Cloud Firewall allows you to centrally manage east-west traffic between ECS instances and north-south traffic between the Internet and ECS instances. This topic describes how to configure Cloud Firewall and view business relationships.
Prerequisites
- An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Create Your Alibaba Cloud Account page.
- Cloud Firewall is granted permissions on cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.
- Cloud Firewall is of the Enterprise Edition or Ultimate Edition. For more information, see Billing method.
Background information
Cloud Firewall provides on/off switches for firewalls, intrusion detection, outbound connection blocking, traffic analysis, and logging. Cloud Firewall consists of internal firewalls, Internet firewalls, and VPC firewalls. For more information about Cloud Firewall terms, see Cloud Firewall and Glossary.
Internal firewalls are used to control east-west traffic and use security group capabilities at the underlying layer. To control east-west traffic between ECS instances, you can create policy groups for internal firewalls in the Cloud Firewall console or add rules to security groups in the ECS console. The configurations of Cloud Firewall and ECS security groups are automatically synchronized. You can also configure application groups to view the access relationships between ECS instances. Based on the access status, you can optimize the policies.
Internet firewalls are used to control north-south traffic between the Internet and ECS instances. You can create inbound or outbound policies and harden them based on the results of intrusion prevention. For more information, see Traffic analysis overview and Overview of access control policies. Internet firewalls provide the following capabilities:
- Domain name-based access control.
- Application-based access control.
- Automatic blocking of outbound connections initiated by compromised servers.
- Access logs of the last six months, which meet Multi-Level Protection Scheme (MLPS) requirements.
Configure internal firewalls
After you publish a policy group in the Cloud Firewall console, the data of the policy group is immediately synchronized to the corresponding ECS security group. After you configure a security group in the ECS console, the data of the security group is synchronized to the corresponding policy group once a day, so the synchronization result is visible only on the next day. After you purchase Cloud Firewall Enterprise Edition or Ultimate Edition, you can centrally manage east-west access control policies in the Cloud Firewall console.
Perform the following operations to configure an internal firewall:
After you configure the internal firewall, you can control the access between ECS instances. You can also configure application groups in Cloud Firewall to visualize business relationships.
View business relationships
In Cloud Firewall, a business group contains all application groups related to a specific business. For example, a web portal business group contains the web application groups and database application groups. An application group is a collection of applications that provide the same or similar services. For example, you can add all ECS instances that are deployed with MySQL to a database application group.
Perform the following operations to view the relationship between ECS instances:
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- Create a business group.
  - Click the Business Groups tab.
  - Click Create Business Group.
  - Specify the Name parameter. For example, you can specify the name as database business or web business.
  - Specify the Description parameter.
  - Specify the Importance Degree parameter. For example, you can set this parameter to Important.
- Create an application group.
  - Click the Application Groups tab.
  - Click Create Application Group.
  - Specify the Name parameter. For example, you can specify the name as database business or web business.
  - Specify the Description parameter.
  - Specify the Importance Degree parameter. For example, you can set this parameter to Important.
  - Specify the Business Group parameter. For example, you can set this parameter to Select Existing Business Group.
  - Select a business group, such as database business or web business.
- Assign applications.
  - Select a VPC, such as China (Hangzhou) - vpc-xxx.
  - Assign applications based on business requirements. For example, assign all ECS instances that are deployed with MySQL to a web application group.
- In the left-side navigation pane, click Applications Group.
- Select a VPC, such as China (Hangzhou) - vpc-xxx, to view the access relationships between business groups. You can also go to application groups to view the access relationships.