An internal firewall can control inbound and outbound traffic between Elastic Compute Service (ECS) instances to block unauthorized access. The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized with ECS security groups. This topic describes how to create an access control policy for an internal firewall.
Figure: Diagram of an internal firewall

Benefits
Access control policies for internal firewalls outperform rules of ECS security groups in the following aspects:
You can publish multiple policies at a time.
Cloud Firewall creates security groups based on application groups.
You can manage access control policies in the Cloud Firewall console without the need to switch between different regions of ECS instances.
By default, you can create up to 100 policy groups and 100 policies in each group. The policies include those synchronized from ECS security groups to Cloud Firewall and those created in the Cloud Firewall console. If you need more policies, we recommend that you delete unnecessary policies in time or configure access control policies for virtual private cloud (VPC) firewalls.
Policy group types
Policy groups are classified into common and enterprise policy groups. The following list describes the scenarios for the two types of policy groups.
A common policy group corresponds to a basic security group of ECS instances and functions as a virtual firewall to provide stateful packet inspection (SPI) and packet filtering capabilities. You can use a common policy group to isolate security domains on the cloud. You can configure a common policy group to allow or block inbound and outbound traffic between ECS instances in the common policy group. A common policy group is suitable for business that has high requirements for network control on a moderate number of network connections.
An enterprise policy group corresponds to an advanced security group of ECS instances and supports more ECS instances than a common policy group. You can configure access control policies for an unlimited number of private IP addresses. Enterprise policy groups are best suited to enterprises that require efficient O&M on large-scale networks.
The following table describes the differences between the two types of policy groups.
| Feature | Common policy group (basic security group) | Enterprise policy group (advanced security group) |
|---|---|---|
| Network type | VPC and classic network. | VPC. |
| Support for all instance types | Yes. | No. Only instance types with the network type of VPC are supported. |
| Number of private IP addresses supported in the classic network | 1,000①. | The classic network is not supported. |
| Number of private IP addresses supported in VPCs | 2,000②. You can apply to raise the limit to 6,000. Note: Go to the Quota Center console and find the Maximum Number of Private IP Addresses in a Basic Security Group of the VPC Type quota to request a quota increase. For more information, see Submit an application to increase a quota. | 65,536③. |
| Support for security group rules that allow or deny access | Yes. | Yes. |
| Support for specifying a rule priority | Yes. | Yes. |
| Support for being specified as authorization objects in rules of other security groups | Yes. | No. |
| Control policy for mutual access between resources within the same security group when no security rules are created | | |
| Default rules that are automatically created when you create security groups in the ECS console | | |
Prerequisites
Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.
Configuration process
Before you configure access control policies for an internal firewall, you must create a policy group, which contains default access control policies. Then, you can configure inbound and outbound access control policies in the policy group. After you configure access control policies in the policy group, you must publish the policies, so that they can be synchronized to ECS security groups and take effect. A policy group is suitable for business that requires efficient O&M.
Step 1: Create a policy group
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
On the Internal Border page, click Create Policy Group.
In the Create Policy Group dialog box, configure the following parameters and click Confirm.
Policy Group Type: Select a type for the policy group. Valid values: Common Policy Group and Enterprise Policy Group.
Policy Group Name: Enter a name for the policy group. We recommend that you enter an informative name for easy identification.
VPC: Select the VPC to which you want to apply the policy group from the VPC drop-down list. A policy group can be applied to only one VPC.
Instance ID: Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list. Note: The Instance ID drop-down list contains only ECS instances within the selected VPC.
Description: Enter a description for the policy group.
Template: Select the template that you want to use from the Template drop-down list. Valid values:
  default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.
  default-accept-all: allows all inbound and outbound traffic.
  default-drop-all: denies all inbound and outbound traffic.
  Note: Enterprise policy groups do not support the default-drop-all template.
Step 2: Create a policy in the policy group
On the Internal Border page, find the policy group that you want to manage and click Configure Policy in the Actions column.
On the page that appears, click Create Policy.
In the Create Policy dialog box, configure the following parameters and click Submit.
NIC Type: The default value is Internal Network and cannot be changed. This value indicates that the policy is applied to ECS instances.
Direction: The direction of traffic to which you want to apply the policy. Valid values:
  Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.
  Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.
Policy Type: The type of the policy. Valid values:
  Allow: allows the traffic that hits the policy.
  Deny: denies the traffic that hits the policy. Denied data packets are discarded without a response. If two policies have the same configuration but different policy types, the Deny policy takes effect.
  Note: Enterprise policy groups do not support the Deny policy type.
Protocol Type: The protocol type of traffic to which you want to apply the policy. If you select ANY, the policy is applied to all traffic. If you do not know the protocol type, select ANY.
Port Range: The destination port range of traffic to which you want to apply the policy. Example: 22/22.
Priority: The priority of the policy. The priority must be an integer from 1 to 100. A smaller value indicates a higher priority. Different policies can have the same priority. If an Allow policy and a Deny policy have the same priority, the Deny policy takes precedence.
Source Type and Source: The source of traffic. If you set Direction to Inbound, you must configure these parameters. Configure Source based on the value of Source Type:
  CIDR Block: enter a source CIDR block in Source. You can enter only one CIDR block.
  Policy Group: select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed. Note: Enterprise policy groups do not support the Policy Group type.
  Prefix List: select a prefix list from the Source drop-down list. Traffic from all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.
Destination: The destination of traffic. If you set Direction to Inbound, you must configure this parameter. Valid values:
  All ECS Instances: all ECS instances specified in the current policy group.
  CIDR Block: enter a destination CIDR block. The ECS instances that correspond to this CIDR block are the destination of traffic.
Select Source: The type of the traffic source. If you set Direction to Outbound, you must configure this parameter. Valid values:
  All ECS Instances: all ECS instances specified in the current policy group.
  CIDR Block: enter a source CIDR block. The ECS instances that correspond to this CIDR block are the source of traffic.
Destination Type and Destination: The type of the traffic destination and the destination addresses. If you set Direction to Outbound, you must configure these parameters. Valid destination types:
  CIDR Block: enter a destination CIDR block. You can enter only one CIDR block.
  Policy Group: select a policy group. Traffic destined for all ECS instances in the policy group is managed. Note: Enterprise policy groups do not support the Policy Group type.
  Prefix List: select a prefix list from the Source drop-down list. Traffic from all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.
Description: The description of the policy.
Wait until the policy is created. Then, you can view the policy in the policy list of the internal firewall.
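The rules stated in Step 1 (the three templates) and Step 2 (priority from 1 to 100 with a smaller number winning, Deny taking precedence over Allow at the same priority, one CIDR block per source or destination, and no Deny policies or default-drop-all template in Enterprise policy groups) are easy to get wrong when a group accumulates dozens of policies. The following Python model is an added example and is not Cloud Firewall's own code: it evaluates a constructed packet against a policy group exactly as the topic describes the ordering. The Policy and Packet classes, the priority value given to template policies, and the implicit Deny for traffic that no policy hits are assumptions; the topic does not state them.

```python
# Added example (not Cloud Firewall's own code): a model of how the policies in an
# internal-firewall policy group are evaluated, following the rules stated in this topic.
# Assumed here: the Policy/Packet classes, the priority given to template policies (100),
# and the implicit Deny for traffic that no policy hits.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = "0.0.0.0/0"


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse the console's 'start/end' port notation, e.g. '22/22' or '1/65535'."""
    start, end = (int(part) for part in text.split("/"))
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {text}")
    return start, end


@dataclass(frozen=True)
class Policy:
    direction: str      # "Inbound" or "Outbound"
    action: str         # "Allow" or "Deny"
    protocol: str       # "TCP", "UDP", "ICMP" or "ANY"
    port_range: str     # destination ports as "start/end"; checked for TCP and UDP only
    priority: int       # integer from 1 to 100; a smaller value is a higher priority
    source: str = ANY_NET       # exactly one CIDR block
    destination: str = ANY_NET  # exactly one CIDR block

    def __post_init__(self) -> None:
        if self.direction not in ("Inbound", "Outbound"):
            raise ValueError(f"bad direction: {self.direction}")
        if self.action not in ("Allow", "Deny"):
            raise ValueError(f"bad policy type: {self.action}")
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be an integer from 1 to 100")
        parse_port_range(self.port_range)      # reject malformed ranges early
        ip_network(self.source)                # reject anything that is not one CIDR block
        ip_network(self.destination)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dst_port: int
    src_ip: str
    dst_ip: str


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when the packet hits the policy on direction, protocol, port and addresses."""
    if policy.direction != pkt.direction:
        return False
    if policy.protocol != "ANY" and policy.protocol != pkt.protocol:
        return False
    if policy.protocol in ("TCP", "UDP"):
        start, end = parse_port_range(policy.port_range)
        if not start <= pkt.dst_port <= end:
            return False
    return (ip_address(pkt.src_ip) in ip_network(policy.source)
            and ip_address(pkt.dst_ip) in ip_network(policy.destination))


def evaluate(policies: list[Policy], pkt: Packet) -> str:
    """Return the action of the first policy that hits the packet.

    Policies are tried in priority order (smaller number first); at equal priority a
    Deny policy is tried before an Allow policy, so Deny wins ties as the topic states.
    """
    ordered = sorted(policies, key=lambda p: (p.priority, 0 if p.action == "Deny" else 1))
    for policy in ordered:
        if matches(policy, pkt):
            return policy.action
    return "Deny"  # assumption: traffic that no policy hits is dropped


# The three templates from Step 1 expressed as policies. Priority 100 is assumed.
TEMPLATES: dict[str, list[Policy]] = {
    "default-accept-login": [
        Policy("Inbound", "Allow", "TCP", "22/22", 100),
        Policy("Inbound", "Allow", "TCP", "3389/3389", 100),
        Policy("Outbound", "Allow", "ANY", "1/65535", 100),
    ],
    "default-accept-all": [
        Policy("Inbound", "Allow", "ANY", "1/65535", 100),
        Policy("Outbound", "Allow", "ANY", "1/65535", 100),
    ],
    "default-drop-all": [
        Policy("Inbound", "Deny", "ANY", "1/65535", 100),
        Policy("Outbound", "Deny", "ANY", "1/65535", 100),
    ],
}


def check_group(group_type: str, template: str, policies: list[Policy]) -> list[str]:
    """Report the combinations this topic says an Enterprise policy group cannot use."""
    problems = []
    if group_type == "Enterprise":
        if template == "default-drop-all":
            problems.append("Enterprise policy groups do not support the default-drop-all template")
        if any(p.action == "Deny" for p in policies):
            problems.append("Enterprise policy groups do not support the Deny policy type")
    return problems


if __name__ == "__main__":
    # Constructed sample group: start from default-accept-login, deny SSH from the whole
    # 10.0.0.0/8 range at the same priority as the template's Allow (Deny wins the tie),
    # then let one bastion subnet through at a higher priority (smaller number).
    group = TEMPLATES["default-accept-login"] + [
        Policy("Inbound", "Deny", "TCP", "22/22", 100, source="10.0.0.0/8"),
        Policy("Inbound", "Allow", "TCP", "22/22", 1, source="10.0.1.0/24"),
    ]
    print(evaluate(group, Packet("Inbound", "TCP", 22, "10.0.1.5", "10.0.2.9")))  # Allow
    print(evaluate(group, Packet("Inbound", "TCP", 22, "10.0.7.5", "10.0.2.9")))  # Deny
```

Running the block shows the two cases that matter when you review a published group: a Deny at the same priority as the template's Allow overrides it, and the only way to carve out an exception is a policy with a smaller priority number. The `check_group` helper is the pre-publish check for Enterprise policy groups, which cannot carry Deny policies at all.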
Step 3: Publish the policy in the policy group
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
On the Internal Border page, find the policy group whose policy you want to publish and click Publish in the Actions column.
In the Publish Policy dialog box, configure Remarks, confirm policy changes, and then click OK.
The policies are synchronized to ECS security groups and take effect only after you publish them. You can log on to the ECS console and choose
to view the policies that you published in the Cloud Firewall console. By default, a policy group that you create in the Cloud Firewall console appears in the ECS console as a security group named Cloud_Firewall_Security_Group.
What to do next
You can perform the following operations on the policy group:
Edit: Change the ECS instances specified in the policy group and modify the policy group description.
Delete: Delete the policy group.
Warning: After you delete a policy group, its access control policies become invalid. Proceed with caution. A deleted policy group is retained in the list, but you can no longer perform operations on it.
If you want to delete policy groups that are no longer required, you can set the policy group source to Custom to query all custom policy groups and determine whether to delete them.
Synchronize Security Group: Synchronize the security group rules from ECS to Cloud Firewall. The process requires 2 to 3 minutes. Cloud Firewall automatically synchronizes the security group rules from ECS every 2 hours.