Create an access control policy for a VPC firewall - Cloud Firewall

A virtual private cloud (VPC) firewall can monitor and control the traffic between two VPCs. By default, a VPC firewall allows all traffic. You can create an access control policy to deny traffic from suspicious or malicious sources and allow traffic from trusted sources. This topic describes how to create an access control policy for a VPC firewall.

Feature description

VPC firewalls help you detect and control east-west traffic between VPCs and between VPCs and data centers that are connected by using Enterprise Edition transit routers or Basic Edition transit routers of Cloud Enterprise Network (CEN) instances or Express Connect circuits. This protects internal network traffic between VPCs connected by using virtual border routers (VBRs), between VPCs and data centers connected by using VBRs, between VPCs and third-party clouds, and between VPCs and virtual private networks (VPNs).

Diagram of a VPC firewall

Traffic that is protected

For more information about the traffic that can be protected, see Overview.

Prerequisites

A VPC firewall is created and enabled. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.
The quota for access control policies is sufficient. You can choose Access Control > VPC Border to view the usage of the quota for access control policies. For more information about how to calculate the quota that is consumed by access control policies, see Overview of access control policies.
If the quota is insufficient, you can click Increase Quota to increase the value of Quota for Additional Policy. For more information, see Purchase Cloud Firewall.

Procedure

To manage the traffic between two VPCs, you can use the blacklist mode or whitelist mode. In blacklist mode, you need to configure a policy to deny traffic that is not trusted or is not required in your workloads and a policy to allow other traffic. In whitelist mode, you need to configure a policy to allow traffic that is trusted or is required in your workloads and a policy to deny other traffic. For more information about the examples of configuring an access control policy for a VPC firewall, see Configure access control policies.

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Access Control > VPC Border.
On the VPC Border page, click Switchover to select a Cloud Enterprise Network (CEN) instance or an Express Connect circuit.

Click Create Policy. Then, configure the policy parameters based on the following table and click OK.

Parameter	Description
Source Type	The initiator of the network connection. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books. If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select one or more regions in or outside China.
Source
Destination Type	The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IPv4 or domain name address book is configured. For more information about how to create an address book, see Manage address books. If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.
Destination
Protocol Type	The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.
Port Type	The port type and port number of the destination. If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges. If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.
Port
Application	The application type of the traffic. If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application. If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application. If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, or SMTPS for Application. Note Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
Action	The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Allow: The traffic is allowed. Deny: The traffic is denied, and no notifications are sent. Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description	The description of the access control policy. Enter a description that can help identify the policy.
Priority	The priority of the access control policy. Default value:Lowest. Valid values: Highest: The access control policy has the highest priority. Lowest: The access control policy has the lowest priority.
Policy Validity Period	The validity period of the access control policy. The policy can be used to match traffic only within the validity period.

What to do next

After your service runs for a period of time, you can view the number of hits of the policy in the policy list. You can click the number to go to the Traffic Logs tab and view the logs of traffic that passes through the VPC firewall. For more information about how to view traffic logs, see Log audit.

Related operations

After an access control policy is created, you can click Modify, Delete, or Copy in the Actions column of the policy. You can also click Move to change the priority of the policy. After you change the priority of the policy, the priorities of access control policies with lower priorities decrease.

Important

After you delete an access control policy, Cloud Firewall does not control the traffic to which the policy applies. Proceed with caution.