Cloud Firewall: Access policies for Cloud Firewall and Bastionhost

Last Updated: Jun 17, 2026

Configure access control policies to prevent Cloud Firewall from blocking Bastionhost traffic when the two products are deployed together.

Scenarios

When a Bastionhost instance is protected by the internet firewall, Cloud Firewall may block inbound traffic to Bastionhost as well as outbound traffic from Bastionhost to the internet. To avoid this, configure access control policies for the internet firewall so that Cloud Firewall protects Bastionhost traffic without disrupting its services.

The following figure shows how Cloud Firewall provides security protection for Bastionhost.

(Schematic diagram: Cloud Firewall protecting Bastionhost)

Without these policies, you may be unable to access Bastionhost service ports, import assets and users, or use web-based O&M and session playback.

Prerequisites

Workflow

Step 1: Configure an inbound allow policy

Configure an inbound policy for the internet firewall to allow internet traffic to access the open ports of Bastionhost.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > Policy Configuration > Internet Border.

  3. On the Inbound tab, click Create Policy.

  4. In the Create Inbound Policy panel, on the Create Policy tab, configure the parameters described in the following table to create a policy that allows traffic from specific internet sources. Then, click OK.

    Inbound policy configuration parameters

    Source Type: Select IP. Enter the public CIDR blocks that are allowed to access Bastionhost, such as the egress addresses of your O&M staff. Keep these as narrow as possible, because this policy grants direct access to the Bastionhost logon and O&M ports.

    Destination Type: Select IP. Enter the IP address that your Bastionhost O&M domain name resolves to.

    Note: You can go to the internet firewall page and filter by Asset Type to find the IP address of your Bastionhost instance without switching to the Bastionhost console.

    Protocol Type: Select TCP.

    Application: Select ANY.

    Port: Select Port or Address Book. To open multiple service ports for Bastionhost, add the ports to an address book and then select the address book here.

    Note: An address book groups multiple IP addresses or ports for batch configuration. If you only need to open a single port, you do not need to create an address book.

    If you select Port, specify the service ports for Bastionhost. Common Bastionhost services and ports include:

    • SSH O&M: 60022

    • RDP O&M: 63389

    • Session playback: 9443

    • Host O&M and O&M portal: 443

    • Single Sign-on Assistant: 20045

    Action: Select Allow to grant the specified internet sources access to the specified ports of Bastionhost.

    Priority: Set the priority of the access control policy to Highest, so that it is evaluated before the catch-all deny policy created in the next step.

    Status: Enable the policy.

    Description: Enter a description that identifies the purpose of this policy, for example the Bastionhost instance and the sources it allows.

  5. Create a policy to deny all other inbound internet traffic to Bastionhost.

    Use the same parameters as in the previous step, but set Source Type to IP with the source 0.0.0.0/0, set the destination to the IP address of Bastionhost (or to 0.0.0.0/0 if the deny should apply to every asset behind the internet firewall), set Action to Deny, and set Priority to Lowest. Because policies are evaluated in priority order, the Highest-priority allow policy matches first and this policy only catches the traffic that the allow policy does not cover, such as connections from other sources or to ports you did not open.

Step 2: Configure an outbound allow policy

Bastionhost requires internet access to connect to cloud services. Configure an outbound policy for the internet firewall to allow this access.

  1. On the Outbound tab, click Create Policy.

  2. On the Create Policy tab in the Create Outbound Policy panel, configure the parameters described in the following table to create a policy that allows Bastionhost to access Alibaba Cloud services. Then, click OK.

    Outbound policy configuration parameters

    Source Type: Select IP. Enter the egress IP address of Bastionhost.

    Destination Type: Select Address Book. In the Select Address Book panel, select Cloud Service Domain Address Book and search for Alibaba credible domains.

    Protocol Type: Select TCP.

    Application: Select HTTP and HTTPS.

    Port: Select Port or Address Book. To open multiple ports for cloud services, add the ports to an address book and then select the address book here.

    Note: An address book groups multiple IP addresses or ports for batch configuration. If you only need to open a single port, you do not need to create an address book.

    If you select Port, set the ports to 443 and 80.

    Action: Select Allow to permit Bastionhost to access the cloud service domains on the specified ports.

    Priority: Set the priority of the access control policy to Highest, so that it is evaluated before the catch-all deny policy created in the next step.

    Status: Enable the policy.

    Description: Enter a description that identifies the purpose of this policy.

  3. Create a policy to deny all other internet traffic from Bastionhost.

    Use the same parameters as in the previous step, but set Source to 0.0.0.0/0, set Action to Deny, and set Priority to Lowest. Note that a source of 0.0.0.0/0 matches outbound traffic from every asset behind the internet firewall, not only from Bastionhost. If other assets need unrestricted internet access, set the source to the egress IP address of Bastionhost and the destination to 0.0.0.0/0 instead. In either case the Highest-priority allow policy is matched first, so Bastionhost can still reach the cloud service domains.
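The four policies from Steps 1 and 2, modelled in a small first-match evaluator. This is an added example, not Cloud Firewall code or an Alibaba Cloud API; it only reproduces the priority-ordered matching the steps rely on so the ruleset can be sanity-checked before it is saved in the console. The addresses are placeholders from the documentation ranges (203.0.113.0/24 for the allowed O&M sources, 198.51.100.10 for the Bastionhost IP, 192.0.2.0/24 standing in for the resolved cloud service domain address book). It assumes that the deny policies match any protocol and that traffic matching no policy is allowed, which is the gap the explicit catch-all deny policies close. The last case shows why the source of the outbound deny policy matters for other assets behind the same internet firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY_IP = "0.0.0.0/0"
# Common Bastionhost service ports listed under Step 1 (Port parameter).
BASTIONHOST_PORTS = frozenset({60022, 63389, 9443, 443, 20045})


@dataclass(frozen=True)
class Policy:
    direction: str        # "inbound" or "outbound"
    source: str           # CIDR; 0.0.0.0/0 means any source
    destination: str      # CIDR; stands in for an IP or an address book
    protocol: str         # "TCP" or "ANY"
    ports: frozenset      # empty set means any port
    action: str           # "allow" or "deny"
    priority: int         # smaller is evaluated first; 0 models "Highest"
    description: str = ""


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    protocol: str
    port: int


def matches(policy: Policy, flow: Flow) -> bool:
    """True if every field of the policy covers the flow."""
    return (
        policy.direction == flow.direction
        and policy.protocol in ("ANY", flow.protocol)
        and (not policy.ports or flow.port in policy.ports)
        and ipaddress.ip_address(flow.src) in ipaddress.ip_network(policy.source)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(policy.destination)
    )


def evaluate(policies: Iterable[Policy], flow: Flow, default: str = "allow") -> Tuple[str, str]:
    """Return (action, description) of the first matching policy in priority
    order. `default` is the modelled action when nothing matches (assumed
    "allow" here; the page's catch-all deny policies exist to override it)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy, flow):
            return policy.action, policy.description
    return default, "no matching policy"


def page_ruleset(bastion_ip: str, admin_cidr: str, cloud_service_cidr: str,
                 outbound_deny_source: Optional[str] = None) -> List[Policy]:
    """The four policies of Steps 1 and 2. The outbound deny is scoped to the
    Bastionhost egress IP unless another source (e.g. ANY_IP, as the page
    literally says) is given."""
    host = f"{bastion_ip}/32"
    return [
        Policy("inbound", admin_cidr, host, "TCP", BASTIONHOST_PORTS, "allow", 0,
               "Step 1.4: allow O&M sources to Bastionhost service ports"),
        Policy("inbound", ANY_IP, host, "ANY", frozenset(), "deny", 9999,
               "Step 1.5: deny all other inbound traffic to Bastionhost"),
        Policy("outbound", host, cloud_service_cidr, "TCP", frozenset({80, 443}), "allow", 0,
               "Step 2.2: allow Bastionhost to cloud service domains over HTTP/HTTPS"),
        Policy("outbound", outbound_deny_source or host, ANY_IP, "ANY", frozenset(), "deny", 9999,
               "Step 2.3: deny all other outbound traffic"),
    ]


if __name__ == "__main__":
    rules = page_ruleset("198.51.100.10", "203.0.113.0/24", "192.0.2.0/24")
    checks = [
        Flow("inbound", "203.0.113.5", "198.51.100.10", "TCP", 60022),   # SSH O&M from an allowed source
        Flow("inbound", "203.0.113.5", "198.51.100.10", "TCP", 22),      # port that was not opened
        Flow("inbound", "192.0.2.77", "198.51.100.10", "TCP", 443),      # source outside the allowed CIDR
        Flow("outbound", "198.51.100.10", "192.0.2.10", "TCP", 443),     # Bastionhost to a cloud service
        Flow("outbound", "198.51.100.10", "192.0.2.10", "TCP", 8080),    # non-HTTP(S) port
        Flow("outbound", "198.51.100.20", "192.0.2.10", "TCP", 443),     # another asset behind the firewall
    ]
    for flow in checks:
        action, why = evaluate(rules, flow)
        print(f"{flow.direction:8} {flow.src} -> {flow.dst}:{flow.port}  {action:5}  ({why})")
```

Calling page_ruleset with outbound_deny_source=ANY_IP reproduces the page's literal instruction and makes the last flow, from a different asset, evaluate to deny; with the default Bastionhost-scoped source it falls through to the modelled default.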

Step 3: Enable Cloud Firewall protection for Bastionhost

After configuring the policies, enable the internet firewall to activate protection for Bastionhost.

  1. In the left-side navigation pane, click Firewall.

  2. On the Internet Firewall tab, find the IP address of your Bastionhost instance, and in the Actions column, click Enable.

    Note

    A newly purchased Bastionhost instance takes about 15 to 30 minutes to be synchronized to Cloud Firewall.

    Cloud Firewall now protects Bastionhost without disrupting its operations. You can log on to Bastionhost to import assets and users for O&M and auditing.

Step 4: Verify the configuration

Verify that you can access the Bastionhost service ports from an allowed source, import assets and users, perform web-based O&M, and play back session recordings. Also confirm that connections from sources outside the allowed CIDR blocks, or to ports you did not open, are rejected. You can view traffic logs between Bastionhost and the internet on the Traffic Logs tab of the internet firewall. For more information, see Log audit.
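A connectivity check for this step, written in Python as an added example that is not part of the page or of Bastionhost. Run it from an address inside the Source CIDR of the inbound allow policy; the host name is a placeholder. The expectation that TCP 22 and 3389 are unreachable is an assumption that follows from Bastionhost exposing SSH and RDP O&M on 60022 and 63389, so the standard ports are left to the catch-all deny. The probe is injectable so the reporting logic can be exercised without network access.

```python
import socket
import sys
from typing import Callable, Dict, Iterable

# Common Bastionhost service ports from Step 1, with what each one serves.
BASTIONHOST_PORTS = {
    60022: "SSH O&M",
    63389: "RDP O&M",
    9443: "session playback",
    443: "host O&M and O&M portal",
    20045: "Single Sign-on Assistant",
}
# Assumption: the standard SSH/RDP ports are not Bastionhost services, so the
# Lowest-priority deny policy should leave them unreachable from the internet.
SHOULD_BE_BLOCKED = [22, 3389]

ProbeFn = Callable[[str, int, float], bool]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.
    A firewall deny usually shows up as a timeout rather than a reset."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify(host: str, expect_open: Iterable[int], expect_closed: Iterable[int],
           timeout: float = 3.0, is_open: ProbeFn = tcp_open) -> Dict[str, object]:
    """Probe every port once and report deviations from the expected state.
    Returns {"ok": bool, "unexpected": {port: "open" | "closed"}}."""
    unexpected: Dict[int, str] = {}
    for port in expect_open:
        if not is_open(host, port, timeout):
            unexpected[port] = "closed"
    for port in expect_closed:
        if is_open(host, port, timeout):
            unexpected[port] = "open"
    return {"ok": not unexpected, "unexpected": unexpected}


if __name__ == "__main__":
    # Placeholder host; pass your Bastionhost O&M domain name or IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "bastionhost.example.com"
    report = verify(target, BASTIONHOST_PORTS, SHOULD_BE_BLOCKED)
    for port, state in sorted(report["unexpected"].items()):
        label = BASTIONHOST_PORTS.get(port, "should be denied")
        print(f"port {port} ({label}) is unexpectedly {state}")
    print("OK: inbound policies behave as expected" if report["ok"]
          else "MISMATCH: review the inbound allow and deny policies")
```

A port reported as "closed" that should be open usually means the inbound allow policy is missing that port or your source address is outside its CIDR; a port reported as "open" that should be blocked means the Lowest-priority deny policy is missing, disabled, or scoped to a different destination.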