If you want to block access to your assets from regions outside China, you can go to the Cloud Firewall console and configure an access control policy. This topic describes how to configure a policy to block access from regions outside China in the Cloud Firewall console.
Create an access control policy
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Internet Firewall tab, click Inbound Policies.
- On the Inbound Policies tab, click Create Policy.
- In the Create Inbound Policy dialog box, configure the parameters.
Set Source Type to Region, Source to Regions Outside China, and Policy Action to Deny. Then, click Submit. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Source Type | The type of the source address. Valid values: |
| Source | The source CIDR block of the traffic. Note: You can enter only one CIDR block, for example, 18.104.22.168/32. If you set Source Type to Address Book, select a preconfigured address book. |
| Destination Type | Set this parameter in the following way: |
| Destination | If you set Destination Type to IP, the destination must be set to a CIDR block. Only one CIDR block can be configured. If you set Destination Type to Domain Name, set the destination to a domain name. Wildcard domain names are supported. |
| Port Type | Set this parameter in the following way: |
| Ports | Specify the ports on which you want to control traffic. If Port Type is set to Ports, enter a port number range. If Port Type is set to Address Book, find the required port address book and click Select in the Actions column. |
| Application | Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC. If Protocol is set to TCP, the preceding protocols are supported. If Protocol is set to another value, you can select only ANY. Note: Cloud Firewall identifies applications based on packet characteristics, instead of port numbers. If Cloud Firewall fails to identify an application in a packet, it allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode. For more information, see Strict mode of the Internet firewall. |
| Policy Action | Specifies whether the Internet firewall allows or denies the traffic. Set this parameter in the following way: |
| Description | Enter a description to identify the policy. |
| Priority | The priority of a policy. Set this parameter in the following way: The default value is Lowest. |
Check whether access traffic hits a control policy
By default, an access control policy takes effect immediately after it is created. However, if the policy parameters are incorrectly configured or the Internet firewall is disabled, the policy does not take effect.
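
The parameter constraints described for the Create Inbound Policy dialog box, together with the Application note about unidentified packets, can be checked before a policy is submitted. The following linter is an added example, not Cloud Firewall code or part of the original documentation; the dict keys mirror the console labels, and the field layout, the `IP` value for Source Type, and the `strict_mode` flag are assumptions made for the illustration.

```python
import ipaddress

# Application values listed in the parameter table on this page.
APPLICATIONS = {"ANY", "HTTP", "HTTPS", "Memcache", "MongoDB", "MQTT", "MySQL",
                "RDP", "Redis", "SMTP", "SMTPS", "SSH", "VNC"}


def _is_single_cidr(value):
    """True if value parses as exactly one CIDR block (a bare IP counts as /32)."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint_policy(policy, strict_mode=False):
    """Return findings for one inbound policy, given as a dict keyed by the
    console labels (a hypothetical layout, not a Cloud Firewall API schema)."""
    findings = []
    if policy.get("Source Type") == "IP" and not _is_single_cidr(policy.get("Source", "")):
        findings.append("ERROR: Source must be exactly one CIDR block")
    if policy.get("Destination Type") == "IP" and not _is_single_cidr(policy.get("Destination", "")):
        findings.append("ERROR: Destination must be exactly one CIDR block")
    app = policy.get("Application", "ANY")
    if app not in APPLICATIONS:
        findings.append(f"ERROR: unknown Application {app!r}")
    elif app != "ANY" and policy.get("Protocol") != "TCP":
        findings.append("ERROR: only ANY is selectable unless Protocol is TCP")
    elif app != "ANY" and policy.get("Policy Action") == "Deny" and not strict_mode:
        # Identification is by packet characteristics and fails open.
        findings.append("WARN: packets whose application cannot be identified "
                        "are allowed unless strict mode is enabled")
    return findings


# Constructed sample policies for this example.
REGION_BLOCK = {"Source Type": "Region", "Source": "Regions Outside China",
                "Destination Type": "IP", "Destination": "0.0.0.0/0",
                "Protocol": "TCP", "Application": "ANY", "Policy Action": "Deny"}
SSH_DENY = {"Source Type": "IP", "Source": "203.0.113.0/24, 198.51.100.7/32",
            "Destination Type": "IP", "Destination": "192.0.2.10/32",
            "Protocol": "TCP", "Application": "SSH", "Policy Action": "Deny"}

if __name__ == "__main__":
    for name, pol in (("region-block", REGION_BLOCK), ("ssh-deny", SSH_DENY)):
        print(name, lint_policy(pol) or "OK")
```

The region-block policy from this topic passes cleanly, while the second sample is flagged for listing two CIDR blocks in Source and for relying on application identification without strict mode.
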
Modify an access control policy
After you create an access control policy, you can modify it based on your business requirements.
To modify an access control policy, find the access control policy on the Inbound Policies tab and click Modify in the Actions column. In the Modify Policy panel, modify the parameters of the access control policy.