
Cloud Firewall: Overview of access control policies

Last Updated: Jul 23, 2024

By default, if you do not configure an access control policy after you enable a firewall, Cloud Firewall allows all traffic. You can configure Allow or Deny policies for different types of firewalls based on your business requirements to better control unauthorized access to your assets. This topic describes access control policies of Cloud Firewall, including how access control policies work and the billing rules.

Feature description

Cloud Firewall allows you to configure access control policies for the Internet firewall, NAT firewalls, virtual private cloud (VPC) firewalls, and internal firewalls to block unauthorized access and implement multi-directional isolation and control on traffic. The access control policies that are described in this topic apply only to the Internet firewall, NAT firewalls, and VPC firewalls.

Note

For more information about how to configure an access control policy for an internal firewall, see Create an access control policy for an internal firewall.

Items in access control policies

You can specify different items in access control policies to allow or deny related traffic.

Source

  • Description: The initiator of the network connection.

  • Type:

    • IP address: The access control policy controls traffic to specific CIDR blocks.

    • IP address book: The access control policy controls traffic to specific CIDR blocks that are added to an IP address book.

    • Region: The access control policy controls traffic to specific geographic locations.

  • Supported type by policy:

    • Access control policies for the Internet firewall, NAT firewalls, and VPC firewalls: IP address and IP address book.

    • Access control policies for internal firewalls: IP address, IP address book, and region.

Destination

  • Description: The receiver of the network connection.

  • Type: IP address, IP address book, domain name, and region.

    • IP address: The access control policy controls traffic from specific CIDR blocks.

    • IP address book: The access control policy controls traffic from specific CIDR blocks that are added to an IP address book.

    • Domain name: The access control policy controls traffic from specific domain names.

    • Region: The access control policy controls traffic from specific geographic locations.

  • Supported type by policy:

    • Outbound access control policies for the Internet firewall and NAT firewalls: IP address, IP address book, domain name, and region.

    • Access control policies for VPC firewalls: IP address, IP address book, and domain name.

    • Inbound access control policies for the Internet firewall: IP address and IP address book.

Protocol type

  • Description: The transport layer protocol.

  • Type: TCP, UDP, ICMP, and ANY.

    If you do not know the protocol for the policy, select ANY. The value ANY specifies all protocol types.

  • Supported type by policy: The types are supported by all access control policies for firewalls.

Port

  • Description: The destination port.

  • Type: The access control policy controls traffic that passes through specific ports. The types are port and address book.

  • Supported type by policy: The types supported by access control policies for firewalls vary based on the specified protocol types.

Application

  • Description: The application layer protocol.

  • Type: The types include HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP.

    If you do not know the application type, select ANY. The value ANY specifies all application types.

    Note

    Cloud Firewall identifies the application of traffic whose application is SSL or TLS from port 443 as HTTPS, and traffic whose application is SSL or TLS from other ports as SSL.

  • Supported type by policy: The types supported by access control policies vary based on the selected protocol types. Up to five protocol types can be selected at the same time.

Implementation

By default, if no access control policy is configured, Cloud Firewall allows all traffic during the matching process of access control policies.

After you configure an access control policy, Cloud Firewall splits the policy into one or more matching rules based on specific logic and sends the policy to an engine. When traffic passes through Cloud Firewall, Cloud Firewall matches traffic packets in sequence based on the priorities of the configured access control policies. If a traffic packet hits a policy, the action that is specified in the policy is performed, and the subsequent policies are not matched. Otherwise, the system continues to match the traffic packet against the policy that has a lower priority until a policy is hit or all configured policies are matched. By default, if traffic does not hit a policy after all configured policies are matched, the traffic is allowed.

Important
  • After you create, modify, or delete an access control policy, Cloud Firewall requires approximately 3 minutes to send the policy to the engine.

  • A smaller priority value indicates a higher priority. To ensure that the capabilities of access control can be maximized, we recommend that you specify high priorities for frequently matched policies and refined policies.

The following figure shows how an access control policy works.

[Figure: how an access control policy works]
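
The matching order described above, modelled as an added example (not Alibaba Cloud code): policies are tried from the smallest priority value up, the first hit decides, Monitor lets traffic through, and traffic that hits nothing is allowed. The `Policy` class, the function names and the sample policies on documentation address ranges are assumptions made for this sketch; `has_catch_all_deny` checks whether a policy set ends in an explicit deny-all, a common way to close the default allow.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:              # hypothetical model of one access control policy
    priority: int          # smaller value = higher priority
    source: str            # source CIDR block
    destination: str       # destination CIDR block
    protocol: str          # TCP, UDP, ICMP or ANY
    ports: tuple           # (low, high) destination port range
    action: str            # Allow, Monitor or Deny

def hits(p, src, dst, proto, port):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p.destination)
            and p.protocol in ("ANY", proto)
            and p.ports[0] <= port <= p.ports[1])

def evaluate(policies, src, dst, proto, port):
    """Return (verdict, priority of the policy that was hit, or None)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if hits(p, src, dst, proto, port):
            # First hit wins. Monitor lets traffic through; only Deny blocks.
            return ("deny" if p.action == "Deny" else "allow", p.priority)
    return ("allow", None)  # nothing hit: traffic is allowed by default

def has_catch_all_deny(policies):
    """True if the lowest-priority policy denies all traffic."""
    if not policies:
        return False
    last = max(policies, key=lambda p: p.priority)
    return (last.action == "Deny" and last.protocol == "ANY"
            and last.source == "0.0.0.0/0" and last.destination == "0.0.0.0/0"
            and last.ports == (1, 65535))

# Constructed sample policies (documentation address ranges, not from the page).
SAMPLE_POLICIES = [
    Policy(1, "10.0.0.0/24", "203.0.113.10/32", "TCP", (443, 443), "Allow"),
    Policy(2, "10.0.0.0/24", "198.51.100.0/24", "TCP", (22, 22), "Monitor"),
    Policy(3, "10.0.0.0/8", "203.0.113.0/24", "ANY", (1, 65535), "Deny"),
]
DENY_ALL = Policy(100, "0.0.0.0/0", "0.0.0.0/0", "ANY", (1, 65535), "Deny")

if __name__ == "__main__":
    for flow in [("10.0.0.5", "203.0.113.10", "TCP", 443),
                 ("10.0.0.5", "192.0.2.1", "TCP", 80)]:
        print(flow, evaluate(SAMPLE_POLICIES, *flow))
    print("catch-all deny:", has_catch_all_deny(SAMPLE_POLICIES))
```

The second flow hits no policy and is allowed, which is the case to look for when reviewing a policy set that has no final deny-all entry.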

Domain name resolution

The Internet firewall, NAT firewalls, and VPC firewalls implement access control for domain names based on the domain name information in traffic. If the destination in an outbound access control policy that is configured for the Internet firewall or a NAT firewall is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on the IP addresses. You can also view the IP addresses.

The following list describes the logic based on which access control policies match domain names of different application types:

  • If Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields) and the application type is HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall uses the Host or SNI field to implement access control for domain names.

  • If Domain Name Identification Mode is set to DNS-based Dynamic Resolution and an application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall dynamically resolves domain names and implements access control. You can view the IP addresses to which the domain names are resolved. A domain name can be resolved to up to 500 IP addresses.

Usage notes on domain name-based access control policies

When you configure an access control policy and set the destination to a domain name, take note of the following items:

  • Domain Name System (DNS) resolution is not supported in the following scenarios:

    • The access control policy is configured for inbound traffic. DNS resolution is supported only for outbound access control policies.

    • The destination is a wildcard domain name. Example: *.example.com. A wildcard domain name cannot be resolved into a specific IP address.

    • Domain Address Books is selected for the destination type.

  • The quota that is consumed by access control policies created for NAT firewalls cannot exceed 200. If the quota exceeds 200, an error is reported when you create an access control policy and set the destination to a domain name.

    For example, you configured an access control policy whose destination address is aliyun.com and application type is ANY, and the quota that is consumed by the policy is 185. In this case, if you want to create an access control policy and set the destination to a domain name, and the quota that is consumed by the policy exceeds 15, the policy fails to be created.

  • The quota that is consumed by access control policies created for the Internet firewall cannot exceed 200. If the quota exceeds 200, the portion that exceeds 200 is counted at 10 times its value.

    For example, you configured an access control policy whose destination address is aliyun.com and application type is ANY, and the quota that is consumed by the policy is 185. In this case, if you want to create an access control policy and set the destination to a domain name, and the quota that is consumed by the policy is 16, the total quota consumed by the two policies is calculated based on the following formula: (185 + 16 - 200) × 10 + 200 = 210.

    Note

    For more information about how to calculate the quota that is consumed by an access control policy, see Quota consumed by access control policies.

  • If a request is initiated from an Elastic Compute Service (ECS) instance to an external domain name, only the default DNS server of the ECS instance is supported for domain name resolution. The IP address of the DNS server is 100.100.2.136 or 100.100.2.138. If you change the address of the DNS server of the ECS instance, the outbound access control policy for your ECS instance becomes invalid.

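  • If multiple domain names are resolved to the same IP address, the accuracy of access control may be affected, because a policy that is enforced on a resolved IP address also applies to every other domain name that resolves to that address.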

    For example, you configure an access control policy to allow FTP traffic that is destined for the domain name example1.aliyun.com. If the A record of the domain name example1.aliyun.com is 1.1.XX.XX, the FTP traffic that is destined for 1.1.XX.XX is allowed. If the A record of the domain name example2.aliyun.com is also 1.1.XX.XX, the FTP traffic that is destined for example2.aliyun.com is also allowed.

  • If the IP addresses to which a domain name is resolved change, Cloud Firewall uses the new IP addresses to automatically update the access control policy. Cloud Firewall automatically updates the access control policies that are created for the Internet firewall every 5 minutes and the access control policies that are created for NAT firewalls every 60 minutes.

    If the IP address to which the domain name example1.aliyun.com is resolved changes from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy. Then, the policy takes effect on the IP address 2.2.XX.XX. This way, the access control policy always takes effect on the IP address to which the domain name is dynamically resolved.

    Note

    If you want to update your access control policy based on dynamic DNS resolution results, click DNS Resolution on the policy editing page to manually trigger DNS resolution and obtain the updated IP addresses. Then, click OK to save the policy updates.

Policy actions

The following actions are supported in access control policies: Allow, Monitor, and Deny. When the elements of traffic packets match an access control policy, Cloud Firewall performs the action specified in the policy.

If the action of a policy is set to Monitor, traffic is allowed when the policy is hit. You can observe traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

Note

You can view the traffic data on the Traffic Logs page. For more information, see Log audit.

Quota consumed by access control policies

After you configure an access control policy, Cloud Firewall calculates the quota that is consumed by the policy based on the numbers of items that are specified in the policy, such as source addresses, destination addresses, protocol types, ports, and applications.

Calculation method

The quotas that are consumed by access control policies are calculated by using the following formulas:

  • Quota consumed by an access control policy = Number of source addresses (number of CIDR blocks or regions) × Number of destination addresses (number of CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.

    Important

    If you configure an access control policy whose destination is a domain name, the total quota that is consumed cannot exceed 200. If the total quota exceeds 200, the portion that exceeds 200 is counted at 10 times its value.

    You can view the quota that is consumed by an access control policy in the Consumed Quota column of the policy in the access control policy list.


  • Total quota consumed by access control policies = Quota consumed by outbound access control policies + Quota consumed by inbound access control policies.

    You can view the total quota that is consumed by the access control policies for a type of firewall in the upper part of the page of the firewall. The following figure shows the quota that is consumed by access control policies that are created for the Internet firewall.

    [Figure: quota that is consumed by access control policies that are created for the Internet firewall]

Billing

  • By default, the basic price of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method covers a specific quota for access control policies. If the specific quota cannot meet your business requirements, you can purchase an additional quota.

    The additional quota on access control policies can be used for access control policies for the Internet firewall, NAT firewalls, and VPC firewalls. For more information, see Subscription.

  • Cloud Firewall that uses the pay-as-you-go billing method allows you to create a maximum of 2,000 access control policies for the Internet firewall, 2,000 access control policies for NAT firewalls, and 10,000 access control policies for VPC firewalls. The numbers cannot be increased. For more information, see Pay-as-you-go.

Examples on how to calculate the quota consumed by access control policies

Example 1

  • Policy configuration:

    • Source: 19.16.XX.XX/32, 17.6.XX.XX/32

    • Destination: www.aliyun.com

    • Protocol type: TCP

    • Port: 80/88, 443/443

    • Application: HTTP, HTTPS

  • Quota consumed by a policy: Number of source CIDR blocks × Number of destination domain names × Number of port ranges × Number of applications = 2 × 1 × 2 × 2 = 8.

Example 2

  • Policy configuration:

    • Source: Beijing, Zhejiang

    • Destination: 19.18.XX.XX/32

    • Protocol type: TCP

    • Port: 80/80

    • Application: HTTP

  • Quota consumed by a policy: Number of source regions × Number of destination CIDR blocks × Number of port ranges × Number of applications = 2 × 1 × 1 × 1 = 2.
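
The quota formula and the 200 threshold for domain-name destinations, worked as an added example (not Alibaba Cloud code or an API of the product). It computes the quota of a policy written as in the examples above and predicts what happens when a domain-destination policy is added to a NAT firewall (creation fails above 200) or to the Internet firewall (the part above 200 counts 10 times). The function names, the dictionary layout and the `NEW_16` policy are assumptions, and address books are assumed to be already expanded into their entries.

```python
LIMIT = 200         # threshold the page gives for domain-name destinations
EXCESS_FACTOR = 10  # Internet firewall: quota above the threshold counts 10x

def policy_quota(policy):
    """Sources x destinations x port ranges x applications for one policy.

    `policy` maps item names to comma-separated strings, written as in the
    page's examples (for instance "Port": "80/88, 443/443").
    """
    quota = 1
    for item in ("Source", "Destination", "Port", "Application"):
        entries = [e.strip() for e in policy[item].split(",") if e.strip()]
        if not entries:
            raise ValueError(f"{item} is empty")
        quota *= len(entries)
    return quota

def preflight(firewall, existing_quota, new_policy):
    """Predict the result of adding a domain-destination policy.

    firewall is "nat" or "internet"; existing_quota is the quota already
    consumed by domain-destination policies on that firewall.
    """
    raw = existing_quota + policy_quota(new_policy)
    if raw <= LIMIT:
        return {"created": True, "total": raw}
    if firewall == "nat":
        # NAT firewalls: an error is reported and the policy is not created.
        return {"created": False, "total": existing_quota}
    # Internet firewall: the part above the threshold is counted 10 times.
    return {"created": True, "total": (raw - LIMIT) * EXCESS_FACTOR + LIMIT}

# Example 1 and Example 2 from the page.
EXAMPLE_1 = {"Source": "19.16.XX.XX/32, 17.6.XX.XX/32",
             "Destination": "www.aliyun.com",
             "Port": "80/88, 443/443", "Application": "HTTP, HTTPS"}
EXAMPLE_2 = {"Source": "Beijing, Zhejiang", "Destination": "19.18.XX.XX/32",
             "Port": "80/80", "Application": "HTTP"}
# Constructed policy that consumes 2 x 1 x 4 x 2 = 16 (not from the page).
NEW_16 = {"Source": "10.0.0.0/24, 10.0.1.0/24", "Destination": "example.com",
          "Port": "80/80, 443/443, 8080/8080, 8443/8443",
          "Application": "HTTP, HTTPS"}

if __name__ == "__main__":
    print(policy_quota(EXAMPLE_1), policy_quota(EXAMPLE_2))
    print(preflight("internet", 185, NEW_16), preflight("nat", 185, NEW_16))
```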
