
Cloud Firewall: Get started with Cloud Firewall that uses the subscription billing method

Last Updated: Jun 20, 2024

Cloud Firewall is used to ensure network security for workloads that you migrate to Alibaba Cloud. Cloud Firewall provides core features such as network-wide traffic identification, centralized policy management, and intrusion detection. Cloud Firewall protects traffic from the Internet to your Elastic Compute Service (ECS) instances, traffic from your ECS instances to the Internet, and traffic between your ECS instances. This topic describes the features of Cloud Firewall. This topic also describes how to use the features.

Features

| Module | Feature | Default status | Whether manual operation is required |
| --- | --- | --- | --- |
| Firewall settings | Internet firewall (mutual) | The Internet firewall is enabled for all assets within the available quota. | No. If the quota is insufficient to enable the Internet firewall for all assets, increase the quota. |
| Firewall settings | Virtual private cloud (VPC) firewall | No firewall is created or enabled. | You must manually create a firewall and enable it. |
| Firewall settings | NAT firewall | No firewall is created or enabled. | You must manually create a firewall and enable it. |
| Intrusion prevention | Internet boundary | By default, the Block - Medium mode is enabled. The system automatically selects a mode based on your business. | We recommend that you retain the default settings. |
| Intrusion prevention | VPC boundary | N/A. | When you create a VPC firewall, you can configure a mode for intrusion prevention. The specified mode is automatically enabled when you enable the VPC firewall. |
| Access control | Internet boundary | All traffic is allowed. | You can modify the settings based on your business requirements. |
| Access control | VPC boundary | N/A. | After you enable a VPC firewall, you can modify the settings based on your business requirements. |
| Access control | NAT boundary | N/A. | After you enable a NAT firewall, you can modify the settings based on your business requirements. |
| Access control | Internal boundary | N/A. | You can modify the settings. |
| Notifications | Notifications | Notifications are enabled. You must configure notification recipients. | You must configure notification recipients. |
| Multi-account management | Multi-account management | N/A. | You must configure the multi-account management feature. |

Procedure


Prerequisites

Cloud Firewall is purchased. For more information, see Purchase Cloud Firewall.

Step 1: Enable firewalls

Cloud Firewall provides the following types of firewalls: Internet firewall, VPC firewall, internal firewall, and NAT firewall. If you do not configure an access control policy or enable a mode of the threat detection engine after you purchase Cloud Firewall, Cloud Firewall cannot protect your services.

| Firewall type | Description | References |
| --- | --- | --- |
| Internet firewall | The Internet firewall can protect traffic between public IP addresses in a centralized manner. | Enable the Internet firewall. For more information, see Internet Firewall. |
| VPC firewall | A VPC firewall can protect traffic between network instances that are connected by using a transit router of a Cloud Enterprise Network (CEN) instance or an Express Connect circuit. For more information about the protection scope, see Overview. Note: Only Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls. | Enable a VPC firewall. For more information, see Configure a VPC firewall for an Enterprise Edition transit router. |
| Internal firewall | An internal firewall can protect inbound and outbound traffic between ECS instances and blocks unauthorized access. The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. You do not need to enable internal firewalls. Note: Only Cloud Firewall Enterprise Edition and Ultimate Edition support internal firewalls. | Configure access control policies for an internal firewall. For more information, see Create an access control policy for an internal firewall. |
| NAT firewall | A NAT firewall can control and protect traffic of private IP addresses that are used to access the Internet. | Enable a NAT firewall. For more information, see NAT firewalls. |

After you enable or disable a firewall for your assets, the status of the firewall changes to Enabled or Disabled in the Firewall Status column. The value Enabled indicates that the firewall is in effect. The value Disabled indicates that the firewall no longer protects your assets. The system requires several seconds to update the status of the firewall.

Step 2: Configure the intrusion prevention feature

(Optional) Configure intrusion prevention policies

Cloud Firewall has a built-in intrusion prevention system (IPS) that can detect and intercept malicious traffic and attacks, such as request payloads and malicious files that contain trojans and webshells, in real time. Cloud Firewall can intelligently block intrusions based on threat intelligence. The IPS detects attacks based on the threat intelligence feature, intrusion prevention rules, intelligent model-based recognition algorithms, and virtual patching feature. For more information, see IPS configuration.

The working modes of the threat detection engine are Monitor Mode and Block Mode. In Monitor working mode, Cloud Firewall only generates alerts for malicious traffic. In Block working mode, Cloud Firewall generates alerts and automatically blocks attack payloads. Cloud Firewall also provides different levels of Block Mode for different types of attacks. The following table describes the usage scenarios of the levels.

Important

When you modify prevention configurations, we recommend that you enable the Monitor working mode first. After a trial run, analyze false positives, and then enable the Block working mode based on the analysis result.

For more information about intrusion prevention, see the following topics:

View protection results

You can perform the following operations to view the intrusion blocking information: Log on to the Cloud Firewall console. In the left-side navigation pane, choose Detection and Response > Intrusion Prevention. On the Intrusion Prevention page, click the Protection Status or VPC Protection tab. The intrusion blocking information includes the source IP address, destination IP address, blocked application, blocked source, and blocking event details. For more information, see Intrusion prevention.


Step 3: View traffic statistics

The traffic analysis feature provides real-time traffic statistics, such as statistics about outbound connections, Internet exposures, and VPC access, to allow you to control traffic in a visualized manner and identify unusual traffic.

  • Outbound Connection

    You can view the domain names and IP addresses of cloud assets on the Outbound Connection page. You can check the configured outbound access control policies based on intelligence tags, access details, and logs. For more information, see Outbound Connection.

  • Internet Exposure

    You can view the services, ports, public IP addresses, and cloud service information that are exposed on the Internet. You can reinforce the access control policies based on recommended intelligent policies and the information about open public IP addresses. For more information, see Internet Exposure.

  • VPC Access

    The VPC Access page displays traffic trend charts, sessions, and open ports between VPCs. You can view and troubleshoot unusual traffic and reinforce access control policies for VPCs. For more information, see VPC Access.

Important

Traffic statistics are essential information that you can use to configure appropriate access control policies. Before you configure access control policies, we recommend that you view traffic statistics about your assets.

Step 4: Create access control policies

Cloud Firewall allows you to create access control policies for inbound and outbound traffic over the Internet and mutual access traffic over an internal network to reduce the risk of intrusions into your assets.

If you do not configure an access control policy, Cloud Firewall allows all traffic. For more information about how to configure access control policies, see the following topics:

Configure access control policies

Important

We recommend that you set the action of outbound policies to Deny, except for policies that allow outbound connections that are required for your business.

If the source address of an outbound access control policy is a private IP address, make sure that a NAT firewall is created. Otherwise, the outbound access control policy does not take effect. For more information, see NAT Firewall.

| Boundary | Direction | Description | References |
| --- | --- | --- | --- |
| Internet boundary | Outbound | An outbound access control policy that is created for the Internet firewall can manage outbound traffic from cloud assets to the Internet. We recommend that you configure a policy to allow traffic to the Internet, and then configure a policy to deny traffic from all cloud assets to the Internet. This allows traffic from specific cloud assets to the Internet and denies all outbound traffic from cloud assets in internal networks. This facilitates the management of risks in outbound connections. Before you configure an access control policy for the Internet firewall, make sure that the Internet firewall is enabled. Otherwise, the policy does not take effect. You must configure an outbound policy to allow traffic from trusted IP addresses to the Internet and specify the Highest priority for the policy. Then, create a second outbound policy to deny traffic from all sources to the Internet and specify the Lowest priority for the policy. If you want to specify multiple sources, destinations, and ports, you can use an address book or create multiple policies. | Configure the access control policy that only allow access to a certain port of outbound to inbound traffic |
| Internet boundary | Inbound | An access control policy that is created for the Internet firewall can manage inbound traffic from a user to a cloud service. We recommend that you create an Allow policy to allow traffic to the cloud service, and then create a Deny policy to deny traffic from all sources, protocols, ports, and applications. This allows trusted traffic and blocks suspicious or malicious traffic. This facilitates the management of risks from external networks. Before you configure an access control policy for the Internet firewall, make sure that the Internet firewall is enabled. Otherwise, the policy does not take effect. You must create an inbound policy to allow traffic from trusted IP addresses to the internal network and specify the Highest priority for the policy. Then, create a second inbound policy to deny traffic from all sources to the internal network and specify the Lowest priority for the policy. If you want to specify multiple sources, destinations, and ports, you can use an address book or create multiple policies. | |
| NAT boundary | Outbound | After you enable a NAT firewall or a NAT gateway, the NAT firewall monitors all outbound traffic from internal-facing resources in VPCs to the NAT gateway, including resources in the same VPC and resources across VPCs. The NAT firewall matches information about traffic against user-defined access control policies and the built-in threat intelligence library to determine whether to allow the traffic. The information includes the source address, destination address, port, protocol, application, and domain name. This way, unauthorized access to the Internet is blocked. | Configure access control policies to allow traffic from an internal-facing server only to a specific domain name |
| VPC boundary | Mutual | An access control policy that is created for a VPC firewall can control traffic between two VPCs. We recommend that you configure a policy to allow traffic from trusted IP addresses to a VPC, and then configure another policy to deny traffic from other IP addresses to the VPC. A VPC firewall can monitor and control traffic between two VPCs. By default, after you enable a VPC firewall, the VPC firewall allows all traffic. You must create an Allow policy for a VPC firewall to allow traffic from trusted sources and specify the Highest priority for the policy. Then, create a second Deny policy for the VPC firewall to deny traffic from all sources and specify the Lowest priority for the policy. | Configure an access control policy for a VPC firewall |
| Internal boundary | Inbound and outbound | An internal firewall can manage inbound and outbound traffic between ECS instances to block unauthorized access in a fine-grained manner. The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. We recommend that you configure an access control policy to allow traffic to a cloud service, and then configure an access control policy to deny all sources, protocols, ports, and applications. Policy groups are classified into common and enterprise policy groups. If you have a small number of ECS instances, you can use common policy groups, which are ECS security groups. If you have a large number of ECS instances, we recommend that you use enterprise policy groups. Compared with common policy groups, enterprise policy groups can contain more instances. The number of private IP addresses that can be contained in an enterprise policy group is unlimited. You can configure security group rules for and maintain an enterprise security group in a simpler and easier manner. Enterprise security groups are suitable for enterprises that require efficient O&M on large-scale networks. | Configure an access control policy for an internal firewall |
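The recommended ordering above (an Allow policy at the Highest priority, a deny-all policy at the Lowest priority) can be checked offline before it is entered in the console. The following Python sketch is an added example, not Alibaba Cloud code or a Cloud Firewall API: the Policy model, the evaluate and audit helpers, and the sample addresses are hypothetical, and it assumes that the first matching policy in priority order decides the action.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "0.0.0.0/0"

@dataclass
class Policy:          # hypothetical local model, not a Cloud Firewall API object
    priority: int      # 1 = Highest priority; larger values are evaluated later
    source: str        # CIDR block
    destination: str   # CIDR block
    port: int          # 0 = any port
    action: str        # "allow" or "deny"

def is_deny_all(p):
    return p.action == "deny" and p.port == 0 and p.source == p.destination == ANY

def evaluate(policies, src, dst, port):
    """Assumed semantics: the first matching policy in priority order decides."""
    for p in sorted(policies, key=lambda p: p.priority):
        if (ip_address(src) in ip_network(p.source)
                and ip_address(dst) in ip_network(p.destination)
                and p.port in (0, port)):
            return p.action
    return "allow"     # no policy matched: Cloud Firewall allows all traffic

def audit(policies, nat_firewall_enabled):
    """Check an outbound policy set against the recommendations in this topic."""
    findings = []
    ordered = sorted(policies, key=lambda p: p.priority)
    if not ordered or not is_deny_all(ordered[-1]):
        findings.append("no deny-all policy at the Lowest priority: "
                        "unmatched traffic is allowed")
    for p in ordered[:-1]:
        if is_deny_all(p):
            findings.append(f"deny-all at priority {p.priority} blocks traffic "
                            "that lower-priority Allow policies should permit")
    private = [p for p in ordered
               if any(ip_network(p.source).subnet_of(n) for n in RFC1918)]
    if private and not nat_firewall_enabled:
        findings.append("private source address without a NAT firewall: "
                        "the outbound policy does not take effect")
    return findings

# Constructed sample values (documentation address ranges, not real assets).
ALLOW = Policy(1, "203.0.113.10/32", "198.51.100.20/32", 443, "allow")
DENY_ALL = Policy(100, ANY, ANY, 0, "deny")
```

An empty list from audit means the set follows the allow-first, deny-all-last pattern. The evaluate helper shows the effect of leaving out the deny-all policy: traffic that matches no policy is still allowed.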

View the hit details of access control policies

By default, an access control policy immediately takes effect after it is created. You can perform the following operations to view the hit details of an access control policy: Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border. In the access control policy list, find the access control policy and view the hit status of the policy in the Hits/Last Hit At column. For more information, see Create access control policies for the Internet firewall.


The Hits/Last Hit At column displays the number of hits and the time when the policy was last hit. If a value is displayed in the column, the policy was hit. You can click the value to go to the Traffic Logs tab to view details. For more information, see Log audit.

Step 5: Configure notifications

You can configure notifications so that you are alerted when asset attack risks occur or when assets are added. This way, you can analyze the status of assets and handle exceptions at the earliest opportunity to ensure asset security.

For more information about the notification types that are supported by Cloud Firewall and how to configure notifications, see Notifications.

References

  • For information about how to troubleshoot exceptions on network traffic analysis, see FAQ about network traffic analysis.

  • For information about how to troubleshoot exceptions on attack prevention, see FAQ about attack prevention.

  • The log analysis feature allows you to collect, query, analyze, process, and consume the traffic logs of protected assets in real time. For more information, see Log analysis.

  • The multi-account management feature allows you to manage resources in a centralized manner. For more information, see Use the multi-account management feature.