You can apply the default allow policies to security groups with a few clicks, so you do not need to configure a policy for each ECS instance. This topic describes how to apply the default allow policies to security groups associated with an ECS IP address.
Background information
How it works
Cloud Firewall issues four access control policies (security group rules) with the lowest priority (priority 100) to a security group associated with the public IP address of an ECS instance. These policies allow traffic between the ECS instance and the Internet. The four policies are automatically created. You only need to confirm and save them for the security groups.
Limits
- Advanced security groups do not support default allow policies. For more information, see Advanced security groups. If a VPC contains an advanced security group, default allow policies are also not supported for other security groups in the VPC.
- Default allow policies can be configured only for security groups associated with public IP addresses or EIPs of ECS instances. They cannot be configured for Internet SLB instances.
- To better protect your assets, we recommend that you do not apply default allow policies to IP addresses for which the Internet firewall is disabled. You must enable the firewall for every IP address to which you have applied default allow policies. Otherwise, these IP addresses may be exposed to the Internet.
Apply default allow policies
Follow these steps:
- Do not apply the default allow policies to IP addresses not protected by the Internet firewall.
- If no traffic distribution component (for example, an Internet SLB instance) is configured for the public IP address of an ECS instance, do not apply the default allow policies to that IP address.
- If your Cloud Firewall service has expired and you plan not to renew it, go to the Security Groups page in the ECS console to delete the four policies added by Cloud Firewall.
What to do next
Navigate to
. Check the status of the default allow policies to determine whether they are applied to the security groups of your ECS instance. The status is one of the following:
- Applied: The policies have been applied to all security groups associated with the IP address of the ECS instance. Inbound traffic between all ECS instances in these security groups and the Internet is allowed. If an ECS instance is added to multiple security groups, you must apply the default allow policies to all of them so that the policies can take effect.
- Not Applied: The policies have not been applied to all security groups associated with the IP address of the ECS instance. Inbound traffic between all ECS instances in these security groups and the Internet is still denied. In this case, there may be configuration conflicts among security group rules, or you have not performed the One-click Apply operation.
- - (hyphen): This type of asset does not support default allow policies. Only EIPs and ECS public IP addresses are supported. Other asset types, such as SLB EIPs, ENI EIPs, and NAT EIPs, are not supported.
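The status logic above, together with the exposure warning in the Limits section, can be turned into a simple audit of your own asset inventory. The following is an added example, not code from Alibaba Cloud or the Cloud Firewall API; the inventory records and their field names (`ip`, `type`, `firewall_enabled`, `security_groups`) are constructed assumptions, and each security group is represented by the number of Cloud Firewall rules found at priority 100.

```python
# Added example (not Cloud Firewall code): derive the per-asset status shown in the
# console and flag the two risk conditions this page describes:
#   1. default allow policies applied while the Internet firewall is disabled (exposed),
#   2. an ECS instance in several security groups with policies applied to only some
#      of them (policies do not take effect; Internet traffic is still denied).
CLOUD_FIREWALL_PRIORITY = 100   # lowest priority, as stated under "How it works"
EXPECTED_RULE_COUNT = 4         # four rules are issued per security group
SUPPORTED_ASSET_TYPES = {"EIP", "ECS Public IP"}

# Constructed inventory. The schema is an assumption for this example, not the
# Cloud Firewall API. Each security group maps to the count of Cloud Firewall
# rules present at CLOUD_FIREWALL_PRIORITY.
INVENTORY = [
    {"ip": "203.0.113.10", "type": "ECS Public IP", "firewall_enabled": True,
     "security_groups": {"sg-a": 4, "sg-b": 4}},
    {"ip": "203.0.113.11", "type": "ECS Public IP", "firewall_enabled": False,
     "security_groups": {"sg-c": 4}},
    {"ip": "203.0.113.12", "type": "EIP", "firewall_enabled": True,
     "security_groups": {"sg-d": 4, "sg-e": 0}},
    {"ip": "203.0.113.13", "type": "SLB EIP", "firewall_enabled": True,
     "security_groups": {}},
]


def policy_status(asset):
    """Return the status the console would show: "Applied", "Not Applied" or "-"."""
    if asset["type"] not in SUPPORTED_ASSET_TYPES:
        return "-"                      # asset type not supported at all
    groups = asset["security_groups"]
    # Applied only when every associated security group carries all four rules.
    if groups and all(n >= EXPECTED_RULE_COUNT for n in groups.values()):
        return "Applied"
    return "Not Applied"


def audit(inventory):
    """Return (ip, finding) pairs for assets that need attention."""
    findings = []
    for asset in inventory:
        status = policy_status(asset)
        partial = any(n >= EXPECTED_RULE_COUNT for n in asset["security_groups"].values())
        if status == "Applied" and not asset["firewall_enabled"]:
            findings.append((asset["ip"], "EXPOSED: policies applied but Internet firewall disabled"))
        elif status == "Not Applied" and partial:
            findings.append((asset["ip"], "PARTIAL: policies missing from some security groups"))
    return findings
```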