The Internet firewall controls the outbound and inbound traffic of your Internet-facing assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.
Internet firewall-based protection

Protected asset types
The Internet firewall can protect the north-south traffic of the following assets: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Server Load Balancer (SLB) instances, EIPs of SLB instances, public IP addresses of Application Load Balancer (ALB) instances, EIPs of ALB instances, high-availability virtual IP addresses (HAVIPs), EIPs (including L2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, IPv6 addresses of SLB instances, IPv6 addresses of ECS instances, and IP addresses of bastion hosts.
Quota for access control policies
The Internet firewall supports both IPv4 and IPv6 access control policies. An IPv4 access control policy uses IPv4 addresses for both the source and destination. An IPv6 access control policy uses IPv6 addresses for both the source and destination. Whether the Internet firewall supports IPv4 and IPv6 access control policies is determined based on the edition of Cloud Firewall. For more information, see Functions and features.
The following list describes the default quotas for access control policies for the Internet firewall in different editions of Cloud Firewall:
If you use Cloud Firewall Premium Edition, you can create up to 4,000 access control policies.
If the quota cannot meet your business requirements, you can purchase a quota for additional access control policies to create additional access control policies for the Internet firewall. Valid values for the quota on additional access control policies: 0 to 50000.
If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 100000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies.
If the quotas cannot meet your business requirements, you can purchase the quota on additional access control policies to create additional access control policies for the Internet firewall and VPC firewalls. Valid values for the quota on additional access control policies: 0 to 200000. The quota is applicable to access control policies for both the Internet firewall and VPC firewalls.
If you set Destination Type to Domain Name and Application to a value other than HTTP, HTTPS, SMTP, SMTPS, or SSL when you create outbound access control policies, you can create up to 200 policies.
Prerequisites
The Internet firewall is enabled. If the Internet firewall is disabled, the access control policies that are created for the Internet firewall do not take effect. For more information, see Enable firewalls.
View statistics
Cloud Firewall displays the statistics of the access control policies that are created for the Internet firewall within the current account.
Log on to the Cloud Firewall console. In the left-side navigation pane, choose Access Control > Internet Border.
On the Internet Border page, view the following statistics within the current account: Intelligent Policies to be Delivered, Configured Policies, Consumed Quota, Quota in Current Edition, and Quota for Additional Policies. You can also view the hits of access control policies whose Policy Action is Block, Allow, or Monitor.
If the default quota is used up, you can purchase a quota for additional policies. You can increase the quota for additional policies based on your business requirements. To increase the quota, click Increase Quota for Policies.
Note: The number of configured access control policies is calculated based on the following formula: Number of configured access control policies = Number of outbound access control policies + Number of inbound access control policies.
The quota occupied by a policy is calculated based on the following formula: Quota occupied by a policy = Number of source addresses (number of CIDR blocks or regions) × Number of destination addresses (number of CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.
The total consumed quota is equal to the sum of the quota that is consumed by each policy.
Create a custom policy for the Internet firewall
The Internet firewall allows you to create both outbound and inbound policies. For more information about how to configure an access control policy for the Internet firewall, see Configure access control policies. If you want to create policies to allow traffic from only trusted IP addresses and deny traffic from other sources, perform the following steps:
Create a policy that allows traffic from trusted IP addresses. Then, create a policy that denies traffic from all sources to the Internet. Make sure that the priority of the Allow policy is higher than that of the Deny policy.
On the Internet Border page, click the Outbound or Inbound tab.
On the Outbound or Inbound tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.
Create a policy. Configure the following parameters and click OK.
Parameter
Description
Source Type
Specify the type of the traffic source. Valid values:
IP
Address Book
Region (You can set Source Type to Region only when you create an inbound policy.)
Source
Specify the address of the traffic source.
If you set Source Type to IP, specify one or more CIDR blocks for Source. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
An address book is preconfigured and contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner. You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
If you set Source Type to Region, select one or more regions from the drop-down list. All regions are supported. You can set Source Type to Region only when you create an inbound policy.
Destination Type
Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region. You can set Destination Type to Domain Name or Region only when you create an outbound policy.
Destination
Specify the address of the traffic destination.
If you set Destination Type to IP, specify one or more CIDR blocks for Destination. Separate multiple CIDR blocks with commas (,). You can specify up to 2,000 CIDR blocks.
If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control.
If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can set Destination Type to Region only when you create an outbound policy. You can select one or more regions inside or outside China.
Protocol
Select the protocol of the traffic on which you want the policy to take effect. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol, select ANY. The value ANY indicates all protocols.
Port Type
Specify the type of the port. Valid values:
Ports: If you select this option, you can enter one or more port ranges. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.
Address Book: If you select this option, you can select the preconfigured port address book that you want to use. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
Ports
Specify the port ranges on which you want to manage traffic. If you set Port Type to Ports, enter port ranges. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
Application
Select the type of the application on which you want the policy to take effect.
Cloud Firewall supports various types of applications. For more information, go to the Internet Border page in the Cloud Firewall console.
If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
If you select a domain address book or specify a wildcard domain name for Destination, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
Note: Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.
Policy Action
Select the action on the traffic.
Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
To deny traffic from all sources to the Internet, set Source to 0.0.0.0/0 and Policy Action to Deny. This setting denies all unauthorized access requests.
Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description
Enter a description that can help identify the policy.
Priority
Select the priority of the policy. Default value: Lowest. Valid values:
Highest: The policy has the highest priority.
Lowest: The policy has the lowest priority.
Enabled
Specify whether to enable the policy.
If you do not enable the policy when you create the policy, you can enable the policy in the policy list.
If you enter more than one source IP address, destination IP address, or port range, the Create Address Book dialog box appears after you click OK. You must specify the name and description for the address book. After the address book is created, the address book is automatically referenced by the policy. For more information about how to configure an address book, see Manage address books.
After a custom policy is created, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can download the list of custom policies, delete multiple policies at a time, and click Move to change the priority of the policy. After you change the priority of a policy, the priorities of policies with lower priorities decrease.
Warning: After you delete a policy, Cloud Firewall does not control the traffic on which the policy originally takes effect. Proceed with caution.
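The following added example (not Cloud Firewall code) models the two points made above: the quota formula (source addresses x destination addresses x port ranges x applications) and the need to give the Allow policy for trusted IP addresses a higher priority than the Deny policy for 0.0.0.0/0. Policies are evaluated in priority order and the first hit decides; the field names, the "low/high" port range notation and the first-match evaluation are assumptions, and the CIDR blocks are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Added illustration, not Cloud Firewall code: a minimal model of ordered
# Internet firewall access control policies. Field names, the "low/high"
# port range notation and first-match evaluation are assumptions.

@dataclass
class Policy:
    name: str
    sources: List[str]        # CIDR blocks (Source Type = IP)
    destinations: List[str]   # CIDR blocks (Destination Type = IP)
    ports: List[str]          # port ranges written "low/high"
    applications: List[str]   # e.g. ["ANY"] or ["HTTP", "HTTPS"]
    action: str               # "Allow", "Deny" or "Monitor"

    def quota(self) -> int:
        # Quota occupied by a policy = sources x destinations x port ranges x applications
        return (len(self.sources) * len(self.destinations)
                * len(self.ports) * len(self.applications))

    def matches(self, src: str, dst: str, port: int, app: str) -> bool:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        in_src = any(src_ip in ipaddress.ip_network(c, strict=False) for c in self.sources)
        in_dst = any(dst_ip in ipaddress.ip_network(c, strict=False) for c in self.destinations)
        in_port = any(int(r.split("/")[0]) <= port <= int(r.split("/")[1]) for r in self.ports)
        in_app = "ANY" in self.applications or app in self.applications
        return in_src and in_dst and in_port and in_app

def evaluate(policies: Sequence[Policy], src: str, dst: str, port: int, app: str) -> Optional[str]:
    """Policies are ordered from highest to lowest priority; the first hit decides.
    None means no policy matched, which is why a final Deny policy with
    Source 0.0.0.0/0 is needed to block unauthorized access."""
    for p in policies:
        if p.matches(src, dst, port, app):
            return p.action
    return None

def consumed_quota(policies: Sequence[Policy]) -> int:
    # Total consumed quota = sum of the quota consumed by each policy
    return sum(p.quota() for p in policies)

# Constructed sample: inbound SSH from two trusted CIDR blocks is allowed,
# everything else reaching the asset is denied (Allow has the higher priority).
ALLOW_TRUSTED = Policy("allow-trusted-ssh", ["203.0.113.0/24", "198.51.100.0/24"],
                       ["192.0.2.10/32"], ["22/22"], ["ANY"], "Allow")
DENY_ALL = Policy("deny-all", ["0.0.0.0/0"], ["0.0.0.0/0"], ["1/65535"], ["ANY"], "Deny")
INBOUND = [ALLOW_TRUSTED, DENY_ALL]

if __name__ == "__main__":
    print(evaluate(INBOUND, "203.0.113.7", "192.0.2.10", 22, "SSH"))        # Allow
    print(evaluate(INBOUND, "192.0.2.99", "192.0.2.10", 22, "SSH"))         # Deny
    # The same two policies in the wrong order: the Deny policy hits first.
    print(evaluate(INBOUND[::-1], "203.0.113.7", "192.0.2.10", 22, "SSH"))  # Deny
    print(consumed_quota(INBOUND))  # 2*1*1*1 + 1*1*1*1 = 3
```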
Apply recommended intelligent policies
Cloud Firewall automatically learns your traffic from the last 30 days and recommends multiple intelligent policies based on the traffic risks it identifies. You must promptly view the details of the recommended policies in the Cloud Firewall console and determine whether to apply the intelligent policies. You can apply both outbound and inbound intelligent policies that are recommended.
Before you apply a common policy, make sure that you understand its meaning and the possible impacts on services.
On the Internet Border page, click the Outbound or Inbound tab.
On the Outbound or Inbound tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Intelligent Policy tab.
On the Recommended Intelligent Policy tab, find the required policy and click Apply Policy on the right side.
The Recommended Intelligent Policy panel lists the inbound and outbound access control policies that Cloud Firewall recommends. If a large number of policies are recommended, you can specify a recommendation type and destination to filter policies.
We recommend that you allow access to the open ports that provide services for an open public IP address on the Internet firewall and deny access to other ports. This reduces the exposure of your assets to the Internet.
You can select multiple recommended intelligent policies and click Batch Dispatch to apply multiple policies at a time.
Apply recommended common policies
Cloud Firewall recommends common policies for you. If the recommended common policies meet your business requirements, you can apply the policies.
Before you apply a common policy, make sure that you understand its meaning and the possible impacts on services.
The recommended common policies can be ignored. After a policy is ignored, the policy cannot be restored. Proceed with caution. If all common policies are ignored, the Recommended Common Policy tab is not displayed.
On the Internet Border page, click the Outbound or Inbound tab.
On the Outbound or Inbound tab, click Create Policy.
In the Create Outbound Policy or Create Inbound Policy panel, click the Recommended Common Policy tab.
On the Recommended Common Policy tab, find a policy and click Quick Dispatch below the policy.
The Recommended Common Policy panel lists the common inbound and outbound access control policies that Cloud Firewall recommends.
Check whether access traffic hits an access control policy
By default, an access control policy immediately takes effect after it is created.
In the access control policy list, if the number in the Hits/Last Hit At column is greater than 0 for an access control policy and time information is displayed in the column, access traffic hits the policy. The number and time information in the Hits/Last Hit At column indicate the cumulative number of times that access traffic hits the policy and the time when the policy was last hit.
You can click the number to go to the Traffic Logs tab. On the Traffic Logs tab, the name of an access control policy that the access traffic hits is displayed in the Policy Name column.
This tab displays information about the traffic that was generated within the last seven days. If the last hit of the access control policy was more than seven days ago, the information about the traffic is not displayed on the Traffic Logs tab.
Resolve domain names specified in outbound access control policies
Cloud Firewall allows you to specify domain names as destinations for outbound traffic in access control policies. Cloud Firewall resolves domain names, displays resolution results, and controls the access to IP addresses to which the domain names are resolved.
Cloud Firewall uses dynamic Domain Name System (DNS) resolution to optimize outbound access control policies for domain names. You can view the IP addresses to which the destination domain names are resolved and manually update the IP addresses.
If the destination in an outbound access control policy is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on the IP addresses. However, if the protocol type is set to TCP and the application type is set to HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall does not implement domain name resolution or access control. A domain name can be resolved to up to 500 IP addresses.
If the application type is HTTP or SMTP, Cloud Firewall first uses the Host field to implement access control for domain names.
If the application type is HTTPS, SMTPS, or SSL, Cloud Firewall first uses the SNI field to implement access control for domain names.
If an application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall dynamically resolves the domain names and implements access control. You can view the resolution results, which are the IP addresses mapped to the domain names.
DNS resolution is not supported if an access control policy meets the following conditions:
The access control policy is configured for inbound traffic.
DNS resolution is supported only for outbound access control policies.
The destination is a wildcard domain name. Example: *.example.com.
Domain Address Books is selected for the destination type.
When you configure access control policies for domain names, take note of the following items:
The default DNS server (ADNS) is used to resolve the external domain names that an ECS instance requests. Custom DNS servers are not supported. If you change the DNS server of the ECS instance, the outbound access control policy for your ECS instance becomes invalid.
If multiple domain names are resolved to the same IP address, access control may be compromised.
For example, you configure an access control policy to allow FTP traffic that is destined for the domain name example1.aliyun.com. If the A record for the domain name example1.aliyun.com is 1.1.XX.XX, the FTP traffic destined for 1.1.XX.XX is allowed. If the A record for the domain name example2.aliyun.com is also 1.1.XX.XX, the FTP traffic destined for example2.aliyun.com is also allowed.
If the IP addresses mapped to a domain name are changed, Cloud Firewall uses the up-to-date IP addresses and automatically updates the access control policy for the domain name.
If the IP address mapped to the domain name example1.aliyun.com is changed from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy for the domain name. Cloud Firewall uses the IP address 2.2.XX.XX to ensure that the access control policy takes effect as expected. Cloud Firewall automatically updates the access control policy every 30 minutes, which means that the access control policy takes effect on the new IP address in 30 minutes.
If you need to update your access control policy based on dynamic resolution records, click DNS on the policy editing page to manually trigger DNS resolution and obtain the up-to-date IP addresses. Then, click OK to save the policy updates.
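The following added example (not Cloud Firewall code) models the domain name behaviour described in this section: HTTP and SMTP policies are matched on the Host field, HTTPS, SMTPS and SSL policies on the SNI field, and every other application on the IP addresses the domain name currently resolves to (at most 500), which is why a second domain name sharing the same A record is also allowed and why re-resolution is needed when the record changes. The DNS table, the flow fields and the class and method names are assumptions, and the addresses are constructed documentation addresses in place of the page's 1.1.XX.XX style values.

```python
from typing import Dict, List, Optional

# Added illustration, not Cloud Firewall code: how an outbound policy with
# Destination Type = Domain Name is matched. DNS table, flow fields and
# helper names are assumptions; addresses are constructed.

HOST_APPS = {"HTTP", "SMTP"}          # matched on the Host field
SNI_APPS = {"HTTPS", "SMTPS", "SSL"}  # matched on the SNI field
MAX_RESOLVED_IPS = 500                # a domain name resolves to at most 500 IPs

class DomainPolicy:
    def __init__(self, domain: str, application: str, dns: Dict[str, List[str]]):
        self.domain, self.application, self.dns = domain, application, dns
        self.resolved: List[str] = []
        self.refresh()

    def refresh(self) -> List[str]:
        """Re-resolve the destination, as Cloud Firewall does every 30 minutes
        or when DNS is clicked on the policy editing page."""
        if self.application in HOST_APPS | SNI_APPS:
            self.resolved = []  # Host/SNI is used instead of resolution
        else:
            self.resolved = self.dns.get(self.domain, [])[:MAX_RESOLVED_IPS]
        return self.resolved

    def hits(self, dst_ip: str, application: str,
             host: Optional[str] = None, sni: Optional[str] = None) -> bool:
        if application != self.application:
            return False
        if application in HOST_APPS:
            return host == self.domain
        if application in SNI_APPS:
            return sni == self.domain
        # Any other application: decided purely by the resolved IP addresses.
        return dst_ip in self.resolved

def demo() -> Dict[str, bool]:
    # Constructed DNS answers: two domain names share one A record.
    dns = {"example1.aliyun.com": ["203.0.113.5"], "example2.aliyun.com": ["203.0.113.5"]}
    ftp = DomainPolicy("example1.aliyun.com", "FTP", dns)
    http = DomainPolicy("example1.aliyun.com", "HTTP", dns)
    out = {
        "ftp_example1": ftp.hits(dns["example1.aliyun.com"][0], "FTP"),
        # Shared A record: FTP traffic for example2 is allowed by the example1 policy.
        "ftp_example2": ftp.hits(dns["example2.aliyun.com"][0], "FTP"),
        # Host-based matching distinguishes the two even on the same IP address.
        "http_example1": http.hits("203.0.113.5", "HTTP", host="example1.aliyun.com"),
        "http_example2": http.hits("203.0.113.5", "HTTP", host="example2.aliyun.com"),
    }
    # The A record changes: the new address is not covered until the next refresh.
    dns["example1.aliyun.com"] = ["198.51.100.9"]
    out["new_ip_before_refresh"] = ftp.hits("198.51.100.9", "FTP")
    ftp.refresh()
    out["new_ip_after_refresh"] = ftp.hits("198.51.100.9", "FTP")
    out["old_ip_after_refresh"] = ftp.hits("203.0.113.5", "FTP")
    return out
```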