Create access control policies for the Internet firewall on outbound and inbound traffic - Cloud Firewall

The Internet firewall controls the outbound and inbound traffic of your web assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet. This topic describes how to create access control policies for the Internet firewall on outbound and inbound traffic.

Prerequisites

The Internet firewall is enabled. If the Internet firewall is disabled, the access control policies that are created for the Internet firewall do not take effect. For more information, see Enable firewalls.

Background information

The Internet firewall allows you to create both outbound policies and inbound policies. You can also export the policies that you created.

The Internet firewall supports both IPv4 and IPv6 access control policies. An IPv4 access control policy uses IPv4 addresses for both the source and destination. An IPv6 access control policy uses IPv6 addresses for both the source and destination. Whether the Internet firewall supports IPv4 and IPv6 access control policies is determined based on the edition of Cloud Firewall. For more information, see Functions and features.

Limits

The following list describes the limit and default quotas on access control policies for the Internet firewall:

If you use Cloud Firewall Premium Edition, you can create up to 4,000 access control policies.
If the quota cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall. Valid values for the quota on additional access control policies: 0~50000.
If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 100000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 200000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
If you set Destination Type to Domain Name and Application to a value other than HTTP, HTTPS, SMTP, SMTPS, or SSL when you create outbound access control policies, you can create up to 200 policies.

If the default quota cannot meet your business requirements, you can increase the quota.

The number of configured access control policies is calculated based on the following formula: Number of configured access control policies = Number of outbound access control policies + Number of inbound access control policies.

The quota that is consumed by an access control policy is calculated based on the following formula: Quota that is consumed by an access control policy = Number of source CIDR blocks × Number of destination CIDR blocks, regions, or resolved domain names × Number of applications × Number of ports.

The total consumed quota is equal to the sum of the quota that is consumed by each policy.

Create a custom policy

The Internet firewall allows you to create both outbound policies and inbound policies.

Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border.
On the Internet Border page, click the Outbound Policies or Inbound Policies tab.
On the Outbound Policies or Inbound Policies tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

Create a policy. Configure the following parameters and click OK.


Parameter	Description
Source Type	Specify the type of the traffic source. Valid values: IP Address Book Region (This value can be specified only when you create an inbound policy.)
Source	Specify the sources that are allowed. If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks. If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source. An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy. If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.
Destination Type	Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.
Destination	Specify the destinations that can be accessed. If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks. If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination. If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Resolve domain names specified in outbound access control policies. You can set Destination Type to Domain Name only when you create an outbound policy. If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.
Protocol	Select the protocol for the policy. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol for the policy, select ANY. The value ANY specifies that all protocols are matched.
Port Type	Specify the type of the port. Valid values: Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges. Address Book: If you select this option, select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
Ports	Specify the port ranges on which you want to control traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
Application	Select the type of application on which you want the policy to take effect. Cloud Firewall supports various types of applications. For more information, go to the Internet Firewall page in the Cloud Firewall console. If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application. If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL. Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
Policy Action	Select the action on the traffic. In this example, select Allow. Valid values: Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed. Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent. To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests. Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description	Enter a description that can help you identify the policy.
Priority	Select the priority of the policy. Default value: Lowest. Valid values: Highest: The policy has the highest priority. Lowest: The policy has the lowest priority.
Enabled	Specify whether to enable the policy.

If you enter more than one source IP address, destination IP address, or port range, the Create Address Book dialog box appears after you click OK. You must specify the name and description for the address book. After the address book is created, the address book is automatically referenced by the policy. For more information about how to configure an address book, see Manage address books.

If you want to create policies to allow traffic from only trusted IP addresses and deny traffic from other sources, perform the following steps:

Create a policy that allows traffic from trusted IP addresses.
Create a policy that denies traffic from all sources to the Internet.
Make sure that the priority of the allow policy is higher than the priority of the deny policy.

After a custom policy is created, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can delete multiple policies at a time. You can also click Move to change the priority of the policy. After you change the priority of a policy, the priorities of policies with lower priorities decrease.

Important After you delete a policy, Cloud Firewall does not control the traffic to which the policy applies. Proceed with caution.

Apply recommended intelligent policies

Cloud Firewall automatically learns your traffic from the last 30 days and recommends multiple intelligent policies based on the traffic risks it identifies. You must promptly view the details of the recommended policies in the Cloud Firewall console and determine whether to apply the intelligent policies. You can apply both outbound and inbound intelligent policies that are recommended.

Important Before you apply an intelligent policy, make sure that you understand its meaning and the possible impacts on services.

Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border.
On the Internet Border page, click the Outbound Policies or Inbound Policies tab.
On the Outbound Policies or Inbound Policies tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Intelligent Policy tab.
On the Recommended Intelligent Policy tab, find the required policy and click Apply Policy on the right side.
The Recommended Intelligent Policy panel lists the inbound and outbound access control policies that Cloud Firewall recommends. If a large number of policies are recommended, you can specify a recommendation type and destination to filter policies.
We recommend that you allow access to the open ports that provide services for an open public IP address on the Internet firewall and deny access to other ports. This reduces the exposure of your assets to the Internet.
You can select multiple recommended intelligent policies and click Batch Dispatch to apply multiple policies at a time.

Apply recommended common policies

Cloud Firewall recommends common policies for you. If the recommended common policies meet your business requirements, you can apply the policies.

Important Before you apply a common policy, make sure that you understand its meaning and the possible impacts on services.

The recommended common policies can be ignored. After a policy is ignored, the policy cannot be restored. Proceed with caution. If all common policies are ignored, the Recommended Common Policy tab is not displayed.

Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border.
On the Internet Border page, click the Outbound Policies or Inbound Policies tab.
On the Outbound Policies or Inbound Policies tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Common Policy tab.
On the Recommended Common Policy tab, find and click Quick Dispatch below a policy.
The Recommended Common Policy panel lists the common inbound and outbound access control policies that Cloud Firewall recommends.

Check whether access traffic hits an access control policy

By default, an access control policy immediately takes effect after it is created.

In the access control policy list, if the number in the Hits/Last Hit At column is greater than 0 for an access control policy and time information is displayed in the column, access traffic hits the policy. The number and time information in the Hits/Last Hit At column indicate the cumulative number of times that access traffic hits the policy and the time when the policy was last hit.

You can click the number to go to the Traffic Logs tab. On the Traffic Logs tab, the name of an access control policy that the access traffic hits is displayed in the Policy Name column.

Note The Traffic Logs tab displays information about the traffic that was generated within the last seven days. If the last hit of the access control policy was more than seven days ago, the information about the traffic is not displayed on the Traffic Logs tab.

Resolve domain names specified in outbound access control policies

Cloud Firewall allows you to specify domain names as destinations for outbound traffic in access control policies. Cloud Firewall resolves domain names, displays resolution results, and controls the access to IP addresses that are mapped to the domain names.

Cloud Firewall uses dynamic Domain Name System (DNS) resolution to optimize outbound access control policies for domain names. You can view the IP addresses that are mapped to the destination domain names and manually update the IP addresses.

If the destination in an outbound access control policy is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on the IP addresses. However, if the protocol type is set to TCP and the application type is set to HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall does not implement domain name resolution or access control. A domain name can be resolved to up to 500 IP addresses.

Note

If the application type is HTTP or SMTP, Cloud Firewall first uses the Host field to implement access control for domain names.
If the application type is HTTPS, SMTPS, or SSL, Cloud Firewall first uses the SNI field to implement access control for domain names.
If an application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall dynamically resolves the domain names and implements access control. You can view the resolution results, which are the IP addresses mapped to the domain names.

Cloud Firewall does not apply access control policies for domain names in the following scenarios:

Access control policies are configured for inbound traffic.
Only access control policies for outbound traffic are supported.
The destination is a wildcard domain name. Example: *.example.com.
Domain Address Books is selected for the destination type.

Important When you configure access control policies for domain names, take note of the following items:

The default DNS server (ADNS) is used to resolve the external domain names that an Elastic Compute Service (ECS) instance requests. Custom DNS servers are not supported. If you change the DNS server of the ECS instance, the outbound access control policy for your ECS instance becomes invalid.
If multiple domain names are mapped to the same IP address, access control may be compromised.
For example, you configure an access control policy to allow FTP traffic that is destined for the domain name example1.aliyun.com. If the A record for the domain name example1.aliyun.com is 1.*.*.1, the FTP traffic destined for 1.*.*. 1 is allowed. If the A record for the domain name example2.aliyun.com is also 1.*.*.1, the FTP traffic destined for example2.aliyun.com is also allowed.
If the IP addresses mapped to a domain name are changed, Cloud Firewall uses the up-to-date IP addresses and automatically updates the access control policy for the domain name.
If the IP address mapped to the domain name example1.aliyun.com is changed from 1.*.*.1 to 2.*.*.2, Cloud Firewall automatically updates the access control policy for the domain name. Cloud Firewall uses the IP address 2.*.*.2 to ensure that the access control policy takes effect as expected. Cloud Firewall automatically updates the access control policy every 30 minutes, which means that a resolution record change is applied to the access control policy in 30 minutes.
If you need to update your access control policy based on dynamic resolution records, click DNS on the policy editing page to manually trigger DNS resolution and obtain the up-to-date IP addresses. Then, click OK to save the policy updates.