
Cloud Firewall:Configure access control policies

Last Updated:Apr 12, 2024

This topic provides examples on how to configure access control policies for the Internet firewall, a virtual private cloud (VPC) firewall, and an internal firewall.

Configure an access control policy for the Internet firewall

In Cloud Firewall, inbound and outbound traffic between the Internet and your cloud assets is also referred to as north-south traffic or Internet traffic. You can configure access control policies in the Cloud Firewall console to manage north-south traffic. After you create access control policies, Cloud Firewall enforces them on every matching flow. For more information about the parameters of an access control policy that you can configure for the Internet firewall, see Create inbound and outbound access control policies for the Internet firewall.

Configure an inbound policy to allow Internet traffic destined for a specified port

For example, you want to create an inbound policy to allow Internet traffic that is destined only for TCP port 80 of an Elastic Compute Service (ECS) instance. The IP address of the ECS instance is 10.1.XX.XX, and the elastic IP address (EIP) is 200.2.XX.XX/32.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure a policy.

    1. Configure a policy to allow Internet traffic from all sources to the ECS instance and click OK.

      The following table describes the parameters.

      Parameter

      Description

      Example

      Source Type

      The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

      • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

        If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

      • If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select one or more regions in or outside China.

      IP

      Source

      0.0.0.0/0

      Note

      The value 0.0.0.0/0 specifies all public IP addresses.

      Destination Type

      The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

      • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

        If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

      IP

      Destination

      200.2.XX.XX/32

      Protocol Type

      The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

      TCP

      Port Type

      The port type and port number of the destination.

      • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

        If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

      Port

      Port

      80/80

      Application

      The application type of the traffic.

      • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

      • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

      • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application.

      Note

      Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

      ANY

      Action

      The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

      • Allow: The traffic is allowed.

      • Deny: The traffic is denied, and no notifications are sent.

      • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

      Allow

      Priority

      The priority of the access control policy. Default value: Lowest. Valid values:

      • Highest: The access control policy has the highest priority.

      • Lowest: The access control policy has the lowest priority.

      Highest

      Status

      Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

      Enabled

    2. Configure a policy to deny Internet traffic destined for all ECS instances and click OK.

      Configure the Deny policy based on the descriptions for the preceding Allow policy. The following list describes the parameters:

      • Destination: Enter 0.0.0.0/0.

        Note

        The value 0.0.0.0/0 specifies the IP addresses of all ECS instances.

      • Protocol Type: Select ANY.

      • Port: Enter 0/0.

        Note

        The value 0/0 specifies all ports of the ECS instance.

      • Application: Select ANY.

      • Action: Select Deny.

      • Priority: Select Lowest.

    After you complete the configurations, make sure that the priority of the Allow policy is higher than that of the Deny policy.

Configure an outbound policy to allow an ECS instance to access a specified domain name

For example, you want to create an outbound policy to allow an ECS instance to access www.aliyundoc.com. The IP address of the ECS instance is 10.1.XX.XX, and the EIP is 47.100.XX.XX/32.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Outbound tab, click Create Policy. In the Create Outbound Policy panel, click the Create Policy tab and configure a policy.

    1. Configure a policy to allow the ECS instance to access www.aliyundoc.com and click OK.

      The following table describes the parameters.

      Parameter

      Description

      Example

      Source Type

      The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

      • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

        If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

      IP

      Source

      47.100.XX.XX/32

      Destination Type

      The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

      • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

        If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

      • If you set Destination Type to Domain Name, enter a domain name for Destination. Wildcard domain names are supported in policies.

        Cloud Firewall can resolve domain names, display the resolution results, and control access to the IP addresses to which the domain names are resolved. A domain name can be resolved to up to 500 IP addresses. For more information, see Domain name resolution.

        Note

        Cloud Firewall cannot resolve wildcard domain names.

      • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can select one or more regions in or outside China.

      Domain name

      Destination

      www.aliyundoc.com

      Note

      You can also set Destination Type to IP and enter the IP addresses to which the domain name resolves.

      Protocol Type

      The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

      TCP

      Port Type

      The port type and port number of the destination.

      • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

        If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

      • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

      Port

      Port

      0/0

      Note

      The value 0/0 specifies all ports.

      Application

      The application type of the traffic.

      • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

      • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

      • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application.

      Note

      Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

      ANY

      Action

      The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

      • Allow: The traffic is allowed.

      • Deny: The traffic is denied, and no notifications are sent.

      • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

      Allow

      Priority

      The priority of the access control policy. Default value: Lowest. Valid values:

      • Highest: The access control policy has the highest priority.

      • Lowest: The access control policy has the lowest priority.

      Highest

      Status

      Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

      Enabled

    2. Configure a policy to deny access from the ECS instance to all other Internet destinations and click OK.

      Configure the Deny policy based on the descriptions for the preceding Allow policy. The following list describes the parameters:

      • Source: Enter 47.100.XX.XX/32.

      • Destination: Enter 0.0.0.0/0.

        Note

        The value 0.0.0.0/0 specifies all public IP addresses on the Internet.

      • Protocol Type: Select ANY.

      • Port: Enter 0/0.

        Note

        The value 0/0 specifies all destination ports.

      • Application: Select ANY.

      • Action: Select Deny.

      • Priority: Select Lowest.

    After you complete the configurations, make sure that the priority of the Allow policy is higher than that of the Deny policy.
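Both procedures above rely on the same rule: Cloud Firewall evaluates policies from the highest priority down, and the first matching policy decides, so the narrow Allow policy must sit above the catch-all Deny policy. The following Python model is an added example and not code from Cloud Firewall or from this page; it reproduces that first-match evaluation for the two examples above. The addresses are constructed (203.0.113.10 and 198.51.100.20 stand in for the masked EIPs, 192.0.2.5 for an Internet client), the resolution result for www.aliyundoc.com is constructed, and the model ignores region sources, address books, and application identification.

```python
"""
Added example (not Cloud Firewall code): a model of how an ordered list of
Internet-border policies decides a flow. Policies are evaluated from highest
to lowest priority and the first match wins, which is why the page pairs a
narrow Allow policy (Highest) with a catch-all Deny policy (Lowest).
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the masked EIPs on the page (documentation ranges).
INBOUND_EIP = "203.0.113.10"    # stands in for 200.2.XX.XX
OUTBOUND_EIP = "198.51.100.20"  # stands in for 47.100.XX.XX
# Constructed resolution result; the real firewall resolves the domain itself.
RESOLVED = {"www.aliyundoc.com": ["192.0.2.200/32", "192.0.2.201/32"]}


@dataclass(frozen=True)
class Policy:
    direction: str    # "in" (Internet -> EIP) or "out" (EIP -> Internet)
    source: str       # comma-separated CIDR blocks, "0.0.0.0/0" = any
    destination: str  # comma-separated CIDR blocks or a domain name
    proto: str        # "TCP", "UDP", "ICMP" or "ANY"
    ports: str        # "80/80", "22/22,80/88", or "0/0" = all ports
    action: str       # "Allow", "Deny" or "Monitor"


def parse_ports(spec):
    """'22/22,80/88' -> [(22, 22), (80, 88)]; '0/0' means every port."""
    ranges = []
    for item in spec.split(","):
        lo, hi = (int(x) for x in item.strip().split("/"))
        if (lo, hi) == (0, 0):
            return [(0, 65535)]
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def in_cidrs(ip, spec):
    """True if ip falls in any of the comma-separated CIDR blocks in spec."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def destination_matches(policy, dst_ip):
    # A domain-name destination matches the addresses the name resolves to.
    if policy.destination in RESOLVED:
        return in_cidrs(dst_ip, ",".join(RESOLVED[policy.destination]))
    return in_cidrs(dst_ip, policy.destination)


def matches(policy, direction, src_ip, dst_ip, proto, port):
    return (policy.direction == direction
            and in_cidrs(src_ip, policy.source)
            and destination_matches(policy, dst_ip)
            and policy.proto in ("ANY", proto)
            and any(lo <= port <= hi for lo, hi in parse_ports(policy.ports)))


def evaluate(policies, direction, src_ip, dst_ip, proto, port):
    """policies is ordered from highest to lowest priority; first match wins.
    Returns the policy action, or 'no match' when no policy applies."""
    for p in policies:
        if matches(p, direction, src_ip, dst_ip, proto, port):
            return p.action
    return "no match"


# The page's first example: allow only TCP/80 to the EIP, deny everything else.
INBOUND = [
    Policy("in", "0.0.0.0/0", f"{INBOUND_EIP}/32", "TCP", "80/80", "Allow"),
    Policy("in", "0.0.0.0/0", "0.0.0.0/0", "ANY", "0/0", "Deny"),
]
# The page's second example: the instance may reach www.aliyundoc.com only.
OUTBOUND = [
    Policy("out", f"{OUTBOUND_EIP}/32", "www.aliyundoc.com", "TCP", "0/0", "Allow"),
    Policy("out", f"{OUTBOUND_EIP}/32", "0.0.0.0/0", "ANY", "0/0", "Deny"),
]


def demo():
    client = "192.0.2.5"  # constructed Internet client
    return {
        "web_in": evaluate(INBOUND, "in", client, INBOUND_EIP, "TCP", 80),
        "ssh_in": evaluate(INBOUND, "in", client, INBOUND_EIP, "TCP", 22),
        # Same two policies with the priorities swapped: the catch-all wins.
        "web_in_wrong_order": evaluate(list(reversed(INBOUND)), "in", client, INBOUND_EIP, "TCP", 80),
        "doc_site_out": evaluate(OUTBOUND, "out", OUTBOUND_EIP, "192.0.2.200", "TCP", 443),
        "other_site_out": evaluate(OUTBOUND, "out", OUTBOUND_EIP, "192.0.2.77", "TCP", 443),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} {action}")
```

Running it shows that swapping the two inbound policies turns the TCP/80 Allow into a Deny, which is the misconfiguration the reminder to keep the Allow policy above the Deny policy guards against. The model also returns "no match" when no policy applies, so you can see what the lowest-priority Deny policy with 0.0.0.0/0 and 0/0 is for.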

Configure an inbound policy to deny traffic destined for an ECS instance from regions outside China

For example, you want to create an inbound policy to deny traffic destined for an ECS instance from regions outside China. The IP address of the ECS instance is 10.1.XX.XX, and the EIP is 47.100.XX.XX/32.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure a policy.

    The following table describes the parameters.

    Parameter

    Description

    Example

    Source Type

    The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select one or more regions in or outside China.

    Region

    Source

    Regions outside China

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    IP

    Destination

    47.100.XX.XX/32

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    ANY

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port

    Port

    0/0

    Note

    The value 0/0 specifies all ports.

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    ANY

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Deny

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Highest

    Status

    Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

    Enabled

Configure an access control policy for a VPC firewall

A VPC firewall can monitor and control traffic between two VPCs. The traffic is also referred to as east-west traffic. If you want to manage traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources. For more information about the parameters of an access control policy that you can configure for a VPC firewall, see Create an access control policy for a VPC firewall.

Deny traffic between ECS instances that reside in different VPCs

Note

If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or connected by using an Express Connect circuit, the ECS instances that reside in the VPCs can communicate with each other.

For example, you want to deny access from ECS 1 to ECS 2. ECS 1 resides in VPC 1, and ECS 2 resides in VPC 2. The VPCs are attached to the same CEN instance. The IP address of ECS 1 is 10.33.XX.XX/32, and the IP address of ECS 2 is 10.66.XX.XX/32.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > VPC Border.

  3. On the VPC Border page, click Create Policy.

  4. In the Create Policy - VPC Border dialog box, configure the parameters and click OK.

    The following table describes the parameters.

    Parameter

    Description

    Example

    Source Type

    Select the type of the traffic source.

    IP

    Source

    Specify the address of the traffic source.

    10.33.XX.XX/32

    Destination Type

    Select the type of the traffic destination.

    IP

    Destination

    Specify the address of the traffic destination.

    10.66.XX.XX/32

    Protocol Type

    Select the transport layer protocol of the traffic.

    TCP

    Port Type

    Select the type of the port: Port or Address Book.

    Port

    Port

    Specify the port ranges on which you want to manage traffic. If you set Port Type to Port, enter a port range. If you set Port Type to Address Book, configure the Port Address Book parameter and click Select. The value 0/0 specifies all ports.

    0/0

    Application

    Select the application type of the traffic. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.

    ANY

    Action

    Select the action to take on traffic that matches the policy.

    Deny

Configure an access control policy for an internal firewall

An internal firewall can manage inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. For more information about the parameters of an access control policy that you can configure for an internal firewall, see Create an access control policy for an internal firewall between ECS instances.

Allow traffic between ECS instances in the same policy group

Note

If you configure security group rules in the ECS console, ECS instances in the same ECS security group can communicate with each other by default. The internal firewalls of Cloud Firewall behave differently: a policy group that is created for an internal firewall can contain multiple ECS instances, but by default the instances cannot communicate with each other.

For example, you want to allow traffic between ECS 1 and ECS 2 that reside in the sg-test policy group. The IP address of ECS 1 is 10.33.XX.XX, and the IP address of ECS 2 is 10.66.XX.XX.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internal Border.

  3. On the Internal Border page, find the required policy group and click Configure Policy in the Actions column.

  4. On the Inbound tab, click Create Policy.

    The following table describes the parameters of an inbound policy.

    Parameter

    Description

    Example

    Policy Type

    Select the type of the policy. Valid values:

    • Allow: allows traffic that hits the policy.

    • Deny: denies traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configurations but different policy types, the policy whose type is Deny takes effect.

      Note

      Enterprise policy groups do not support the Deny policy type.

    Allow

    Protocol Type

    Select the protocol type of the traffic.

    TCP

    Port Range

    Specify the port ranges on which you want to manage traffic. The value 0/0 specifies all ports.

    0/0

    Source Type and Source

    Specify the address of the traffic source. These parameters are required for an inbound policy. You can configure Source based on the value of Source Type. Valid source types:

    • CIDR Block

      If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed.

    • Source Type: Policy Group

    • Source: sg-test

    Destination

    Specify the address of the traffic destination. This parameter is required for an inbound policy. Valid values:

    • All ECS Instances: all ECS instances in the current policy group.

    • CIDR Block: If you select this option, you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of the traffic. Cloud Firewall controls only the inbound traffic of the ECS instances that correspond to the CIDR block.

    CIDR Block: 10.66.XX.XX

    Note

    • If you want all ECS instances in the policy group to communicate with each other, set Destination to All ECS Instances.

    • If you want only specific ECS instances in the policy group to communicate with each other, set Destination to CIDR Block and enter the CIDR blocks of the peer ECS instances.

  5. Configure an outbound policy. This step is required only if you use an advanced security group.

    By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.

    Configure the outbound policy based on the descriptions for the inbound policy. The following list describes the parameters:

    • Source Type: IP

    • Source: 10.66.XX.XX

    • Destination: CIDR Block 10.33.XX.XX

Allow traffic between ECS instances in different policy groups

For example, you want to allow traffic between ECS 1 and ECS 2 that reside in different policy groups of an internal firewall. ECS 1 resides in the sg-test1 policy group and has the IP address 10.33.XX.XX. ECS 2 resides in the sg-test2 policy group and has the IP address 10.66.XX.XX.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internal Border.

  3. On the Internal Border page, find the policy group in which ECS 1 resides (sg-test1) and click Configure Policy in the Actions column.

  4. On the Inbound tab, click Create Policy.

    The following table describes the parameters of an inbound policy.

    Parameter

    Description

    Example

    Policy Type

    Select the type of the policy. Valid values:

    • Allow: allows the traffic that hits the policy.

    • Deny: denies the traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configurations but different policy types, the policy whose type is Deny takes effect.

      Note

      Enterprise policy groups do not support the Deny policy type.

    Allow

    Protocol Type

    Select the protocol type of the traffic.

    TCP

    Port Range

    Specify the port ranges on which you want to manage traffic. The value 0/0 specifies all ports.

    0/0

    Source Type and Source

    Specify the address of the traffic source. These parameters are required for an inbound policy. You can configure Source based on the value of Source Type. Valid source types:

    • CIDR Block

      If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

    • Source Type: IP

    • Source: 10.66.XX.XX

    Destination

    Specify the address of the traffic destination. This parameter is required for an inbound policy. Valid values:

    • All ECS Instances: all ECS instances in the current policy group.

    • CIDR Block: If you select this option, you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of the traffic. Cloud Firewall controls only the inbound traffic of the ECS instances that correspond to the CIDR block.

    CIDR Block: 10.33.XX.XX

    Note

    • If you want the ECS instances in the sg-test2 policy group to access all ECS instances in the sg-test1 policy group, set Destination to All ECS Instances.

    • If you want the ECS instances in the sg-test2 policy group to access only specific ECS instances in the sg-test1 policy group, set Destination to CIDR Block and enter the CIDR blocks of those ECS instances in the sg-test1 policy group.

  5. Configure an outbound policy. This step is required only if you use an advanced security group.

    By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.

    Configure the outbound policy based on the descriptions for the inbound policy. The following list describes the parameters:

    • Source Type: IP

    • Source: 10.33.XX.XX

    • Destination: CIDR Block 10.66.XX.XX

  6. Repeat step 3 to step 5 for the policy group in which ECS 2 resides (sg-test2), with the source and destination swapped: the inbound policy allows traffic from 10.33.XX.XX to 10.66.XX.XX, and the outbound policy, if you use an advanced security group, allows traffic from 10.66.XX.XX to 10.33.XX.XX. Because a policy group denies traffic by default, ECS 1 and ECS 2 can communicate only after the policies on both sides are in place.
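The behaviour described in this section differs from the Internet firewall in two ways that are easy to get wrong: there is no priority order to fall back on (a Deny policy that hits the same traffic as an Allow policy takes effect), and with an advanced security group the sender's policy group must also allow the traffic outbound. The following Python model is an added example, not Cloud Firewall code, that walks through both procedures above. It uses constructed addresses (10.33.0.11 and 10.66.0.22 stand in for the masked ones) and a simplified matching model: any hitting Deny takes precedence, which is the page's rule for policies with identical match fields, and prefix lists and enterprise policy groups are not modelled.

```python
"""
Added example (not Cloud Firewall code): a simplified model of the
internal-firewall semantics this section describes. ECS instances in a
policy group cannot communicate until an Allow policy permits the flow; a
Deny policy that hits the same flow as an Allow policy takes effect; a
basic security group allows outbound traffic by default, while an advanced
security group needs an outbound Allow policy on the sender's group too.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the masked addresses on the page.
ECS1 = "10.33.0.11"   # stands in for 10.33.XX.XX
ECS2 = "10.66.0.22"   # stands in for 10.66.XX.XX


@dataclass(frozen=True)
class GroupPolicy:
    policy_type: str   # "Allow" or "Deny"
    proto: str         # "TCP", "UDP", "ICMP" or "ANY"
    port_range: tuple  # (lo, hi); (0, 0) means all ports, like "0/0"
    local: str         # this group's side: CIDR block or "All ECS Instances"
    peer: str          # other side: CIDR block or "Policy Group:<name>"
    # Inbound: peer is the Source, local the Destination.
    # Outbound: local is the Source (sender), peer the Destination.


@dataclass
class PolicyGroup:
    name: str
    members: frozenset   # IP addresses of the ECS instances in the group
    advanced: bool       # advanced security group: outbound closed by default
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def side_matches(spec, ip, group, groups):
    if spec == "All ECS Instances":
        return ip in group.members
    if spec.startswith("Policy Group:"):
        return ip in groups[spec.split(":", 1)[1].strip()].members
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def verdict(policies, group, groups, local_ip, peer_ip, proto, port):
    """Default deny. When several policies hit, any Deny takes effect
    (the page's rule for policies with identical match fields)."""
    def port_ok(p):
        return p.port_range == (0, 0) or p.port_range[0] <= port <= p.port_range[1]
    hits = [p for p in policies
            if p.proto in ("ANY", proto) and port_ok(p)
            and side_matches(p.local, local_ip, group, groups)
            and side_matches(p.peer, peer_ip, group, groups)]
    if not hits:
        return "Deny"
    return "Deny" if any(p.policy_type == "Deny" for p in hits) else "Allow"


def decide(groups, src_ip, dst_ip, proto, port):
    src_group = next(g for g in groups.values() if src_ip in g.members)
    dst_group = next(g for g in groups.values() if dst_ip in g.members)
    # Sender side: only an advanced security group restricts outbound traffic.
    if src_group.advanced and verdict(src_group.outbound, src_group, groups,
                                      src_ip, dst_ip, proto, port) == "Deny":
        return "Deny"
    # Receiver side: inbound traffic must be allowed explicitly.
    return verdict(dst_group.inbound, dst_group, groups, dst_ip, src_ip, proto, port)


def demo():
    results = {}
    # Same policy group (basic security group): allow sg-test -> ECS 2 inbound.
    same = {"sg-test": PolicyGroup("sg-test", frozenset({ECS1, ECS2}), advanced=False)}
    same["sg-test"].inbound.append(
        GroupPolicy("Allow", "TCP", (0, 0), f"{ECS2}/32", "Policy Group:sg-test"))
    results["same_group_1_to_2"] = decide(same, ECS1, ECS2, "TCP", 22)   # Allow
    results["same_group_2_to_1"] = decide(same, ECS2, ECS1, "TCP", 22)   # Deny: no Allow toward ECS 1
    same["sg-test"].inbound.append(
        GroupPolicy("Deny", "TCP", (0, 0), f"{ECS2}/32", "Policy Group:sg-test"))
    results["same_group_deny_wins"] = decide(same, ECS1, ECS2, "TCP", 22)  # Deny

    # Different policy groups, both advanced security groups.
    diff = {"sg-test1": PolicyGroup("sg-test1", frozenset({ECS1}), advanced=True),
            "sg-test2": PolicyGroup("sg-test2", frozenset({ECS2}), advanced=True)}
    diff["sg-test1"].inbound.append(GroupPolicy("Allow", "TCP", (0, 0), f"{ECS1}/32", f"{ECS2}/32"))
    diff["sg-test1"].outbound.append(GroupPolicy("Allow", "TCP", (0, 0), f"{ECS1}/32", f"{ECS2}/32"))
    results["diff_before_step6"] = decide(diff, ECS2, ECS1, "TCP", 22)    # Deny: sg-test2 has no outbound Allow
    diff["sg-test2"].outbound.append(GroupPolicy("Allow", "TCP", (0, 0), f"{ECS2}/32", f"{ECS1}/32"))
    diff["sg-test2"].inbound.append(GroupPolicy("Allow", "TCP", (0, 0), f"{ECS2}/32", f"{ECS1}/32"))
    results["diff_after_step6_2_to_1"] = decide(diff, ECS2, ECS1, "TCP", 22)  # Allow
    results["diff_after_step6_1_to_2"] = decide(diff, ECS1, ECS2, "TCP", 22)  # Allow
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:26s} {action}")
```

The "diff_before_step6" case is the one to watch in practice: with advanced security groups, an inbound Allow on the receiving group is not enough, and the flow stays blocked until the sending group's outbound policy from step 5 and the mirrored policies from step 6 exist on both sides.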