Internal firewalls can control inbound and outbound traffic between Elastic Compute Service (ECS) instances to block unauthorized access. The access control policies that you configured and published for internal firewalls in the Cloud Firewall console are synchronized to ECS security groups.
Background information
- You can publish multiple policies at a time.
- You can set access control policies to the monitor mode.
- Cloud Firewall creates security groups based on application groups.
- You can manage access control policies in the Cloud Firewall console without the need to switch between different regions of ECS instances.
By default, you can create up to 100 policy groups and up to 100 policies in each group. This limit counts both the policies synchronized from ECS security groups to Cloud Firewall and the policies created in the Cloud Firewall console. If you need more policies, we recommend that you delete unnecessary policies promptly or configure access control policies for VPC firewalls instead.
Supported editions
Only the Enterprise Edition and Ultimate Edition of Cloud Firewall support the internal firewall feature.
Policy group types
Policy groups are classified into common policy groups and enterprise policy groups. The following list describes the scenarios to which each type applies.
- A common policy group takes effect on the basic security groups of ECS instances. It functions as a virtual firewall to monitor connection status and filter data packets, and can be used to isolate security domains on the cloud. You can configure access control policies to allow or deny inbound and outbound traffic between ECS instances in a common policy group.
- An enterprise policy group takes effect on the advanced security groups of ECS instances. It supports more ECS instances than a common policy group. You can configure access control policies for a large number of private IP addresses. Enterprise policy groups are ideal for enterprises that require efficient O&M on large-scale networks.
| Feature | Common policy group | Enterprise policy group |
|---|---|---|
| VPC | Supported | Supported |
| Policy priority configuration | Supported | Not supported |
| Authorization of other policy groups | Supported | Not supported |
| Custom policy configuration to allow traffic | Supported | Supported |
| Custom policy configuration to deny traffic | Supported | Not supported (enterprise policy groups deny all traffic by default) |
| Number of private IP addresses | 2,000 | 65,536 |
| Communication between ECS instances in the same policy group | Not supported (you must manually create policies to allow the communication) | Not supported (you must manually create policies to allow the communication) |
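As an added example (not Alibaba Cloud's own code or API), the following pre-publish check encodes the limits and per-type rules stated above, so that a policy set that would be rejected or silently ineffective (for example a deny rule in an enterprise policy group) is caught before it is synchronized to ECS security groups. The data model, field names and the counts used in the check are assumptions made for illustration.

```python
# Added example: validate internal-firewall policy groups against the limits
# and per-type rules documented on this page before publishing them.
# Data model and field names are assumed; they are not Cloud Firewall's API.
from dataclasses import dataclass, field
from typing import List

MAX_GROUPS = 100                                  # policy groups per account
MAX_POLICIES = 100                                # policies per group (incl. synced ones)
MAX_IPS = {"common": 2000, "enterprise": 65536}   # private IP addresses per group type


@dataclass
class Policy:
    action: str        # "allow" or "deny"
    direction: str     # "in" or "out"
    priority: int = 1  # only configurable for common policy groups


@dataclass
class PolicyGroup:
    name: str
    kind: str          # "common" or "enterprise"
    private_ips: int   # number of private IP addresses covered by the group
    policies: List[Policy] = field(default_factory=list)


def validate_groups(groups: List[PolicyGroup]) -> List[str]:
    """Return human-readable violations; an empty list means the set is publishable."""
    errors = []
    if len(groups) > MAX_GROUPS:
        errors.append(f"{len(groups)} policy groups exceed the limit of {MAX_GROUPS}")
    for g in groups:
        if g.kind not in MAX_IPS:
            errors.append(f"{g.name}: unknown group type {g.kind!r}")
            continue
        if len(g.policies) > MAX_POLICIES:
            errors.append(f"{g.name}: {len(g.policies)} policies exceed {MAX_POLICIES}")
        if g.private_ips > MAX_IPS[g.kind]:
            errors.append(f"{g.name}: {g.private_ips} private IPs exceed {MAX_IPS[g.kind]}")
        for i, p in enumerate(g.policies):
            if p.action not in ("allow", "deny") or p.direction not in ("in", "out"):
                errors.append(f"{g.name}: policy {i} has an invalid action or direction")
            # Enterprise groups deny everything by default and accept allow rules only,
            # and they do not support per-policy priorities.
            if g.kind == "enterprise" and p.action == "deny":
                errors.append(f"{g.name}: policy {i} is a deny rule; enterprise groups allow-list only")
            if g.kind == "enterprise" and p.priority != 1:
                errors.append(f"{g.name}: policy {i} sets a priority; not supported for enterprise groups")
    return errors
```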
Create a policy group
Configure a policy in a policy group
After you create a policy group, you must configure at least one policy in that group.
Publish a policy in a policy group
To apply a policy that you have created, you must publish it. Only after it is published does the policy control inbound or outbound traffic.