
Cloud Firewall: Configure access control policies for an ECS Firewall

Last Updated: Jan 12, 2026

The ECS Firewall controls inbound and outbound traffic of your ECS instances to prevent unauthorized access. When you publish an access control policy, the firewall automatically synchronizes it with the corresponding ECS Security Group, where it takes effect.

How the ECS Firewall works

[Figure: How the ECS Firewall works]

Benefits of using ECS Firewall policies

Using ECS Firewall policies provides the following advantages over creating Security Group rules directly in the ECS console:

  • Publishing policies in a batch.

  • Automatically creating Security Groups when used with application groups.

  • Managing policies for all regions in the Cloud Firewall console without switching between regions.

By default, you can create a maximum of 500 Policy Groups, and each Policy Group can contain up to 500 policies. This limit includes policies created directly in the ECS Firewall and policies synchronized from ECS Security Groups. If these limits are insufficient, you can remove unnecessary policies. Alternatively, you can configure access control policies for the VPC border to reduce the need for ECS Firewall policies.

Policy Group types

Policy Groups are available in two types: Standard Policy Groups and Enterprise Policy Groups.

Use cases

  • A Standard Policy Group corresponds to a standard Security Group in ECS. It acts as a virtual firewall with Stateful Inspection and packet filtering capabilities to create security domains in the cloud. You can configure a Policy Group to allow or deny inbound and outbound traffic for the ECS instances within it. This type of policy group is suitable for scenarios that require a high degree of network control and a moderate number of network connections.

  • An Enterprise Policy Group corresponds to an enterprise Security Group in ECS. It is a new type of policy group that supports a significantly larger number of instances than a Standard Policy Group. It removes the limit on the number of Private IP addresses within a group and simplifies rule configuration for easier maintenance. This type is ideal for enterprise users who require large-scale deployments and high operational efficiency.

Differences

For a detailed comparison between standard and enterprise Security Groups, see Standard Security Groups and enterprise-level Security Groups.

Prerequisites

You must have an active Cloud Firewall Enterprise Edition or Ultimate Edition subscription. For more information, see Purchase Cloud Firewall.

Configure an access control policy

To configure an access control policy for an ECS Firewall, you first create a Policy Group, which includes default policies. Then, you configure inbound or outbound access control policies within that group. After you configure the group and its policies, you must publish the Policy Group to synchronize the policies to the associated ECS Security Group and activate them.

Step 1: Create a policy group

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Protection Configuration > Internal Border. Then, click Create Policy Group.

  3. In the Create Policy Group dialog box, configure the parameters for the policy group and click Confirm.

    Parameter

    Description

    Policy Group Type

    Select the type of the policy group:

    • Common Policy Group (the Standard Policy Group type described above)

    • Enterprise Policy Group

    Policy Group Name

    Enter a name for the policy group.

    A descriptive name helps with identification and management.

    VPC

    Select the Virtual Private Cloud (VPC) to which the policy group applies. Each policy group can be associated with only one VPC.

    Instance ID

    From the Instance ID drop-down list, select one or more ECS instances to which the policy group applies.

    Note

    The list contains only ECS instances within the selected VPC.

    Description

    Enter a brief description for the policy group.

    Template

    From the Template drop-down list, select a template to apply:

    • default-accept-login: Allows Inbound traffic on TCP port 22 and TCP port 3389, and allows all Outbound traffic.

    • default-accept-all: Allows all Inbound and Outbound traffic.

    • default-drop-all: Denies all Inbound and Outbound traffic.

      Note

      The default-drop-all option is not supported for Enterprise Policy Groups.

Step 2: Configure a policy

  1. On the Internal Border page, find the policy group and click Configure Policy in the Actions column.

  2. On the Inbound or Outbound tab, click Create Policy.

  3. In the Create Policy dialog box, configure the policy parameters and click Submit.

    Parameter

    Description

    NIC Type

    The default value is Internal Network. This setting applies to the inbound and outbound traffic of the ECS instance.

    Direction

    Select the direction in which the policy takes effect.

    • Inbound: Controls traffic from other ECS instances to the ECS instances associated with the policy group.

    • Outbound: Controls traffic from the ECS instances within the policy group to other ECS instances.

    Policy Type

    Select the policy action.

    • Allow: Permits the corresponding traffic.

    • Deny: Drops packets directly without sending any response. If two policies are identical except for the action, the Deny policy takes precedence over the Allow policy.

      Note

      The Deny option is not supported for Enterprise Policy Groups.

    Protocol Type

    Select the protocol type for the traffic.

    Select ANY if you are unsure of the protocol type.

    Port Range

    Enter the destination port range for the traffic.

    To specify a range, such as all ports from 1 to 200, enter 1/200. To specify a single port, such as port 80, enter 80/80.

    Priority

    A number from 1 to 100 that determines the policy's evaluation order. A smaller value indicates a higher priority.

    If policies share the same priority, a Deny policy takes precedence over an Allow policy.

    Source Type, Source

    Specify the source of the traffic. This parameter is required when Policy Direction is set to Inbound. You can select the source type and then specify the source object accordingly.

    • CIDR Block

      Enter a single source CIDR block.

    • Policy Group

      Select another policy group from the Source list. This controls traffic from all ECS instances in the selected source policy group.

      Note

      This option is not supported for Enterprise Policy Groups.

    • Prefix List

      Select a prefix list from the Source list. Cloud Firewall controls traffic from the IP addresses in the specified prefix list to the ECS instance. For more information about prefix lists, see Use prefix lists and port lists to efficiently manage security group rules.

    Destination

    Specify the destination of the traffic. This parameter is available when Policy Direction is set to Inbound. It allows you to specify a destination within the current policy group. The available destination types are:

    • All ECS Instances: All ECS instances associated with the current policy group.

    • CIDR Block: Enter the IP address of an ECS instance associated with the current policy group. Use CIDR notation. This controls inbound traffic for only the specified ECS instance.

    Select Source

    Specify the source of the traffic. This parameter is available when Policy Direction is set to Outbound. It allows you to specify a source within the current policy group. The available source types are:

    • All ECS Instances: All ECS instances associated with the current policy group.

    • CIDR Block: Enter a source IP address or CIDR block. This identifies the source ECS instances within the current policy group that match the specified address.

    Destination Type, Destination

    Specify the destination type and destination object. This parameter is required when Policy Direction is set to Outbound.

    The available destination types are:

    • CIDR Block

      Enter a single destination CIDR block.

    • Policy Group

      Select a policy group from the list. This controls traffic from the local host to all ECS instances in the destination policy group.

      Note

      This option is not supported for Enterprise Policy Groups.

    • Prefix List

      Select a prefix list from the list. This controls traffic to all ECS instances in the security group associated with the prefix list. For more information about prefix lists, see Use prefix lists and port lists to efficiently manage security group rules.

    Description

    Enter a description of the policy.

  4. After the policy group is created, you can view the new policy group in the policy group list on the ECS Firewall page.
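As an added example that is not part of this page or of the Cloud Firewall product, the following Python model captures the policy semantics described in Steps 1 and 2: the start/end port notation, the 1 to 100 priority scale with Deny winning ties, the Enterprise Policy Group restriction on Deny, and the rules the default-accept-login template stands for. The any-source CIDR for the template rules and the absence of an implicit default action when nothing matches are assumptions; the real evaluation happens in the ECS Security Group, not in this code.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Policy:
    direction: str   # "Inbound" or "Outbound"
    action: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "ANY"
    port_range: str  # console notation "start/end", e.g. "80/80" or "1/200"
    peer_cidr: str   # source CIDR (Inbound) or destination CIDR (Outbound)
    priority: int = 1  # 1 to 100; a smaller value is a higher priority

def parse_port_range(spec):
    """Parse the console's "start/end" notation; reject malformed or reversed ranges."""
    start, end = (int(part) for part in spec.split("/"))
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return start, end

def validate(policy, enterprise=False):
    """Reject values the Create Policy dialog would not accept; return True if valid."""
    if not 1 <= policy.priority <= 100:
        raise ValueError("priority must be between 1 and 100")
    if enterprise and policy.action == "Deny":
        raise ValueError("Deny is not supported for Enterprise Policy Groups")
    parse_port_range(policy.port_range)
    ipaddress.ip_network(policy.peer_cidr)  # must be a single CIDR block
    return True

def evaluate(policies, direction, protocol, port, peer_ip):
    """Action of the first matching policy, or None when no policy matches."""
    # Priority 1 is checked first; at equal priority Deny sorts before Allow.
    ordered = sorted(policies, key=lambda p: (p.priority, p.action != "Deny"))
    addr = ipaddress.ip_address(peer_ip)
    for p in ordered:
        lo, hi = parse_port_range(p.port_range)
        if (p.direction == direction and p.protocol in ("ANY", protocol)
                and lo <= port <= hi and addr in ipaddress.ip_network(p.peer_cidr)):
            return p.action
    return None

# Constructed sample: the policies the default-accept-login template stands for
# (an any-source CIDR is an assumption), plus a same-priority Deny for one subnet.
ACCEPT_LOGIN = [
    Policy("Inbound", "Allow", "TCP", "22/22", "0.0.0.0/0"),
    Policy("Inbound", "Allow", "TCP", "3389/3389", "0.0.0.0/0"),
    Policy("Outbound", "Allow", "ANY", "1/65535", "0.0.0.0/0"),
]
HARDENED = ACCEPT_LOGIN + [Policy("Inbound", "Deny", "TCP", "22/22", "10.0.9.0/24")]
```

Running evaluate(HARDENED, "Inbound", "TCP", 22, "10.0.9.5") returns "Deny" while the same request from 10.0.8.5 returns "Allow", which is the tie-breaking rule the Priority parameter describes.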

Step 3: Publish the policy group

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Protection Configuration > Internal Border. Find the policy group and click Publish Policy in the Actions column.

  3. In the Publish Policy dialog box, enter Update Remarks, confirm the Update Policy, and click OK.

    Policies take effect only after you publish the policy group. In the ECS console, navigate to the Security Group > Security Groups page to view the access control policies synchronized from Cloud Firewall. Security Groups created by Cloud Firewall are named Cloud_Firewall_Security_Group by default.

Synchronize Security Group policies

  • Manual Synchronization: On the Internal Border page, you can click Synchronize Security Group to import policies from ECS Security Groups into Cloud Firewall. The synchronization takes 2 to 3 minutes.

  • Automatic synchronization: Cloud Firewall automatically synchronizes policies from ECS Security Groups every two hours.

Related operations

From the list of policy groups on the ECS Firewall page, you can perform the following operations:

  • Edit: Modify the ECS instances and description of a policy group.

  • Delete: Delete a policy group.

    Warning

    Deleting a policy group permanently invalidates all policies within it. This action cannot be undone. While the record of the deleted group remains, you cannot perform any further operations on it.

    To find and remove policy groups that are no longer needed, filter the list by setting the source of the policy groups to Custom. This filters for all policy groups that were manually created in the Cloud Firewall console, allowing you to decide whether to keep them.