A virtual private cloud (VPC) firewall monitors and controls the traffic between two VPCs. By default, a VPC firewall allows all traffic, so it blocks nothing until you create access control policies. To control traffic between two VPCs, you can create an access control policy that denies traffic from suspicious or malicious sources. You can also build an allow list: allow traffic from trusted sources and add a lower-priority policy that denies traffic from all other sources. This topic describes how to create an access control policy for a VPC firewall.

Prerequisites

A VPC firewall is created and enabled. An access control policy for a VPC firewall takes effect only after the VPC firewall is enabled. For more information, see Configure a VPC firewall.

Limits

Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls. Cloud Firewall Premium Edition does not. The number of access control policies that you can create for VPC firewalls varies based on the edition of Cloud Firewall.
  • If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.

    If this quota cannot meet your business requirements, you can purchase a quota of additional access control policies. Valid values: 0 to 100,000. The additional quota applies to access control policies for both the Internet firewall and VPC firewalls.

  • If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies.

    If this quota cannot meet your business requirements, you can purchase a quota of additional access control policies. Valid values: 0 to 200,000. The additional quota applies to access control policies for both the Internet firewall and VPC firewalls.

Procedure

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > VPC Border.
  2. On the VPC Border page, click Create Policy.
  3. In the Create VPC Firewall Policy dialog box, configure the parameters for a policy.
    Source Type: The type of the traffic source. Valid values:
    • IP: If you select this option, enter a CIDR block for Source.
    • Address Book: If you select this option, select a preconfigured address book.
      Note You can add multiple CIDR blocks to an address book. This way, one policy can control access for multiple IP addresses.
    Source: The source of the traffic.
    • If you set Source Type to IP, specify a CIDR block for Source.
      Note You can enter only one CIDR block.
    • If you set Source Type to Address Book, select a preconfigured address book.
      Note You can select only one address book at a time. If you want to use multiple address books, create one policy per address book. To create a policy, click Create Policy.
    Destination Type: The type of the traffic destination. Valid values:
    • IP: If you select this option, enter a CIDR block for Destination.
    • Address Book: If you select this option, select a preconfigured address book.
    • Domain Name: If you select this option, enter a domain name for Destination. Wildcard domain names are supported. Example: *.aliyun.com.
    Destination: The address of the traffic destination.
    • If you set Destination Type to IP, enter a CIDR block.
      Note You can enter only one CIDR block.
    • If you set Destination Type to Address Book, find the required address book and click Select in the Actions column.
      Note You can select only one address book at a time. If you want to use multiple address books, create one policy per address book. To create a policy, click Create Policy.
    • If you set Destination Type to Domain Name, enter a domain name for Destination. Wildcard domain names are supported. Example: *.aliyun.com.
    Protocol: The protocol of the traffic. Valid values:
    • ANY: any protocol
    • TCP
    • UDP
    • ICMP
    Port Type: The type of the port. Valid values:
    • Ports: If you select this option, you can enter only one port range for Ports.
    • Address Book: If you select this option, you need only select a preconfigured port address book. A port address book contains multiple ports, so one policy can control access on all of them.
    Ports: The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column.
    Note
    • You can select only one port address book at a time. If you want to use multiple port address books, create one policy per address book. To create a policy, click Create Policy.
    • If you set Protocol to ICMP, the destination ports you specify do not take effect. If you set Protocol to ANY, the destination ports you specify do not take effect for ICMP traffic: a port-restricted ANY policy still matches all ICMP traffic between the specified source and destination.
    Application: The type of the application.

    If you set Protocol to TCP, you can use all the valid values of Application. If you set Protocol to a value other than TCP, you can set Application only to ANY.

    Note Cloud Firewall identifies applications based on packet characteristics, not port numbers. If Cloud Firewall cannot identify the application of a packet, it allows the packet. A Deny policy that specifies an application therefore does not block traffic whose application cannot be identified; to block traffic regardless of application, set Application to ANY and restrict the policy by protocol and port instead.
    Policy Action: The action on the traffic that reaches the VPC firewall. Valid values:
    • Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
      Note By default, a VPC firewall allows all traffic, so an Allow policy is useful mainly to exempt specific traffic from a lower-priority Deny policy.
    • Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
    • Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.
    Description: The description of the policy. Enter a description that helps you identify the policy.
    Priority: The priority of the policy. Policies are evaluated in descending order of priority, and the first policy whose conditions match the traffic determines the action. Default value: Lowest. Valid values:
    • Lowest: The policy has the lowest priority and is evaluated last.
    • Highest: The policy has the highest priority and is evaluated first.
    Note After you change the priority of an access control policy, the policies that rank below its new position each move down one place.
  4. Click Submit.

What to do next

After an access control policy is created, you can click Modify, Delete, or Copy in the Actions column of the policy. You can also click Move to change the priority of the policy. After you change the priority of the policy, the policies that rank below its new position each move down one place.
Important After you delete an access control policy, Cloud Firewall no longer controls the traffic to which the policy applied: that traffic is matched against the remaining policies only and, if none match, is allowed by default. Proceed with caution.
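The following Python model, added here as an illustration and not part of the Cloud Firewall product or its API, encodes the policy semantics described in the procedure above and in the Move and Delete notes: default allow, first matching policy in priority order decides (the page implies this ordering but does not state it outright), Monitor records and allows, ports are ignored for ICMP, a specific Application never matches a packet whose application could not be identified, and moving a policy shifts the lower-ranked ones down. The CIDR blocks, ports, policy descriptions and flows are constructed sample data, and the use of 0.0.0.0/0 as a catch-all source is an assumption about what the Source field accepts.

```python
"""Model of ordered VPC firewall access control policies: an added example, not
Cloud Firewall's engine or API. It encodes the rules this page states (default
allow, Monitor records and allows, ports ignored for ICMP, a specific Application
never matches an unidentified packet, Move shifts lower-ranked policies down) and
assumes first-match evaluation in priority order, which the page implies."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = "ANY"

@dataclass
class Policy:
    source: list[str]                     # one CIDR block, or several for an address book
    destination: list[str]
    proto: str = ANY                      # ANY, TCP, UDP or ICMP
    ports: tuple[int, int] | None = None  # (low, high); None means all ports
    application: str = ANY                # values other than ANY require proto TCP
    action: str = "Allow"                 # Allow, Deny or Monitor
    description: str = ""

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int | None = None
    application: str | None = None        # None: the firewall could not identify it

def in_any(ip: str, cidrs: list[str]) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def matches(p: Policy, f: Flow) -> bool:
    if not (in_any(f.src, p.source) and in_any(f.dst, p.destination)):
        return False
    if p.proto not in (ANY, f.proto):
        return False
    # Ports do not take effect for ICMP: a port-restricted ANY policy still matches ICMP.
    if p.ports is not None and f.proto != "ICMP":
        if f.dport is None or not p.ports[0] <= f.dport <= p.ports[1]:
            return False
    # A specific Application never matches an unidentified packet; the page says such
    # packets are allowed, which here means they fall through to later policies.
    return p.application == ANY or f.application == p.application

class VpcFirewall:
    def __init__(self) -> None:
        self.policies: list[Policy] = []  # index 0 = highest priority

    def create(self, p: Policy, priority: str = "Lowest") -> None:
        self.policies.insert(0 if priority == "Highest" else len(self.policies), p)

    def move(self, description: str, new_rank: int) -> None:
        # Move to 1-based rank new_rank; every policy below that rank shifts down one place.
        p = next(x for x in self.policies if x.description == description)
        self.policies.remove(p)
        self.policies.insert(new_rank - 1, p)

    def evaluate(self, f: Flow) -> tuple[str, str | None]:
        # The first matching policy decides; no match means the default Allow.
        for p in self.policies:
            if matches(p, f):
                return ("Allow" if p.action == "Monitor" else p.action, p.description)
        return ("Allow", None)

def allowlist_demo() -> dict[str, str]:
    # Constructed scenario: only 10.1.0.0/16 may reach 10.2.0.0/16, and only on TCP 443.
    fw = VpcFirewall()
    fw.create(Policy(["10.1.0.0/16"], ["10.2.0.0/16"], "TCP", (443, 443),
                     description="trusted-https"))
    stranger = Flow("192.168.9.9", "10.2.3.4", "TCP", 443)
    before = fw.evaluate(stranger)[0]      # Allow: default, no catch-all Deny yet
    fw.create(Policy(["0.0.0.0/0"], ["10.2.0.0/16"], action="Deny", description="deny-rest"))
    after = fw.evaluate(stranger)[0]       # Deny: the Lowest-priority catch-all matches
    trusted = fw.evaluate(Flow("10.1.7.7", "10.2.3.4", "TCP", 443))[0]  # Allow
    fw.policies.pop()                      # delete the catch-all: the VPC is open again
    return {"before": before, "after": after, "trusted": trusted, "deleted": fw.evaluate(stranger)[0]}

def priority_demo() -> tuple[str, str, list[str]]:
    # An Allow created after a catch-all Deny is shadowed until it is moved above it.
    fw = VpcFirewall()
    fw.create(Policy(["0.0.0.0/0"], ["10.2.0.0/16"], action="Deny", description="deny-rest"))
    fw.create(Policy(["10.1.0.0/16"], ["10.2.0.0/16"], "TCP", (443, 443),
                     description="trusted-https"))
    f = Flow("10.1.7.7", "10.2.3.4", "TCP", 443)
    shadowed = fw.evaluate(f)[0]           # Deny: deny-rest is evaluated first
    fw.move("trusted-https", 1)            # deny-rest shifts from rank 1 to rank 2
    return shadowed, fw.evaluate(f)[0], [p.description for p in fw.policies]

def caveat_demo() -> tuple[str, str]:
    # Two Deny policies that do not block what their author probably expects.
    fw = VpcFirewall()
    fw.create(Policy(["10.1.0.0/16"], ["10.2.0.0/16"], ANY, (80, 80),
                     action="Deny", description="deny-80"))
    fw.create(Policy(["10.1.0.0/16"], ["10.2.0.0/16"], "TCP", application="HTTP",
                     action="Deny", description="deny-http-app"))
    icmp = fw.evaluate(Flow("10.1.7.7", "10.2.3.4", "ICMP"))[0]          # Deny: ports ignored
    unknown = fw.evaluate(Flow("10.1.7.7", "10.2.3.4", "TCP", 8443))[0]  # Allow: unidentified
    return icmp, unknown
```

The three scenarios map directly onto console operations: allowlist_demo is the Allow-then-catch-all-Deny pattern created in the order shown (both at the default Lowest priority, so the Deny lands below the Allow), priority_demo shows why creating the Deny first requires a Move before the Allow takes effect, and caveat_demo shows a port-restricted ANY policy that also denies ICMP and an application-specific Deny that lets unidentified traffic through. Review the policy list order after every Create, Move or Delete rather than assuming the position you intended.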