A virtual private cloud (VPC) firewall monitors and controls the traffic between two VPCs. By default, a VPC firewall allows all traffic, so a VPC firewall with no access control policies blocks nothing. To control traffic between two VPCs, create access control policies. You can deny traffic from suspicious or malicious sources and allow everything else, or you can allow traffic only from trusted sources and deny all other traffic with a lower-priority policy. This topic describes how to create an access control policy for a VPC firewall.
Prerequisites
A VPC firewall is created and enabled. An access control policy for a VPC firewall takes effect only after the VPC firewall is enabled. For more information, see Configure a VPC firewall.
Limits
- If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 100000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
- If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 200000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
Procedure
- Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
- On the VPC Border page, click Create Policy.
- In the Create VPC Firewall Policy dialog box, configure the parameters for a policy.
Source Type
The type of the traffic source. Valid values:
- IP: If you select this option, enter a CIDR block for Source.
- Address Book: If you select this option, select a preconfigured address book. Note: You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.

Source
The source of the traffic.
- If you set Source Type to IP, specify a CIDR block for Source. Note: You can enter only one CIDR block.
- If you set Source Type to Address Book, select a preconfigured address book. Note: You can select only one address book at a time. If you want to use multiple address books, create one policy for each address book. To create a policy, click Create Policy.

Destination Type
The type of the traffic destination. Valid values:
- IP: If you select this option, enter a CIDR block for Destination.
- Address Book: If you select this option, select an address book.
- Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

Destination
The address of the traffic destination.
- If you set Destination Type to IP, enter a CIDR block. Note: You can enter only one CIDR block.
- If you set Destination Type to Address Book, find the required address book and click Select in the Actions column. Note: You can select only one address book at a time. If you want to use multiple address books, create one policy for each address book. To create a policy, click Create Policy.
- If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

Protocol
The protocol of the traffic. Valid values:
- ANY: any protocol
- TCP
- UDP
- ICMP

Port Type
The type of the port. Valid values:
- Ports: If you select this option, you can enter only one port range for Ports.
- Address Book: If you select this option, select a preconfigured port address book. A port address book contains multiple ports, so one policy can control access on multiple ports.

Ports
The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column. Note:
- You can select only one address book at a time. If you want to use multiple address books, create one policy for each address book. To create a policy, click Create Policy.
- If you set Protocol to ICMP, the destination ports you specify do not take effect. If you set Protocol to ANY, the destination ports you specify do not take effect for the ICMP part of the traffic.

Application
The type of the application. If you set Protocol to TCP, you can use all the valid values of Application. If you set Protocol to a value other than TCP, you can set Application only to ANY.
Note: Cloud Firewall identifies applications based on packet characteristics, not on port numbers. If Cloud Firewall cannot identify the application of a packet, it allows the packet. A Deny policy that is scoped to a specific application therefore does not block traffic whose application cannot be identified. To block a port unconditionally, set Application to ANY and match on Protocol and Ports.

Policy Action
The action on the traffic that reaches the VPC firewall. Valid values:
- Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed. Note: By default, a VPC firewall allows all traffic, so an Allow policy is needed only to exempt traffic from a lower-priority Deny policy.
- Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
- Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.

Description
The description of the policy. Enter a description that helps identify the policy.

Priority
The priority of the policy. Policies are matched in priority order, and the first policy that matches the traffic determines the action. Default value: Lowest. Valid values:
- Lowest: The policy has the lowest priority and is matched last.
- Highest: The policy has the highest priority and is matched first.
Note: When you raise the priority of an access control policy, each policy that now ranks below it moves down one place.
- Click Submit.
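Before you submit a set of policies, it helps to check how they interact. The following Python script is an added example written for this page, not Cloud Firewall code. It models the evaluation rules the page states: policies are matched in priority order and the first match decides, traffic that matches no policy is allowed, destination ports are ignored for ICMP, and a packet whose application cannot be identified is not matched by a policy scoped to a specific application (one reading of the "allows the packet" note above). The `Policy`, `Packet` and `VpcFirewall` names, the CIDR blocks and the application name HTTPS are all constructed for the example.

```python
"""Offline model of VPC firewall access control policy evaluation.

Constructed example for this page, not Cloud Firewall code. Rules modeled:
first match in priority order decides; no match means Allow; destination
ports are not evaluated for ICMP; a policy scoped to one application cannot
match a packet whose application was not identified. All addresses, port
numbers and application names below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    source: str                                # one CIDR block (Source Type = IP)
    destination: str                           # one CIDR block (Destination Type = IP)
    proto: str = "ANY"                         # ANY, TCP, UDP or ICMP
    ports: Optional[Tuple[int, int]] = None    # inclusive port range, None = any
    application: str = "ANY"                   # ANY or one identified application
    action: str = "Allow"                      # Allow, Deny or Monitor
    description: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    application: Optional[str] = None          # None = identification failed


class VpcFirewall:
    def __init__(self) -> None:
        self.policies: List[Policy] = []       # index 0 is the highest priority

    def add(self, policy: Policy, priority: str = "Lowest") -> "VpcFirewall":
        """Highest inserts at the top, so every existing policy moves down one place."""
        if priority == "Highest":
            self.policies.insert(0, policy)
        else:
            self.policies.append(policy)
        return self

    def order(self) -> List[str]:
        return [p.description for p in self.policies]

    @staticmethod
    def matches(p: Policy, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(p.source):
            return False
        if ip_address(pkt.dst) not in ip_network(p.destination):
            return False
        if p.proto != "ANY" and p.proto != pkt.proto:
            return False
        # Destination ports are not evaluated for ICMP traffic.
        if pkt.proto != "ICMP" and p.ports is not None:
            if pkt.dport is None or not (p.ports[0] <= pkt.dport <= p.ports[1]):
                return False
        # An application-scoped policy needs a successfully identified application.
        if p.application != "ANY" and pkt.application != p.application:
            return False
        return True

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for p in self.policies:
            if self.matches(p, pkt):
                return p.action, p.description
        return "Allow", "default: no policy matched"


def allow_list_firewall() -> VpcFirewall:
    """Allow-list pattern: a catch-all Deny at Lowest, trusted flows inserted above it."""
    fw = VpcFirewall()
    fw.add(Policy("0.0.0.0/0", "0.0.0.0/0", action="Deny", description="deny-all"))
    fw.add(Policy("10.1.0.0/24", "10.2.0.0/24", "TCP", (3306, 3306),
                  description="app-to-db mysql"), priority="Highest")
    fw.add(Policy("10.1.0.0/24", "10.2.0.0/24", "ICMP", (8, 8),   # ports ignored for ICMP
                  description="app-to-db ping"), priority="Highest")
    return fw


def app_scoped_deny(application: str) -> VpcFirewall:
    """A Deny on TCP/443 scoped to one application, or to ANY for an unconditional block."""
    fw = VpcFirewall()
    fw.add(Policy("0.0.0.0/0", "10.2.0.0/24", "TCP", (443, 443),
                  application=application, action="Deny", description="deny 443"))
    return fw


if __name__ == "__main__":
    fw = allow_list_firewall()
    print(fw.order())
    print(fw.evaluate(Packet("10.1.0.5", "10.2.0.9", "TCP", 3306)))
    print(fw.evaluate(Packet("10.1.0.5", "10.2.0.9", "TCP", 22)))
    print(fw.evaluate(Packet("10.1.0.5", "10.2.0.9", "ICMP")))
    unidentified = Packet("10.3.0.1", "10.2.0.9", "TCP", 443, application=None)
    print(app_scoped_deny("HTTPS").evaluate(unidentified))
    print(app_scoped_deny("ANY").evaluate(unidentified))
```

Two things the model makes visible that the parameter list alone does not: the catch-all Deny must be created first and left at Lowest so that later Highest inserts land above it, and an application-scoped Deny lets an unidentified packet fall through to the default Allow, while the same policy with Application set to ANY denies it.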