Internal firewalls can control inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies you configured and published for internal firewalls in the Cloud Firewall console are synchronized to ECS security groups.
Background information
- You can publish multiple policies at a time.
- If no policy is set to allow in a policy group, the ECS instances in the policy group cannot communicate with each other.
- Access control policies can be set to monitor mode.
- Cloud Firewall creates security groups based on application groups.
- You can manage access control policies in the Cloud Firewall console without the need to switch between different regions of ECS instances.
Policy group types
Policy groups are classified into common and enterprise policy groups. The following table describes the differences between the two policy group types.
Policy group type | Supported policy | Policy priority | Scenario |
---|---|---|---|
Common policy group | | The default priority is 1. You can change the priority. The priority ranges from 1 to 100. A smaller value indicates a higher priority. | Business that requires fine-grained network control on a moderate number of network connections. |
Enterprise policy group | | The priority is 1 and cannot be changed. | Business that requires efficient O&M. |
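To make the priority and default-deny behaviour above concrete, here is an illustrative model of how a policy group can be evaluated. It is an added example and not Cloud Firewall's own implementation; it assumes only what the page states (priorities 1 to 100 with a smaller number ranking first, an enterprise group fixed at priority 1, and a group with no matching allow policy blocking traffic between its instances) and it models monitor mode as log-only, which is an assumption of this example. The `Policy` and `PolicyGroup` names and the CIDR sample values are constructed for the example.

```python
"""Illustrative model of internal-firewall policy group evaluation (added example,
not Cloud Firewall's code). Assumptions: priority 1..100, smaller = higher;
enterprise groups fixed at priority 1; no matching allow => deny; monitor mode
records the verdict but lets the traffic pass."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    priority: int       # 1..100, smaller value is evaluated first
    source: str         # CIDR of the sending instances
    destination: str    # CIDR of the receiving instances
    port: int           # destination port, 0 = any port
    action: str         # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and self.port in (0, port))


class PolicyGroup:
    """Holds the policies of one group and enforces the priority rules from the table."""

    def __init__(self, kind: str, monitor: bool = False) -> None:
        if kind not in ("common", "enterprise"):
            raise ValueError("kind must be 'common' or 'enterprise'")
        self.kind = kind
        self.monitor = monitor          # monitor mode: log the verdict, do not enforce it
        self.policies: List[Policy] = []
        self.log: List[str] = []

    def add(self, policy: Policy) -> None:
        if policy.action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        if self.kind == "enterprise" and policy.priority != 1:
            raise ValueError("enterprise policy group priority is fixed at 1")
        if not 1 <= policy.priority <= 100:
            raise ValueError("priority must be between 1 and 100")
        self.policies.append(policy)

    def verdict(self, src: str, dst: str, port: int) -> Tuple[str, Optional[Policy]]:
        # Evaluate from the highest priority (smallest number); the first match wins.
        # sorted() is stable, so policies with equal priority keep insertion order.
        for policy in sorted(self.policies, key=lambda p: p.priority):
            if policy.matches(src, dst, port):
                return policy.action, policy
        return "deny", None             # nothing allowed the flow: instances cannot talk

    def decide(self, src: str, dst: str, port: int) -> str:
        action, matched = self.verdict(src, dst, port)
        if self.monitor:
            self.log.append(f"{src}->{dst}:{port} would be {action} ({matched})")
            return "allow"              # assumed monitor semantics: record only
        return action


if __name__ == "__main__":
    group = PolicyGroup("common")
    group.add(Policy(20, "10.0.1.0/24", "10.0.2.0/24", 0, "allow"))   # constructed sample
    group.add(Policy(10, "10.0.1.0/24", "10.0.2.0/24", 22, "deny"))   # constructed sample
    for port in (22, 443):
        print(port, group.decide("10.0.1.5", "10.0.2.7", port))
```

Running the script shows that the priority-10 deny wins over the priority-20 allow for port 22 while port 443 is allowed, and that an empty group, or a flow no policy covers, is denied. Because the real service publishes these policies into ECS security groups, the same ordering check is worth repeating against the synchronized security group rules after publishing.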
Create a policy group
Configure a policy in a policy group
Publish a policy in a policy group
Video tutorial on how to configure an internal firewall
References
Why does Cloud Firewall provide three types of firewalls?
What are the differences between Cloud Firewall and ECS security groups?