Cloud Firewall provides default allow policies. You can apply the default allow policies to security groups of Elastic Compute Service (ECS) instances with a few clicks. This topic describes how to apply default allow policies to security groups.

Background information

By default, ECS security groups deny the inbound traffic from the Internet to ECS instances. If you want to allow the inbound traffic, you can apply default allow policies to a security group in the Cloud Firewall console. You do not need to log on to the ECS console to modify the rules for the security group on the Security Groups page.

How default allow policies work

Cloud Firewall applies four access control policies with the lowest priority to the security groups of an ECS instance that has a public IP address. These policies allow traffic from the Internet to the public IP address. The access control policies are considered security group rules. The lowest priority is 100. The four policies are automatically created. You need only to confirm and save them for the security groups.

Note The default allow policies take effect only on traffic allowed by security group rules. The policies do not take effect on denied traffic.

Limits

  • Advanced security groups do not support default allow policies. For more information, see Advanced security groups. If an advanced security group contains ECS instances in a VPC, default allow policies cannot be applied to the security groups that contain the ECS instances in the VPC.
  • Default allow policies can be applied only to security groups of an ECS instance that has a public IP address or an elastic IP address (EIP) to allow inbound traffic from the Internet to the public IP address or EIP. You cannot apply default allow policies to security groups to allow inbound traffic from the Internet to Internet-facing Server Load Balancer (SLB) instances.
  • To better protect your assets, we recommend that you do not apply default allow policies to IP addresses for which the firewalls provided by Cloud Firewall are disabled. We recommend that you do not disable the firewalls for IP addresses to which you have applied default allow policies. Otherwise, the IP addresses may be exposed to the Internet.

Apply default allow policies

To apply default allow policies, perform the following steps:

Warning To avoid serious security risks to your business, take note of the following descriptions:
  • Do not apply the default allow policies to IP addresses for which the firewalls provided by Cloud Firewall are disabled.
  • If traffic redirection is not supported for the public IP address of an ECS instance or an Internet-facing SLB instance, we recommend that you do not apply the default allow policies to that IP address.
  • If your Cloud Firewall expires and you no longer need it, you can go to the Network & Security > Security Groups page in the ECS console to delete the four default allow policies.
  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  3. On the Internet Firewall tab, find the IP address of an ECS instance to which you want to apply default allow policies and click Apply.
  4. In the Default Allow Policy dialog box, find the security group to which the IP address is added.
    • If the existing rules of the security group do not conflict with the default allow policies, click One-click Apply and go to Step 5.
    • If the existing rules of the security group conflict with the default allow policies, the One-click Apply button is unavailable.

      The following table describes solutions to the conflicts.

      Scenario: The conflicts can be resolved.
      Description: The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default allow policies. Cloud Firewall can increase the priorities of the existing rules to resolve the conflicts.
      Solution: Cloud Firewall automatically increases the priorities of the existing rules. You need to click Adjust with One Click and click OK in the Default Allow Policy dialog box. Then, Cloud Firewall adjusts the priorities of the existing rules. In the Actions column of the IP-associated Security Group list, the One-click Apply button becomes available.

      Scenario: The conflicts cannot be resolved.
      Description: The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default allow policies. Cloud Firewall cannot adjust the priorities of the existing rules to resolve the conflicts.
      Solution: If the conflicts cannot be resolved, the Adjust with One Click button is unavailable. We recommend that you go to the Security Groups page in the ECS console to adjust the priorities of the existing rules, or contact Cloud Firewall technical support by using DingTalk.
  5. In the Default Allow Policy dialog box, click One-click Apply. In the dialog box that appears, view the four default allow policies that are automatically created by Cloud Firewall. Confirm the policies and click OK. In the message that appears, click Submit. The inbound traffic from the Internet to the security group is allowed.
    Note After you click Submit, all inbound traffic from the Internet to the ECS instances in the security group is allowed. We recommend that you check whether the public IP addresses of the ECS instances in the security group are exposed to the Internet. If the public IP addresses are exposed, make sure that access control policies are applied to these IP addresses in Cloud Firewall.

    After you click One-click Apply for all security groups to which the IP address is added, the policies take effect, and the status in the Default Allow Policy column becomes Applied. You can click View to view details about all the security groups.

    Notice After you apply the default allow policies, the security groups allow inbound traffic from the Internet by default. Take note of the following descriptions:
    • After you apply the default allow policies, make sure that the firewall for the IP address in the Cloud Firewall console is enabled and create inbound access control policies on the Internet Firewall tab of the Access Control page.
    • After you apply the default allow policies to the security groups of an ECS instance that has a public IP address, the inbound traffic from the Internet to all ECS instances in those security groups is allowed by default. We recommend that you keep the number of ECS instances in a security group appropriate. This limits the number of ECS instances that are exposed to the Internet.
    • If Cloud Firewall expires, the security groups to which you have applied the default allow policies are no longer protected by Cloud Firewall. We recommend that you renew Cloud Firewall after you receive a renewal notification or re-configure the inbound rules of the security groups to protect your ECS instances. After you apply the default allow policies, Cloud Firewall applies four inbound rules to the security groups. The policies are retained in the security groups and are in effect. If you no longer use Cloud Firewall, go to the Network & Security > Security Groups page in the ECS console to delete the policies.

What to do next

Check the status of the default allow policies

After you apply the default allow policies, you can go to the Firewall Settings > Internet Firewall page to check whether the policies are applied to the security groups of your ECS instance. If the policies fail to be applied, troubleshoot the failure in time.

The default allow policies can be in one of the following states:

  • Applied: The policies are applied to all security groups of the ECS instance that has the IP address. All inbound traffic from the Internet to the ECS instances in the security groups is allowed. If an ECS instance is added to multiple security groups, you must apply the default allow policies to all the security groups before the policies can take effect.
  • Not Applied: The policies are applied only to some security groups of the ECS instance that has the IP address. In this case, the security group rules control inbound traffic from the Internet to the ECS instance. If configuration conflicts among security group rules exist or you did not perform the One-click Apply operation, the policies may be in the Not Applied state.
  • -: This type of asset does not support default allow policies. Default allow policies are supported only for public IP addresses and EIPs of ECS instances. IP addresses such as IP addresses of SLB instances, EIPs of elastic network interfaces (ENIs), and EIPs of network address translation (NAT) gateways are not supported.
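As an added example (not Alibaba Cloud code), the following Python models the two checks this page describes: the priority-conflict check behind Adjust with One Click in Step 4, and the Applied, Not Applied and - states listed above. Assumed, not taken from the page: rule priorities run from 1 (highest) to 100 (lowest), the constructed `cloud_firewall_managed` flag that marks a default allow rule, and the ordering criterion used to decide whether a conflict is resolvable.

```python
from dataclasses import dataclass, field

DEFAULT_ALLOW_PRIORITY = 100  # lowest priority; the four policies are created here
DEFAULT_ALLOW_RULE_COUNT = 4
SUPPORTED_ASSETS = {"ecs_public_ip", "ecs_eip"}  # SLB, ENI EIP, NAT EIP show "-"

@dataclass
class SgRule:
    name: str
    priority: int                         # assumption: 1 (highest) .. 100 (lowest)
    cloud_firewall_managed: bool = False  # constructed marker for a default allow policy

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

    def has_default_allow(self):
        return sum(r.cloud_firewall_managed for r in self.rules) == DEFAULT_ALLOW_RULE_COUNT

    def conflicting_rules(self):
        """Existing rules at priority >= 100 collide with the default allow policies."""
        return [r for r in self.rules
                if not r.cloud_firewall_managed and r.priority >= DEFAULT_ALLOW_PRIORITY]

def default_allow_status(asset_type, groups):
    """The three values of the Default Allow Policy column: Applied, Not Applied, -."""
    if asset_type not in SUPPORTED_ASSETS:
        return "-"
    # Applied only when every security group of the instance carries all four policies.
    return "Applied" if all(g.has_default_allow() for g in groups) else "Not Applied"

def adjust_priorities(group):
    """Model of Adjust with One Click: (resolvable, {rule name: new priority}).
    Conflicting rules move above priority 100 without overtaking any other rule.
    If no free priority is left between the other rules and 100, the conflict is
    reported as unresolvable and the group is left unchanged (assumption: the
    documentation does not give the console's criterion)."""
    conflicts = sorted(group.conflicting_rules(), key=lambda r: r.priority)
    others = [r.priority for r in group.rules
              if not r.cloud_firewall_managed and r.priority < DEFAULT_ALLOW_PRIORITY]
    free = range(max(others, default=0) + 1, DEFAULT_ALLOW_PRIORITY)  # e.g. 98, 99
    if len(conflicts) > len(free):
        return False, {}
    proposed = {rule.name: prio for rule, prio in zip(conflicts, free)}
    for rule in group.rules:
        if rule.name in proposed:
            rule.priority = proposed[rule.name]
    return True, proposed
```

Running `adjust_priorities` on a group whose only non-conflicting rule sits at priority 99 returns `(False, {})`, the case the table routes to the ECS console or technical support.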