This topic provides examples on how to configure access control policies for the Internet firewall, a virtual private cloud (VPC) firewall, and an internal firewall.

Configure an access control policy for the Internet firewall

In Cloud Firewall, inbound and outbound traffic is also referred to as north-south traffic or Internet traffic. You can configure access control policies in the Cloud Firewall console to manage north-south traffic. After you create access control policies, Cloud Firewall performs precise access control to ensure network security. For more information about the parameters of an access control policy that you can configure for the Internet firewall, see Create access control policies for the Internet firewall on outbound and inbound traffic.

Configure an inbound policy to allow Internet traffic destined for a specified port

For example, you want to create an inbound policy to allow Internet traffic that is destined only for TCP port 80 of an Elastic Compute Service (ECS) instance. The IP address of the ECS instance is 10.1.XX.XX, and the elastic IP address (EIP) is 200.2.XX.XX/32.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internet Border.
  3. On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure a policy.
    1. Configure a policy to allow Internet traffic destined for the ECS instance and click OK.
      The following table describes the parameters.

      Parameter: Source Type
      Description: Specify the type of the traffic source. Valid values:
      • IP
      • Address Book
      • Region (This value can be specified only when you create an inbound policy.)
      Example: IP

      Parameter: Source
      Description: Specify the address of the traffic source.
      • If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
      • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
        An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
      • If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.
      Example: 0.0.0.0/0
      Note The value 0.0.0.0/0 indicates all public IP addresses.

      Parameter: Destination Type
      Description: Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.
      Example: IP

      Parameter: Destination
      Description: Specify the address of the traffic destination.
      • If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
      • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
      • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Resolve domain names specified in outbound access control policies. You can set Destination Type to Domain Name only when you create an outbound policy.
      • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.
      Example: 200.2.XX.XX/32

      Parameter: Protocol
      Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.
      Example: TCP

      Parameter: Port Type
      Description: Specify the type of the port. Valid values:
      • Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.
      • Address Book: If you select this option, select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
      Example: Ports

      Parameter: Ports
      Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
      Example: 80/80

      Parameter: Application
      Description: Select the type of the application on which you want the policy to take effect. Cloud Firewall supports various types of applications. For more information, go to the Internet Firewall page in the Cloud Firewall console.
      If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
      If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
      Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
      Example: ANY

      Parameter: Policy Action
      Description: Select the action on the traffic.
      • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
      • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent. To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests.
      • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
      Example: Allow

      Parameter: Priority
      Description: Select the priority of the policy. Default value: Lowest. Valid values:
      • Highest: The policy has the highest priority.
      • Lowest: The policy has the lowest priority.
      Example: Highest

      Parameter: Enabled
      Description: Specify whether to enable the policy.
      Example: Enable
    2. Configure a policy to deny Internet traffic destined for all ECS instances and click OK.
      Repeat the preceding steps to configure the policy. The following list describes the parameters:
      • Destination: Enter 0.0.0.0/0.
        Note The value 0.0.0.0/0 indicates the IP addresses of all ECS instances.
      • Protocol: Select ANY.
      • Ports: Enter 0/0.
        Note The value 0/0 indicates all ports of ECS instances.
      • Application: Select ANY.
      • Policy Action: Select Deny.
      • Priority: Select Lowest.
    After you complete the configurations, make sure that the priority of the Allow policy is higher than the priority of the Deny policy.
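The allow-then-deny pair above works only because of the priority ordering. The following Python model is an added example, not Cloud Firewall's code or console output: it applies first-match evaluation in priority order to constructed policies and flows (the EIP 200.2.0.10, the client address 203.0.113.7, the policy names, and the mapping of Highest/Lowest to an integer order are all assumptions), parses the low/high port syntax used in the table, and models the note that traffic from an unidentified application is allowed unless strict mode is enabled.

```python
"""Policy-ordering model for the Internet firewall examples above.

Added example, not Cloud Firewall's code: it reproduces the documented
first-match semantics (a policy with Highest priority is checked before one
with Lowest priority), the port-range syntax ("80/80", "0/0" = all ports) and
the note that traffic whose application cannot be identified is allowed unless
strict mode is on. Addresses and policy names are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Console priority labels mapped to an evaluation order (assumption: lower is checked first).
PRIORITY = {"Highest": 0, "Lowest": 1}


@dataclass(frozen=True)
class Policy:
    name: str
    source: str         # CIDR block, e.g. "0.0.0.0/0" for all public IP addresses
    destination: str    # CIDR block
    protocol: str       # "TCP", "UDP", "ICMP" or "ANY"
    ports: str          # comma-separated "low/high" ranges; "0/0" means all ports
    application: str    # "ANY" or an application name such as "HTTP"
    action: str         # "Allow", "Deny" or "Monitor"
    priority: str       # "Highest" or "Lowest"


def parse_port_ranges(spec):
    """Parse the console's "low/high,low/high" syntax, rejecting malformed ranges."""
    ranges = []
    for item in spec.split(","):
        low, high = (int(x) for x in item.strip().split("/"))
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    return ranges


def port_matches(spec, port):
    return any(r == (0, 0) or r[0] <= port <= r[1] for r in parse_port_ranges(spec))


def policy_matches(p, flow):
    """A policy hits when every configured condition is met by the flow."""
    if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(p.source, strict=False):
        return False
    if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(p.destination, strict=False):
        return False
    if p.protocol != "ANY" and p.protocol != flow["proto"]:
        return False
    # ICMP has no ports; for other protocols the destination port must be covered.
    if flow["proto"] != "ICMP" and not port_matches(p.ports, flow["dport"]):
        return False
    return p.application == "ANY" or p.application == flow["app"]


def evaluate(policies, flow, strict_mode=False):
    """Return (verdict, policy name) for a flow.

    Application caveat from the page: a packet whose application cannot be
    identified is allowed unless strict mode is enabled (modelled here as an
    outright deny, a simplification of the documented behaviour).
    """
    if flow["app"] == "UNKNOWN":
        return ("Deny", "strict-mode") if strict_mode else ("Allow", "unidentified-application")
    for p in sorted(policies, key=lambda p: PRIORITY[p.priority]):
        if policy_matches(p, flow):
            verdict = "Allow" if p.action == "Monitor" else p.action  # Monitor records and allows
            return verdict, p.name
    return "Allow", "no-policy-hit"  # assumption: no explicit hit means the traffic passes


# Constructed policies mirroring the inbound example: allow TCP/80 to one EIP,
# deny everything else to every ECS instance, with the Allow ranked higher.
ALLOW_HTTP = Policy("allow-http-in", "0.0.0.0/0", "200.2.0.10/32", "TCP", "80/80", "ANY", "Allow", "Highest")
DENY_ALL = Policy("deny-all-in", "0.0.0.0/0", "0.0.0.0/0", "ANY", "0/0", "ANY", "Deny", "Lowest")
INBOUND = [DENY_ALL, ALLOW_HTTP]  # list order does not matter; priority does

# Same two policies with the priorities swapped: deny-all now wins even for port 80.
MISORDERED = [
    Policy("allow-http-in", "0.0.0.0/0", "200.2.0.10/32", "TCP", "80/80", "ANY", "Allow", "Lowest"),
    Policy("deny-all-in", "0.0.0.0/0", "0.0.0.0/0", "ANY", "0/0", "ANY", "Deny", "Highest"),
]


def inbound_flow(dport, app="HTTP"):
    """Constructed inbound flow from an arbitrary public address to the EIP."""
    return {"src": "203.0.113.7", "dst": "200.2.0.10", "proto": "TCP", "dport": dport, "app": app}


if __name__ == "__main__":
    for dport in (80, 22):
        print(dport, evaluate(INBOUND, inbound_flow(dport)), evaluate(MISORDERED, inbound_flow(dport)))
```

Running the block shows port 80 hitting the Allow policy and port 22 falling through to the Deny policy; with the priorities swapped, the Deny policy catches port 80 as well, which is the misconfiguration the closing sentence of the procedure warns against.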

Configure an outbound policy to allow an ECS instance to access a specified domain name

For example, you want to create an outbound policy to allow an ECS instance to access the www.aliyundoc.com domain name. The IP address of the ECS instance is 10.1.XX.XX, and the EIP is 47.100.XX.XX/32.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internet Border.
  3. On the Outbound tab, click Create Policy. In the Create Outbound Policy panel, click the Create Policy tab and configure a policy.
    1. Configure a policy to allow the ECS instance to access the www.aliyundoc.com domain name and click OK.
      The following table describes the parameters.

      Parameter: Source Type
      Description: Specify the type of the traffic source. Valid values:
      • IP
      • Address Book
      • Region (This value can be specified only when you create an inbound policy.)
      Example: IP

      Parameter: Source
      Description: Specify the address of the traffic source.
      • If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
      • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
        An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
      • If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.
      Example: 47.100.XX.XX/32

      Parameter: Destination Type
      Description: Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.
      Example: Domain Name

      Parameter: Destination
      Description: Specify the address of the traffic destination.
      • If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
      • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
      • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Resolve domain names specified in outbound access control policies. You can set Destination Type to Domain Name only when you create an outbound policy.
      • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.
      Example: www.aliyundoc.com
      Note You can also resolve the domain name into an IP address.

      Parameter: Protocol
      Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.
      Example: TCP

      Parameter: Port Type
      Description: Specify the type of the port. Valid values:
      • Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.
      • Address Book: If you select this option, select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
      Example: Ports

      Parameter: Ports
      Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
      Example: 0/0
      Note The value 0/0 indicates all ports.

      Parameter: Application
      Description: Select the type of the application on which you want the policy to take effect. Cloud Firewall supports various types of applications. For more information, go to the Internet Firewall page in the Cloud Firewall console.
      If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
      If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
      Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
      Example: ANY

      Parameter: Policy Action
      Description: Select the action on the traffic.
      • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
      • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent. To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests.
      • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
      Example: Allow

      Parameter: Priority
      Description: Select the priority of the policy. Default value: Lowest. Valid values:
      • Highest: The policy has the highest priority.
      • Lowest: The policy has the lowest priority.
      Example: Highest

      Parameter: Enabled
      Description: Specify whether to enable the policy.
      Example: Enable
    2. Configure a policy to deny the ECS instance access to the Internet and click OK.

      Repeat the preceding steps to configure the policy. The following list describes the parameters:

      • Source: Enter 47.100.XX.XX/32.
      • Destination: Enter 0.0.0.0/0.
        Note The value 0.0.0.0/0 indicates the IP addresses of all ECS instances.
      • Protocol: Select ANY.
      • Ports: Enter 0/0.
        Note The value 0/0 indicates all ports of ECS instances.
      • Application: Select ANY.
      • Policy Action: Select Deny.
      • Priority: Select Lowest.
    After you complete the configurations, make sure that the priority of the Allow policy is higher than the priority of the Deny policy.

Configure an inbound policy to deny traffic destined for an ECS instance from regions outside China

For example, you want to create an inbound policy to deny traffic destined for an ECS instance from regions outside China. The IP address of the ECS instance is 10.1.XX.XX, and the EIP is 47.100.XX.XX.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internet Border.
  3. On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure a policy.

    The following table describes the parameters.

    Parameter: Source Type
    Description: Specify the type of the traffic source. Valid values:
    • IP
    • Address Book
    • Region (This value can be specified only when you create an inbound policy.)
    Example: Region

    Parameter: Source
    Description: Specify the address of the traffic source.
    • If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
    • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
      An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
    • If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.
    Example: Regions outside China

    Parameter: Destination Type
    Description: Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.
    Example: IP

    Parameter: Destination
    Description: Specify the address of the traffic destination.
    • If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
    • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
    • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Resolve domain names specified in outbound access control policies. You can set Destination Type to Domain Name only when you create an outbound policy.
    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.
    Example: 47.100.XX.XX

    Parameter: Protocol
    Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.
    Example: ANY

    Parameter: Port Type
    Description: Specify the type of the port. Valid values:
    • Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.
    • Address Book: If you select this option, select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
    Example: Ports

    Parameter: Ports
    Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
    Example: 0/0
    Note The value 0/0 indicates all ports.

    Parameter: Application
    Description: Select the type of the application on which you want the policy to take effect. Cloud Firewall supports various types of applications. For more information, go to the Internet Firewall page in the Cloud Firewall console.
    If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
    If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
    Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
    Example: ANY

    Parameter: Policy Action
    Description: Select the action on the traffic.
    • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
    • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent. To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests.
    • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
    Example: Deny

    Parameter: Priority
    Description: Select the priority of the policy. Default value: Lowest. Valid values:
    • Highest: The policy has the highest priority.
    • Lowest: The policy has the lowest priority.
    Example: Highest

    Parameter: Enabled
    Description: Specify whether to enable the policy.
    Example: Enable

Configure an access control policy for a VPC firewall

A VPC firewall can monitor and control the traffic between two VPCs. The traffic is also referred to as east-west traffic. If you want to manage traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources. For more information about the parameters of an access control policy that you can configure for a VPC firewall, see Create an access control policy for a VPC firewall.

Deny traffic between ECS instances that reside in different VPCs

Note If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or connected by using an Express Connect circuit, the ECS instances that reside in the VPCs can communicate with each other.

For example, you want to deny access from ECS 1 to ECS 2. ECS 1 resides in VPC 1, and ECS 2 resides in VPC 2. The VPCs are attached to the same CEN instance. The IP address of ECS 1 is 10.33.XX.XX/32, and the IP address of ECS 2 is 10.66.XX.XX/32.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > VPC Border.
  3. On the VPC Border page, click Create Policy.
  4. In the Create VPC Firewall Policy dialog box, configure the parameters and click Submit.

    The following table describes the parameters.

    Parameter: Source Type
    Description: Select the type of the traffic source. Valid values:
    • IP: If you select this option, enter a CIDR block for Source.
    • Address Book: If you select this option, select a preconfigured address book.
      Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.
    Example: IP

    Parameter: Source
    Description: Specify the address of the traffic source.
    • If you set Source Type to IP, specify a CIDR block for Source.
      Note You can enter only one CIDR block.
    • If you set Source Type to Address Book, select a preconfigured address book.
      Note You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
    Example: 10.33.XX.XX/32

    Parameter: Destination Type
    Description: Select the type of the traffic destination. Valid values:
    • IP: If you select this option, enter an IP address for Destination.
    • Address Book: If you select this option, select an address book.
    • Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.
    Example: IP

    Parameter: Destination
    Description: Specify the address of the traffic destination.
    • If you set Destination Type to IP, enter a CIDR block.
      Note You can enter only one CIDR block.
    • If you set Destination Type to Address Book, find the required address book and click Select in the Actions column.
      Note You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
    • If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.
    Example: 10.66.XX.XX/32

    Parameter: Protocol
    Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values:
    • ANY: any protocol
    • TCP
    • UDP
    • ICMP
    Example: TCP

    Parameter: Port Type
    Description: Select the type of the port. Valid values:
    • Ports: If you select this option, you can enter only one port range for Ports.
    • Address Book: If you select this option, you only need to select a preconfigured port address book. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
    Example: Ports

    Parameter: Ports
    Description: Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column.
    • You can select only one address book at a time. If you want to use multiple address books, you can create multiple policies. To create a policy, click Create Policy.
    • If you set Protocol to ICMP, the destination ports you specify do not take effect. If you set Protocol to ANY, the destination ports you specify do not take effect in ICMP traffic control.
    Example: 0/0

    Parameter: Application
    Description: Select the type of the application. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.
    If you set Protocol to TCP, you can use all the valid values of Application. If you set Protocol to a value other than TCP, you can set Application only to ANY.
    Note Cloud Firewall identifies applications based on packet characteristics, instead of port numbers. If Cloud Firewall fails to identify the application for a packet, Cloud Firewall allows the packet.
    Example: ANY

    Parameter: Policy Action
    Description: Select the action on the traffic. Valid values:
    • Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
      Note By default, a VPC firewall allows all traffic.
    • Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
    • Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.
    Example: Deny

Configure an access control policy for an internal firewall

An internal firewall can manage inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. For more information about the parameters of an access control policy that you can configure for an internal firewall, see Create an access control policy for an internal firewall between ECS instances.

Allow traffic between ECS instances in the same policy group

Note If you configure security group rules in the ECS console, ECS instances in the same ECS security group can communicate with each other. This is different from internal firewalls of Cloud Firewall. A policy group created for an internal firewall can contain multiple ECS instances, but the instances cannot communicate with each other by default.

For example, you want to allow traffic between ECS 1 and ECS 2 that reside in the sg-test policy group. The IP address of ECS 1 is 10.33.XX.XX, and the IP address of ECS 2 is 10.66.XX.XX.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internal Border.
  3. On the Internal Border page, find the required policy group and click Configure Policy in the Actions column.
  4. On the Inbound tab, click Create Policy.

    The following table describes the parameters of an inbound policy.

    Parameter: Policy Type
    Description: Select the type of the policy. Valid values:
    • Allow: allows traffic that hits the policy.
    • Deny: denies traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configuration but different policy types, the policy whose type is Deny takes effect.
      Note Enterprise policy groups do not support the Deny policy type.
    Example: Allow

    Parameter: Protocol Type
    Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values:
    • TCP
    • UDP
    • ICMP
    • ANY (If you do not know the traffic protocol, select ANY.)
    Example: TCP

    Parameter: Port Range
    Description: Specify the destination port range of traffic to which the policy is applied.
    Example: 0/0

    Parameter: Source Type and Source
    Description: Specify the address of the traffic source. If you set Direction to Inbound, you must configure this parameter. You can configure Source based on the value of Source Type. Valid source types:
    • CIDR Block: If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.
    • Policy Group: If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is controlled.
      Note Enterprise policy groups do not support the Policy Group type.
    Example:
    • Source Type: Policy Group
    • Source: sg-test

    Parameter: Destination
    Description: Specify the address of the traffic destination. If you set Direction to Inbound, you must configure this parameter. Valid values:
    • All ECS Instances: all ECS instances specified in the current policy group.
    • CIDR Block: If you select this option, you must enter a destination CIDR block. The ECS instances that correspond to this CIDR block are the destination of traffic.
    Example: CIDR Block: 10.66.XX.XX
    Note
    • If you want all ECS instances in the policy group to communicate with each other, set Destination to All ECS Instances.
    • If you want specific ECS instances in the policy group to communicate with each other, set Destination to CIDR Block and enter the CIDR blocks of the peer ECS instances.
  5. If you use an advanced security group, you must configure an outbound policy.
    By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.
    To configure an outbound policy, repeat the steps that you perform to configure the inbound policy. The following list describes the parameters:
    • Source Type: IP
    • Source: 10.66.XX.XX
    • CIDR Block: 10.33.XX.XX

Allow traffic between ECS instances in different policy groups

For example, you want to allow traffic between ECS 1 and ECS 2 that reside in different policy groups of an internal firewall. The IP address of ECS 1 is 10.33.XX.XX, and the IP address of ECS 2 is 10.66.XX.XX.

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Internal Border.
  3. On the Internal Border page, find the policy group in which ECS 1 resides and click Configure Policy in the Actions column.
  4. On the Inbound tab, click Create Policy.

    The following table describes the parameters of an inbound policy.

    Parameter: Policy Type
    Description: Select the type of the policy. Valid values:
    • Allow: allows traffic that hits the policy.
    • Deny: denies traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configuration but different policy types, the policy whose type is Deny takes effect.
      Note Enterprise policy groups do not support the Deny policy type.
    Example: Allow

    Parameter: Protocol Type
    Description: Select the protocol of the traffic on which you want the policy to take effect. Valid values:
    • TCP
    • UDP
    • ICMP
    • ANY (If you do not know the traffic protocol, select ANY.)
    Example: TCP

    Parameter: Port Range
    Description: Specify the destination port range of traffic to which the policy is applied.
    Example: 0/0

    Parameter: Source Type and Source
    Description: Specify the address of the traffic source. If you set Direction to Inbound, you must configure this parameter. You can configure Source based on the value of Source Type. Valid source types:
    • CIDR Block: If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.
    • Policy Group: If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is controlled.
      Note Enterprise policy groups do not support the Policy Group type.
    Example:
    • Source Type: IP
    • Source: 10.66.XX.XX

    Parameter: Destination
    Description: Specify the address of the traffic destination. If you set Direction to Inbound, you must configure this parameter. Valid values:
    • All ECS Instances: all ECS instances specified in the current policy group.
    • CIDR Block: If you select this option, you must enter a destination CIDR block. The ECS instances that correspond to this CIDR block are the destination of traffic.
    Example: CIDR Block: 10.33.XX.XX
    Note
    • If you want the ECS instances in the sg-test2 policy group to access all ECS instances in the sg-test1 policy group, set Destination to All ECS Instances.
    • If you want the ECS instances in the sg-test2 policy group to access specific ECS instances in the sg-test1 policy group, set Destination to CIDR Block and enter the CIDR blocks of the specific ECS instances in the sg-test1 policy group.
  5. If you use an advanced security group, you must configure an outbound policy.
    By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.
    To configure an outbound policy, repeat the steps that you perform to configure the inbound policy. The following list describes the parameters:
    • Source Type: IP
    • Source: 10.33.XX.XX
    • CIDR Block: 10.66.XX.XX
  6. Configure the inbound and outbound policies to allow traffic to and from ECS 2 based on the preceding configurations.
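Both internal-firewall procedures above depend on the same rules: members of a policy group are isolated until an inbound policy on the destination's group allows the traffic, a basic security group allows outbound traffic by default while an advanced one needs an explicit outbound Allow, and a Deny with the same configuration as an Allow wins. The following Python model is an added example, not Cloud Firewall's code: it evaluates whether one ECS instance can reach another under those rules for constructed policy groups (the group name sg-test, the addresses 10.33.0.11 and 10.66.0.22, and the advanced flag are assumptions standing in for the page's 10.33.XX.XX and 10.66.XX.XX).

```python
"""Policy-group reachability model for the internal-firewall examples above.

Added example, not Cloud Firewall's code. It models the documented behaviour:
instances in a policy group do not talk to each other by default, an inbound
policy on the destination's group must allow the traffic, a basic security
group allows outbound traffic by default whereas an advanced one needs an
explicit outbound Allow, and when an Allow and a Deny hit with the same
configuration the Deny takes effect. Group names, addresses and the
advanced flag are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field

ALL_ECS = "All ECS Instances"


@dataclass(frozen=True)
class Rule:
    policy_type: str   # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "ANY"
    port_range: str    # "low/high"; "0/0" means all ports
    source: str        # CIDR block or (inbound only) the name of a policy group
    destination: str   # ALL_ECS or a CIDR block


@dataclass
class PolicyGroup:
    name: str
    members: list                    # IP addresses of the ECS instances in the group
    advanced: bool = False           # True models an advanced security group
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def _port_ok(spec, port):
    low, high = (int(x) for x in spec.split("/"))
    return (low, high) == (0, 0) or low <= port <= high


def _addr_ok(value, ip, groups, group):
    """Match an address field against ALL_ECS (this group), a policy-group name, or a CIDR block."""
    if value == ALL_ECS:
        return ip in group.members
    if value in groups:
        return ip in groups[value].members
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)


def _verdict(rules, group, groups, src, dst, proto, port):
    """Collect the policy types of all hitting rules; Deny beats an equally matching Allow."""
    hits = {r.policy_type for r in rules
            if r.protocol in ("ANY", proto) and _port_ok(r.port_range, port)
            and _addr_ok(r.source, src, groups, group) and _addr_ok(r.destination, dst, groups, group)}
    if "Deny" in hits:
        return "Deny"
    return "Allow" if hits else None


def _group_of(groups, ip):
    for g in groups.values():
        if ip in g.members:
            return g
    raise LookupError(f"{ip} is not in any policy group")


def can_reach(groups, src, dst, proto="TCP", port=22):
    """True if src->dst passes the source group's outbound side and the destination group's inbound side."""
    src_group, dst_group = _group_of(groups, src), _group_of(groups, dst)
    out = _verdict(src_group.outbound, src_group, groups, src, dst, proto, port)
    # Basic group: outbound allowed unless denied. Advanced group: outbound needs an explicit Allow.
    if out == "Deny" or (src_group.advanced and out != "Allow"):
        return False
    # Inbound side defaults to deny: members of a group are isolated until a policy allows them.
    return _verdict(dst_group.inbound, dst_group, groups, src, dst, proto, port) == "Allow"


def same_group_scenario(advanced=False, with_outbound=True):
    """Constructed version of the first example: ECS 1 (10.33.0.11) and ECS 2 (10.66.0.22) in sg-test."""
    sg = PolicyGroup("sg-test", ["10.33.0.11", "10.66.0.22"], advanced=advanced)
    # Inbound on sg-test: allow TCP on all ports from the whole group to ECS 2 only.
    sg.inbound.append(Rule("Allow", "TCP", "0/0", "sg-test", "10.66.0.22/32"))
    if with_outbound:
        sg.outbound.append(Rule("Allow", "TCP", "0/0", "10.33.0.11/32", "10.66.0.22/32"))
    return {sg.name: sg}


def deny_precedence_scenario():
    """Same inbound configuration with both an Allow and a Deny: the Deny takes effect."""
    groups = same_group_scenario()
    groups["sg-test"].inbound.append(Rule("Deny", "TCP", "0/0", "sg-test", "10.66.0.22/32"))
    return groups


if __name__ == "__main__":
    g = same_group_scenario()
    print(can_reach(g, "10.33.0.11", "10.66.0.22"), can_reach(g, "10.66.0.22", "10.33.0.11"))
```

The reverse direction (ECS 2 to ECS 1) is denied because no inbound policy names ECS 1 as a destination; that is why the page has you set Destination to All ECS Instances, or add a second policy, when the instances must reach each other both ways.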