By default, Cloud Firewall allows all traffic if no access control policies are configured. To block unauthorized access to your assets, create policies that allow or deny specific traffic. This topic describes how access control policies in Cloud Firewall work and how their use is billed.
Overview
Cloud Firewall provides access control policies for the internet boundary, NAT boundary, VPC boundary, and host boundary. You can configure access control policies for different firewalls to block unauthorized traffic and create multi-layered security isolation. The principles described in this topic apply only to access control policies for the internet boundary, NAT boundary, and VPC boundary.
For information about access control policies for the host boundary, see Security group configuration.
Policy elements
An access control policy can identify and match different traffic elements to allow or deny the corresponding traffic.
Parameter | Description | Configuration type | Supported policies |
Source | The initiator of the network connection. | | |
Destination | The receiver of the network connection. | Supports IP, IP address book, domain name, and region. | |
Protocol type | Transport layer protocol. | Supports TCP, UDP, ICMP, and ANY. If you are unsure of the specific protocol type, you can select ANY. | All policies: Support all types. |
Port | Destination port. | Controls traffic based on its destination port. You can specify individual ports or use port address books. | |
Application | Application layer protocol. | Supports various protocols, including HTTP, HTTPS, SMTP, SMTPS, SSL, FTP, IMAPS, and POP3. If you are unsure of the specific application, you can select ANY. Note: Cloud Firewall identifies the application type of TLS and SSL traffic based on the port. | Depends on the selected protocol type. |
How it works
If you do not configure any access control policies, Cloud Firewall allows all traffic by default.
After you configure access control policies, Cloud Firewall evaluates traffic against them in descending order of priority. If traffic does not match a policy, Cloud Firewall proceeds to the next policy. When traffic matches a policy, the specified action is executed and no further policies are evaluated. If traffic matches none of the configured access control policies, it is allowed by default.
After you create, modify, or delete an access control policy, it takes about 3 minutes for Cloud Firewall to deploy the policy to the engine.
The lower the priority value of an access control policy, the higher its priority. To ensure optimal matching, give frequently matched and more specific policies a higher priority (a lower value), so that a broader policy evaluated earlier does not prevent a specific one from ever being reached.
The following diagram illustrates how access control policies work.
Policy actions
Each access control policy has one of three actions: Allow, Monitor, or Deny. When traffic matches the policy, Cloud Firewall takes the specified action.
If a policy's action is set to Monitor, traffic is still allowed to pass when a match occurs. After observing the traffic for a period, you can change the action to Allow or Deny as needed.
You can view traffic data on the Traffic Logs page. For more information, see Log audit.
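The first-match evaluation and the Monitor action described above, as an added example that is not Cloud Firewall's engine or the page's own code. It is a constructed model with hypothetical policy names and addresses; `shadowed()` lists lower-priority policies that would also match a flow but are never reached, which is the misordering the priority guidance warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of first-match evaluation; not Cloud Firewall's engine.
@dataclass
class Policy:
    priority: int   # lower value = evaluated first (lower value means higher priority)
    name: str
    src: str        # CIDR; "0.0.0.0/0" stands in for "any"
    dst: str
    proto: str      # TCP / UDP / ICMP / ANY
    ports: tuple    # () = any destination port; entries are "80" or "1024-2048"
    action: str     # Allow / Monitor / Deny

def port_matches(spec, port):
    if not spec:
        return True
    for item in spec:
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(p, flow):
    src, dst, proto, port = flow
    return (ip_address(src) in ip_network(p.src)
            and ip_address(dst) in ip_network(p.dst)
            and p.proto in ("ANY", proto)
            and port_matches(p.ports, port))

def evaluate(policies, flow):
    """Return (traffic_passes, configured_action, policy_name) for the first match.
    Monitor lets traffic through; no match falls back to the default Allow."""
    for p in sorted(policies, key=lambda q: q.priority):
        if matches(p, flow):
            return p.action != "Deny", p.action, p.name
    return True, "Allow (default)", None

def shadowed(policies, flow):
    """Names of lower-priority policies that also match the flow but are never evaluated."""
    hits = [p.name for p in sorted(policies, key=lambda q: q.priority) if matches(p, flow)]
    return hits[1:]

# Constructed sample set: a broad Allow sits above a specific Deny for the same traffic.
SAMPLE_POLICIES = [
    Policy(1, "allow-office-to-dmz", "10.0.0.0/8", "192.168.1.0/24", "TCP", (), "Allow"),
    Policy(2, "deny-ssh-to-jump", "0.0.0.0/0", "192.168.1.10/32", "TCP", ("22",), "Deny"),
    Policy(3, "watch-dns", "0.0.0.0/0", "0.0.0.0/0", "UDP", ("53",), "Monitor"),
]
```

Running `evaluate(SAMPLE_POLICIES, ("10.1.2.3", "192.168.1.10", "TCP", 22))` returns an Allow from the broad policy, and `shadowed()` reports that `deny-ssh-to-jump` is never reached for that flow.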
Consumed quota
After you configure an access control policy, Cloud Firewall calculates the consumed quota for each policy based on the number of objects specified in the source, destination, protocol type, port, and application fields.
Calculation method
The consumed quota is calculated using the following formulas:
Consumed quota per policy = (Number of source addresses) × (Number of destination addresses) × (Number of port ranges) × (Number of applications)
You can view the consumed quota for each policy in the Consumed Quota column of the access control policy list.
Total used quota = Sum of the consumed quota of all access control policies (including inbound and outbound policies)
You can view the quota usage at the top of the access control policy page. For example, the usage statistics for the internet boundary show a Used quota area that displays Used quota/Total quota (for example, 14/10000) and Expanded quota (for example, 0/0). You can click Upgrade to increase the quota.
Billing
The Subscription editions of Cloud Firewall (Premium, Enterprise, and Ultimate) include a default quota for access control policies. If the default quota is insufficient for your needs, you can expand it on demand.
The expanded quota is shared among the internet, NAT, and VPC boundary firewalls. For more information, see Subscription 2.0.
The pay-as-you-go version of Cloud Firewall supports a maximum of 2,000 consumed quota for internet boundary access control policies, 2,000 for NAT boundary policies, and 10,000 for VPC boundary policies. This quota cannot currently be expanded. For more information, see pay-as-you-go 2.0.
Calculation examples
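The quota formulas above applied to a constructed policy set, as an added example (not Cloud Firewall's own calculation code). It assumes that each comma-separated entry in a field counts as one object and that an address book or port address book counts as the number of entries it contains; the address book names, addresses and the `BOUNDARY_CAPS_PAYG` dictionary (built from the pay-as-you-go limits stated on this page) are sample values.

```python
# Constructed quota calculator following the page's formula; not Cloud Firewall's own code.
# Assumption: every literal entry counts as one object, and a book name expands to the
# number of entries in that book.

BOUNDARY_CAPS_PAYG = {"internet": 2000, "nat": 2000, "vpc": 10000}  # limits stated on the page

def count_objects(field, books=None):
    """Count objects in a source, destination, port or application field.
    `field` lists literal entries or book names; `books` maps a book name to its entries."""
    books = books or {}
    return sum(len(books[entry]) if entry in books else 1 for entry in field)

def policy_quota(policy, books=None):
    """Consumed quota per policy = sources x destinations x port ranges x applications."""
    return (count_objects(policy["source"], books)
            * count_objects(policy["destination"], books)
            * count_objects(policy["ports"], books)
            * count_objects(policy["applications"], books))

def total_quota(policies, books=None):
    """Total used quota = sum over all inbound and outbound policies."""
    return sum(policy_quota(p, books) for p in policies)

def fits(policies, boundary, books=None, caps=BOUNDARY_CAPS_PAYG):
    """Return (within_cap, used, cap) for the given boundary firewall."""
    used = total_quota(policies, books)
    return used <= caps[boundary], used, caps[boundary]

# Constructed sample address books and policies (hypothetical names and addresses).
SAMPLE_BOOKS = {
    "web-servers": ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "web-ports": ["80", "443"],
}
SAMPLE_POLICIES = [
    # 1 source x 3 destinations x 2 port entries x 2 applications = 12
    {"source": ["0.0.0.0/0"], "destination": ["web-servers"],
     "ports": ["web-ports"], "applications": ["HTTP", "HTTPS"]},
    # 1 x 1 x 2 x 1 = 2
    {"source": ["10.0.0.0/8"], "destination": ["0.0.0.0/0"],
     "ports": ["22", "3389"], "applications": ["ANY"]},
]
```

Expanding a three-entry address book against a two-entry port book multiplies rather than adds, which is why a handful of broad policies can consume far more quota than their count suggests.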
References
To manage traffic between your public assets and the internet, see Configure an access control policy for the internet boundary.
To manage traffic from your private assets to the internet, see Configure an access control policy for the NAT boundary.
To manage traffic between VPCs and between VPCs and on-premises data centers, see Configure an access control policy for the VPC boundary.
To manage traffic between ECS instances, see Security group configuration.
For configuration rules and use case examples for access control policies, see Access control policy configuration examples.
If you have deployed both Cloud Firewall and Bastionhost, you must configure your access control policies correctly to prevent unintentionally blocking access from Bastionhost. For detailed instructions, see Best practices for access control policies when Cloud Firewall is deployed with Bastionhost.