Cloud Firewall provides access control, IPS analysis, and network traffic analysis for a bastion host and allows you to implement unified management and protection on public IP addresses. A bastion host can perform operation audit, permission control, security authentication, and efficient operations, administration and management (OAM).

The following figure shows how Cloud Firewall protects a bastion host.

Recommended configurations

  • Configure Inbound policies for the Internet firewall to allow the Internet or a regional Internet (function to be provided soon) to access the open ports of a bastion host.
  • Configure Outbound policies for the Internet firewall to allow a bastion host to access the Internet.
  • Enable the Cloud Firewall service for the bastion host so that all inbound and outbound traffic of the bastion host passes through Cloud Firewall.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Security Policies > Access Control > Internet Firewall.
  3. Create an Inbound access control policy to allow the Internet or a regional Internet to access the open ports of the target bastion host.
    1. Click the Inbound Policies tab.
    2. Optional. Choose Address Books > Port Address Books > Create Address Book.
      Note You can add multiple IP addresses or ports to an address book for batch configuration, which simplifies the configuration. If you want to open only one port of the bastion host, you do not need to create an address book.
    3. In the Modify Address Book dialog box, specify the bastion host port that you want to open, set other parameters, and click Submit.

      In this example, ports 60022 (SSH), 63389 (RDP), and 443 (bastion host OAM) are opened. Add ports on the Port Address Books page based on your business needs. Separate multiple ports with commas (,). You can add up to 50 ports.

    4. Create an Inbound access control policy to allow the Internet to access specified ports of the bastion host.
      Parameters for creating an inbound access control policy are as follows:
      • Source Type: Select IP.
      • Source: To allow all public IP addresses to access the open ports of a bastion host, enter 0.0.0.0/0. To allow some public IP addresses to access the open ports, enter the CIDR blocks of these IP addresses.
      • Destination Type: Select IP.
      • Destination: Enter the IP address of the bastion host.
        Note You can choose Firewall Settings > Internet Firewall from the left-side navigation pane of the Cloud Firewall console and set Asset Type to check the IP address of the bastion host. You do not need to log on to the bastion host console.
      • Protocol: Select TCP.
      • Port Type: To open multiple ports of the bastion host, select Address Book and, for Ports, select the address book that contains the ports you want to open.
      • Application: Select ANY.
      • Policy Action: Select ALLOW, which indicates that public IP addresses are allowed to access the open ports of the bastion host.
    5. Create another Inbound access control policy that denies access to non-open ports of the bastion host from any public IP address.

      Ports: Enter 0/0, which indicates all ports of the bastion host.

      Policy Action: Select DENY, which indicates that access to non-open ports of the bastion host from any public IP address is not allowed.

  4. Allow the bastion host to access the Internet.

    If the bastion host needs to access Alibaba Cloud services over the Internet, an ECS instance in another VPC, or a host outside the cloud, you must create an outbound policy that allows the bastion host to access the Internet.

    1. In the left-side navigation pane of the Cloud Firewall console, choose Security Policies > Access Control. On the Internet Firewall page, click the Outbound Policies tab.
    2. Click Create Policy and set the parameters.
  5. Choose Firewall Settings > Internet Firewall, find the bastion host for which you want to enable the firewall service, and click Enable Firewall.
    Note A bastion host is synchronized to the Cloud Firewall console within 15 to 30 minutes after it is purchased.
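The inbound pair created in steps 4 and 5 (ALLOW the open ports, then DENY all ports) only works if the ALLOW policy sits above the DENY policy. The following is an added example, not Alibaba Cloud code or an API client: a small first-match evaluator that models the two inbound policies and flags a policy that can never match because an earlier one covers it. It assumes top-to-bottom, first-match evaluation, uses constructed RFC 5737 addresses for the bastion host and the client, invents the policy names, and sets protocol ANY on the DENY policy, which the procedure does not specify (it only sets Ports 0/0 and action DENY). The page does not say what happens when no policy matches, so the evaluator reports that case rather than assuming a default.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed placeholder for the bastion host's public IP address
# (RFC 5737 documentation range); substitute the address shown under
# Firewall Settings > Internet Firewall.
BASTION_HOST_IP = "203.0.113.10"
# The ports opened in the procedure: 60022 (SSH), 63389 (RDP), 443 (bastion host OAM).
OPEN_PORTS: FrozenSet[int] = frozenset({60022, 63389, 443})


@dataclass(frozen=True)
class Policy:
    """One access control policy, reduced to the fields the procedure sets."""
    name: str
    direction: str                   # "inbound" or "outbound"
    source: str                      # CIDR block; "0.0.0.0/0" = any public IP
    destination: str                 # CIDR block of the bastion host
    proto: str                       # "TCP", "UDP" or "ANY"
    ports: Optional[FrozenSet[int]]  # None stands for 0/0, i.e. all ports
    action: str                      # "ALLOW" or "DENY"


def covers(policy: Policy, direction: str, src_ip: str, dst_ip: str,
           proto: str, dst_port: int) -> bool:
    """True if every match field of the policy covers this flow."""
    if policy.direction != direction:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(policy.source, strict=False):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(policy.destination, strict=False):
        return False
    if policy.proto != "ANY" and policy.proto != proto:
        return False
    if policy.ports is not None and dst_port not in policy.ports:
        return False
    return True


def evaluate(policies: List[Policy], direction: str, src_ip: str, dst_ip: str,
             proto: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first policy that covers the flow decides.
    Returns (action, policy name). The page does not state what Cloud Firewall
    does when nothing matches, so that case is reported as "NO_MATCH" (assumption:
    we do not guess a default)."""
    for policy in policies:
        if covers(policy, direction, src_ip, dst_ip, proto, dst_port):
            return policy.action, policy.name
    return "NO_MATCH", None


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy in the
    same direction already covers every flow they cover. Placing the DENY 0/0
    policy above the ALLOW policy makes the ALLOW policy appear here."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.direction != later.direction:
                continue
            src_ok = ipaddress.ip_network(later.source, strict=False).subnet_of(
                ipaddress.ip_network(earlier.source, strict=False))
            dst_ok = ipaddress.ip_network(later.destination, strict=False).subnet_of(
                ipaddress.ip_network(earlier.destination, strict=False))
            proto_ok = earlier.proto in ("ANY", later.proto)
            ports_ok = earlier.ports is None or (
                later.ports is not None and later.ports <= earlier.ports)
            if src_ok and dst_ok and proto_ok and ports_ok:
                result.append(later.name)
                break
    return result


# The inbound pair from steps 4 and 5, in the order they must be evaluated.
# Protocol "ANY" on the DENY policy is an assumption (the page specifies only
# Ports 0/0 and action DENY); the policy names are invented for this example.
INBOUND_POLICIES: List[Policy] = [
    Policy("allow-bastion-open-ports", "inbound", "0.0.0.0/0",
           BASTION_HOST_IP + "/32", "TCP", OPEN_PORTS, "ALLOW"),
    Policy("deny-bastion-other-ports", "inbound", "0.0.0.0/0",
           BASTION_HOST_IP + "/32", "ANY", None, "DENY"),
]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed client address (RFC 5737)
    for port in (60022, 63389, 443, 22, 3389):
        print(port, evaluate(INBOUND_POLICIES, "inbound", client, BASTION_HOST_IP, "TCP", port))
    print("shadowed when DENY is placed first:",
          shadowed(list(reversed(INBOUND_POLICIES))))
```

Running the module shows TCP 60022, 63389 and 443 hitting the ALLOW policy, TCP 22 and 3389 hitting the DENY policy, and, for the reversed order, the ALLOW policy reported as shadowed. Narrowing Source from 0.0.0.0/0 to the CIDR blocks of your administrators' addresses, as step 4 suggests, keeps the same structure; only the source network of the ALLOW policy changes.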
