
Cloud Firewall:Overview of access control policies

Last Updated:Mar 31, 2026

Access control policies define which traffic Cloud Firewall allows, monitors, or blocks. If no policy is configured, Cloud Firewall allows all traffic by default, so policies are how you protect your assets from unauthorized access and enforce traffic isolation across the Internet firewall, NAT firewalls, virtual private cloud (VPC) firewalls, and internal firewalls.

This topic covers access control policies for the Internet firewall, NAT firewalls, and VPC firewalls. Internal firewalls between ECS instances are configured separately; see Create an access control policy for an internal firewall and Configure access control policies for the ECS Firewall.

How it works

Each access control policy defines a traffic pattern using five items — source, destination, protocol type, port, and application — and assigns one of three actions: Allow, Monitor, or Deny.

When traffic arrives, Cloud Firewall evaluates policies in priority order:

  1. Check the highest-priority policy first. A lower priority number means a higher priority. If the traffic matches, Cloud Firewall applies that policy's action and stops; lower-priority policies are not consulted even if they would also match.

  2. Move to the next policy if there is no match. Cloud Firewall works down the priority list and repeats the check.

  3. Allow the traffic if no policy matches. After every configured policy has been evaluated without a match, the traffic is allowed by default.

Important

After you create, modify, or delete a policy, Cloud Firewall takes approximately 3 minutes to push the update to the engine; wait for that interval before you verify the change. Because evaluation stops at the first match, give frequently matched and more specific policies a higher priority (a lower number), and in particular place a specific Deny policy above any broader Allow policy that would otherwise shadow it. If you want traffic that matches no explicit policy to be blocked rather than allowed, add a catch-all Deny policy with the lowest priority.

The following diagram illustrates the matching process:

[Diagram: policy matching process]
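The first-match evaluation described above, as an added example that is not part of the original page or of the Cloud Firewall product. It models a policy as the five items plus action and priority (field names are this example's own, not the product API), evaluates a flow against the policies in ascending priority number, falls back to Allow when nothing matches, and shows why a specific Deny placed below a broad Allow never takes effect. It also implements the two ICMP rules from the Port section: the port is ignored when the policy protocol is ICMP, and under protocol ANY an ICMP flow is matched as port 0, so only a range that includes 0 (such as 0/80) catches it. All policies and flows are constructed sample data.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    priority: int             # lower number = higher priority, evaluated first
    source: List[str]         # CIDR blocks
    destination: List[str]    # CIDR blocks
    protocol: str             # "TCP", "UDP", "ICMP" or "ANY"
    ports: List[str]          # "start/end" ranges; not applicable when protocol is ICMP
    application: List[str]    # "HTTP", "HTTPS", ... or "ANY"
    action: str               # "Allow", "Deny" or "Monitor"


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int                # destination port; ICMP has none and is modelled as 0
    application: str          # application identified by the engine, "UNKNOWN" if none


def port_in_ranges(port: int, ranges: List[str]) -> bool:
    """True if port falls inside any "start/end" range."""
    for r in ranges:
        lo, hi = (int(x) for x in r.split("/"))
        if lo <= port <= hi:
            return True
    return False


def in_any_network(addr: str, cidrs: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def matches(p: Policy, f: Flow) -> bool:
    """All five items must match for the policy to apply to the flow."""
    if not in_any_network(f.src, p.source) or not in_any_network(f.dst, p.destination):
        return False
    if p.protocol != "ANY" and p.protocol != f.protocol:
        return False
    # Port is skipped only when the policy itself says ICMP. Under ANY, an ICMP
    # flow is compared as port 0, so a range like 0/80 is needed to match it.
    if p.protocol != "ICMP" and not port_in_ranges(f.dport, p.ports):
        return False
    if "ANY" not in p.application and f.application not in p.application:
        return False
    return True


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, Optional[str]]:
    """First match in ascending priority number wins; no match means Allow."""
    for p in sorted(policies, key=lambda x: x.priority):
        if matches(p, flow):
            return p.action, p.name
    return "Allow", None


def permitted(action: str) -> bool:
    """Allow and Monitor both let traffic through; only Deny blocks it."""
    return action in ("Allow", "Monitor")


# Constructed sample policies: a broad Allow, a narrow Deny for SSH to one host,
# and a Monitor policy that catches ICMP under protocol ANY via the 0/80 range.
BROAD_ALLOW = Policy("allow-internal-egress", 1, ["10.0.0.0/8"], ["0.0.0.0/0"],
                     "ANY", ["0/65535"], ["ANY"], "Allow")
NARROW_DENY = Policy("deny-ssh-to-bastion", 2, ["10.0.5.0/24"], ["203.0.113.10/32"],
                     "TCP", ["22/22"], ["ANY"], "Deny")
ICMP_ANY = Policy("monitor-icmp", 3, ["10.0.0.0/8"], ["198.51.100.0/24"],
                  "ANY", ["0/80"], ["ANY"], "Monitor")

SSH_FLOW = Flow("10.0.5.7", "203.0.113.10", "TCP", 22, "UNKNOWN")
PING_FLOW = Flow("10.0.9.1", "198.51.100.4", "ICMP", 0, "UNKNOWN")


def shadowing_demo() -> Tuple[str, str]:
    """Same two policies, two orderings: the Deny only takes effect when it is
    evaluated before the broad Allow that would otherwise shadow it."""
    shadowed, _ = evaluate([BROAD_ALLOW, NARROW_DENY], SSH_FLOW)
    reordered = [replace(NARROW_DENY, priority=1), replace(BROAD_ALLOW, priority=2)]
    fixed, _ = evaluate(reordered, SSH_FLOW)
    return shadowed, fixed


if __name__ == "__main__":
    print("SSH, Deny shadowed then reordered:", shadowing_demo())
    print("ICMP under ANY with 0/80:", evaluate([ICMP_ANY], PING_FLOW))
    print("ICMP with no matching policy:", evaluate([NARROW_DENY], PING_FLOW))
```

The shadowing demo is the check to run mentally before saving a policy set: sort by priority number, find the first policy whose five items cover the flow you care about, and ignore everything below it.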

Policy items

Each policy is built from five items. The supported types for source and destination vary by firewall type and traffic direction.

Source

The source is the initiator of the network connection.

Firewall type                                   | Supported source types
Internet firewall, NAT firewalls, VPC firewalls | IP address, IP address book
Internal firewalls                              | IP address, IP address book, region

Destination

The destination is the receiver of the network connection.

Firewall type and direction                 | Supported destination types
Internet firewall, NAT firewalls (outbound) | IP address, IP address book, domain name, region
VPC firewalls                               | IP address, IP address book, domain name
Internet firewall (inbound)                 | IP address, IP address book

Protocol type

Specifies the transport layer protocol: TCP, UDP, ICMP, or ANY. Select ANY to match all protocol types.

Port

Specifies the destination port or port range, either entered directly or selected from a port address book. A range is written as start/end, for example 80/88; a single port is written as a range with equal ends, for example 443/443.

  • If you select ICMP as the protocol type, the port field is not applicable.

  • If the protocol type is ANY, ICMP traffic is matched only by a port range that includes 0, for example 0/80.

Application

Specifies the application layer protocol. Supported values: HTTP, HTTPS, SMTP, SMTPS, SSL, FTP, IMAPS, POP3, and ANY. Select ANY to match all application types.

Cloud Firewall identifies the application of SSL or TLS traffic based on the port:

Port        | Identified as
443         | HTTPS
465         | SMTPS
993         | IMAPS
995         | POPS
Other ports | SSL

Policy actions

Each policy specifies one of three actions:

Action  | Effect
Allow   | Traffic matching the policy is permitted.
Deny    | Traffic matching the policy is blocked.
Monitor | Traffic matching the policy is permitted, and the match is logged. Use this action to observe traffic behavior before committing to Allow or Deny.

View matched traffic on the Traffic Logs page. For more information, see Log audit.

Quota consumed by access control policies

Cloud Firewall calculates the quota consumed by each policy based on the combination of items configured.

Calculation method

Quota consumed by a policy =
  Number of source addresses × Number of destination addresses × Number of port ranges × Number of applications

where source addresses refers to the number of CIDR blocks or regions, and destination addresses refers to the number of CIDR blocks, regions, or domain names.

Total quota consumed = Quota consumed by outbound policies + Quota consumed by inbound policies

The Consumed Quota column of the access control policy list shows the quota consumed by each policy, and the header area of each firewall's policy page shows the total quota consumed for that firewall type.

DNS-based domain name policies

For policies where Destination Type is Domain Name and Domain Name Identification Mode is set to DNS-based Dynamic Resolution or FQDN and DNS-based Dynamic Resolution, the consumed quota is calculated per firewall boundary using a tiered formula:

  • If the total quota consumed by such policies on a firewall boundary is ≤ 200: actual consumed quota = total quota.

  • If the total quota consumed is > 200: actual consumed quota = 200 + (total quota − 200) × 10, that is, every unit above 200 counts ten times.

Example: You have two policies on the Internet firewall boundary, both using DNS-based dynamic resolution. Policy A consumes 185 quota units and Policy B consumes 16 quota units. The total would be 201, which exceeds 200, so the actual consumed quota is: 200 + (185 + 16 − 200) × 10 = 210.

Calculation examples

Example 1
  Source: 19.16.XX.XX/32, 17.6.XX.XX/32 (2 IP addresses)
  Destination: www.aliyun.com (1 domain name)
  Protocol: TCP
  Port: 80/88, 443/443 (2 port ranges)
  Application: HTTP, HTTPS (2 types)
  Quota consumed: 2 × 1 × 2 × 2 = 8

Example 2
  Source: Beijing, Zhejiang (2 regions)
  Destination: 19.18.XX.XX/32 (1 IP address)
  Protocol: TCP
  Port: 80/80 (1 port range)
  Application: HTTP (1 type)
  Quota consumed: 2 × 1 × 1 × 1 = 2
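The quota formula, the per-boundary tiered rule for DNS-based domain name policies, and the two calculation examples above, carried through in code. This is an added example, not part of the original page or of the Cloud Firewall product; the class and function names are this example's own. The page's own examples are reproduced as data (addresses masked exactly as on the page); the two DNS-based policies are constructed so that their products come out to 185 and 16, the figures in the page's tiered example. One assumption is labelled in the code: that a boundary's total is the tiered DNS figure added to the plain quota of its other policies.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PolicySpec:
    name: str
    boundary: str              # "internet", "nat" or "vpc" firewall boundary
    sources: List[str]         # CIDR blocks or regions
    destinations: List[str]    # CIDR blocks, regions or domain names
    ports: List[str]           # "start/end" port ranges
    applications: List[str]
    dns_dynamic: bool = False  # domain name destination with DNS-based dynamic resolution


def policy_quota(p: PolicySpec) -> int:
    """Quota = source addresses x destination addresses x port ranges x applications."""
    return len(p.sources) * len(p.destinations) * len(p.ports) * len(p.applications)


DNS_TIER_THRESHOLD = 200
DNS_TIER_MULTIPLIER = 10


def dns_tiered_quota(total: int) -> int:
    """Tiered rule for DNS-based domain policies on one boundary: the first 200
    units count once, every unit above 200 counts ten times."""
    if total <= DNS_TIER_THRESHOLD:
        return total
    return DNS_TIER_THRESHOLD + (total - DNS_TIER_THRESHOLD) * DNS_TIER_MULTIPLIER


def boundary_quota(policies: List[PolicySpec], boundary: str) -> int:
    """Quota consumed on one firewall boundary. Assumption of this example: the
    tiered DNS figure is added to the plain quota of the boundary's other policies."""
    on_boundary = [p for p in policies if p.boundary == boundary]
    plain = sum(policy_quota(p) for p in on_boundary if not p.dns_dynamic)
    dns_raw = sum(policy_quota(p) for p in on_boundary if p.dns_dynamic)
    return plain + dns_tiered_quota(dns_raw)


def total_quota(policies: List[PolicySpec]) -> Dict[str, int]:
    """Per-boundary figures plus the overall total across all policies."""
    result = {b: boundary_quota(policies, b) for b in sorted({p.boundary for p in policies})}
    result["total"] = sum(result.values())
    return result


# The page's two worked examples, as data.
EXAMPLE_1 = PolicySpec("example-1", "internet", ["19.16.XX.XX/32", "17.6.XX.XX/32"],
                       ["www.aliyun.com"], ["80/88", "443/443"], ["HTTP", "HTTPS"])
EXAMPLE_2 = PolicySpec("example-2", "internet", ["Beijing", "Zhejiang"],
                       ["19.18.XX.XX/32"], ["80/80"], ["HTTP"])

# The page's DNS-based example: policy A consumes 185 units and policy B 16.
# Constructed shapes that give those products: 5 x 37 x 1 x 1 and 4 x 4 x 1 x 1.
DNS_A = PolicySpec("dns-a", "internet", [f"10.0.{i}.0/24" for i in range(5)],
                   [f"svc{i}.example.com" for i in range(37)], ["443/443"], ["HTTPS"],
                   dns_dynamic=True)
DNS_B = PolicySpec("dns-b", "internet", [f"10.1.{i}.0/24" for i in range(4)],
                   [f"api{i}.example.com" for i in range(4)], ["443/443"], ["HTTPS"],
                   dns_dynamic=True)


if __name__ == "__main__":
    print("Example 1:", policy_quota(EXAMPLE_1), "Example 2:", policy_quota(EXAMPLE_2))
    print("DNS-based A + B on the Internet boundary:", boundary_quota([DNS_A, DNS_B], "internet"))
    print("All four policies:", total_quota([EXAMPLE_1, EXAMPLE_2, DNS_A, DNS_B]))
```

The DNS tier is the part worth running before adding a wide domain name policy: one extra unit past 200 on a boundary costs ten, so a policy that looks cheap by the plain product can push the boundary well past its budget.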

Billing

Subscription

Premium Edition, Enterprise Edition, and Ultimate Edition include a base quota for access control policies. Purchase additional quota if the included amount does not meet your needs. The additional quota applies to the Internet firewall, NAT firewalls, and VPC firewalls. For details, see Subscription.

Pay-as-you-go

Pay-as-you-go instances have the following fixed policy limits, which cannot be increased:

Firewall type     | Maximum policies
Internet firewall | 2,000
NAT firewalls     | 2,000
VPC firewalls     | 10,000

For details, see Pay-as-you-go.
