If you want to manage traffic between your asset and a specific region, you can configure an access control policy for the Internet firewall and set the Source Type or Destination Type parameter to Region. For example, you can configure an access control policy to allow traffic from your asset only to a specific region or deny traffic from a specific region to your asset. This topic describes how to configure an access control policy to deny traffic from regions outside China.
Example scenario
In this example, your asset is an Elastic Compute Service (ECS) instance with which the elastic IP address (EIP) 47.100.XX.XX is associated. Your business is intended for users in regions in China. You do not require traffic from regions outside China to the ECS instance. To achieve this goal, you must configure an access control policy to deny traffic from all regions outside China.
Prerequisites
Cloud Firewall is activated, and the Internet Firewall feature is enabled. For more information, see Purchase Cloud Firewall and Internet firewall.
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure the parameters. The following table describes the parameters.
Parameter
Description
Example
Source Type
The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.
Region
Source
All Geographical Regions Outside China
Destination Type
The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.
IP
Destination
47.100.XX.XX/32, which is the public IP address of the ECS instance
Protocol Type
The type of the transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.
ANY
Port Type
The port type and port number of the destination.
Port
Port
0/0, which indicates all ports
Application
The application type of the traffic.
ANY
Action
The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values:
Allow: The traffic is allowed.
Deny: The traffic is denied, and no notifications are sent.
Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Deny
Priority
The priority of the access control policy. Default value: Lowest.
Highest
Policy Validity Period
The validity period of the access control policy. The policy can be used to match traffic only during the validity period.
Always
Status
Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.
Enabled
What to do next
By default, an access control policy immediately takes effect after it is created. In the list of access control policies, view the hit details about an access control policy in the Hits/Last Hit At column.
The Hits/Last Hit At column displays the number of hits and the time when the policy was last hit. Click the number of hits to go to the Log Audit page. On the Traffic Logs tab, view the hit details. For more information, see Log audit.
References
For more information about how to configure an access control policy for the Internet firewall, see Create inbound and outbound access control policies for the Internet firewall.
For more information about how to configure an access control policy, see Configure access control policies.
For more information about how to configure and use an access control policy, see FAQs about access control policies.