Apply default allow policies to security groups

How default allow policies work

Cloud Firewall applies four access control policies with the lowest priority to the security groups of an ECS instance that has a public IP address. These policies allow traffic from the Internet to the public IP address. The access control policies are considered security group rules. The lowest priority is 100. The four policies are automatically created. You need only to confirm and save them for the security groups.

Limits

• Advanced security groups do not support default allow policies. For more information, see Advanced security groups. If an advanced security group contains ECS instances in a VPC, default allow policies cannot be applied to the security groups that contain the ECS instances in the VPC.
• Default allow policies can be applied only to security groups of an ECS instance that has a public IP address or an elastic IP address (EIP) to allow inbound traffic from the Internet to the public IP address or EIP. You cannot apply default allow policies to security groups to allow inbound traffic from the Internet to Internet-facing Server Load Balancer (SLB) instances.
• To better protect your assets, we recommend that you do not apply default allow policies to IP addresses for which the firewalls provided by Cloud Firewall are disabled. We recommend that you do not disable the firewalls for IP addresses to which you have applied default allow policies. Otherwise, the IP addresses may be exposed to the Internet.

Apply default allow policies

To apply default allow policies, perform the following steps:

1. Log on to the Cloud Firewall console.
2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
3. On the Internet Firewall tab, find the IP address of an ECS instance to which you want to apply default allow policies and click Apply.
   
4. In the Default Allow Policy dialog box, find the security group to which the IP address is added.
   • If the existing rules of the security group do not conflict with the default allow policies, click One-click Apply and go to Step 5.
   • If the existing rules of the security group conflict with the default allow policies, the One-click Apply button is unavailable.

     The following table describes solutions to the conflicts.

     Scenario	Description	Solution
     The conflicts can be resolved.	The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default allow policies. Cloud Firewall can increase the priorities of the existing rules to resolve the conflicts.	Cloud Firewall automatically increase the priorities of the existing rules. You need to click Adjust with One Click and click OK in the Default Allow Policy dialog box. Then, Cloud Firewall adjusts the priorities of the existing rules. In the Actions column of the IP-associated Security Group list, the One-click Apply button becomes available.
     The conflicts cannot be resolved.	The security group has existing rules whose priorities are greater than or equal to 100. This results in conflicts with the default allow policies. Cloud Firewall cannot adjust the priorities of the existing rules to resolve the conflicts.	If the conflicts cannot be resolved, the Adjust with One Click button is unavailable. We recommend that you go to the Security Groups page in the ECS console to adjust the priorities of the existing rules, or contact Cloud Firewall technical support by using DingTalk.

5. In the Default Allow Policy dialog box, click One-click Apply. In the dialog box that appears, view the four default allow policies that are automatically created by Cloud Firewall. Confirm the policies and click OK. In the message that appears, click Submit. The inbound traffic from the Internet to the security group are allowed.
   Note After you click Submit, all inbound traffic from the Internet to the ECS instances in the security group are allowed. We recommend that you check whether the public IP addresses of the ECS instances in the security group are exposed to the Internet. If the public IP addresses are exposed, make sure that access control policies are applied to these IP addresses in Cloud Firewall.

   After you click One-click Apply for all security groups to which the IP address is added, the policies take effect, and the status in the Default Allow Policy column becomes Applied. You can click View to view details about all the security groups.

   Notice After you apply the default allow policies, the security groups allow inbound traffic from the Internet by default. Take note of the following descriptions:

   • After you apply the default allow policies, make sure that the firewall for the IP address in the Cloud Firewall console is enabled and create inbound access control policies on the Internet Firewall tab of the Access Control page.
   • After you apply the default allow policies to the security groups of an ECS instance that has the public IP address, the inbound traffic from the Internet to the ECS instances in the security groups is allowed by default. We recommend that you configure an appropriate number of ECS instances when you configure a security group. This helps limit the number of ECS instances that are exposed to the Internet.
   • If Cloud Firewall expires, the security groups to which you have applied the default allow policies are no longer protected by Cloud Firewall. We recommend that you renew Cloud Firewall after you receive a renewal notification or re-configure the inbound rules of the security groups to protect your ECS instances. After you apply the default allow policies, Cloud Firewall applies four inbound rules to the security groups. The policies are retained in the security groups and are in effect. If you no longer use Cloud Firewall, go to the Network & Security > Security Groups page in the ECS console to delete the policies.