This topic provides common configuration examples for creating access control policies for an internet firewall, VPC firewall, and internal firewall.
Internet firewall policy examples
The inbound and outbound traffic in Cloud Firewall is internet-facing traffic, which is also known as north-south traffic. You can use the access control feature of Cloud Firewall to customize access control policies for north-south traffic. This allows you to implement fine-grained control over access traffic and protect your network security. For more information about the parameters of internet firewall policies, see Configure access control policies for an internet firewall.
Allow inbound public traffic to a specific port
Example: An ECS instance has the private IP address 10.1.XX.XX and is associated with an elastic IP address (EIP) of 200.2.XX.XX/32. This example shows how to configure a policy that allows all inbound internet traffic (from 0.0.0.0/0) to access only TCP port 80 of the instance.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, on the Create Policy tab, configure the following policies.
Configure a policy to allow public traffic to TCP port 80 of the instance, and then click OK.
The key parameters are described in the following table.
Parameter | Description | Example value
Source Type, Source | The source of the network traffic. You must select a source type and enter the corresponding source address. | Source Type: IP; Source: 0.0.0.0/0 (Note: 0.0.0.0/0 represents all public IP addresses.)
Destination Type, Destination | The destination of the network traffic. You must select a destination type and enter the corresponding destination address. | Destination Type: IP; Destination: 200.2.XX.XX/32
Protocol Type | The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you are unsure of the specific protocol, select ANY. | TCP
Port Type, Port | The destination port type and destination port. | Port Type: Port; Port: 80/80
Application | The application type of the traffic. | ANY
Action | The action to take on traffic that matches the policy. | Allow
Priority | The priority of the policy. The default value is Lowest, which indicates the lowest priority. | Highest
Status | Set whether to enable the policy. If you do not enable the policy when you create it, you can enable it in the policy list. | Enabled
Configure a policy to deny all public traffic to all instances, and then click OK.
Create the Deny policy with the following key parameters:
Destination: 0.0.0.0/0 (Note: 0.0.0.0/0 represents the IP addresses of all instances.)
Protocol Type: ANY
Port: 0/0 (Note: 0/0 represents all ports of the instance.)
Application: ANY
Action: Deny
Priority: Lowest
After the configuration is complete, confirm that the policy that allows inbound traffic to TCP port 80 of the host has a higher priority than the policy that denies all inbound traffic to the host. Policies are matched in priority order, so if the Deny policy were evaluated first it would also catch port 80 traffic and the Allow policy would never take effect.
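To make the priority check concrete, the following added Python example (not code from the original page or from Cloud Firewall itself) simulates how an ordered inbound policy list is matched: each flow is tested against the policies from highest to lowest priority, and the first match decides. The addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders standing in for the EIP 200.2.XX.XX and an arbitrary internet client, and the first-match semantics, the field names and the numeric priority scale are assumptions modelled on the table above.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    """One inbound policy with the fields from the table above (assumed model)."""
    name: str
    source: str        # CIDR block; 0.0.0.0/0 means all public IP addresses
    destination: str   # CIDR block; 0.0.0.0/0 means all instances
    proto: str         # "TCP", "UDP", "ICMP" or "ANY"
    port: str          # "low/high"; "0/0" means all ports
    action: str        # "Allow" or "Deny"
    priority: int      # evaluation order: 1 is evaluated first ("Highest")


@dataclass(frozen=True)
class Flow:
    """A single inbound connection attempt seen by the internet firewall."""
    src: str
    dst: str
    proto: str
    dport: int


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_matches(port_spec: str, dport: int) -> bool:
    low, high = (int(x) for x in port_spec.split("/"))
    return (low, high) == (0, 0) or low <= dport <= high


def policy_matches(p: Policy, f: Flow) -> bool:
    return (_in_cidr(f.src, p.source)
            and _in_cidr(f.dst, p.destination)
            and (p.proto == "ANY" or p.proto == f.proto)
            and _port_matches(p.port, f.dport))


def evaluate(policies, flow):
    """Walk the policies from highest to lowest priority; the first match decides.
    Returns (action, policy name), or ("NoMatch", None) if no policy applied."""
    for p in sorted(policies, key=lambda pol: pol.priority):
        if policy_matches(p, flow):
            return p.action, p.name
    return "NoMatch", None


def allow_precedes_deny(policies, allow_name: str, deny_name: str) -> bool:
    """The check from the text: the targeted Allow must sit above the Deny-all."""
    by_name = {p.name: p for p in policies}
    return by_name[allow_name].priority < by_name[deny_name].priority


# Constructed sample: 203.0.113.10 stands in for the EIP 200.2.XX.XX of the text.
ALLOW_WEB = Policy("allow-web-80", "0.0.0.0/0", "203.0.113.10/32", "TCP", "80/80", "Allow", 1)
DENY_ALL = Policy("deny-all-inbound", "0.0.0.0/0", "0.0.0.0/0", "ANY", "0/0", "Deny", 100)
INBOUND_POLICIES = [ALLOW_WEB, DENY_ALL]

# The same two policies with the priorities swapped: the Deny-all now shadows the Allow.
MISORDERED = [replace(ALLOW_WEB, priority=100), replace(DENY_ALL, priority=1)]

if __name__ == "__main__":
    client = "198.51.100.7"   # constructed internet client address
    for flow in (Flow(client, "203.0.113.10", "TCP", 80),
                 Flow(client, "203.0.113.10", "TCP", 22),
                 Flow(client, "203.0.113.10", "UDP", 80)):
        print(flow.proto, flow.dport, "->", evaluate(INBOUND_POLICIES, flow))
    print("ordering ok:", allow_precedes_deny(INBOUND_POLICIES, "allow-web-80", "deny-all-inbound"))
    print("misordered:", evaluate(MISORDERED, Flow(client, "203.0.113.10", "TCP", 80)))
```

With the intended order, TCP port 80 is allowed while TCP port 22 and UDP port 80 fall through to the Deny-all policy; with the priorities swapped, even port 80 is denied, which is exactly what the confirmation step above guards against.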
VPC firewall policy examples
A VPC firewall can be used to detect and control traffic between two VPCs, also known as east-west traffic. When you manage traffic between two VPCs, you need to deny suspicious or malicious traffic, or first allow trusted traffic and then deny access from other addresses. For information about the settings for VPC firewall policies, see Configure access control policies for a VPC firewall.
Deny traffic between ECS instances in different VPCs
By default, ECS instances in two VPCs can communicate with each other if the VPCs are connected by a CEN instance or an Express Connect circuit.
Example: VPC1 and VPC2 are connected by the same CEN instance. ECS1, with the IP address 10.33.XX.XX/32, is deployed in VPC1. ECS2, with the IP address 10.66.XX.XX/32, is deployed in VPC2. This example denies access from ECS1 to ECS2.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the VPC Border page, click Create Policy.
In the Create Policy - VPC Border panel, configure the policy as described in the following table, and then click Confirm.
Parameter | Description | Example value
Source Type | The type of the traffic source. | IP
Source | The address of the traffic source. | 10.33.XX.XX/32
Destination Type | The type of the traffic destination. | IP
Destination | The address of the traffic destination. | 10.66.XX.XX/32
Protocol Type | The protocol of the traffic. | TCP
Port Type | The type of the port. | Port
Port | Configure the ports that you want to allow or restrict. You can manually enter a single port based on the Port Type setting, or click Select to choose a pre-configured Port Address Book from the address book. | 0/0
Application | The application type of the traffic. | ANY
Action | The action to take on the traffic. You can allow or deny traffic through the VPC firewall. | Deny
Internal firewall policy examples
The internal firewall controls inbound and outbound traffic between ECS instances to restrict unauthorized access. Access control policies for the internal firewall are automatically synchronized to ECS security groups and take effect after they are published. For more information about the configuration of internal firewall policies, see Security group configuration.
Enable ECS communication within a policy group
Unlike standard ECS security groups, which allow communication between instances in the same group by default, the Cloud Firewall internal firewall requires you to explicitly create a policy to enable such traffic.
Example: ECS1 (IP address 10.33.XX.XX) and ECS2 (IP address 10.66.XX.XX) are in the policy group sg-test. This example shows how to enable communication between them.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Security Group Configuration page, find the target policy group and click Configure Policy in the Actions column.
On the Inbound tab, click Create Policy.
Configure an inbound Allow policy. The key parameters are as follows:
Parameter | Description | Example value
Policy Type | The type of the policy. | Allow
Protocol Type | The protocol type of the traffic. | TCP
Port Range | The port range used by the traffic. | 0/0
Source Type, Source | Select the source of the access traffic. This parameter is required when the policy direction is set to Inbound. You can select the type of the source address and set the source object based on the source type. | Source Type: Policy Group; Source Object: sg-test
Destination | The destination of the traffic. This parameter is required for inbound policies. | Address Segment Access (CIDR block: 10.66.XX.XX)
Note: To enable communication among all ECS instances in the policy group, set Destination to All ECS Instances. To enable communication among specific ECS instances in the policy group, set Destination to CIDR Block and enter the CIDR block of the peer ECS instance.
If you use an advanced security group, you also need to configure an outbound Allow policy.
A basic security group allows all outbound traffic by default. No outbound policy is needed for a basic security group.
You can configure the outbound policy similarly to the inbound policy. The key parameters are as follows:
Source Type: IP
Source: 10.66.XX.XX
CIDR Block: 10.33.XX.XX
Enable ECS communication between policy groups
Example: ECS1 (IP address 10.33.XX.XX) and ECS2 (IP address 10.66.XX.XX) are in different internal firewall policy groups. This example shows how to enable communication between them.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Security Group Configuration page, find the policy group that contains ECS1 and click Configure Policy in the Actions column.
On the Inbound tab, click Create Policy.
Configure an inbound Allow policy. The key parameters are as follows:
Parameter | Description | Example value
Policy Type | The type of the policy. | Allow
Protocol Type | The protocol type of the traffic. | TCP
Port Range | The port range used by the traffic. | 0/0
Source Type, Source | The source of the traffic. This parameter is required for inbound policies. You must select the source type and then specify the source object. | Source Type: IP; Source Object: 10.66.XX.XX
Destination | The destination of the traffic. This parameter is required for inbound policies. | Address Segment Access (CIDR block: 10.33.XX.XX)
Note: If you want ECS instances in the sg-test2 policy group to access all ECS instances in the sg-test1 policy group, set Destination to All ECS Instances. If you want ECS instances in the sg-test2 policy group to access specific ECS instances in the sg-test1 policy group, set Destination to CIDR Block and enter the CIDR blocks of the ECS instances in the sg-test1 policy group.
If you use an advanced security group, you also need to configure an outbound Allow policy.
A basic security group allows all outbound traffic by default. No outbound policy is needed for a basic security group.
You can configure the outbound policy similarly to the inbound policy. The key parameters are as follows:
Source Type: IP
Source: 10.33.XX.XX
CIDR Block: 10.66.XX.XX
Similarly, configure the corresponding inbound and outbound Allow policies for ECS2.
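The two internal firewall procedures above (communication within a policy group, and between policy groups) share one underlying rule: a connection from ECS A to ECS B succeeds only if A's policy group lets the traffic out and B's policy group lets it in, where a basic security group allows all outbound traffic by default and an advanced security group needs an explicit outbound Allow policy. The following added Python example (not code from the original page or from Cloud Firewall itself) models that rule over constructed sample groups. The group names sg-test, sg-test1 and sg-test2 come from the text; the instance addresses 10.33.0.10, 10.66.0.20, 10.33.0.30 and 10.66.0.40 are constructed placeholders for the masked 10.33.XX.XX and 10.66.XX.XX, and the rule field names and the "outbound on the sender plus inbound on the receiver" evaluation are assumptions modelled on the tables above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InboundRule:
    """Inbound Allow policy as in the tables above (assumed model)."""
    proto: str          # "TCP", "UDP", "ICMP" or "ANY"
    port_range: str     # "low/high"; "0/0" means all ports
    source_type: str    # "IP" or "PolicyGroup"
    source: str         # CIDR block, or the name of a policy group
    destination: str    # "ALL" (All ECS Instances) or a CIDR block of the local instance(s)


@dataclass
class OutboundRule:
    """Outbound Allow policy: Source is the local instance, CIDR Block the remote peer."""
    proto: str
    port_range: str
    source: str         # CIDR block of the local (sending) instance
    cidr: str           # CIDR block of the remote peer


@dataclass
class PolicyGroup:
    name: str
    kind: str           # "basic" or "advanced"
    members: frozenset  # IP addresses of the ECS instances in the group
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _proto_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "ANY" or rule_proto == proto


def _port_matches(port_range: str, port: int) -> bool:
    low, high = (int(x) for x in port_range.split("/"))
    return (low, high) == (0, 0) or low <= port <= high


def group_of(groups: dict, ip: str) -> PolicyGroup:
    for g in groups.values():
        if ip in g.members:
            return g
    raise KeyError(f"{ip} is not a member of any policy group")


def inbound_allows(groups, dst_group, src_ip, dst_ip, proto, port) -> bool:
    """Does any inbound Allow policy of the receiver's group cover this flow?"""
    for r in dst_group.inbound:
        if not (_proto_matches(r.proto, proto) and _port_matches(r.port_range, port)):
            continue
        if r.source_type == "IP" and not _in_cidr(src_ip, r.source):
            continue
        if r.source_type == "PolicyGroup" and src_ip not in groups[r.source].members:
            continue
        if r.destination != "ALL" and not _in_cidr(dst_ip, r.destination):
            continue
        return True
    return False


def outbound_allows(src_group, src_ip, dst_ip, proto, port) -> bool:
    """Basic groups allow all outbound traffic; advanced groups need an explicit policy."""
    if src_group.kind == "basic":
        return True
    return any(_proto_matches(r.proto, proto) and _port_matches(r.port_range, port)
               and _in_cidr(src_ip, r.source) and _in_cidr(dst_ip, r.cidr)
               for r in src_group.outbound)


def can_connect(groups, src_ip, dst_ip, proto="TCP", port=22) -> bool:
    src_group, dst_group = group_of(groups, src_ip), group_of(groups, dst_ip)
    return (outbound_allows(src_group, src_ip, dst_ip, proto, port)
            and inbound_allows(groups, dst_group, src_ip, dst_ip, proto, port))


def sample_groups() -> dict:
    """Constructed sample mirroring the two procedures above."""
    # Within one advanced group: inbound from the whole group to ECS2 only, outbound ECS1 -> ECS2.
    sg_test = PolicyGroup("sg-test", "advanced", frozenset({"10.33.0.10", "10.66.0.20"}),
                          inbound=[InboundRule("TCP", "0/0", "PolicyGroup", "sg-test", "10.66.0.20/32")],
                          outbound=[OutboundRule("TCP", "0/0", "10.33.0.10/32", "10.66.0.20/32")])
    # Between groups: basic sg-test1 admits ECS2 by IP; advanced sg-test2 allows ECS2 out to ECS1.
    sg_test1 = PolicyGroup("sg-test1", "basic", frozenset({"10.33.0.30"}),
                           inbound=[InboundRule("TCP", "0/0", "IP", "10.66.0.40/32", "ALL")])
    sg_test2 = PolicyGroup("sg-test2", "advanced", frozenset({"10.66.0.40"}),
                           outbound=[OutboundRule("TCP", "0/0", "10.66.0.40/32", "10.33.0.30/32")])
    return {g.name: g for g in (sg_test, sg_test1, sg_test2)}


if __name__ == "__main__":
    groups = sample_groups()
    for src, dst in (("10.33.0.10", "10.66.0.20"), ("10.66.0.20", "10.33.0.10"),
                     ("10.66.0.40", "10.33.0.30"), ("10.33.0.30", "10.66.0.40")):
        print(f"{src} -> {dst}: {'allowed' if can_connect(groups, src, dst) else 'denied'}")
```

In the sample, ECS2 in sg-test2 can reach ECS1 in sg-test1, but the reverse direction is denied until sg-test2 gets its own inbound policy, which is why the text ends by configuring the corresponding policies for ECS2 as well; dropping the outbound policy from the advanced group sg-test2 also denies the forward direction, whereas the basic group sg-test1 needs no outbound policy.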