If you want to manage traffic from internal-facing assets to the Internet in a fine-grained manner, you can configure access control policies for NAT firewalls to block unauthorized access from the internal-facing assets to the Internet. This helps reduce risks such as data leaks in your core business. This topic describes how to configure access control policies for a NAT firewall to allow traffic from an internal-facing asset only to a specific website.
Example scenario
In this example, your asset is an internal-facing Elastic Compute Service (ECS) instance whose private IP address is 10.10.XX.XX. The ECS instance accesses the Internet over an Internet-facing NAT gateway. To ensure the security of the ECS instance, you must configure access control policies to allow traffic from the ECS instance only to the website www.aliyun.com.
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the NAT Border page, find the NAT gateway for which you want to create an access control policy and click Create Policy.
The NAT gateways within the current Alibaba Cloud account are automatically synchronized to Cloud Firewall.
In the Create Policy - NAT Border panel, configure two access control policies: one that allows traffic from the ECS instance to www.aliyun.com and has the highest priority, and one that denies traffic from the ECS instance to all public IP addresses and has the lowest priority.
Configure the access control policy that allows traffic from the ECS instance to www.aliyun.com. The following list describes the parameters:
Source: Enter 10.10.X.X/32.
Destination Type: Select Domain Name.
Destination: Enter www.aliyun.com.
Domain Name Identification Mode: Select FQDN-based Resolution (Extract Host or SNI Field in Packets).
Protocol Type: Select TCP.
Port: Enter 443/443.
Application: Select HTTPS.
Action: Select Allow.
Priority: Select Highest.
Configure the access control policy to deny traffic from the ECS instance to all public IP addresses. The following list describes the parameters:
Source: Enter 10.10.X.X/32.
Destination: Enter 0.0.0.0/0, which matches all destination IP addresses.
Protocol Type: Select ANY.
Port: Enter 0/0, which matches all destination ports.
Application: Select ANY.
Action: Select Deny.
Priority: Select Lowest.
After you create the access control policies, make sure that the priority of the policy that allows traffic from the ECS instance to www.aliyun.com is higher than the priority of the policy that denies traffic from the ECS instance to all public IP addresses. Policies are matched in priority order, so if the deny policy is evaluated first it also blocks the traffic to www.aliyun.com that you intended to allow.
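To see how the two policies interact, the following Python simulation (an added example, not Cloud Firewall code) orders the policies by priority and applies the first match, mirroring the console fields above. The ECS address 10.10.1.5, the destination IPs from documentation ranges, and the "allow when nothing matches" fallback are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

def parse_port_range(text):
    # Console port field is "low/high"; "0/0" means all ports
    return tuple(int(x) for x in text.split("/"))

@dataclass
class NatPolicy:
    name: str
    source: str        # source CIDR, e.g. "10.10.1.5/32"
    destination: str   # destination CIDR, or a domain name (FQDN mode)
    protocol: str      # "TCP", "UDP" or "ANY"
    ports: str         # "443/443" or "0/0"
    action: str        # "Allow" or "Deny"
    priority: int      # 1 = highest; policies are checked in ascending order

    def matches(self, src_ip, dst_ip, host, proto, port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        try:
            net = ipaddress.ip_network(self.destination)
        except ValueError:  # not a CIDR: FQDN mode, compare the Host/SNI field
            if host != self.destination:
                return False
        else:
            if ipaddress.ip_address(dst_ip) not in net:
                return False
        if self.protocol != "ANY" and self.protocol != proto:
            return False
        lo, hi = parse_port_range(self.ports)
        return (lo, hi) == (0, 0) or lo <= port <= hi

def evaluate(policies, flow):
    # First matching policy in priority order decides the action
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(**flow):
            return p.action, p.name
    return "Allow", "no-match"  # assumption: unmatched traffic passes

ECS = "10.10.1.5"  # constructed stand-in for the masked 10.10.X.X address
ALLOW_ALIYUN = NatPolicy("allow-aliyun", f"{ECS}/32", "www.aliyun.com", "TCP", "443/443", "Allow", 1)
DENY_ALL = NatPolicy("deny-all", f"{ECS}/32", "0.0.0.0/0", "ANY", "0/0", "Deny", 2)

def check_scenario(policies):
    # Three constructed flows; destination IPs are documentation ranges
    flows = {
        "aliyun_https": dict(src_ip=ECS, dst_ip="203.0.113.10", host="www.aliyun.com", proto="TCP", port=443),
        "other_https": dict(src_ip=ECS, dst_ip="198.51.100.7", host="example.net", proto="TCP", port=443),
        "aliyun_dns": dict(src_ip=ECS, dst_ip="203.0.113.10", host="www.aliyun.com", proto="UDP", port=53),
    }
    return {name: evaluate(policies, f)[0] for name, f in flows.items()}
```

Swapping the two priority values makes the deny policy shadow the allow policy, which is the misconfiguration the previous step warns about.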
What to do next
After your service runs for a period of time, you can view the hit details about an access control policy in the Hits/Last Hit At column in the list of access control policies.
You can click the number of hits to go to the Log Audit page to view traffic logs. For more information, see Log audit.
References
For more information, see Create an access control policy for a NAT firewall.
For more information, see Configure access control policies.
For more information about how to configure and use access control policies, see FAQ about access control policies.