A virtual private cloud (VPC) firewall can detect and control the traffic between two VPCs. You can create access control policies to block unauthorized access between two VPCs.

Prerequisites

VPC firewalls are not automatically created. Before you create an access control policy for a VPC firewall, you must create and enable a VPC firewall.

An access control policy for a VPC firewall takes effect only after the VPC firewall is enabled.

Limits

Cloud Firewall Enterprise Edition and Ultimate Edition support VPC Firewall. Cloud Firewall Premium Edition does not support VPC Firewall. The number of access control policies that you can create for a VPC firewall varies based on the edition of Cloud Firewall.
  • If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.
  • If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies. You can submit a ticket to increase the quota.

Create an access control policy

By default, a VPC firewall allows all traffic. If you want to control traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the VPC Firewall tab and click Create Policy.
  4. In the Create VPC Firewall Policy dialog box, configure the parameters for a policy.

    The following table describes the parameters:

    Source Type
      The type of the traffic source. Valid values:
      • IP: If you select this option, enter a CIDR block for Source.
      • Address Book: If you select this option, select a preconfigured address book.
        Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.

    Source
      The source CIDR block of the traffic source.
      Note You can enter only one CIDR block.
      If you set Source Type to Address Book, you need only to select a preconfigured address book.
      Note You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.

    Destination Type
      The type of the traffic destination. Valid values:
      • IP: If you select this option, enter an IP address for Destination.
      • Address Book: If you select this option, select an address book.
      • Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

    Destination
      The address of the traffic destination.
      • If you set Destination Type to IP, enter a CIDR block.
      • If you set Destination Type to Address Book, find the required address book and click Select in the Actions column.
        Note You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
      • If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

    Protocol
      The protocol of the traffic. Valid values:
      • ANY: any protocol
      • TCP
      • UDP
      • ICMP

    Port Type
      The type of the port. Valid values:
      • Ports: If you select this option, you can enter only one port range for Ports.
      • Address Book: If you select this option, you need only to select a preconfigured port address book. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.

    Ports
      The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column.
      Note
      • You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
      • If you set Protocol to ICMP, the destination ports you specify do not take effect. If you set Protocol to ANY, the destination ports you specify do not take effect in ICMP traffic control.

    Application
      The type of the application. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.
      If you set Protocol to TCP, you can use all the valid values of Application. If you set Protocol to a value other than TCP, you can set Application only to ANY.
      Note Cloud Firewall identifies applications based on packet characteristics, instead of port numbers. If Cloud Firewall fails to identify the application for a packet, Cloud Firewall allows the packet.

    Policy Action
      The action on the traffic that reaches the VPC firewall. Valid values:
      • Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
      • Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
      • Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.

    Description
      The description of the policy. Enter a description that can help identify the policy.

    Priority
      The priority of the policy. Default value: Lowest. Valid values:
      • Lowest: The policy has the lowest priority and is the last one to take effect.
      • Highest: The policy has the highest priority and is the first one to take effect.
    Configure the Policy Action parameter based on your business requirements:
    • Deny: denies suspicious or malicious traffic.
    • Allow: allows trusted traffic. To allow only trusted traffic, create an Allow policy for the trusted sources and then create a Deny policy that denies all other traffic. Make sure that the Allow policy has a higher priority than the Deny policy, so that the Allow policy takes effect first. For more information about policy priorities, see Change the priority of an access control policy.
    Note A VPC firewall allows all traffic by default.
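As an added example that is not part of this documentation and not Cloud Firewall's own code, the following Python script models how the policies described above are evaluated: highest priority first, the first match decides, Monitor records and allows, destination ports are ignored for ICMP, and traffic that matches no policy is allowed by default. The CIDR blocks, ports and the allow-then-deny policy set are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    source: str        # Source CIDR block (Source Type = IP)
    destination: str   # Destination CIDR block (Destination Type = IP)
    proto: str         # Protocol: ANY, TCP, UDP or ICMP
    ports: tuple       # (low, high) destination port range from Ports
    action: str        # Policy Action: Allow, Deny or Monitor


def matches(p: Policy, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """True if a flow meets all the conditions of policy p."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.source):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(p.destination):
        return False
    if p.proto != "ANY" and p.proto != proto:
        return False
    if proto == "ICMP":
        # Destination ports do not take effect for ICMP, even when Protocol is ANY.
        return True
    low, high = p.ports
    return low <= dst_port <= high


def evaluate(policies, src_ip, dst_ip, proto, dst_port=0):
    """Walk policies from highest to lowest priority; the first match decides.
    Returns (verdict, logged): Monitor records the flow and lets it through."""
    for p in policies:
        if matches(p, src_ip, dst_ip, proto, dst_port):
            if p.action == "Monitor":
                return ("Allow", True)
            return (p.action, False)
    return ("Allow", False)  # no match: the VPC firewall allows all traffic by default


# Constructed sample policy set: only the app subnet may reach the DB subnet on MySQL;
# all other traffic between the two VPCs is denied. List order is priority order.
POLICIES = [
    Policy("10.0.1.0/24", "10.1.2.0/24", "TCP", (3306, 3306), "Allow"),
    Policy("0.0.0.0/0", "0.0.0.0/0", "ANY", (1, 65535), "Deny"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "10.0.1.5", "10.1.2.9", "TCP", 3306))        # ('Allow', False)
    # Reversing the priority puts Deny first and blocks the trusted traffic.
    print(evaluate(POLICIES[::-1], "10.0.1.5", "10.1.2.9", "TCP", 3306))  # ('Deny', False)
```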