
Cloud Firewall: Access control policy overview

Last Updated: Jun 25, 2026

By default, Cloud Firewall allows all traffic if no access control policies are configured. To manage unauthorized access to your assets, create policies to block or allow specific traffic. This topic describes how access control policies in Cloud Firewall work and how their use is billed.

Overview

Cloud Firewall provides access control policies for the internet boundary, NAT boundary, VPC boundary, and host boundary. You can configure access control policies for different firewalls to block unauthorized traffic and create multi-layered security isolation. The principles described in this topic apply only to access control policies for the internet boundary, NAT boundary, and VPC boundary.

Note

For information about access control policies for the host boundary, see Security group configuration.

Policy elements

An access control policy can identify and match different traffic elements to allow or deny the corresponding traffic.

Parameter: Source

Description: The initiator of the network connection.

Configuration type:

  • IP: Controls traffic from specific IP address ranges.

  • IP address book: Controls traffic from a collection of IP address ranges.

  • Region: Controls traffic from a specific geographic region.

Supported policies:

  • Outbound policies for the internet boundary and NAT boundary, and VPC boundary policies, support IP and IP address book.

  • Inbound policies for the internet boundary support IP, IP address book, and region.

Parameter: Destination

Description: The receiver of the network connection. Supports IP, IP address book, domain name, and region.

Configuration type:

  • IP: Controls traffic to specific IP address ranges.

  • IP address book: Controls traffic to a collection of IP address ranges.

  • Domain name: Controls traffic to a specific domain name.

  • Region: Controls traffic to a specific geographic region.

Supported policies:

  • Outbound policies for the internet boundary and NAT boundary support IP, IP address book, domain name, and region.

  • VPC boundary policies support IP, IP address book, and domain name.

  • Inbound policies for the internet boundary support IP and IP address book.

Parameter: Protocol type

Description: Transport layer protocol.

Configuration type: Supports TCP, UDP, ICMP, and ANY. If you are unsure of the specific protocol type, you can select ANY.

Supported policies: All policies support all types.

Parameter: Port

Description: Destination port.

Configuration type: Controls traffic based on its destination port. You can specify individual ports or use port address books.

  • You cannot configure a port for the ICMP protocol.

  • If the protocol is set to ANY and you want to match ICMP traffic, the port range must include 0, such as 0/80.

Parameter: Application

Description: Application layer protocol.

Configuration type: Supports various protocols, including HTTP, HTTPS, SMTP, SMTPS, SSL, FTP, IMAPS, and POP3. If you are unsure of the specific application, you can select ANY.

Note

Cloud Firewall identifies the application type of TLS and SSL traffic based on the port.

  • 443: HTTPS

  • 465: SMTPS

  • 993: IMAPS

  • 995: POP3S

  • Other ports: SSL

Supported policies: Depends on the selected protocol type.

How it works

If you do not configure any access control policies, Cloud Firewall allows all traffic by default.

After you configure access control policies, Cloud Firewall evaluates traffic against them in descending order of priority. When traffic matches a policy, the specified action is executed and no further policies are evaluated. If traffic does not match a policy, Cloud Firewall proceeds to the next policy in order. If traffic matches no configured access control policy at all, it is allowed by default.

Important

  • After you create, modify, or delete an access control policy, it takes about 3 minutes for Cloud Firewall to deploy the policy to the engine.

  • The lower the priority value of an access control policy, the higher its priority. To ensure optimal matching, set higher priorities for frequently matched and more specific policies.

The following diagram illustrates how access control policies work.


Policy actions

Each access control policy has one of three actions: Allow, Monitor, or Deny. When traffic matches the policy, Cloud Firewall takes the specified action.

If a policy's action is set to Monitor, traffic is still allowed to pass when a match occurs. After observing the traffic for a period, you can change the action to Allow or Deny as needed.
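The first-match evaluation described above, modelled as an added example (not Alibaba Cloud's implementation): policies are tried in ascending priority value, Monitor lets traffic through while recording the match, an ANY-protocol policy only catches ICMP when its port range includes 0, and unmatched traffic falls back to the default allow. The Policy class, the sample policy set and the evaluate function are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical simplified policy model (added example, not Alibaba Cloud code).
@dataclass
class Policy:
    priority: int         # lower value = evaluated earlier
    source: str           # CIDR of the connection initiator
    destination: str      # CIDR of the receiver
    protocol: str         # "TCP", "UDP", "ICMP" or "ANY"
    ports: Optional[str]  # "start/end" destination port range; None for ICMP
    action: str           # "Allow", "Monitor" or "Deny"

def port_in_range(ports: str, port: int) -> bool:
    lo, hi = (int(x) for x in ports.split("/"))
    return lo <= port <= hi

def policy_matches(p: Policy, src: str, dst: str, proto: str, port: int) -> bool:
    if ip_address(src) not in ip_network(p.source):
        return False
    if ip_address(dst) not in ip_network(p.destination):
        return False
    if p.protocol not in ("ANY", proto):
        return False
    if p.protocol == "ICMP":
        return True                      # ICMP policies carry no port
    if proto == "ICMP":
        return port_in_range(p.ports, 0) # ANY-protocol policy needs 0 in range
    return port_in_range(p.ports, port)

def evaluate(policies, src, dst, proto, port=0):
    """First match in ascending priority value wins; Monitor still lets the
    traffic through; no match falls back to the default allow.
    Returns (allowed, action, matched_priority)."""
    for p in sorted(policies, key=lambda p: p.priority):
        if policy_matches(p, src, dst, proto, port):
            return (p.action != "Deny", p.action, p.priority)
    return (True, "default allow", None)

# Constructed sample policy set guarding a private range (not from the page)
POLICIES = [
    Policy(1, "203.0.113.0/24", "10.0.0.0/8", "TCP", "443/443", "Allow"),
    Policy(2, "0.0.0.0/0", "10.0.0.0/8", "ANY", "0/80", "Monitor"),
    Policy(3, "0.0.0.0/0", "10.0.0.0/8", "ANY", "1/65535", "Deny"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "198.51.100.7", "10.1.2.3", "ICMP"))
```

Note that a destination outside 10.0.0.0/8 matches nothing and is therefore allowed, which is exactly why a deny-all catch-all policy at the lowest priority is the usual closing rule.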

Note

You can view traffic data on the Traffic Logs page. For more information, see Log audit.

Consumed quota

After you configure an access control policy, Cloud Firewall calculates the consumed quota for each policy based on the number of objects specified in the source, destination, protocol type, port, and application fields.

Calculation method

The consumed quota is calculated using the following formulas:

  • Consumed quota per policy = (Number of source addresses) × (Number of destination addresses) × (Number of port ranges) × (Number of applications)

    You can view the consumed quota for each policy in the Consumed Quota column of the access control policy list.

  • Total used quota = Sum of the consumed quota of all access control policies (including inbound and outbound policies)

    You can view the quota usage at the top of the access control policy page. For the internet boundary, the Used quota area displays Used quota/Total quota (for example, 14/10000) and Expanded quota (for example, 0/0). You can click Upgrade to increase the quota.

Billing

  • The Subscription editions of Cloud Firewall (Premium, Enterprise, and Ultimate) include a default quota for access control policies. If the default quota is insufficient for your needs, you can expand it on demand.

    The expanded quota is shared among the internet, NAT, and VPC boundary firewalls. For more information, see Subscription 2.0.

  • The pay-as-you-go version of Cloud Firewall supports a maximum of 2,000 consumed quota for internet boundary access control policies, 2,000 for NAT boundary policies, and 10,000 for VPC boundary policies. This quota cannot currently be expanded. For more information, see pay-as-you-go 2.0.

Calculation examples

Example 1

Policy configuration:

  • Source: 19.16.XX.XX/32, 17.6.XX.XX/32

  • Destination: www.aliyun.com

  • Protocol type: TCP

  • Port: 80/88, 443/443

  • Application: HTTP, HTTPS

Consumed quota:

  • Source: 2 IP addresses

  • Destination: 1 domain name

  • Protocol: TCP

  • Port: 2 ranges

  • Application: 2 types

  Consumed quota per policy = 2 × 1 × 2 × 2 = 8

Example 2

Policy configuration:

  • Source: Beijing, Zhejiang

  • Destination: 19.18.XX.XX/32

  • Protocol type: TCP

  • Port: 80/80

  • Application: HTTP

Consumed quota:

  • Source: 2 regions

  • Destination: 1 IP address

  • Protocol: TCP

  • Port: 1 range

  • Application: 1 type

  Consumed quota per policy = 2 × 1 × 1 × 1 = 2
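The calculation method and both examples above, carried through as an added example (not Alibaba Cloud's tooling): each policy's quota is the product of its source, destination, port range and application counts, the total is the sum over all policies, and the total is checked against the pay-as-you-go per-boundary limits this page states. The PolicySpec class, the validation rules and the treatment of an ICMP policy as one port range are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Pay-as-you-go per-boundary maximum consumed quota, as stated on this page.
# Hypothetical helper code (added example, not Alibaba Cloud's implementation).
PAYG_LIMITS: Dict[str, int] = {"internet": 2000, "nat": 2000, "vpc": 10000}

@dataclass
class PolicySpec:
    name: str
    source: List[str]        # IP ranges, address books or regions
    destination: List[str]   # IP ranges, address books, domain names or regions
    protocol: str            # TCP, UDP, ICMP or ANY
    ports: List[str]         # "start/end" destination port ranges
    applications: List[str]  # application layer protocols

def validate_ports(p: PolicySpec) -> None:
    """Reject port ranges the console would not accept: ICMP carries no port,
    other protocols need start <= end within 0..65535."""
    if p.protocol == "ICMP" and p.ports:
        raise ValueError(f"{p.name}: ICMP policies cannot specify a port")
    for r in p.ports:
        lo, hi = (int(x) for x in r.split("/"))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"{p.name}: bad port range {r}")

def consumed_quota(p: PolicySpec) -> int:
    """Consumed quota per policy = sources x destinations x port ranges x
    applications. The single protocol type does not multiply the result.
    Assumption: a policy with no port range (ICMP) counts as one range."""
    validate_ports(p)
    port_ranges = max(1, len(p.ports))
    return len(p.source) * len(p.destination) * port_ranges * len(p.applications)

def total_quota(policies: List[PolicySpec]) -> int:
    """Total used quota: sum over all inbound and outbound policies."""
    return sum(consumed_quota(p) for p in policies)

def within_payg_limit(policies: List[PolicySpec], boundary: str) -> bool:
    return total_quota(policies) <= PAYG_LIMITS[boundary]

# The two examples from this page, entered as constructed inputs
EXAMPLE_1 = PolicySpec("example-1", ["19.16.XX.XX/32", "17.6.XX.XX/32"],
                       ["www.aliyun.com"], "TCP", ["80/88", "443/443"],
                       ["HTTP", "HTTPS"])
EXAMPLE_2 = PolicySpec("example-2", ["Beijing", "Zhejiang"],
                       ["19.18.XX.XX/32"], "TCP", ["80/80"], ["HTTP"])

if __name__ == "__main__":
    for p in (EXAMPLE_1, EXAMPLE_2):
        print(p.name, consumed_quota(p))
    print("total", total_quota([EXAMPLE_1, EXAMPLE_2]))
```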
