
Cloud Firewall: Create an access control policy for a VPC firewall

Last Updated: Apr 09, 2024

A virtual private cloud (VPC) firewall can be used to monitor and control the traffic between network instances that are connected by using a transit router of a Cloud Enterprise Network (CEN) instance or an Express Connect circuit. By default, a VPC firewall allows all traffic. You can create an access control policy to deny traffic from suspicious or malicious sources and allow traffic from trusted sources. This topic describes how to create an access control policy for a VPC firewall.

Feature description

VPC firewalls help you detect and control east-west traffic between VPCs and between VPCs and data centers that are connected by using Enterprise Edition transit routers or Basic Edition transit routers of CEN instances or Express Connect circuits. This protects internal network traffic between VPCs connected by using virtual border routers (VBRs), between VPCs and data centers connected by using VBRs, between VPCs and third-party clouds, and between VPCs and virtual private networks (VPNs).

Diagram of a VPC firewall

In this diagram, Cloud Firewall controls traffic from VPC1 to VPC2. Cloud Firewall controls traffic from VPC2 to VPC1 in the same manner.

Traffic that is protected

For more information about the traffic that can be protected, see Overview.

Prerequisites

Procedure

To manage the traffic between two VPCs, you can use the blacklist mode or the whitelist mode. In blacklist mode, you configure a policy that denies traffic that is untrusted or not required by your workloads, and a lower-priority policy that allows all other traffic. In whitelist mode, you configure a policy that allows traffic that is trusted or required by your workloads, and a lower-priority policy that denies all other traffic. For examples of configuring an access control policy for a VPC firewall, see Configure access control policies.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > VPC Border.

  3. On the VPC Border page, click Switchover to select the network instance for which you want to configure a policy.

  4. Click Create Policy. Then, configure the policy parameters based on the following table and click OK.

    The following list gives each parameter and its description.

    Source Type and Source

    The initiator of the network connection. Select a source type, then enter the source addresses from which traffic is initiated in the format that the selected source type requires.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    Destination Type and Destination

    The receiver of the network traffic. Select a destination type, then enter the destination addresses to which traffic is sent in the format that the selected destination type requires.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, you can select an IPv4 or domain address book that you created. You can select multiple address books.

      If you have not created an address book, click Create Address Book to create an IPv4 or domain address book. For more information about address books, see Manage address books.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type and Port

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic. You can select multiple application types.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you set Destination Type to Domain Name or Address Book, you can select only HTTP, HTTPS, SMTP, or SMTPS for Application.

    Note: Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type of a packet, Cloud Firewall allows the packet. If you want to block traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action taken on traffic that matches all of the preceding conditions of the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and then change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that helps you identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy matches traffic only within its validity period.

What to do next

After your service runs for a period of time, you can view the number of hits of the policy in the policy list. You can click the number to go to the Traffic Logs tab and view the logs of traffic that passes through the VPC firewall. For more information about how to view traffic logs, see Log audit.

Related operations

Change the priority of a policy

  1. On the Access Control > VPC Border page, find the required policy and click Move in the Actions column.

  2. Specify a new priority for the policy and click OK.

    A valid priority value ranges from 1 to the number of existing policies. A smaller value indicates a higher priority. After you move a policy, the policies that now rank below it are each shifted down by one position.
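The following Python model is an added example, not Cloud Firewall's code, and it ties together two parts of this topic: the blacklist and whitelist modes described under Procedure, and the priority-move semantics described just above. It assumes first-match evaluation in priority order (index 0 is priority 1, the highest), that Monitor records a hit and allows, and that a flow matching no policy falls back to the VPC firewall's default of allowing all traffic. The CIDR blocks, port ranges and policy names are constructed sample values; the Application field and address books are ignored.

```python
"""Toy model of how an ordered VPC firewall policy list decides a flow and how a
priority move renumbers the list. Constructed for illustration; this is not
Cloud Firewall's code and it ignores the Application field and address books."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    sources: list       # CIDR blocks, e.g. "192.168.0.0/16"
    destinations: list  # CIDR blocks
    proto: str          # "TCP", "UDP", "ICMP" or "ANY"
    ports: list         # "Port number/Port number" strings, e.g. "80/88"; [] means any port
    action: str         # "Allow", "Deny" or "Monitor"


def parse_port_range(spec):
    """Parse the console's 'low/high' port format, e.g. '22/22' or '80/88'."""
    low, high = (int(p) for p in spec.split("/"))
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return low, high


def _in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def policy_matches(p, src, dst, proto, dport):
    if p.proto != "ANY" and p.proto != proto:
        return False
    if p.ports and not any(lo <= dport <= hi for lo, hi in map(parse_port_range, p.ports)):
        return False
    return _in_any(src, p.sources) and _in_any(dst, p.destinations)


def evaluate(policies, src, dst, proto, dport, hits):
    """Assumed first-match semantics: the list is in priority order (index 0 is
    priority 1, the highest); the first matching policy decides and gets a hit.
    Monitor records the hit and allows; no match falls back to the VPC
    firewall's default, which allows all traffic."""
    for p in policies:
        if policy_matches(p, src, dst, proto, dport):
            hits[p.name] = hits.get(p.name, 0) + 1
            return ("Allow" if p.action == "Monitor" else p.action), p.name
    return "Allow", None


def move_policy(policies, name, new_priority):
    """Move a policy to a new priority (1 .. number of policies; smaller is
    higher). Policies that now rank below it shift down by one."""
    if not 1 <= new_priority <= len(policies):
        raise ValueError("priority must be between 1 and the number of policies")
    idx = next(i for i, p in enumerate(policies) if p.name == name)
    policies.insert(new_priority - 1, policies.pop(idx))
    return [(i + 1, p.name) for i, p in enumerate(policies)]


# Constructed sample: VPC1 is 10.1.0.0/16, VPC2 is 10.2.0.0/16.
def whitelist_policies():
    """Whitelist mode: allow what the workload needs, then deny everything else.
    The catch-all deny must keep the lowest priority or it shadows the allows."""
    return [
        Policy("allow-web", ["10.1.0.0/16"], ["10.2.10.0/24"], "TCP", ["80/80", "443/443"], "Allow"),
        Policy("watch-ssh", ["10.1.0.0/16"], ["10.2.0.0/16"], "TCP", ["22/22"], "Monitor"),
        Policy("deny-rest", ["0.0.0.0/0"], ["0.0.0.0/0"], "ANY", [], "Deny"),
    ]


def blacklist_policies():
    """Blacklist mode: deny the untrusted source, then allow everything else."""
    return [
        Policy("deny-untrusted", ["10.1.99.0/24"], ["10.2.0.0/16"], "ANY", [], "Deny"),
        Policy("allow-rest", ["0.0.0.0/0"], ["0.0.0.0/0"], "ANY", [], "Allow"),
    ]


if __name__ == "__main__":
    hits = {}
    pol = whitelist_policies()
    print(evaluate(pol, "10.1.5.5", "10.2.10.8", "TCP", 443, hits))   # allowed by allow-web
    print(evaluate(pol, "10.1.5.5", "10.2.20.8", "TCP", 3306, hits))  # denied by deny-rest
    # Moving the catch-all deny to priority 1 shadows every allow: the same web flow is now denied.
    print(move_policy(pol, "deny-rest", 1))
    print(evaluate(pol, "10.1.5.5", "10.2.10.8", "TCP", 443, hits))
    print(hits)  # the per-policy hit counts the console shows in the Hits column
```

The `hits` dictionary mirrors the Hits/Last Hit At column: a policy that never matches keeps a count of zero, which is a quick way to spot a rule that is shadowed by a higher-priority one, exactly what happens in the last step when the catch-all deny is moved to priority 1.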

View the hit details about an access control policy

By default, an access control policy immediately takes effect after it is created. In the list of access control policies, view the hit details about an access control policy in the Hits/Last Hit At column.

The Hits/Last Hit At column displays the number of hits and the time when the policy was last hit. Click the number of hits to go to the Log Audit page. On the Traffic Logs tab, view the hit details. For more information, see Log audit.

Download the policies

  1. In the upper-right corner of the Access Control > VPC Border page, click the download icon.

  2. After the policies are packaged, click Download Task Management in the upper-right corner of the VPC Border page.

  3. In the Tasks panel, select the required task type, find the task whose file you want to download, and then click Download in the Actions column.

Delete a policy

Warning

After you delete an access control policy, Cloud Firewall does not control the traffic to which the policy applies. Proceed with caution.

If you no longer require an access control policy that is created for a VPC firewall, go to the Access Control > VPC Border page, find the policy that you want to delete, click the icon in the Actions column, and then click Delete.
