Configure access control policies to prevent Cloud Firewall from blocking Bastionhost traffic when the two products are deployed together.
Scenarios
Without explicit access control policies, Cloud Firewall may block traffic between Bastionhost and the internet in both directions: inbound O&M connections from your operators to Bastionhost, and the outbound connections that Bastionhost itself makes to cloud services. To avoid this, configure access control policies for the internet firewall so that Cloud Firewall protects Bastionhost traffic without disrupting its services.
The following figure shows how Cloud Firewall provides security protection for Bastionhost.

Without these policies, you may be unable to access Bastionhost service ports, import assets and users, or use web-based O&M and session playback.
Prerequisites
- You have purchased Cloud Firewall. For more information, see Purchase Cloud Firewall.
- You have purchased and enabled Bastionhost. For more information, see Purchase a Bastionhost instance and Enable a bastion host.
Workflow

Step 1: Configure an inbound allow policy
Configure an inbound policy for the internet firewall to allow internet traffic to access the open ports of Bastionhost.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Inbound tab, click Create Policy.
- In the Create Inbound Policy panel, on the Create Policy tab, configure the parameters described in the Inbound Policy Configuration Parameters table to create a policy that allows traffic from your internet sources. Then, click OK.
Inbound Policy Configuration Parameters
Source Type: Select IP. Enter the public CIDR blocks that are allowed to access Bastionhost, for example the egress addresses of your O&M staff. Keep this list as narrow as you can; a source of 0.0.0.0/0 would expose the O&M ports to the whole internet.
Destination Type: Select IP. Enter the IP address that your Bastionhost O&M domain name resolves to.
Note: You can find this IP address on the Internet Firewall page of the Cloud Firewall console by filtering by Asset Type, without switching to the Bastionhost console.
Protocol Type: Select TCP.
Application: Select ANY.
Port: Select Port or Address Book. To open multiple service ports for Bastionhost, add the ports to an address book and then select the address book here.
Note: An address book groups multiple IP addresses or ports for batch configuration. If you only need to open a single port, you do not need to create an address book.
If you select Port, specify the service ports for Bastionhost. Common Bastionhost services and ports include:
- SSH O&M: 60022
- RDP O&M: 63389
- Session playback port: 9443
- Host O&M and O&M portal: 443
- Single Sign-on Assistant port: 20045
Action: Select Allow to grant the specified internet sources access to the specified ports of Bastionhost.
Priority: Set the priority of the access control policy to Highest. Cloud Firewall evaluates policies in priority order and applies the first match, so this allow policy must be ordered above the deny policy that you create in the next step.
Status: Enable the policy.
Description: Enter a description to identify the purpose of this policy.
- Create a second inbound policy that denies all other inbound internet traffic. Using the same Inbound Policy Configuration Parameters, set the source to 0.0.0.0/0, set Action to Deny, and set the priority to Lowest. Because the allow policy has the Highest priority, only traffic that it does not match (other sources, or other ports on Bastionhost) reaches this deny policy. A deny policy with source 0.0.0.0/0 matches inbound traffic to every asset behind the internet firewall unless you narrow Destination to the Bastionhost IP address, so make sure any other protected assets have their own higher-priority allow policies before you enable it.
Step 2: Configure an outbound allow policy
Bastionhost requires internet access to connect to cloud services. Configure an outbound policy for the internet firewall to allow this access.
- On the Outbound tab, click Create Policy.
- On the Create Policy tab in the Create Outbound Policy panel, configure the parameters described in the Outbound Policy Configuration Parameters table to create a policy that allows Bastionhost to reach the cloud services it depends on. Then, click OK.
Outbound Policy Configuration Parameters
Source Type: Select IP. Enter the egress IP address of Bastionhost.
Destination Type: Select Address Book. In the Select Address Book panel, select Cloud Service Domain Address Book and search for Alibaba credible domains.
Protocol Type: Select TCP.
Application: Select HTTP and HTTPS.
Port: Select Port or Address Book. To open multiple ports for cloud services, add the ports to an address book and then select the address book here.
Note: An address book groups multiple IP addresses or ports for batch configuration. If you only need to open a single port, you do not need to create an address book.
If you select Port, set the ports to 443 and 80.
Action: Select Allow to permit Bastionhost to access the cloud service destinations on the specified ports.
Priority: Set the priority of the access control policy to Highest, so that it is evaluated before the deny policy that you create in the next step.
Status: Enable the policy.
Description: Enter a description to identify the purpose of this policy.
- Create a second outbound policy that denies all other internet traffic from Bastionhost. Using the same Outbound Policy Configuration Parameters, set Source to 0.0.0.0/0, set Action to Deny, and set Priority to Lowest. A source of 0.0.0.0/0 matches outbound traffic from every asset behind the internet firewall, not only from Bastionhost; if other assets need internet access, narrow Source to the Bastionhost egress IP address or give those assets their own higher-priority allow policies.
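The four policies from Step 1 and Step 2 interact only through priority: Cloud Firewall walks the policies in priority order and applies the first one that matches. The following model, an added example and not Alibaba Cloud code, encodes those four policies and evaluates sample connections the same way, so you can check the intended outcomes (and the 0.0.0.0/0 scope caveat above) before committing the console configuration. All IP addresses, the address book contents and the `Policy` fields are constructed placeholders; Highest and Lowest priorities are represented as integers 0 and 99, and traffic matched by no policy is reported as "default" rather than assuming what the firewall does with it.

```python
"""Added example, not Alibaba Cloud code: a model of the four internet
firewall access control policies from Steps 1 and 2, evaluated by priority
with first match wins.  All addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder values (assumptions; replace with your own).
BASTION_IP = "203.0.113.10"       # IP the Bastionhost O&M domain name resolves to
BASTION_EGRESS = "203.0.113.10"   # egress IP address of the Bastionhost instance
OTHER_ASSET = "203.0.113.20"      # an unrelated asset behind the same internet firewall
ADMIN_CIDR = "198.51.100.0/24"    # public CIDR block of your O&M staff
# Constructed stand-in for the "Alibaba credible domains" cloud service address book.
ADDRESS_BOOKS = {"Alibaba credible domains": ["192.0.2.0/24"]}
BASTION_PORTS = frozenset({60022, 63389, 9443, 443, 20045})  # Step 1 service ports
WEB_PORTS = frozenset({80, 443})                              # Step 2 ports


@dataclass(frozen=True)
class Policy:
    name: str
    direction: str      # "in" or "out"
    source: str         # CIDR or address book name
    destination: str    # CIDR or address book name
    ports: frozenset    # empty set = any port
    action: str         # "allow" or "deny"
    priority: int       # 0 = Highest; larger values are evaluated later


def matches(ip, selector):
    """True if ip lies in the CIDR, or in any CIDR of the named address book."""
    cidrs = ADDRESS_BOOKS.get(selector, [selector])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(policies, direction, src_ip, dst_ip, port):
    """Return (action, policy name) of the first matching policy in priority
    order, or ("default", None) when no policy matches the connection."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.direction != direction:
            continue
        if not matches(src_ip, p.source) or not matches(dst_ip, p.destination):
            continue
        if p.ports and port not in p.ports:
            continue
        return p.action, p.name
    return "default", None


def build_policies(narrow_outbound_deny=False):
    """The four policies from Steps 1 and 2.  With narrow_outbound_deny=True the
    final outbound deny is scoped to the Bastionhost egress IP instead of 0.0.0.0/0."""
    deny_src = BASTION_EGRESS + "/32" if narrow_outbound_deny else "0.0.0.0/0"
    return [
        Policy("inbound-allow-bastion", "in", ADMIN_CIDR, BASTION_IP + "/32",
               BASTION_PORTS, "allow", 0),
        Policy("inbound-deny-rest", "in", "0.0.0.0/0", "0.0.0.0/0",
               frozenset(), "deny", 99),
        Policy("outbound-allow-cloud", "out", BASTION_EGRESS + "/32",
               "Alibaba credible domains", WEB_PORTS, "allow", 0),
        Policy("outbound-deny-rest", "out", deny_src, "0.0.0.0/0",
               frozenset(), "deny", 99),
    ]


if __name__ == "__main__":
    pols = build_policies()
    print(evaluate(pols, "in", "198.51.100.7", BASTION_IP, 60022))  # operator SSH O&M
    print(evaluate(pols, "in", "198.51.100.7", BASTION_IP, 22))     # port not opened
    print(evaluate(pols, "out", OTHER_ASSET, "203.0.113.99", 443))  # caught by broad deny
```

The last call in the usage section shows the scope caveat: with Source left at 0.0.0.0/0, the outbound deny also matches the unrelated asset, whereas `build_policies(narrow_outbound_deny=True)` leaves that asset's traffic unmatched by any of these four policies.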
Step 3: Enable Cloud Firewall protection for Bastionhost
After configuring the policies, enable the internet firewall to activate protection for Bastionhost.
- In the left-side navigation pane, click Firewall.
- On the Internet Firewall tab, find the IP address of your Bastionhost instance, and in the Actions column, click Enable.
Note: A newly purchased Bastionhost instance takes about 15 to 30 minutes to be synchronized to Cloud Firewall.
Cloud Firewall now protects Bastionhost without disrupting its operations. You can log on to Bastionhost to import assets and users for O&M and auditing.
Step 4: Verify the configuration
From a client in one of the CIDR blocks allowed in Step 1, verify that you can access the Bastionhost service ports, import assets and users, perform web-based O&M, and play back session recordings. From an address outside those CIDR blocks, confirm that the same ports are not reachable. You can view traffic logs between Bastionhost and the internet on the Traffic Logs tab of the internet firewall to confirm which policy matched each connection. For more information, see log audit.