You can apply the default allow policies to security groups with a few clicks, so you do not need to configure a policy for each ECS instance. This topic describes how to apply the default allow policies to security groups associated with an ECS IP address.

Background information

By default, security group rules deny inbound traffic from the Internet to ECS instances. Cloud Firewall provides default allow policies so you can quickly change the default action from deny to allow. This way, you do not have to configure a security group rule for each ECS instance.

How it works

Cloud Firewall issues four access control policies (security group rules) with the lowest priority (priority 100) to a security group associated with the public IP address of an ECS instance. These policies allow traffic between the ECS instance and the Internet. The four policies are automatically created. You only need to confirm and save them for the security groups.

Note The default allow policies take effect only on traffic allowed by security group rules and do not take effect on denied traffic.

Limits

  • Advanced security groups do not support default allow policies. For more information, see Advanced security groups. If a VPC contains an advanced security group, default allow policies are also not supported for other security groups in the VPC.
  • Default allow policies can be configured only for security groups associated with public IP addresses or EIPs of ECS instances. They cannot be configured for Internet SLB instances.
  • To better protect your assets, we recommend that you do not apply default allow policies to IP addresses with the Internet firewall disabled. You must enable the firewall for IP addresses to which you have applied default allow policies. Otherwise, these IP addresses may be exposed to the Internet.

Apply default allow policies

Follow these steps:

Warning To avoid serious security risks to your business, take note of the following:
  • Do not apply the default allow policies to IP addresses not protected by the Internet firewall.
  • If no traffic distribution component (for example, an Internet SLB instance) is configured for the public IP address of an ECS instance, do not apply the default allow policies to that IP address.
  • If your Cloud Firewall service has expired and you plan not to renew it, go to the Security Groups page in the ECS console to delete the four policies added by Cloud Firewall.
  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, click Firewall Settings.
  3. On the Internet Firewall page, find the security group you want to configure and click Apply.
    Apply default allow policies
  4. In the Default Allow Policy dialog box that appears, find the target security group.
    • If the existing rules do not conflict with the default allow policies, click One-click Apply and go to step 5.
    • If there are configuration conflicts, the One-click Apply button is unavailable.Configuration Conflicts

      The following table lists solutions to the conflicts.

      Scenario Description Solution
      The conflicts can be resolved. The security group has rules with priorities greater than or equal to 100, which conflict with the default allow policies.

      Cloud Firewall increases the priorities of the existing rules to resolve the conflicts.

      In the Default Allow Policy dialog box, click Adjust with One Click and OK.

      Cloud Firewall then adjusts the priorities of the existing rules, and the One-click Apply button becomes available in the Actions column in the IP-associated Security Group list.

      The conflicts cannot be resolved. The security group has rules with priorities greater than or equal to 100, which conflict with the default allow policies. However, Cloud Firewall cannot adjust the priorities of the existing rules to resolve the conflicts. In this case, the Adjust with One Click button is unavailable. Adjust the priorities of the security group rules on the Security Group pages in the ECS console, or contact Cloud Firewall technical support on DingTalk.
  5. In the dialog box that appears after you click One-click Apply, check the four policies added by Cloud Firewall. Confirm them and click OK and Submit. Traffic between the security group and the Internet is allowed.
    Note All traffic between ECS instances in the security group and the Internet is allowed. Therefore, we recommend that you check the public IP addresses of the ECS instances. Make sure that appropriate access control policies are configured for these IP addresses in Cloud Firewall.

    After you click One-click Apply for all security groups associated with an IP address, the policies take effect, and the status in the Default Allow Policy becomes Applied. Click View to view details of the associated security groups.

    Notice After you apply the default allow policies, take note of the following:
    • Enable the firewall for the IP address in the Cloud Firewall console and add inbound policies on the Internet Firewall tab of the Access Control page.
    • Configure ECS instances in the security groups to limit the number of IP addresses exposed to the Internet.
    • If your Cloud Firewall service has expired, the security groups to which you have applied the default allow policies are no longer protected. Renew your Cloud Firewall service after you receive an expiration reminder. Otherwise, re-configure security group rules to protect your ECS instances. After you apply the default allow policies, Cloud Firewall adds four inbound rules to the security groups. The rules continue to work even after your Cloud Firewall service expires. If you do not want to renew your Cloud Firewall service, go to the Security Groups page in the ECS console and delete these rules.

What to do next

Check the status of the default allow policies

Navigate to Firewall Settings > Internet Firewall. Check the status of the default allow policies to determine whether they are applied to the security groups of your ECS instance.

The status may be the following:

  • Applied: The policies have been applied to all security groups associated with the IP address of the ECS instance. Inbound traffic between all ECS instances in these security groups and the Internet is allowed. If an ECS instance is added to multiple security groups, you must apply the default allow policies to all of them so that the policies can take effect.
  • Not Applied: The policies have not been applied to all security groups associated with the IP address of the ECS instance. Inbound traffic between all ECS instances in these security groups and the Internet is still denied. In this case, there may be configuration conflicts among security group rules, or you have not performed the One-click Apply operation.
  • -: This type of asset does not support default allow policies. Only EIP and ECS Public IP are supported. Other asset types, such as SLB EIP, ENI EIP, NAT EIP are not supported.