Cloud Firewall helps you understand the access relationships between your services through traffic visualization, helping you determine which access control policy to implement.
Prerequisites
Before you can visualize traffic, you must create business groups and application groups, and add applications to these groups to establish the relationships between applications, application groups, and business groups.
Background
Familiarize yourself with the following concepts:
Business Zone: In east-west traffic visualization, a business group is a collection of application groups that represent a specific business. Business groups are typically categorized based on your business types. For example, a portal website business group can contain web and database application groups.
Application Group: In east-west traffic visualization, an application group is a set of applications that provide the same or similar services. For example, all ECS instances deployed with MySQL can belong to the same database application group.
Application: An application is the smallest unit in east-west traffic visualization. By default, an application corresponds to all open ports on an ECS instance. You can create a new application by cloning an existing one and specifying a port.
Step 1: Create a business group
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Custom Groups page, click the Business Zone tab.
On the Business Zone tab, select the VPC for the business group.
ImportantVPC here refers to your existing VPCs and classic networks. Each business group must belong to a single VPC.
Click Create Business Group.
In the Create Business Group dialog box, configure the business group.
Name: Enter a name for the business group. The name must be 1 to 40 characters long.
Remarks: Enter a description for the business group.
Importance Degree: Select the importance level of the business group. This helps you visually distinguish business groups in the business relations graph. You can select moderate, important, or critical.
On the Application Groups page, you can filter and view business groups based on their importance level.
Click OK to create the business group.
After a business group is created, it is added to the selected VPC. In the business group list, you can Edit its basic information or Delete it.
NoteYou cannot delete a business group that contains application groups.
Step 2: Create an application group
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Custom Groups page, click the Application Group tab.
On the Application Group tab, select the VPC to which the application group belongs.
Click Create Application Group.
In the Create Application Group dialog box, configure the application group settings.
Name: Enter a name for the application group. The name must be 1 to 40 characters long.
Remarks: Enter a description for the application group.
Importance Degree: Select the importance level of the application group. This helps you visually distinguish application groups in the business relations graph. You can select moderate, important, or critical.
On the Application Groups page, double-click a business group and then filter its application groups by importance level.
Business Zone: You can either Select Existing Business Group or Create New Business Group.
If you select Select Existing Business Group, choose a previously created business group from the Name drop-down list.
ImportantAfter the application group is created, it is automatically added to the same VPC as its parent business group.
If you select Create New Business Group, you must specify the Name, Remarks, and Importance Degree for the new business group.
Click OK to create the application group.
(Optional) In the Actions column, click Assign to move the application group to a different business group.
This action updates the Application Groups on the business group page.
After an application group is created, you can also Edit its basic information or Delete it from the application group list.
NoteYou cannot delete an application group that contains applications.
Step 3: Assign an application
On the Application tab, you can view the number of existing business groups, application groups, applications, and ECS instances.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Custom Groups page, click the Application tab.
Use the search feature to find the application that you want to manage.
In the Actions column, click Assign to add the application to a business group and an application group.
NoteThis action updates the application count for the corresponding Business Zone and Application Group.
(Optional) You can also clone an existing application by clicking Clone in the Actions column of the application list.
When Cloud Firewall is enabled, it automatically creates a default application for each ECS instance. Traffic to an ECS instance is mapped to its default application. If an ECS instance hosts multiple services that belong to different business types, you can use the Clone feature to create a new application and assign it to a different business group and application group. When you clone an application, you can modify its ECS instance ID, listening Port, and Process Name.