This topic describes how to configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost to prevent the access traffic of your bastion host from being blocked by Cloud Firewall. If the access traffic is blocked, your business cannot run as expected.

Scenarios

You can deploy Cloud Firewall together with Bastionhost to protect traffic from the Internet and ensure the security of your business. If you deploy Cloud Firewall together with Bastionhost, the access traffic of your bastion host may be blocked by Cloud Firewall. As a result, the bastion host cannot access the Internet as expected. Therefore, you must configure access control policies for the Internet firewall in Cloud Firewall to ensure that the firewall protects the traffic between the bastion host and the Internet and does not affect the business of the bastion host.

The following figure shows how Cloud Firewall provides security protection for a bastion host.

[Figure: architecture]

If you do not configure access control policies as described in the following steps, the following issues may occur: the service ports of the bastion host become inaccessible, assets and users cannot be imported, web page-based O&M cannot be performed, and videos cannot be played.

Prerequisites

Step 1: Configure a policy to allow inbound traffic

Configure an inbound policy for the Internet firewall to allow Internet access to the open ports of the bastion host.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internet Border.
  3. On the Inbound tab, click Create Policy.
  4. In the Create Inbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the Internet. For more information, see Parameters of an inbound policy. Then, click OK.
    Parameter: Description
    Source Type: Select IP.
    Source: Enter the public CIDR blocks that are allowed to access the bastion host.
    Destination Type: Select IP.
    Destination: Enter the IP address to which the O&M address of the bastion host is resolved.
      Note: To view the IP address of the bastion host, go to the Internet Border page and set Asset Type as the filter condition. You do not need to log on to the Bastionhost console.
    Protocol: Select TCP.
    Port Type: Select the port type. Valid values: Ports and Address Book.
      If you want to enable multiple ports of the bastion host, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.
      Note: You can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.
    Ports: If you set Port Type to Ports, you must configure this parameter. The following list describes the commonly used services and ports of a bastion host. You can specify ports based on your business requirements.
      • SSH-based O&M: port 60022
      • RDP-based O&M: port 63389
      • Video playback: port 9443
      • Host O&M and O&M portal: port 443
    Application: Select ANY.
    Policy Action: Select Allow, which indicates that the specified CIDR blocks are allowed to access the open ports of the bastion host.
    Description: Enter a description that can help you identify the policy.
    Priority: Select Highest.
    Enabled: Turn on the switch, which indicates that the policy is enabled after it is created.
  5. Create another policy to deny access to the bastion host from all public IP addresses.
    Configure the parameters based on Parameters of an outbound policy. Set Source to 0.0.0.0/0 and Priority to Lowest.

Step 2: Configure a policy to allow outbound traffic

The bastion host needs to access cloud services over the Internet. Therefore, you must configure an outbound policy for the Internet firewall to allow the bastion host to access the Internet.

  1. On the Outbound tab, click Create Policy.
  2. In the Create Outbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the bastion host. For more information, see Parameters of an outbound policy. Then, click OK.
    Parameter: Description
    Source Type: Select IP.
    Source: Enter the egress IP addresses of the bastion host.
    Destination Type: Select Domain Name.
    Destination: Enter the endpoints of cloud services. The following list describes the commonly used cloud services and their endpoints.
      • O&M portal: afs.aliyuncs.com
      • RAM user import: ram.aliyuncs.com
      • Elastic Compute Service (ECS) instance import: ecs.aliyuncs.com and ecs.[region-id].aliyuncs.com
      • ApsaraDB RDS instance import: rds.aliyuncs.com, rds.[region-id].aliyuncs.com
      Note: [region-id] specifies the ID of the region where the instance resides. For example, the ID of the China (Shanghai) region is cn-shanghai.
    Protocol: Select TCP.
    Port Type: Select the port type. Valid values: Ports and Address Book.
      If you want to enable multiple ports of a cloud service, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.
      Note: You can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.
    Ports: If you set Port Type to Ports, you must specify the following ports of your bastion host: 443 and 80.
    Application: Select HTTP and HTTPS.
    Policy Action: Select Allow, which indicates that the open ports of your bastion host are allowed to access the endpoints of cloud services.
    Description: Enter a description that can help you identify the policy.
    Priority: Select Highest.
    Enabled: Turn on the switch, which indicates that the policy is enabled after it is created.
  3. Create a policy to deny access to the Internet from all addresses of the bastion host.
    Configure the parameters based on Parameters of an outbound policy. Set Source to 0.0.0.0/0 and Priority to Lowest.
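
The rule set from Steps 1 and 2, modelled as an added example (not Alibaba Cloud code and not an API client) so that a planned policy list can be checked against sample flows before it is entered in the console. It assumes that policies are evaluated in priority order and that the first match decides; the IP addresses, the numeric priorities, the wildcard destination of the outbound deny policy, and the names Policy, evaluate and build_policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
BASTION = "203.0.113.10/32"       # constructed: IP the O&M address resolves to
EGRESS = "203.0.113.11/32"        # constructed: egress IP of the bastion host
ALLOWED_SRC = "198.51.100.0/24"   # constructed: public CIDR block allowed in
ENDPOINTS = ["afs.aliyuncs.com", "ram.aliyuncs.com", "ecs.aliyuncs.com",
             "ecs.cn-shanghai.aliyuncs.com", "rds.aliyuncs.com",
             "rds.cn-shanghai.aliyuncs.com"]

@dataclass(frozen=True)
class Policy:
    name: str
    direction: str       # "in" or "out"
    source: str          # CIDR block
    destination: str     # CIDR block, or a domain name (outbound)
    ports: frozenset     # empty set = any port
    action: str          # "allow" or "deny"
    priority: int        # assumption: 1 models Highest, 1000 models Lowest

def _dest_matches(rule_dest, dest):
    if rule_dest == ANY:
        return True
    try:
        return ipaddress.ip_address(dest) in ipaddress.ip_network(rule_dest)
    except ValueError:   # one side is a domain name, so compare names
        return rule_dest.lower() == dest.lower().rstrip(".")

def evaluate(policies, direction, src, dest, port):
    """Return (action, name) of the first matching policy in priority order."""
    for p in sorted(policies, key=lambda p: p.priority):
        if (p.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(p.source)
                and _dest_matches(p.destination, dest)
                and (not p.ports or port in p.ports)):
            return p.action, p.name
    return "no-match", None

def build_policies():
    """Steps 1 and 2 of the page: allow at Highest, deny-all at Lowest."""
    ops = frozenset({60022, 63389, 9443, 443})
    rules = [Policy("in-allow", "in", ALLOWED_SRC, BASTION, ops, "allow", 1),
             Policy("in-deny-all", "in", ANY, BASTION, frozenset(), "deny", 1000),
             Policy("out-deny-all", "out", ANY, ANY, frozenset(), "deny", 1000)]
    rules += [Policy("out-allow-" + d, "out", EGRESS, d, frozenset({80, 443}),
                     "allow", 1) for d in ENDPOINTS]
    return rules
```

Calling `evaluate(build_policies(), "in", "198.51.100.7", "203.0.113.10", 60022)` returns the allow policy, while the same flow to port 22 or from an unlisted source falls through to the deny policy. Giving a deny policy a higher priority than the allow policy makes it match first, which reproduces the blocked-access symptoms listed earlier on this page.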

Step 3: Enable the Internet firewall for the bastion host

After the policies are configured, you must enable the Internet firewall for the bastion host.

  1. In the left-side navigation pane, click Firewall Settings.
  2. On the Internet Border tab, find the IP address of the bastion host and click Enable Firewall in the Actions column.
    Note: If your bastion host is newly purchased, the information about the bastion host is synchronized to Cloud Firewall after approximately 15 to 30 minutes.
    After you complete the preceding configurations, the bastion host is protected by Cloud Firewall, and the workload of the bastion host is not affected by Cloud Firewall. You can log on to the bastion host to import assets and users for O&M and audit.

Step 4: Verify whether the configurations take effect

If you can access the service ports of the bastion host, import assets and users, perform web page-based O&M, and play videos, the configurations take effect. You can go to the Traffic Logs tab on the Log Audit page of the Cloud Firewall console to view the logs of traffic between the bastion host and the Internet. For more information, see Traffic logs.