
Cloud Firewall:Create inbound and outbound access control policies for the Internet firewall

Last Updated: Sep 25, 2023

The Internet firewall controls the inbound and outbound traffic of your Internet-facing assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.

Internet firewall-based protection

[Figure: schematic of access control at the Internet border]

Protected asset types

The Internet firewall can protect the north-south traffic of the following assets:

  • Public IP addresses of Elastic Compute Service (ECS) instances

  • Elastic IP addresses (EIPs) of ECS instances

  • Public IP addresses of Server Load Balancer (SLB) instances

  • EIPs of SLB instances

  • Public IP addresses of Application Load Balancer (ALB) instances

  • EIPs of ALB instances

  • Public IP addresses of Network Load Balancer (NLB) instances

  • EIPs of NLB instances

  • High-availability virtual IP addresses (HAVIPs)

  • EIPs (including Layer 2 EIPs)

  • EIPs of elastic network interfaces (ENIs)

  • EIPs of NAT gateways

  • IPv6 addresses of SLB instances

  • IPv6 addresses of ECS instances

  • IP addresses of bastion hosts

Quota for access control policies

The Internet firewall supports both IPv4 and IPv6 access control policies. An IPv4 access control policy uses IPv4 addresses for both the source and destination. An IPv6 access control policy uses IPv6 addresses for both the source and destination. Which of these policy types is available to you depends on the edition of Cloud Firewall. For more information, see Functions and features.

The following list describes the default quota for access control policies that you can create for the Internet firewall in each edition of Cloud Firewall:

  • If you use Cloud Firewall Premium Edition, you can create up to 4,000 access control policies.

  • If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.

  • If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies.

  • If you set Destination Type to Domain Name and Application to a value other than HTTP, HTTPS, SMTP, SMTPS, or SSL when you create outbound access control policies, you can create up to 200 access control policies.

Prerequisites

The Internet firewall is enabled. If the Internet firewall is disabled, the access control policies that are created for the Internet firewall do not take effect. For more information, see Enable or disable the Internet firewall.

View statistics

Cloud Firewall displays the statistics of the access control policies that are created for the Internet firewall within the current account.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border.

  2. On the Internet Border page, view the following statistics within the current account: Intelligent Policies to be Applied, Configured Policies, Used Quota, Quota in Current Edition, and Quota for Additional Policies. You can also view the hits of access control policies whose Policy Action is Block, Allow, or Monitor.

    If the default quota is exhausted, you can purchase a quota for additional policies based on your business requirements. To purchase the quota, click Increase Quota.

    Note

    The number of configured access control policies is calculated by using the following formula: Number of configured access control policies = Number of outbound access control policies + Number of inbound access control policies.

    The quota consumed by an access control policy is calculated by using the following formula: Quota consumed by an access control policy = Number of source addresses (number of CIDR blocks or regions) × Number of destination addresses (number of CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.

    The total consumed quota is equal to the sum of the quota that is consumed by each access control policy.

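The quota formula in the note above, as an added example that is not part of this documentation or of Cloud Firewall itself: a Python helper that validates the comma-separated console fields (including the 2,000-CIDR-block limit), computes the quota each policy consumes, and checks the total against the edition default and the 200-policy cap for outbound Domain Name policies with a non-Host/SNI application. The sample policies and their field formats are constructed assumptions.

```python
import ipaddress

# Default per-edition quotas and the 2,000-CIDR-block field limit, as stated on the page.
EDITION_QUOTA = {"Premium": 4000, "Enterprise": 10000, "Ultimate": 20000}
MAX_CIDR_BLOCKS = 2000
# Outbound Domain Name policies whose Application is outside this set are capped at 200.
HOST_SNI_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL"}
DOMAIN_POLICY_CAP = 200

def split_field(field):
    """Split a comma-separated console field into its non-empty entries."""
    return [x.strip() for x in field.split(",") if x.strip()]

def validate_cidrs(field):
    """Reject malformed CIDR blocks and fields that exceed the 2,000-block limit."""
    blocks = split_field(field)
    if len(blocks) > MAX_CIDR_BLOCKS:
        raise ValueError(f"{len(blocks)} CIDR blocks exceeds the limit of {MAX_CIDR_BLOCKS}")
    return [ipaddress.ip_network(b) for b in blocks]  # raises ValueError on bad input

def quota_consumed(p):
    """Page formula: sources x destinations x port ranges x applications."""
    if p["source_type"] == "IP":
        validate_cidrs(p["source"])
    if p["destination_type"] == "IP":
        validate_cidrs(p["destination"])
    return (len(split_field(p["source"])) * len(split_field(p["destination"]))
            * len(split_field(p["ports"])) * len(p["applications"]))

def counts_toward_domain_cap(p):
    """Interpretation (assumption): any application outside HOST_SNI_APPS triggers the cap."""
    return (p["direction"] == "Outbound" and p["destination_type"] == "Domain Name"
            and not set(p["applications"]) <= HOST_SNI_APPS)

def check_budget(policies, edition):
    """Summarise consumed quota against the edition default and the domain-policy cap."""
    used = sum(quota_consumed(p) for p in policies)
    domain = sum(1 for p in policies if counts_toward_domain_cap(p))
    return {"configured": len(policies),  # outbound + inbound, as the page counts them
            "quota_used": used, "within_quota": used <= EDITION_QUOTA[edition],
            "domain_policies": domain, "within_domain_cap": domain <= DOMAIN_POLICY_CAP}

# Constructed sample policies (not taken from the page); "1-65535" is a single port range.
SAMPLE = [
    {"direction": "Inbound", "source_type": "IP", "source": "203.0.113.0/24, 198.51.100.0/24",
     "destination_type": "IP", "destination": "10.0.0.5/32", "ports": "22, 443",
     "applications": ["ANY"]},                                   # 2 x 1 x 2 x 1 = 4
    {"direction": "Outbound", "source_type": "IP", "source": "10.0.0.0/8",
     "destination_type": "Domain Name", "destination": "updates.example.com",
     "ports": "1-65535", "applications": ["ANY"]},               # 1 x 1 x 1 x 1 = 1, counts toward cap
    {"direction": "Outbound", "source_type": "IP", "source": "10.0.0.0/8",
     "destination_type": "Domain Name", "destination": "www.example.com",
     "ports": "80, 443", "applications": ["HTTP", "HTTPS"]},     # 1 x 1 x 2 x 2 = 4
]
```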

Create a custom policy for the Internet firewall

The Internet firewall allows you to create both outbound and inbound policies. For more information about how to configure an access control policy for the Internet firewall, see Configure access control policies. If you want to create policies to allow traffic from only trusted IP addresses and deny traffic from other sources, perform the following steps:

Create a policy that allows traffic from trusted IP addresses. Then, create a policy that denies traffic from all sources to the Internet. Make sure that the priority of the Allow policy is higher than the priority of the Deny policy.

  1. On the Internet Border page, click the Outbound or Inbound tab.

  2. On the Outbound or Inbound tab, click Create Policy.

  3. In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

  4. Create a policy. Configure the following parameters and click OK.

    Parameter

    Description

    Source Type

    Specify the type of the traffic source. Valid values:

    • IP

    • Address Book

    • Region (You can set Source Type to Region only when you create an inbound policy.)

    Source

    Specify the address of the traffic source.

    • If you set Source Type to IP, specify one or more CIDR blocks for Source, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

    • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.

      An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.

    • If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.

    Destination Type

    Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.

    Destination

    Specify the address of the traffic destination.

    • If you set Destination Type to IP, specify one or more CIDR blocks for Destination, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

    • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. You can set Destination Type to Domain Name only when you create an outbound policy.

    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions in or outside China.

    Protocol

    Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.

    Port Type

    Specify the type of the port. Valid values:

    • Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

    • Address Book: If you select this option, you can select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.

    Ports

    Specify the port ranges on which you want to control traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.

    Application

    Select the application type of the traffic on which you want the policy to take effect.

    Cloud Firewall supports various application types. For more information, go to the Internet Border page in the Cloud Firewall console.

    If you set Protocol to TCP, you can select all application types. If you set Protocol to a different value, you can select only ANY for Application.

    If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Policy Action

    Select the action on the traffic.

    • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.

    • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent.

      To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This denies all unauthorized access requests.

    • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    Enter a description that can help identify the policy.

    Priority

    Select the priority of the policy. Default value: Lowest. Valid values:

    • Highest: The policy has the highest priority.

    • Lowest: The policy has the lowest priority.

    Enabled

    Specify whether to enable the policy.

    If you do not enable the policy when you create the policy, you can enable the policy in the policy list.

    If you enter more than one source IP address, destination IP address, or port range, the Create Address Book dialog box appears after you click OK. You must specify the name and description for the address book. After the address book is created, the address book is automatically referenced by the policy. For more information about how to configure an address book, see Manage address books.

    After a custom policy is created, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can download the list of custom policies, delete multiple policies at a time, and click Move to change the priority of the policy. After you change the priority of a policy, the priorities of policies that have lower priorities decrease.

    Warning

    After you delete a policy, Cloud Firewall no longer controls the traffic that the policy previously applied to. Proceed with caution.

Apply recommended intelligent policies

Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. You must promptly view the details of the recommended policies in the Cloud Firewall console and determine whether to apply the intelligent policies. You can apply both outbound and inbound intelligent policies that are recommended.

Warning

Before you apply a policy, make sure that you understand its meaning and the possible impacts on services.

  1. On the Internet Border page, click the Outbound or Inbound tab.

  2. On the Outbound or Inbound tab, click Create Policy.

  3. In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Intelligent Policy tab.

  4. On the Recommended Intelligent Policy tab, find the required policy and click Apply Policy on the right side.

    The Recommended Intelligent Policy tab lists the inbound and outbound policies that are recommended by Cloud Firewall. If a large number of policies are recommended, you can specify a recommendation type and a destination to filter policies.

    For each public IP address that is exposed on the Internet firewall, we recommend that you allow access only to the ports on which services are actually provided and deny access to all other ports. This reduces the exposure of your assets to the Internet.

    You can select multiple recommended intelligent policies and click Batch Dispatch to apply multiple policies at a time.

Apply recommended common policies

Cloud Firewall also recommends common policies. If the recommended common policies meet your business requirements, you can apply the policies.

Warning

Before you apply a policy, make sure that you understand its meaning and the possible impacts on services.

You can ignore the recommended common policies. After you ignore a policy, the policy cannot be restored. Proceed with caution. If you ignore all common policies, the Recommended Common Policy tab is no longer displayed.

  1. On the Internet Border page, click the Outbound or Inbound tab.

  2. On the Outbound or Inbound tab, click Create Policy.

  3. In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Common Policy tab.

  4. On the Recommended Common Policy tab, find and click Quick Dispatch below a policy.

    The Recommended Common Policy tab lists the common inbound and outbound policies that are recommended by Cloud Firewall.

Check whether access traffic hits an access control policy

By default, an access control policy immediately takes effect after it is created.

In the access control policy list, if the number in the Hits/Last Hit At column is greater than 0 for an access control policy and time information is displayed in the column, access traffic hits the policy. The number and time information in the Hits/Last Hit At column indicate the cumulative number of times that access traffic hits the policy and the time when the policy was last hit.

You can click the number to go to the Traffic Logs tab. On the Traffic Logs tab, the name of the access control policy that is hit by the access traffic is displayed in the Policy Name column.

Note

The Traffic Logs tab displays information about the traffic that is generated within the previous seven days. If an access control policy was last hit more than seven days ago, traffic information is not displayed on the Traffic Logs tab.

Resolve domain names that are specified in outbound access control policies

Cloud Firewall allows you to specify domain names as destinations in outbound access control policies. Cloud Firewall resolves domain names, displays resolution results, and controls access to IP addresses to which the domain names are resolved.

Cloud Firewall uses dynamic Domain Name System (DNS) resolution to optimize outbound access control policies in which domain names are specified as destinations. You can view the IP addresses to which the destination domain names are resolved and manually update the IP addresses.

If the destination in an outbound access control policy is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on the IP addresses. However, if the protocol type is set to TCP and the application type is set to HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall does not implement domain name resolution or access control. A domain name can be resolved to up to 500 IP addresses.

Note
  • If the application type is HTTP or SMTP, Cloud Firewall preferentially uses the Host field to implement access control for domain names.

  • If the application type is HTTPS, SMTPS, or SSL, Cloud Firewall preferentially uses the SNI field to implement access control for domain names.

  • If an application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall dynamically resolves domain names and implements access control. You can view the IP addresses to which the domain names are resolved.

DNS resolution is not supported if an access control policy meets the following conditions:

  • The access control policy is configured for inbound traffic.

    DNS resolution is supported only for outbound access control policies.

  • The destination is a wildcard domain name. Example: *.example.com.

  • Domain Address Books is selected for the destination type.

Important

When you configure an access control policy and set the destination to a domain name, take note of the following items:

  • If a request is initiated from an ECS instance to an external domain name, only the default Authoritative DNS (ADNS) server of the ECS instance is supported for domain name resolution. A user-specified DNS server is not supported. If you change the address of the ADNS server of the ECS instance, the outbound access control policy for your ECS instance becomes invalid.

  • If multiple domain names are resolved to the same IP address, access control may be compromised.

    For example, you configure an access control policy to allow FTP traffic that is destined for the domain name example1.aliyun.com. If the A record of the domain name example1.aliyun.com is 1.1.XX.XX, the FTP traffic that is destined for 1.1.XX.XX is allowed. If the A record of the domain name example2.aliyun.com is also 1.1.XX.XX, the FTP traffic that is destined for example2.aliyun.com is also allowed.

  • If the IP addresses to which a domain name is resolved change, Cloud Firewall uses the new IP addresses to automatically update the access control policy.

    If the IP address to which the domain name example1.aliyun.com is resolved changes from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy. Then, the policy takes effect on the IP address 2.2.XX.XX. This way, the access control policy always takes effect on the IP address to which the domain name is dynamically resolved. Cloud Firewall automatically updates an access control policy every 30 minutes. If a domain name is resolved to a different IP address, the access control policy takes effect on the new IP address after 30 minutes.

    If you want to update your access control policy based on dynamic DNS resolution results, click DNS on the policy editing page to manually trigger DNS resolution and obtain the updated IP addresses. Then, click OK to save the policy updates.
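The allow-then-deny ordering described in "Create a custom policy for the Internet firewall" and the shared-IP caveat above, as an added example that is not part of this documentation or of Cloud Firewall itself: a small Python evaluator that applies policies in priority order, matches Domain Name destinations by Host/SNI for HTTP/SMTP/HTTPS/SMTPS/SSL and by resolved address for other applications. The resolver answers, the (low, high) port format, the flow fields and the 10.0.0.0/8 trusted range are constructed assumptions.

```python
import ipaddress

HOST_APPS = {"HTTP", "SMTP"}          # matched on the Host field (page note)
SNI_APPS = {"HTTPS", "SMTPS", "SSL"}  # matched on the SNI field (page note)

# Constructed resolver answers standing in for Cloud Firewall's dynamic DNS results
# (assumption: the addresses are not real; the two domain names are the page's examples).
RESOLVED = {
    "example1.aliyun.com": ["1.1.0.10"],
    "example2.aliyun.com": ["1.1.0.10"],  # shares example1's A record
}

def networks(field):
    return [ipaddress.ip_network(c.strip()) for c in field.split(",")]

def policy(source, destination, proto, ports, app, action):
    """One policy; ports is an inclusive (low, high) range (constructed format)."""
    domain = destination if destination in RESOLVED else None
    dst = networks(",".join(RESOLVED[domain])) if domain else networks(destination)
    return {"src": networks(source), "dst": dst, "domain": domain,
            "proto": proto, "ports": ports, "app": app, "action": action}

def matches(p, flow):
    if not any(ipaddress.ip_address(flow["src"]) in n for n in p["src"]):
        return False
    if p["proto"] not in ("ANY", flow["proto"]) or p["app"] not in ("ANY", flow["app"]):
        return False
    if not p["ports"][0] <= flow["port"] <= p["ports"][1]:
        return False
    if p["domain"] and p["app"] in HOST_APPS | SNI_APPS:
        return flow.get("name") == p["domain"]  # Host/SNI wins over resolved addresses
    return any(ipaddress.ip_address(flow["dst"]) in n for n in p["dst"])

def evaluate(policies, flow):
    """Policies are checked in priority order; the first match decides. None = no match."""
    return next((p["action"] for p in policies if matches(p, flow)), None)

ALLOW_FTP = policy("10.0.0.0/8", "example1.aliyun.com", "TCP", (21, 21), "FTP", "Allow")
ALLOW_HTTPS = policy("10.0.0.0/8", "example1.aliyun.com", "TCP", (443, 443), "HTTPS", "Allow")
DENY_ALL = policy("0.0.0.0/0", "0.0.0.0/0", "ANY", (1, 65535), "ANY", "Deny")
RIGHT = [ALLOW_FTP, ALLOW_HTTPS, DENY_ALL]  # allows ranked above the deny-all
WRONG = [DENY_ALL, ALLOW_FTP, ALLOW_HTTPS]  # deny-all ranked Highest shadows both allows

def flow(dst, proto, port, app, name=None, src="10.1.2.3"):
    return {"src": src, "dst": dst, "proto": proto, "port": port, "app": app, "name": name}

def demo():
    ip = RESOLVED["example2.aliyun.com"][0]  # the address both domain names resolve to
    return {
        "ftp_example1": evaluate(RIGHT, flow(ip, "TCP", 21, "FTP", "example1.aliyun.com")),
        # FTP carries no Host/SNI, so FTP to example2 looks identical on the wire and is allowed
        "ftp_example2_leaks": evaluate(RIGHT, flow(ip, "TCP", 21, "FTP", "example2.aliyun.com")),
        "https_example1": evaluate(RIGHT, flow(ip, "TCP", 443, "HTTPS", "example1.aliyun.com")),
        "https_example2_blocked": evaluate(RIGHT, flow(ip, "TCP", 443, "HTTPS", "example2.aliyun.com")),
        "untrusted_source": evaluate(RIGHT, flow(ip, "TCP", 21, "FTP", src="192.168.5.5")),
        "shadowed_by_deny_all": evaluate(WRONG, flow(ip, "TCP", 21, "FTP")),
    }
```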