Configure a NAT Firewall access control policy to restrict a private instance's outbound traffic to a specific domain name, reducing the risk of unauthorized internet access and data leakage.
Scenario
This tutorial uses the following scenario: An ECS instance with the private IP address 10.10.XX.XX accesses the Internet through a nat gateway. For security, you will configure a policy that allows the instance to access only the www.aliyun.com website.
Procedure
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, select .
-
On the NAT Border page, select the NAT gateway to configure, and Click Create Policy.
Cloud Firewall automatically synchronizes the NAT gateways associated with your current account, You can select the NAT gateway to configure from the drop-down list.

-
In the Create Policy - NAT Border panel, create two policies: a high-priority policy that allows the instance to access www.aliyun.com and a low-priority policy that denies the instance from accessing all other Internet destinations.
-
Create a policy that allows the
instanceto access www.aliyun.com. Use the following key settings:-
Source: 10.10.XX.XX/32
-
Destination Type: Domain Name
-
Destination: www.aliyun.com
-
Domain Name Identification Mode: FQDN-based Resolution (Extract Host or SNI Field in Packets)
-
Protocol Type: TCP
-
Port: 443/443
-
Application: HTTPS
-
Action: Allow
-
Priority: Highest
-
-
Create a policy to deny the
instanceaccess to all public IP addresses. Use the following key settings:-
Source: 10.10.XX.XX/32
-
Destination: 0.0.0.0/0, which represents all IP addresses
-
Protocol Type: ANY
-
Port: 0/0, which represents all ports
-
Application: ANY
-
Action: Deny
-
Priority: Lowest
-
After configuring the policies, ensure the policy allowing access to www.aliyun.com has a higher priority than the policy denying access to all Internet destinations.
-
Next steps
After your business has been running for a period, you can view the hit count of access control policies in the Hits/Last Hit At column in the access control policy list.
Click the hit count to go to the Traffic Logs page to view traffic logs. For information about how to view traffic logs, see Traffic Logs.

Related documentation
-
For detailed instructions on configuring
access control policiesfor anat firewall, see Configure NAT Border Access Control Policies. -
For more principles and examples of configuring
access control policies, see Access control policy configuration examples. -
For more information about configuring and using
access control policies, see FAQ about access control policies.