To visualize east-west traffic between your workloads and define access control policies, Cloud Firewall needs to know how your workloads relate to each other. Custom groups let you organize your ECS instances into a three-tier hierarchy—business groups, application groups, and applications—so that Cloud Firewall can map traffic flows and display access relationships on the business relations graph.
Group hierarchy
Cloud Firewall uses three levels to organize workloads:
| Level | Term | Definition |
|---|---|---|
| 1 (top) | Business group | A collection of application groups that belong to the same type of business. Example: an e-commerce business group that contains a web-tier application group and a database application group. |
| 2 (middle) | Application group | A collection of applications that provide the same or similar services. Example: all Elastic Compute Service (ECS) instances running MySQL grouped into one database application group. |
| 3 (bottom) | Application | The smallest unit in traffic visualization. By default, one application is created per ECS instance, representing all open ports on that instance. Clone an application to isolate a specific port or process. |
Prerequisites
Before you can visualize traffic, you must create business groups and application groups and add applications to these groups.
Step 1: Create a business group
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose System Settings > Business Visualization.
On the Custom Groups page, click the Business Group tab.
On the Business Group tab, select a virtual private cloud (VPC) in which you want to create the business group.
You can select an existing VPC or a classic network-type instance. You can specify only one VPC for each business group.
Click Create Business Group.
In the Create Business Group dialog box, configure the following parameters:
| Parameter | Description |
|---|---|
| Name | A name for the business group. Must be 1 to 40 characters in length. |
| Description | An optional description of the business group. |
| Importance degree | The priority level of the group in the business relations graph. Valid values: Moderate, Important, and Critical. On the Application Groups page, you can filter groups by importance degree. |
Click OK.
The new business group appears in the list. Click Modify to rename it, or Delete to remove it.
You cannot delete a business group that contains application groups.
Step 2: Create an application group
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose System Settings > Business Visualization.
On the Custom Groups page, click the Application Groups tab.
Select the VPC in which you want to create the application group.
Click Create Application Group.
In the Create Application Group dialog box, configure the following parameters:
Important: If you select an existing business group, the new application group is placed in the VPC of that business group automatically.
| Parameter | Description |
|---|---|
| Name | A name for the application group. Must be 1 to 40 characters in length. |
| Description | An optional description of the application group. |
| Importance degree | The priority level of the group in the business relations graph. Valid values: Moderate, Important, and Critical. |
| Business group | Select "Select existing business group" and choose a business group from the Name drop-down list. Alternatively, select "Create business group" and configure the Name, Description, and Importance degree fields for the new group. |
Click OK.
(Optional) In the Actions column, click Assign to move the application group to a different business group. The Application groups count on the Business Group tab updates automatically.
After the group is created, click Modify or Delete to manage it.
You cannot delete an application group that contains applications.
Step 3: Specify an application group and a business group for an application
On the Applications tab, you can view the numbers of business groups, application groups, applications, and ECS instances in Cloud Firewall.
After you activate Cloud Firewall, one default application is created per ECS instance. The traffic bound to an ECS instance is automatically mapped to its default application.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Business Visualization > Custom Groups.
Click the Applications tab.
Search for the application you want to assign.
In the Actions column, click Assign and select a business group and an application group. The group counts on the Business Group tab update automatically.
(Optional) If an ECS instance runs workloads that belong to different business types, clone the default application to create a separate entry for each business type:
In the Actions column, choose More > Clone.
Modify the ECS Instance ID, Port, and Process Name parameters as needed.
Click Assign on the cloned application to place it in the appropriate business group and application group.
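
The grouping rules above can be checked against a planned layout before it is entered in the console. The following is an added example, not code from Alibaba Cloud: the plan schema, the function names `check_plan` and `blocked_deletions`, and the sample IDs are all hypothetical, and the duplicate-entry check is an assumption rather than a rule stated on this page.

```python
IMPORTANCE = {"Moderate", "Important", "Critical"}  # valid values listed on this page

def _check_group(kind, g):
    errs = []
    if not 1 <= len(g.get("name", "")) <= 40:
        errs.append(f"{kind} name must be 1 to 40 characters: {g.get('name')!r}")
    if g.get("importance") not in IMPORTANCE:
        errs.append(f"{kind} {g.get('name')!r}: invalid importance degree {g.get('importance')!r}")
    return errs

def check_plan(plan):
    """Return rule violations for a planned layout (added example; hypothetical plan schema)."""
    errs, app_groups = [], set()
    for bg in plan["business_groups"]:
        errs += _check_group("business group", bg)
        for ag in bg.get("application_groups", []):
            errs += _check_group("application group", ag)
            if ag.get("vpc", bg["vpc"]) != bg["vpc"]:  # group lives in its business group's VPC
                errs.append(f"application group {ag['name']!r}: VPC differs from {bg['name']!r}")
            app_groups.add(ag["name"])
    seen = set()
    for app in plan["applications"]:
        key = (app["ecs_instance_id"], app.get("port"), app.get("process_name"))
        if key in seen:  # assumption: a clone should differ from other entries by port or process
            errs.append(f"duplicate application entry {key}")
        seen.add(key)
        if app["application_group"] not in app_groups:
            errs.append(f"{app['ecs_instance_id']}: unknown application group {app['application_group']!r}")
    return errs

def blocked_deletions(plan):
    """Names of groups that cannot be deleted yet because they still contain members."""
    used = {app["application_group"] for app in plan["applications"]}
    groups = [ag for bg in plan["business_groups"] for ag in bg.get("application_groups", [])]
    return ([bg["name"] for bg in plan["business_groups"] if bg.get("application_groups")]
            + [ag["name"] for ag in groups if ag["name"] in used])

# Constructed sample plan with two deliberate mistakes ("High", and the undefined group "cache").
# One ECS instance runs a web service and MySQL, so its default application is split with a clone.
PLAN = {
    "business_groups": [{"name": "e-commerce", "vpc": "vpc-example", "importance": "Critical",
                         "application_groups": [{"name": "web-tier", "importance": "Important"},
                                                {"name": "database", "importance": "High"}]}],
    "applications": [
        {"ecs_instance_id": "i-example01", "application_group": "web-tier"},
        {"ecs_instance_id": "i-example01", "port": 3306, "process_name": "mysqld", "application_group": "database"},
        {"ecs_instance_id": "i-example02", "application_group": "cache"}]}

if __name__ == "__main__":
    print(*check_plan(PLAN), f"not deletable yet: {blocked_deletions(PLAN)}", sep="\n")
```
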