Cloud Firewall is used to ensure network security for your workloads that are migrated to Alibaba Cloud. Cloud Firewall provides core features such as network-wide traffic identification, centralized policy management, and intrusion detection. Cloud Firewall protects the traffic from the Internet to your Elastic Compute Service (ECS) instances, the traffic from ECS instances to the Internet, and the traffic between ECS instances. This topic describes how to use Cloud Firewall.
Prerequisites
Cloud Firewall is purchased. For more information, see Purchase Cloud Firewall.
Step 1: Enable firewalls
Cloud Firewall provides the following types of firewalls: Internet firewall, virtual private cloud (VPC) firewall, and internal firewall. If you do not configure an access control policy or enable a block mode of the threat detection engine after you enable the firewalls of Cloud Firewall, Cloud Firewall cannot protect your service traffic.
You are charged for using the enabled firewalls. For more information, see Subscription.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, click .
- Enable firewalls based on your business requirements.
Firewall type: Internet firewall
Description: The Internet firewall protects traffic between the Internet and your public IP addresses in a centralized manner.
Operation: Enable the Internet firewall. For more information, see Internet firewall.

Firewall type: VPC firewall
Description: A VPC firewall protects traffic between VPCs and traffic between a VPC and a data center in a centralized manner.
Note Only Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls.
Operation: Enable a VPC firewall. For more information, see Configure a VPC firewall.

Firewall type: Internal firewall
Description: An internal firewall protects inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. You do not need to enable internal firewalls.
Note Only Cloud Firewall Enterprise Edition and Ultimate Edition support internal firewalls.
Operation: Configure access control policies for an internal firewall. For more information, see Create an access control policy for an internal firewall between ECS instances.

After the Internet firewall or a VPC firewall is enabled or disabled for your assets, the firewall status changes to Enabled or Disabled in the Firewall Status column. The value Enabled indicates that the firewall takes effect. The value Disabled indicates that the firewall no longer protects your assets. The system requires several seconds to update the firewall status.
Step 2: Configure intrusion prevention policies
Cloud Firewall provides an intrusion prevention system (IPS) to defend against intrusions in real time.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Prevention Configuration page, configure Threat Engine Mode, Whitelist, Threat Intelligence, Intelligent Defense, Basic Protection, and Virtual Patches.
Parameter: Threat Engine Mode
Description: The threat detection engine supports the following modes:
- Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and generates alerts for malicious traffic.
- Block Mode: If you enable this mode, Cloud Firewall blocks malicious traffic and intrusion attempts. You can also select one of the following levels for this mode based on your business requirements:
  - Loose: blocks attacks in a loose manner by using rules that prevent a high rate of false positives. This level is suitable for business that requires the false positive rate to be minimized.
  - Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M. This level delivers a lower false positive rate than the Strict level.
  - Strict: blocks attacks in a strict manner by using all rules. This level is suitable for business that requires the false negative rate to be minimized. This level may cause a higher false positive rate than the Medium level.
Note After Cloud Firewall is purchased, Block Mode is enabled by default. Cloud Firewall automatically determines a level based on your traffic condition. The threat intelligence, basic protection, and virtual patching features block threats only after you enable Block Mode. If you do not enable Block Mode, these features only monitor threats and malicious traffic.
Operation: Configure a working mode for the threat detection engine. For more information, see Working modes of the threat detection engine.

Parameter: Whitelist
Description: Cloud Firewall allows you to add trusted source IPv4 and IPv6 addresses or trusted destination IPv4 and IPv6 addresses to an inbound or outbound whitelist. After you add IP addresses to a whitelist, the basic protection, virtual patching, and intelligent defense features allow the traffic of the IP addresses. The whitelist that you configure does not take effect for the threat intelligence feature.
Operation: Configure an intrusion prevention whitelist. For more information, see Advanced settings.

Parameter: Threat Intelligence
Description: After you turn on Threat Intelligence, Cloud Firewall scans for threat intelligence and blocks malicious behavior that is initiated from central control systems based on the threat intelligence. The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall, and then implements precise intrusion prevention. The malicious IP addresses are used to initiate malicious access, scans, or brute-force attacks. This feature provides up-to-date information about threat sources.
Operation: Configure threat intelligence. For more information, see Advanced settings.

Parameter: Basic Protection
Description: After you turn on Basic Policies, Cloud Firewall detects common threats based on detection rules. The basic protection feature protects your assets against common intrusions, such as brute-force attacks and attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a command-and-control (C&C) server and provides basic protection for your assets. We recommend that you enable the basic protection feature.
Operation: Configure basic protection. For more information, see Advanced settings.

Parameter: Intelligent Defense
Description: After you turn on Intelligent Defense, Cloud Firewall learns a large amount of data about attacks in the cloud to improve the accuracy of threat detection and attack detection. Intelligent defense is available only when Monitor Mode is selected.
Operation: Configure intelligent defense. For more information, see Advanced settings.

Parameter: Virtual Patches
Description: After you turn on Patches, Cloud Firewall protects your assets against common high-severity vulnerabilities and urgent vulnerabilities in real time. The virtual patching feature provides hot patches at the network layer to protect your business against high-severity vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevent business interruption while vulnerabilities are being fixed.
Note Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to configure virtual patching policies.
Operation: Configure virtual patching. For more information, see Advanced settings.
Step 3: View traffic statistics
The traffic analysis feature provides real-time traffic statistics, such as the statistics of outbound connections, Internet exposures, and VPC access. This allows you to control traffic in a visualized manner and identify unusual traffic.
Traffic statistics are essential information for you to configure appropriate access control policies. Before you configure access control policies, we recommend that you view the traffic statistics of your assets.
Outbound Connection
After the Internet firewall of Cloud Firewall is enabled for your network assets, the Outbound Connection page displays real-time information about outbound connections initiated by your servers. This helps you identify suspicious servers.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Outbound Connection page, view the details of outbound connections from your assets within a specified period of time.
Parameter: Outbound Domains
Description: The number of risky domain names and the total number of domain names in outbound connections. The outbound connections are initiated from your business to the domain names, which are located on the Internet.
Supported operation: You can click Outbound Domains in the Data Statistics section to go to the Outbound Domains tab or click Outbound IP Addresses in the Data Statistics section to go to the Outbound IP Addresses tab.
You can perform the following operations on a risky domain name or IP address based on your business requirements to protect your assets:
- Configure an access control policy
  On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address and click Configure Access Control Policy in the Actions column. In the Create Outbound Policy panel, create an outbound access control policy. For more information, see Create inbound and outbound access control policies for the Internet firewall.
- View the details of an outbound domain name
  On the Outbound Domains tab, find an outbound domain name and click Details in the Actions column. In the Outbound Domains panel, view the details of the domain name.
  On the Outbound Connection Initiated over EIP and Outbound Connection Initiated over Private IP Address of NAT Gateway tabs of the panel, view the information about the Elastic Compute Service (ECS) instances that initiated outbound connections. You can also click View Logs in the Actions column to go to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.
- Add a domain name or an IP address to an address book
  On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Address Book. The system redirects to the Create Address Book panel of the Address Books page. For more information, see Manage address books.
- Mark a domain name or an IP address as followed
  On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Mark as Followed.
- Unfollow a domain name or an IP address
  On the Outbound Domains or Outbound IP Addresses tab, click Followed in the upper-right corner. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.
- Add a domain name or an IP address to the whitelist
  On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Whitelist to add the domain name or IP address to the whitelist. This way, Cloud Firewall no longer analyzes the domain name or IP address, and the information about the domain name or IP address is no longer displayed.
- Remove a domain name or an IP address from the whitelist
  On the Outbound Domains or Outbound IP Addresses tab, click Ignored in the upper-right corner. In the Ignored panel, remove a domain name or an IP address from the whitelist. This way, the information about the domain name or IP address is displayed on the Outbound Connection page again.
- View logs
  On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click View Logs. The system redirects to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.

Parameter: Outbound IP Addresses
Description: The number of risky destination IP addresses and the total number of destination IP addresses in outbound connections. The outbound connections are initiated from your business to the IP addresses, which are located on the Internet.
Supported operation: The operations listed for Outbound Domains also apply to the Outbound IP Addresses tab.

Parameter: Outbound Public IP Addresses
Description: The number of risky assets and the total number of assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the public addresses of the assets, such as elastic IP addresses (EIPs).
Supported operation: You can click Outbound Public IP Addresses in the Data Statistics section to go to the Outbound Public IP Addresses tab and click Outbound Private IP Addresses in the Data Statistics section to go to the Outbound Private IP Addresses tab. You can perform the following operations on the tabs:
- Mark an IP address as followed
  Find an IP address and click Mark as Followed in the Actions column.
- Unfollow a domain name or an IP address
  In the upper-right corner, click Followed. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.
- View logs
  Find an IP address and click View Logs in the Actions column. The Traffic Logs tab of the Log Audit page is displayed. For more information, see Traffic logs.

Parameter: Outbound Private IP Addresses
Description: The number of risky private assets and the total number of private assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the IP addresses of NAT gateways.
Supported operation: The operations listed for Outbound Public IP Addresses also apply to the Outbound Private IP Addresses tab.

Parameter: Outbound Connection Protocol
Description: The analysis results of protocols that are used in outbound connections. The outbound connections are initiated from your business to the Internet. The results include the number of unidentified protocols, the total number of used protocols, and the proportion of unidentified protocols to all used protocols.
Supported operation: You can click Protocol Analysis to go to the Outbound Connection Protocol tab. You can perform the following operations on the tab:
- View logs
  Find a protocol and click View Logs in the Actions column. The Traffic Logs tab of the Log Audit page is displayed. For more information, see Traffic logs.
- Configure an access control policy
Internet Exposure
The Internet Exposure page of the Cloud Firewall console provides an overview of the normal and unusual inbound traffic of your assets, including the information about open applications, open ports, open public IP addresses, and cloud services to which inbound traffic flows.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Internet Exposure page, view the traffic rankings of IP addresses, traffic trends, and details of Internet access.
Parameter: Open Public IP Addresses
Description: The total number of open public IP addresses and the number of risky open public IP addresses.
Supported operation: View the traffic statistics of a public IP address that is accessed: On the Open Public IP Addresses tab, find the IP address and click View Details in the Actions column. In the Open Public IP Addresses panel, view the access information about the IP address. This helps you identify the traffic of malicious behavior.

Parameter: Open Ports
Description: The total number of open ports and the number of risky open ports.
Supported operation: View the traffic statistics of an open port: On the Open Ports tab, find the open port and click View Details in the Actions column. In the Open Ports panel, view the access information about the open port. This helps you identify the traffic of malicious behavior.

Parameter: Open Applications
Description: The total number of open applications and the number of risky open applications.
Supported operation: View the traffic statistics of an open application: On the Open Applications tab, find the open application and click View Details in the Actions column. In the Open Applications panel, view the access information about the application. This helps you identify the traffic of malicious behavior.

Parameter: Details
Description: The traffic statistics of all assets.
Supported operation: View the traffic statistics of an asset: On the Details tab, find the asset and click View Details in the Actions column. In the Details panel, view the access information about the asset. This helps you identify the traffic of malicious behavior.

Parameter: Cloud Products
Description: The number of public IP addresses to which inbound traffic flows to access cloud services.
Supported operation: None.
VPC Access
The VPC Access page displays information about the traffic between VPCs to help you detect unusual traffic and potential attacks.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the VPC Access page, view information about the traffic between VPCs, rankings of sessions between VPCs, open ports, and assets.
Section or tab: Traffic Between VPCs
Description: This section displays the following data: peak traffic in both the inbound and outbound directions, average traffic in both the inbound and outbound directions, and trend charts for both inbound and outbound traffic.
Supported operation: View traffic-based rankings: On a traffic trend chart, click a point in time. The top IP addresses that are involved in the traffic at that point in time are displayed in the Ranking of IP Addresses by Traffic section.

Section or tab: Ranking of IP Addresses by Traffic
Description: This section displays the rankings of top 10, top 20, or top 50 IP addresses by traffic. You can view IP, Inbound, and Outbound. By default, the rankings of top 50 IP addresses are displayed.
Supported operation: View logs: Find the IP address that you want to manage and click View Logs in the Actions column. On the VPC Border page, view the log details of the VPC to which the IP address belongs.

Section or tab: Ranking of Sessions Between VPCs by Visits and Traffic
Description: This section displays the rankings of sessions between VPCs. You can view Ranking, Session, Sessions, Traffic, Port, and Ratio.
Supported operation: View the proportion of ports by session: Find the session data record of an IP address and click View in the Ratio column. In the Open Ports by Traffic section, view the proportion of ports that are involved in the session.

Section or tab: Open Ports by Traffic
Description: By default, this section displays the distribution of all open ports.
Supported operation: None.

Section or tab: Open Ports
Description: This tab displays the data of open ports that are used for the traffic between VPCs. You can view Open Port, Protocol, Application, Traffic, Requests, Asset IP, and Risk Level.
Supported operation:
- View the details of an open port: Find the local open port that you want to manage and click View Details in the Actions column. In the Port Details panel, view the details of the port.
- View logs: In the Port Details panel, find the peer IP address that corresponds to the local open port and click View Logs in the Actions column. On the VPC Firewall tab of the Traffic Logs tab, view the log details of the IP address.
Note To download the data of open ports to a CSV file on your computer, you can click the icon in the upper-right corner above the port list. This way, you can view the data or use the data for analysis in a more convenient manner.

Section or tab: Assets
Description: This tab displays the data of assets that are involved in traffic between VPCs. You can view Asset IP, Instance ID/Name, Port, Traffic, Requests, and Risk Level.
Supported operation:
- View the details of an asset: Find the local asset that you want to manage and click View Details in the Actions column. In the Asset Access Details panel, view the details of the asset.
- View logs: In the Asset Access Details panel, find the peer IP address that corresponds to the asset and click View Logs in the Actions column. On the VPC Firewall tab of the Traffic Logs tab, view the log details of the IP address.
Note To download the data of assets to a CSV file on your computer, you can click the icon in the upper-right corner above the asset list. This way, you can view the data or use the data for analysis in a more convenient manner.
Step 4: Create access control policies
Cloud Firewall allows you to create access control policies for inbound and outbound traffic over the Internet and mutual traffic over an internal network. This can reduce the risk of intrusions into your assets.
Create access control policies for the Internet firewall on outbound and inbound traffic
The Internet firewall controls the outbound and inbound traffic of your web assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- Create access control policies for the Internet firewall.
- Create access control policies to protect outbound traffic over the Internet
On the Internet Border page, create an outbound policy to allow traffic from trusted IP addresses and specify the Highest priority for the policy. Then, create a second outbound policy to deny traffic from all sources to the Internet and specify the Lowest priority for the policy. If you want to specify multiple sources, destinations, and ports, you can use an address book or create multiple policies. For more information, see Configure access control policies.
Important We recommend that you set the actions of outbound policies to Deny, except for the policies that allow the outbound connections required by your business.
- Create access control policies to protect inbound traffic over the Internet
On the Internet Border page, create an inbound policy to allow traffic from trusted IP addresses and specify the Highest priority for the policy. Then, create a second inbound policy to deny traffic from all sources to the internal network and specify the Lowest priority for the policy. If you want to specify multiple sources, destinations, and ports, you can use an address book or create multiple policies. For more information, see Configure access control policies.
Parameter: Source Type
Description: Specify the type of the traffic source. Valid values:
- IP
- Address Book
- Region (You can set Source Type to Region only when you create an inbound policy.)

Parameter: Source
Description: Specify the address of the traffic source.
- If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
- If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
  An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
- If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.

Parameter: Destination Type
Description: Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.

Parameter: Destination
Description: Specify the address of the traffic destination.
- If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
- If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
- If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. You can set Destination Type to Domain Name only when you create an outbound policy.
- If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.

Parameter: Protocol
Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.

Parameter: Port Type
Description: Specify the type of the port. Valid values:
- Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.
- Address Book: If you select this option, you can select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.

Parameter: Ports
Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.

Parameter: Application
Description: Select the type of the application on which you want the policy to take effect. Cloud Firewall supports various types of applications. For more information, go to the Internet Border page in the Cloud Firewall console.
If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

Parameter: Policy Action
Description: Select the action on the traffic. In this example, select Allow. Valid values:
- Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
- Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
  To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests.
- Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

Parameter: Description
Description: Enter a description that can help identify the policy.

Parameter: Priority
Description: Select the priority of the policy. Default value: Lowest. Valid values:
- Highest: The policy has the highest priority.
- Lowest: The policy has the lowest priority.

Parameter: Enabled
Description: Specify whether to enable the policy.
Create an access control policy for a VPC firewall
A VPC firewall can monitor and control the traffic between two VPCs. By default, a VPC firewall allows all traffic. You must create an Allow policy for a VPC firewall to allow traffic from trusted sources and specify the Highest priority for the policy. Then, create a second Deny policy for the VPC firewall to deny traffic from all sources to the internal network and specify the Lowest priority for the policy.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the VPC Border page, create an access control policy for a VPC firewall. Note Only Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls.
Parameter: Source Type
Description: Select the type of the traffic source. Valid values:
- IP: If you select this option, enter a CIDR block for Source.
- Address Book: If you select this option, select a preconfigured address book.
  Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.

Parameter: Source
Description: Specify the address of the traffic source.
- If you set Source Type to IP, specify a CIDR block for Source.
  Note You can enter only one CIDR block.
- If you set Source Type to Address Book, select a preconfigured address book.
  Note You can select only one address book at a time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.

Parameter: Destination Type
Description: Select the type of the traffic destination. Valid values:
- IP: If you select this option, enter an IP address for Destination.
- Address Book: If you select this option, select an address book.
- Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

Parameter: Destination
Description: Specify the address of the traffic destination.
- If you set Destination Type to IP, enter a CIDR block.
  Note You can enter only one CIDR block.
- If you set Destination Type to Address Book, find the required address book and click Select in the Actions column.
  Note You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
- If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

Parameter: Protocol
Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values:
- ANY: any protocol
- TCP
- UDP
- ICMP

Parameter: Port Type
Description: Select the type of the port. Valid values:
- Ports: If you select this option, you can enter only one port range for Ports.
- Address Book: If you select this option, you need only to select a preconfigured port address book. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.

Parameter: Ports
Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column.
Note
- You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
- If you set Protocol to ICMP, the destination ports that you specify do not take effect. If you set Protocol to ANY, the destination ports that you specify do not take effect in ICMP traffic control.

Parameter: Application
Description: Select the type of the application. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC. If you set Protocol to TCP, you can use all the valid values of Application. If you set Protocol to a value other than TCP, you can set Application only to ANY.
Note Cloud Firewall identifies applications based on packet characteristics, instead of port numbers. If Cloud Firewall fails to identify the application for a packet, Cloud Firewall allows the packet.

Parameter: Policy Action
Description: Select the action on the traffic that reaches the VPC firewall. Valid values:
- Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
  Note By default, a VPC firewall allows all traffic.
- Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
- Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.

Parameter: Description
Description: Enter a description for the policy to help identify the policy.

Parameter: Priority
Description: Select the priority of the policy. Default value: Lowest. Valid values:
- Lowest: The policy has the lowest priority and is the last one to take effect.
- Highest: The policy has the highest priority and is the first one to take effect.
Note After you change the priority of an access control policy, the priorities of access control policies with lower priorities decrease.
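The Internet firewall and VPC firewall policy tables above describe how a policy is matched (source, destination, protocol, ports, application) and that Highest-priority policies are evaluated before Lowest-priority ones. The following is an added example, not Alibaba Cloud's code: a small offline evaluator that models those matching rules, so the "Allow trusted sources at Highest, Deny 0.0.0.0/0 at Lowest" pattern from Step 4 can be checked before it is published, including a check for Allow policies that a mis-prioritized catch-all Deny would shadow. Assumed: the "low/high" port-range notation, the address book contents and the sample flows are constructed; application identification is given as an input rather than derived from packet characteristics, and the strict mode is not modeled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address books, standing in for the console's Address Book objects.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
ADDRESS_BOOKS = {"trusted-admin": ["203.0.113.0/24", "198.51.100.7/32"]}
PORT_BOOKS = {"web": ["80/80", "443/443"]}


@dataclass
class Policy:
    name: str
    action: str                  # Allow | Deny | Monitor
    priority: str = "Lowest"     # Highest | Lowest
    source_type: str = "IP"      # IP | Address Book
    source: str = "0.0.0.0/0"    # comma-separated CIDR blocks, or an address book name
    dest_type: str = "IP"
    dest: str = "0.0.0.0/0"
    protocol: str = "ANY"        # TCP | UDP | ICMP | ANY
    port_type: str = "Ports"     # Ports | Address Book
    ports: str = "1/65535"       # comma-separated "low/high" ranges (assumed notation), or a port book
    application: str = "ANY"


def _networks(kind, value):
    cidrs = ADDRESS_BOOKS[value] if kind == "Address Book" else value.split(",")
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def _port_ranges(kind, value):
    ranges = PORT_BOOKS[value] if kind == "Address Book" else value.split(",")
    out = []
    for r in ranges:
        lo, _, hi = r.strip().partition("/")
        out.append((int(lo), int(hi or lo)))
    return out


def matches(p, flow):
    """flow: src, dst, proto, dport, app ('unknown' when the application was not identified)."""
    if not any(ipaddress.ip_address(flow["src"]) in n for n in _networks(p.source_type, p.source)):
        return False
    if not any(ipaddress.ip_address(flow["dst"]) in n for n in _networks(p.dest_type, p.dest)):
        return False
    if p.protocol not in ("ANY", flow["proto"]):
        return False
    # Destination ports are not applied to ICMP traffic, as the page notes.
    if flow["proto"] != "ICMP" and not any(
            lo <= flow["dport"] <= hi for lo, hi in _port_ranges(p.port_type, p.ports)):
        return False
    # An application-specific policy cannot match a packet whose application was not
    # identified, so such a packet falls through to the next policy.
    if p.application not in ("ANY", flow["app"]):
        return False
    return True


def ordered(policies):
    """Evaluation order: Highest-priority policies first, then the rest, each in list order."""
    return ([p for p in policies if p.priority == "Highest"]
            + [p for p in policies if p.priority != "Highest"])


def evaluate(policies, flow):
    """Return (action, policy name) of the first matching policy, or ('Allow', None)
    when no policy matches: traffic that no policy covers is not controlled."""
    for p in ordered(policies):
        if matches(p, flow):
            return p.action, p.name
    return "Allow", None


def is_catch_all_deny(p):
    return (p.action == "Deny" and p.source_type == "IP" and p.source == "0.0.0.0/0"
            and p.dest_type == "IP" and p.dest == "0.0.0.0/0" and p.protocol == "ANY"
            and p.port_type == "Ports" and p.ports == "1/65535" and p.application == "ANY")


def shadowed_allows(policies):
    """Names of Allow policies that can never match because a Deny 0.0.0.0/0 policy is
    evaluated before them, e.g. when that Deny was mistakenly given Highest priority."""
    shadowed, deny_seen = [], False
    for p in ordered(policies):
        if deny_seen and p.action == "Allow":
            shadowed.append(p.name)
        deny_seen = deny_seen or is_catch_all_deny(p)
    return shadowed


# The inbound pattern from Step 4: allow trusted sources at Highest, deny everything at Lowest.
INBOUND = [
    Policy("allow-admin-ssh", "Allow", "Highest", "Address Book", "trusted-admin",
           "IP", "10.0.0.0/8", "TCP", "Ports", "22/22", "SSH"),
    Policy("allow-admin-ping", "Allow", "Highest", "Address Book", "trusted-admin",
           "IP", "10.0.0.0/8", "ICMP"),
    Policy("deny-all", "Deny", "Lowest"),
]

FLOWS = {  # constructed sample traffic
    "admin_ssh": {"src": "203.0.113.5", "dst": "10.1.2.3", "proto": "TCP", "dport": 22, "app": "SSH"},
    "other_ssh": {"src": "192.0.2.9", "dst": "10.1.2.3", "proto": "TCP", "dport": 22, "app": "SSH"},
    "admin_rdp": {"src": "203.0.113.5", "dst": "10.1.2.3", "proto": "TCP", "dport": 3389, "app": "RDP"},
    "admin_ping": {"src": "198.51.100.7", "dst": "10.1.2.3", "proto": "ICMP", "dport": None, "app": "ANY"},
}


def demo():
    return {name: evaluate(INBOUND, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    # Giving the catch-all Deny the Highest priority shadows both Allow policies.
    print("shadowed:", shadowed_allows([Policy("deny-all", "Deny", "Highest")] + INBOUND[:2]))
```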
Create an access control policy for an internal firewall between ECS instances
An internal firewall can control inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized with ECS security groups. We recommend that you first create an Allow policy to allow traffic to ECS instances and then create a Deny policy to deny traffic from all sources, protocols, ports, and applications. The Allow policy has a higher priority than the Deny policy.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Internal Border page, create an access control policy for an internal firewall.
Parameter: Policy Group Type
Description: Select a type for the policy group. Valid values:
- Common Policy Group
- Enterprise Policy Group

Parameter: Name
Description: Enter a name for the policy group. We recommend that you enter an informative name for easy identification.

Parameter: VPC
Description: Select a VPC to which you want to apply the policy group from the VPC drop-down list.
Note A policy group can be applied to only one VPC.

Parameter: Instance ID
Description: Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.
Note The Instance ID drop-down list contains only ECS instances within the selected VPC.

Parameter: Description
Description: Enter a description for the policy group.

Parameter: Template
Description: Select a template that you want to use from the Template drop-down list.
- default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.
- default-accept-all: allows all inbound and outbound traffic.
- default-drop-all: denies all inbound and outbound traffic.
  Note Enterprise policy groups do not support the default-drop-all template.
Step 5: Handle exceptions
- For more information about how to troubleshoot exceptions on network traffic analysis, see FAQ about network traffic analysis.
- For more information about how to troubleshoot exceptions on attack prevention, see FAQ about attack prevention.