
Cloud Firewall: Create an access control policy for an internal firewall to control the traffic of ECS instances

Last Updated:Apr 12, 2024

An internal firewall can control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized with ECS security groups. This topic describes how to create an access control policy for an internal firewall.

[Figure: diagram of an internal firewall controlling traffic between ECS instances; image not included on this page]

Benefits

Access control policies for internal firewalls offer the following advantages over ECS security group rules:

  • You can publish multiple policies at a time.

  • Cloud Firewall creates security groups based on application groups.

  • You can manage access control policies in the Cloud Firewall console without the need to switch between different regions of ECS instances.

By default, you can create up to 500 policy groups and 500 policies in each group. The policies include those synchronized from ECS security groups to Cloud Firewall and those created in the Cloud Firewall console. If you require more policies, we recommend that you delete unnecessary policies or configure access control policies for virtual private cloud (VPC) firewalls.

Policy group types

Policy groups are classified into common policy groups and enterprise policy groups.

Scenarios

  • A common policy group corresponds to a basic security group of ECS instances and functions as a virtual firewall that provides stateful packet inspection (SPI) and packet filtering. You can use a common policy group to isolate security domains in the cloud, and configure it to allow or block inbound and outbound traffic between the ECS instances in the group. A common policy group suits workloads that need fine-grained network control over a moderate number of network connections.

  • An enterprise policy group corresponds to an advanced security group of ECS instances and supports more ECS instances than a common policy group. You can configure access control policies for an unlimited number of private IP addresses. Enterprise policy groups are best suited to enterprises that require efficient O&M on large-scale networks.

Differences

For more information about the differences between basic and advanced security groups, see Basic security groups and advanced security groups.

Prerequisites

Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.

Configure an access control policy for an internal firewall

Before you configure access control policies for an internal firewall, you must create a policy group that contains default access control policies. Then, you can configure inbound and outbound access control policies in the policy group. After you configure access control policies in the policy group, you must publish the policies. This way, the policies can be synchronized to ECS security groups and take effect.

Step 1: Create a policy group

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internal Border.

  2. On the Internal Border page, click Create Policy Group.

  3. In the Create Policy Group dialog box, configure the following parameters and click Confirm.

    Parameter

    Description

    Policy Group Type

    Select a type for the policy group. Valid values:

    • Common Policy Group

    • Enterprise Policy Group

    Policy Group Name

    Enter a name for the policy group.

    We recommend that you enter an informative name for easy identification.

    VPC

    Select a VPC to which you want to apply the policy group from the VPC drop-down list. A policy group can be applied to only one VPC.

    Instance ID

    Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.

    Note

    The Instance ID drop-down list contains only ECS instances within the selected VPC.

    Description

    Enter a description for the policy group.

    Template

    Select a template that you want to use from the Template drop-down list.

    • default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.

    • default-accept-all: allows all inbound and outbound traffic.

    • default-drop-all: denies all inbound and outbound traffic.

      Note

      Enterprise policy groups do not support the default-drop-all template.

Step 2: Create a policy in the policy group

  1. On the Internal Border page, find the policy group that you want to manage and click Configure Policy in the Actions column.

  2. On the Inbound or Outbound tab, click Create Policy.

  3. In the Create Policy dialog box, configure the following parameters and click Submit.

    Parameter

    Description

    NIC Type

    The default value is Internal Network. This value specifies that the policy controls the inbound and outbound traffic of ECS instances.

    Direction

    The direction of traffic to which you want to apply the policy. Valid values:

    • Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.

    • Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.

    Policy Type

    The type of the policy. Valid values:

    • Allow: allows the traffic that matches the policy.

    • Deny: denies the traffic that matches the policy. Denied packets are dropped silently, without a response to the sender. If two policies have the same configuration but different policy types, the Deny policy takes effect.

      Note

      Enterprise policy groups do not support the Deny policy type.

    Protocol Type

    The protocol type of traffic to which you want to apply the policy.

    If you select ANY, the policy is applied to all traffic. If you do not know the protocol type, select ANY.

    Port Range

    The destination port range of traffic to which you want to apply the policy.

    If you enter a port range, the policy takes effect on all ports within the range. For example, if you enter 1/200, the policy takes effect on ports 1 to 200. If you enter a single port, the policy takes effect only on that port. For example, if you enter 80/80, the policy takes effect on port 80.

    Priority

    The priority of the policy. The priority must be an integer within the range of 1 to 100. A smaller value indicates a higher priority.

    Different policies can have the same priority. If an Allow policy and a Deny policy have the same priority, the Deny policy takes precedence.

    Source Type and Source

    The source of traffic. If you set Direction to Inbound, you must configure these parameters. You can configure Source based on the value of Source Type.

    • CIDR Block

      If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Then, Cloud Firewall controls the traffic of all ECS instances in the security groups with which the prefix list is associated. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

    Destination

    The destination of traffic. If you set Direction to Inbound, you must configure this parameter. Valid values:

    • All ECS Instances: all ECS instances specified in the current policy group.

    • CIDR Block: If you select this option, you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of traffic. Cloud Firewall controls only the inbound traffic of ECS instances that correspond to the CIDR block.

    Select Source

    The type of the traffic source. If you set Direction to Outbound, you must configure this parameter. Valid values:

    • All ECS Instances: all ECS instances specified in the current policy group.

    • CIDR Block: If you select this option, you must enter a source IP address or CIDR block. The ECS instances that correspond to the IP address or CIDR block are the source of traffic.

    Destination Type and Destination

    The type of the traffic destination and the destination addresses. If you set Direction to Outbound, you must configure these parameters.

    Valid destination types:

    • CIDR Block

      If you select this type, you must enter a destination CIDR block. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group. Traffic destined for all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

    Description

    The description of the policy.

  4. Wait until the policy is created. Then, you can view the policy in the policy list of the internal firewall.
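The matching rules that the parameters above describe (priority 1 to 100 with a smaller value winning, Deny beating Allow at equal priority, Port Range written as start/end, Source and Destination given as a single CIDR block, and the Enterprise-group restriction on Deny) can be modelled in a few lines. The following is an added example that is not part of this topic or of Cloud Firewall's code: it is a stand-alone simulation of the documented semantics that you can run against constructed sample policies to sanity-check a rule set before publishing it. The Policy class, the validate_policy and evaluate helpers, the use of 0.0.0.0/0 to stand in for All ECS Instances, and all IP addresses and policies are assumptions constructed for the example.

```python
"""Added illustration of the internal-firewall policy semantics described on
this page. Not Cloud Firewall's implementation; a model of the documented rules."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Policy:
    direction: str     # "Inbound" or "Outbound"
    action: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "ANY"
    port_range: str    # page notation: "80/80" for one port, "1/200" for a range
    source: str        # one CIDR block, e.g. "10.0.1.0/24"
    destination: str   # one CIDR block; "0.0.0.0/0" stands in for All ECS Instances here
    priority: int      # 1 (highest) to 100 (lowest)


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse the page's start/end notation and reject malformed values."""
    try:
        start, end = (int(part) for part in text.split("/"))
    except ValueError as exc:
        raise ValueError(f"port range must look like 80/80 or 1/200: {text!r}") from exc
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"ports must satisfy 1 <= start <= end <= 65535: {text!r}")
    return start, end


def validate_policy(policy: Policy, group_type: str) -> list[str]:
    """Return the constraints stated on the page that this policy violates."""
    problems = []
    if not 1 <= policy.priority <= 100:
        problems.append("priority must be an integer from 1 to 100")
    if policy.action not in ("Allow", "Deny"):
        problems.append("policy type must be Allow or Deny")
    if group_type == "Enterprise" and policy.action == "Deny":
        problems.append("enterprise policy groups do not support Deny")
    try:
        parse_port_range(policy.port_range)
    except ValueError as exc:
        problems.append(str(exc))
    for label, cidr in (("source", policy.source), ("destination", policy.destination)):
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"{label} must be a single CIDR block, got {cidr!r}")
    return problems


def matches(policy: Policy, flow: dict) -> bool:
    """True if a flow (direction, protocol, port, src, dst) hits the policy."""
    if policy.direction != flow["direction"]:
        return False
    if policy.protocol != "ANY" and policy.protocol != flow["protocol"]:
        return False
    if flow["protocol"] in ("TCP", "UDP"):  # only TCP/UDP flows carry a destination port
        start, end = parse_port_range(policy.port_range)
        if not start <= flow["port"] <= end:
            return False
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return (src in ipaddress.ip_network(policy.source, strict=False)
            and dst in ipaddress.ip_network(policy.destination, strict=False))


def evaluate(policies: list[Policy], flow: dict):
    """Pick the winning policy: lowest priority number first, Deny before Allow on a tie.
    Returns "Allow", "Deny", or None when nothing matches (the page does not state the
    default for unmatched traffic, so the caller decides what None means)."""
    hits = [p for p in policies if matches(p, flow)]
    if not hits:
        return None
    winner = min(hits, key=lambda p: (p.priority, 0 if p.action == "Deny" else 1))
    return winner.action


# Constructed sample: an inbound rule set for a group whose instances sit in 10.0.2.0/24.
SAMPLE_POLICIES = [
    Policy("Inbound", "Allow", "TCP", "22/22", "10.0.1.0/24", "10.0.2.0/24", 10),
    Policy("Inbound", "Deny", "TCP", "22/22", "10.0.1.0/24", "10.0.2.0/24", 10),  # same priority: Deny wins
    Policy("Inbound", "Allow", "TCP", "8000/8999", "10.0.1.0/24", "10.0.2.0/24", 20),
    Policy("Inbound", "Deny", "ANY", "1/65535", "0.0.0.0/0", "10.0.2.0/24", 50),  # catch-all at low priority
]
SSH_FLOW = {"direction": "Inbound", "protocol": "TCP", "port": 22, "src": "10.0.1.15", "dst": "10.0.2.7"}
APP_FLOW = {"direction": "Inbound", "protocol": "TCP", "port": 8080, "src": "10.0.1.15", "dst": "10.0.2.7"}
OUTSIDER = {"direction": "Inbound", "protocol": "TCP", "port": 8080, "src": "10.0.9.1", "dst": "10.0.2.7"}

if __name__ == "__main__":
    for name, flow in (("ssh", SSH_FLOW), ("app", APP_FLOW), ("outsider", OUTSIDER)):
        print(name, evaluate(SAMPLE_POLICIES, flow))
    print(validate_policy(SAMPLE_POLICIES[1], "Enterprise"))
```

Running the sample shows the tie-break in action: the SSH flow hits both priority-10 policies and is denied, the application flow is allowed by the priority-20 policy before the priority-50 catch-all is considered, and the outsider only hits the catch-all. validate_policy flags the Deny rule when the group type is Enterprise, which is the case the page's Note calls out.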

Step 3: Publish the policy in the policy group

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internal Border.

  2. On the Internal Border page, find the policy group whose policy you want to publish and click Publish in the Actions column.

  3. In the Publish Policy dialog box, configure Remarks, confirm the policy changes, and then click OK.

    The policies are synchronized to ECS security groups and take effect only after you publish them. To view the published policies, log on to the ECS console and choose Network & Security > Security Groups. The security group that Cloud Firewall creates in ECS is named Cloud_Firewall_Security_Group by default.

Synchronize ECS security group rules

  • Manual synchronization: On the Internal Border page, click Synchronize Security Group to synchronize the security group rules from ECS to Cloud Firewall. The process requires 2 to 3 minutes to complete.

  • Automatic synchronization: Cloud Firewall automatically synchronizes the information about ECS security group rules every 2 hours.

What to do next

You can perform the following operations on the policy group:

  • Edit: Change the ECS instances specified in the policy group and modify the policy group description.

  • Delete: Delete the policy group.

    Warning

    After you delete a policy group, its access control policies become invalid. Proceed with caution. A deleted policy group is retained in the list, but you can no longer perform operations on it.

    If you want to delete policy groups that are no longer required, you can set the policy group source to Custom to query all custom policy groups and determine whether to delete them.