
Cloud Firewall:Configure access to a specific domain name

Last Updated:Apr 01, 2026

If you need fine-grained control over traffic from your private assets to the Internet, you can configure NAT firewall access control policies. These policies block unauthorized access to the Internet from your private assets to reduce risks such as the leakage of core business data. This tutorial shows how to configure an access control policy that allows a private instance to access only a specific domain name.

Scenario

This tutorial uses the following scenario: An ECS instance with the private IP address 10.10.XX.XX accesses the Internet through a NAT gateway. For security, you will configure a policy that allows the instance to access only the www.aliyun.com website.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Protection Configuration > Access Control > NAT Border.

  3. On the NAT Border page, select the NAT Gateway that you want to configure and click Create Policy.

    Cloud Firewall automatically syncs the NAT gateways that are associated with your Alibaba Cloud account. You can click the drop-down list to select the NAT Gateway that you want to configure.


  4. In the Create Policy - NAT Border panel, create two policies: a high-priority policy that allows the instance to access www.aliyun.com and a low-priority policy that denies the instance access to all other Internet destinations.

    1. Create a policy that allows the instance to access www.aliyun.com. Use the following key settings:

      • Source: 10.10.XX.XX/32

      • Destination Type: Domain Name

      • Destination: www.aliyun.com

      • Domain Name Identification Mode: FQDN-based Resolution (Extract Host or SNI Field in Packets)

      • Protocol Type: TCP

      • Port: 443/443

      • Application: HTTPS

      • Action: Allow

      • Priority: Highest

    2. Create a policy to deny the instance access to all public IP addresses. Use the following key settings:

      • Source: 10.10.XX.XX/32

      • Destination: 0.0.0.0/0, which represents all IP addresses

      • Protocol Type: ANY

      • Port: 0/0, which represents all ports

      • Application: ANY

      • Action: Deny

      • Priority: Lowest

    After configuring the policies, ensure the policy allowing access to www.aliyun.com has a higher priority than the policy denying access to all Internet destinations.
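The following is an added example, not code from the tutorial or from Cloud Firewall: a small Python model of the two policies above, evaluated highest priority first with first match winning. It shows why the allow policy must sit above the deny policy, and why a flow to www.aliyun.com on port 80 or to another SNI still hits the deny rule. The source IP 10.10.1.10 is a constructed stand-in for the page's 10.10.XX.XX, and the matching logic is an illustration of the described behaviour, not the product's own implementation.

```python
"""Constructed model of the two NAT Border policies from this tutorial, evaluated
top-down by priority with first match winning. Field values come from the page
(10.10.1.10 stands in for 10.10.XX.XX); the evaluator is an illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str                   # private IP of the ECS instance
    dst_ip: str                # public destination IP
    proto: str                 # "TCP", "UDP", ...
    port: int
    sni: Optional[str] = None  # Host/SNI field extracted from the packet, if any

@dataclass(frozen=True)
class Policy:
    name: str
    source: str          # source CIDR
    dest: str            # destination CIDR, or a domain name
    dest_is_domain: bool
    proto: str           # "TCP" or "ANY"
    port: tuple          # (low, high); (0, 0) means all ports
    action: str          # "Allow" or "Deny"

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.source):
            return False
        if self.dest_is_domain:
            # FQDN-based resolution: compare the Host/SNI field, not the IP.
            if f.sni is None or f.sni.lower() != self.dest.lower():
                return False
        elif ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dest):
            return False
        if self.proto != "ANY" and self.proto != f.proto:
            return False
        return self.port == (0, 0) or self.port[0] <= f.port <= self.port[1]

# Highest priority first, as the tutorial requires.
POLICIES = [
    Policy("allow-aliyun", "10.10.1.10/32", "www.aliyun.com", True, "TCP", (443, 443), "Allow"),
    Policy("deny-all", "10.10.1.10/32", "0.0.0.0/0", False, "ANY", (0, 0), "Deny"),
]

def evaluate(policies, flow):
    """Return (action, policy name) of the first matching policy, or ("no-hit", None)."""
    for p in policies:
        if p.matches(flow):
            return p.action, p.name
    return "no-hit", None
```

Reversing the list (deny first) makes even the HTTPS flow to www.aliyun.com hit the deny policy, which is the misordering the tutorial warns about.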

Next steps

After your service has been running for a period of time, you can view the hit count and last hit time of access control policies in the Hits / Last Hit At column of the access control policy list.

Click the hit count to view the traffic logs on the Traffic Logs page. For more information, see Log audit.
