Cloud Firewall provides access control, IPS analysis, and network traffic analysis for a bastion host and allows you to implement unified management and protection on public IP addresses. A bastion host can perform operation audit, permission control, security authentication, and efficient operations, administration and management (OAM).

Recommended configurations
- Configure Inbound policies for the Internet firewall to allow the Internet or a regional Internet (function to be provided soon) to access the open ports of a bastion host.
- Configure Outbound policies for the Internet firewall to allow a bastion host to access the Internet.
- Enable the Cloud Firewall service for the bastion host so that all inbound and outbound traffic of the bastion host passes through Cloud Firewall.
Procedure
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- Create an Inbound access control policy to allow the Internet or a regional Internet to access the open ports of the target bastion host.
- Click the Inbound Policies tab.
- Optional. Choose . Note: You can add multiple IP addresses or ports to an address book for batch configuration, which simplifies the configuration. If you want to open only one port of the bastion host, you do not need to create an address book.
- In the Modify Address Book dialog box, specify the bastion host port that you want to open, set other parameters, and click Submit.
In this example, ports 60022 (SSH), 63389 (RDP), and 443 (bastion host OAM) are opened. Add ports on the Port Address Books page based on your business needs. Separate multiple ports with commas (,). You can add up to 50 ports.
- Create an Inbound access control policy to allow the Internet to access specified ports of the bastion host. Parameters for creating an inbound access control policy are as follows:
- Source Type: Select IP.
- Source: To allow all public IP addresses to access the open ports of a bastion host, enter 0.0.0.0/0. To allow some public IP addresses to access the open ports, enter the CIDR blocks of these IP addresses.
- Destination Type: Select IP.
- Destination: Enter the IP address of the bastion host.
Note: You can choose from the left-side navigation pane of the Cloud Firewall console and set Asset Type to check the IP address of the bastion host. You do not need to log on to the bastion host console.
- Protocol: Select TCP.
- Port Type: To open multiple ports of the bastion host, select Address Book. Then, for Ports, select the address book that contains the ports you want to open.
- Application: Select ANY.
- Policy Action: Select ALLOW, which indicates that public IP addresses are allowed to access opened ports of the bastion host.
- Create another Inbound access control policy that denies access to non-open ports of the bastion host from any public IP address. Set the remaining parameters as in the preceding policy, with the following differences:
- Ports: Enter 0/0, which indicates all ports of the bastion host.
- Policy Action: Select DENY, which indicates that access to non-open ports of the bastion host from any public IP address is not allowed.
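The following Python model, added here as an illustration and not part of the Cloud Firewall product or its API, evaluates the two inbound policies from this procedure against sample connections. It assumes first-match evaluation from top to bottom and a constructed bastion host IP address (192.0.2.10) and client address (203.0.113.5); it shows why the ALLOW policy for the open ports must sit above the DENY policy for port 0/0, and what happens when the order is reversed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BASTION_IP = "192.0.2.10"  # constructed placeholder for the bastion host's public IP address

@dataclass
class Policy:
    source: str       # CIDR block; 0.0.0.0/0 means any public IP address
    destination: str  # IP address or CIDR block of the bastion host
    protocol: str     # TCP, UDP or ANY
    ports: str        # "0/0" for all ports, or a comma-separated port address book
    action: str       # ALLOW or DENY

def parse_ports(spec: str) -> Optional[set]:
    """Expand a Port Address Book value such as "60022,63389,443"; None means all ports."""
    if spec.strip() == "0/0":
        return None
    ports = {int(p) for p in spec.split(",") if p.strip()}
    if len(ports) > 50:
        raise ValueError("a port address book holds at most 50 ports")
    return ports

def matches(policy: Policy, src_ip: str, dst_ip: str, protocol: str, port: int) -> bool:
    """True if the connection tuple falls within the policy's source, destination, protocol and ports."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(policy.source, strict=False):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(policy.destination, strict=False):
        return False
    if policy.protocol != "ANY" and policy.protocol != protocol:
        return False
    allowed = parse_ports(policy.ports)
    return allowed is None or port in allowed

def evaluate(policies: List[Policy], src_ip: str, dst_ip: str, protocol: str, port: int) -> str:
    """First-match evaluation from top to bottom (assumed model); NO_MATCH if no policy applies."""
    for policy in policies:
        if matches(policy, src_ip, dst_ip, protocol, port):
            return policy.action
    return "NO_MATCH"

# The two inbound policies from the procedure: allow the open ports, then deny all other ports.
INBOUND = [
    Policy("0.0.0.0/0", BASTION_IP, "TCP", "60022,63389,443", "ALLOW"),
    Policy("0.0.0.0/0", BASTION_IP, "TCP", "0/0", "DENY"),
]

if __name__ == "__main__":
    for port in (60022, 63389, 443, 22, 3389):
        print(port, evaluate(INBOUND, "203.0.113.5", BASTION_IP, "TCP", port))
    # With the DENY policy placed above the ALLOW policy, the open ports are shadowed as well.
    print("reversed:", evaluate(list(reversed(INBOUND)), "203.0.113.5", BASTION_IP, "TCP", 60022))
```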
- Allow the bastion host to access the Internet.
If a bastion host needs to reach Alibaba Cloud services over the Internet, an ECS instance in another VPC, or a host outside the cloud, you must create an Outbound policy that allows the bastion host to access these destinations over the Internet.
- In the left-side navigation pane of the Cloud Firewall console, choose . On the Internet Firewall page, click the Outbound Policies tab.
- Click Create Policy and set the parameters.
- Choose , find the bastion host for which you want to enable the firewall service, and click Enable Firewall. Note: A bastion host is synchronized to the Cloud Firewall console within 15 to 30 minutes after it is purchased.