All Products
Search
Document Center

Cloud Firewall:Configure access to a specific domain name

Last Updated:Jun 17, 2026

Configure a NAT Firewall access control policy to restrict a private instance's outbound traffic to a specific domain name, reducing the risk of unauthorized internet access and data leakage.

Scenario

This tutorial uses the following scenario: An ECS instance with the private IP address 10.10.XX.XX accesses the Internet through a nat gateway. For security, you will configure a policy that allows the instance to access only the www.aliyun.com website.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, select Prevention Configuration > Access Control > Policy Configuration > NAT Border.

  3. On the NAT Border page, select the NAT gateway to configure, and Click Create Policy.

    Cloud Firewall automatically synchronizes the NAT gateways associated with your current account, You can select the NAT gateway to configure from the drop-down list.

    image..png

  4. In the Create Policy - NAT Border panel, create two policies: a high-priority policy that allows the instance to access www.aliyun.com and a low-priority policy that denies the instance from accessing all other Internet destinations.

    1. Create a policy that allows the instance to access www.aliyun.com. Use the following key settings:

      • Source: 10.10.XX.XX/32

      • Destination Type: Domain Name

      • Destination: www.aliyun.com

      • Domain Name Identification Mode: FQDN-based Resolution (Extract Host or SNI Field in Packets)

      • Protocol Type: TCP

      • Port: 443/443

      • Application: HTTPS

      • Action: Allow

      • Priority: Highest

    2. Create a policy to deny the instance access to all public IP addresses. Use the following key settings:

      • Source: 10.10.XX.XX/32

      • Destination: 0.0.0.0/0, which represents all IP addresses

      • Protocol Type: ANY

      • Port: 0/0, which represents all ports

      • Application: ANY

      • Action: Deny

      • Priority: Lowest

    After configuring the policies, ensure the policy allowing access to www.aliyun.com has a higher priority than the policy denying access to all Internet destinations.

Next steps

After your business has been running for a period, you can view the hit count of access control policies in the Hits/Last Hit At column in the access control policy list.

Click the hit count to go to the Traffic Logs page to view traffic logs. For information about how to view traffic logs, see Traffic Logs.

image.png

Related documentation