Cloud Firewall uses internal firewalls to control inbound and outbound traffic between ECS instances. You can configure access control policies to restrict unauthorized access between ECS instances. The access control policies you configure and publish in the Cloud Firewall console are synchronized to ECS security groups.

Background information

Compared with creating security group rules for ECS instances, creating access control policies on an internal firewall has the following advantages:
  • You can publish multiple policies at a time.
  • You can create policy groups by using templates to allow or deny all traffic by default.
  • Cloud Firewall automatically creates security group rules based on application groups.

For more information about the differences between internal firewalls and ECS security groups, see Differences between Cloud Firewall and Security groups.

Before you configure access control policies on an internal firewall, you must create a policy group, which contains default access control policies. Then, you can configure fine-grained inbound and outbound access control policies in the policy group. After you configure access control policies in the policy group, you must publish the policies, so they can be synchronized to ECS security groups and take effect. The procedure is as follows:
  1. Create a policy group
  2. Create an access control policy
  3. Publish policies in a policy group

By default, you can create up to 100 policy groups and 100 policies in each group. The policies include both those synchronized from ECS security groups to Cloud Firewall and those created in the Cloud Firewall console. If you want to create more than 100 policies, delete unnecessary policies or submit a ticket.

Policy group types

Policy groups are classified into common and enterprise policy groups. The following table lists the differences between the two types of policy groups.

  Common policy group
    • Default policy
      Policy priority: determined by the policy group template.
      Inbound policy: allows or denies traffic based on the policy group template.
      Outbound policy: allows or denies traffic based on the policy group template.
    • Custom policy
      Policy priority: a value within the range of 1 to 100. A smaller value indicates a higher priority.
      Inbound policy: allows or denies traffic based on your business needs.
      Outbound policy: allows or denies traffic based on your business needs.
    Scenario: businesses that require fine-grained network control on a moderate number of network connections.
  Enterprise policy group
    • Default policy
      Policy priority: the value is 1 and cannot be changed.
      Inbound policy: allows traffic based on the policy group template.
      Outbound policy: allows traffic based on the policy group template.
    • Custom policy
      Policy priority: the value is 1 and cannot be changed.
      Inbound policy: allows traffic based on your business needs.
      Outbound policy: allows traffic based on your business needs.
    Scenario: businesses that require efficient O&M.

Create a policy group

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Security Policies > Access Control.
  3. On the Access Control page, click the Internal Firewall tab. Then, click Create Policy Group in the upper-right corner.
  4. In the Create Policy Group dialog box that appears, configure the policy group parameters.
    Policy Group Type: Valid values:
    • Common Policy Group: suitable for businesses that require fine-grained network control on a moderate number of network connections.
    • Enterprise Policy Group: suitable for businesses that require efficient O&M.
    Name: Enter a name that helps identify the policy group.
    VPC: Select the VPC to which you want to apply the policy group from the VPC drop-down list.
    Note A policy group can be applied to only one VPC.
    Instance ID: Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.
    Note The Instance ID drop-down list contains only ECS instances within the selected VPC.
    Description: Enter a description for the policy group.
    Template: Select a template from the Template drop-down list.
    • default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.
    • default-accept-all: allows all inbound and outbound traffic.
    • default-drop-all: denies all inbound and outbound traffic.
      Note Enterprise policy groups do not support the default-drop-all template.
  5. Click Submit.
    The created policy group is displayed on the Internal Firewall tab. You can perform the following operations on the policy group:
    • Configure Policy: Configure fine-grained access control policies in the policy group.
    • Publish: Synchronize the access control policies in the policy group to ECS security groups.
    • Modify: Change the ECS instances to which the policy group is applied and modify the group description.
    • Delete: Delete the policy group.
      Warning After you delete a policy group, its access control policies are also deleted. Exercise caution when you perform this operation.
      If you want to delete policy groups that are no longer needed, set the source to Custom and click Search to view all custom policy groups and determine whether to delete them.

Create an access control policy

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Security Policies > Access Control.
  3. On the Access Control page, click the Internal Firewall tab, find the target policy group, and click Configure Policy in the Actions column.
  4. On the Policies page, click Create Policy.
  5. In the Create Policy dialog box that appears, configure the policy parameters.
    Network Type: The default value is Internal and cannot be changed. This value indicates that the policy is applied to an internal network.
    Direction: Valid values:
    • Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.
    • Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.
    Policy Type: Valid values:
    • Allow: allows traffic that matches the policy.
    • Deny: denies traffic that matches the policy. Denied packets are discarded without a response. If two policies have the same configuration but different policy types, the deny policy takes effect and the allow policy does not.
      Note Enterprise policy groups do not support the Deny policy type.
    Protocol Type: Select the traffic protocol from the Protocol Type drop-down list.
    • TCP
    • UDP
    • ICMP
    • ANY (select ANY if you do not know which protocol is used)
    Port Range: The destination port range of the traffic controlled by the policy, for example, 22/22.
    Priority: Enter the priority of the policy. The priority must be an integer within the range of 1 to 100. A smaller value indicates a higher priority.
      Different policies can have the same priority. If an allow policy and a deny policy have the same priority, the deny policy takes precedence.
      Note The priorities of policies in an enterprise policy group are fixed to 1 and cannot be changed. The value 1 indicates the highest priority.
    Source Type and Source (inbound policies): Configure the source type and source of the traffic. Valid source types:
    • CIDR Block: You can enter only one CIDR block as the traffic source.
    • Policy Group: Select a policy group. All ECS instances in the policy group are the traffic sources.
      Note Enterprise policy groups do not support the Policy Group option.
    Destination (inbound policies): Select the destination of the traffic.
    • All ECS Instances: All ECS instances under your Alibaba Cloud account are the traffic destinations.
    • CIDR Block: Enter a destination CIDR block.
    Select Source (outbound policies): Select the source of the traffic.
    • CIDR Block: Enter a source CIDR block.
    • All ECS Instances: All ECS instances under your Alibaba Cloud account are the traffic sources.
    Destination Type and Destination (outbound policies): Configure the destination type and destination of the traffic. Valid destination types:
    • CIDR Block: You can enter only one CIDR block as the traffic destination.
    • Policy Group: Select a policy group. All ECS instances in the policy group are the traffic destinations.
      Note Enterprise policy groups do not support the Policy Group option.
    Description: Enter a description for the policy.
  6. Click Submit.
    The created policy is displayed in the policy list. You can edit or delete policies in the list.
    Warning After you delete a policy, its access control configuration becomes invalid. Exercise caution when you delete a policy. A deleted policy is retained in the list, but you cannot perform operations on it.
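The evaluation order that the parameter descriptions above imply (custom policies by ascending priority value, deny before allow on a tie, then the policy group template's default) as an added Python illustration; this is not Cloud Firewall's own code, and the Policy fields, the TEMPLATES table, and the assumption that Port Range is checked only for TCP and UDP are mine.

```python
import ipaddress
from dataclasses import dataclass

# Default inbound/outbound behaviour of each policy group template named on this page.
# A set lists the (protocol, port) pairs the template allows inbound (assumed encoding).
TEMPLATES = {
    "default-accept-login": {"inbound": {("TCP", 22), ("TCP", 3389)}, "outbound": "allow"},
    "default-accept-all": {"inbound": "allow", "outbound": "allow"},
    "default-drop-all": {"inbound": "deny", "outbound": "deny"},
}

@dataclass(frozen=True)
class Policy:                 # hypothetical model of one custom access control policy
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    protocol: str    # "TCP", "UDP", "ICMP" or "ANY"
    port_range: str  # destination port range such as "22/22" (assumed: checked for TCP/UDP only)
    peer_cidr: str   # source CIDR for inbound, destination CIDR for outbound
    priority: int    # 1 to 100, smaller value = higher priority

def validate(p: Policy, group_type: str) -> None:
    """Reject settings the page says are invalid for the given policy group type."""
    if not 1 <= p.priority <= 100:
        raise ValueError("priority must be an integer from 1 to 100")
    if group_type == "enterprise" and p.action == "deny":
        raise ValueError("enterprise policy groups do not support the Deny policy type")
    if group_type == "enterprise" and p.priority != 1:
        raise ValueError("priorities in an enterprise policy group are fixed to 1")

def matches(p: Policy, direction: str, proto: str, port: int, peer_ip: str) -> bool:
    if p.direction != direction or (p.protocol != "ANY" and p.protocol != proto):
        return False
    if p.protocol in ("TCP", "UDP"):
        lo, hi = (int(x) for x in p.port_range.split("/"))
        if not lo <= port <= hi:
            return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(p.peer_cidr, strict=False)

def evaluate(policies, template: str, direction: str, proto: str, port: int, peer_ip: str) -> str:
    """Return "allow" or "deny" for one flow: custom policies first, then the template default."""
    # Lower priority value is evaluated first; on a tie the deny policy wins, as the page states.
    for p in sorted(policies, key=lambda p: (p.priority, p.action != "deny")):
        if matches(p, direction, proto, port, peer_ip):
            return p.action
    default = TEMPLATES[template][direction]
    if isinstance(default, set):
        return "allow" if (proto, port) in default else "deny"
    return default
```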

Publish policies in a policy group

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Security Policies > Access Control.
  3. On the Access Control page, click the Internal Firewall tab, find the target policy group, and click Publish in the Actions column.
  4. In the Publish Policy dialog box that appears, confirm the content of the policies, enter remarks, and click OK.
    The policies take effect on ECS security groups after you publish them. You can log on to the ECS console and navigate to Network & Security > Security Groups to view the policies you have published in the Cloud Firewall console. The default policy name is Cloud_Firewall_Security_Group.