business or web business.
    4. Specify the Description parameter.
    5. Specify the Importance Degree parameter. For example, you can set this parameter to Important.
    6. Specify the Business Group parameter. For example, you can set this parameter to Select Existing Business Group.
    7. Select a business group, such as database business or web business.
  5. Assign applications.
    1. Select a VPC, such as China (Hangzhou) - vpc-xxx.
    2. Assign applications based on business requirements. For example, assign all ECS instances that are deployed with MySQL to a web application group.
  6. In the left-side navigation pane, click Applications Group.
  7. Select a VPC, such as China (Hangzhou) - vpc-xxx to view the access relationships between business groups. You can also go to application groups to view the access relationships.
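The relationships shown on the Business Visualization page are instance-to-instance flows rolled up by application group and then by business group. The following Python example is added here and is not Alibaba Cloud's code; the instance IDs, group names and flows are constructed, and the roll-up logic is an assumption about how such a view is built, not a description of the console's implementation. It also lists instances that appear in flows but belong to no application group, which is the gap you would close before using the view to optimize policies.

```python
"""Roll up ECS instance-level access flows into application-group and
business-group relationships. Added example with constructed data; the
grouping logic is an assumption, not Cloud Firewall's implementation."""
from collections import Counter

# Constructed membership: ECS instance -> application group.
INSTANCE_TO_APP = {
    "i-web-01": "web application group",
    "i-web-02": "web application group",
    "i-db-01": "database application group",
    "i-batch-01": "batch application group",
}
# Constructed membership: application group -> business group.
APP_TO_BUSINESS = {
    "web application group": "web business",
    "database application group": "web business",
    "batch application group": "batch business",
}
# Constructed east-west flows: (source instance, destination instance, destination port).
FLOWS = [
    ("i-web-01", "i-db-01", 3306),
    ("i-web-02", "i-db-01", 3306),
    ("i-batch-01", "i-db-01", 3306),
    ("i-web-01", "i-web-02", 8080),
    ("i-unknown-01", "i-db-01", 3306),  # source instance assigned to no application group
]

UNASSIGNED = "unassigned"


def app_relationships(flows, instance_to_app):
    """Count flows between application groups; instances without a group map to UNASSIGNED."""
    counts = Counter()
    for src, dst, port in flows:
        counts[(instance_to_app.get(src, UNASSIGNED), instance_to_app.get(dst, UNASSIGNED), port)] += 1
    return counts


def business_relationships(app_rels, app_to_business):
    """Roll application-group edges up to business-group edges, keeping the flow counts."""
    counts = Counter()
    for (src_app, dst_app, port), n in app_rels.items():
        counts[(app_to_business.get(src_app, UNASSIGNED), app_to_business.get(dst_app, UNASSIGNED), port)] += n
    return counts


def cross_business_edges(business_rels):
    """Edges that cross a business boundary, the ones most worth an explicit policy decision."""
    return {edge: n for edge, n in business_rels.items() if edge[0] != edge[1]}


def unassigned_instances(flows, instance_to_app):
    """Instances seen in flows that are not a member of any application group."""
    seen = {inst for src, dst, _ in flows for inst in (src, dst)}
    return sorted(seen - set(instance_to_app))


if __name__ == "__main__":
    apps = app_relationships(FLOWS, INSTANCE_TO_APP)
    biz = business_relationships(apps, APP_TO_BUSINESS)
    for edge, n in sorted(biz.items()):
        print(f"{edge[0]} -> {edge[1]} :{edge[2]} ({n} flows)")
    print("unassigned:", unassigned_instances(FLOWS, INSTANCE_TO_APP))
```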