This topic describes how to create an access control policy for a virtual private cloud (VPC) firewall. Cloud Firewall allows you to create access control policies for VPC firewalls. A VPC firewall can detect and control the traffic between two VPCs.
VPC firewalls are not automatically created. Before you create an access control policy for a VPC firewall, you must create and enable a VPC firewall.
Create an access control policy
By default, a VPC firewall allows all traffic. If you want to control traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, click Access Control.
- On the VPC Firewall tab, click Create Policy.
- In the Create VPC Firewall Policy dialog box, configure the parameters. For more information about the parameters for a policy, see the Policy parameters table in this topic. You can configure the parameters based on your business requirements.
Note: A VPC firewall allows all traffic by default. You can use either of the following strategies:
- Deny traffic from suspicious or malicious sources.
- Allow traffic only from trusted sources. Specifically, create a policy to allow traffic from trusted sources and create another policy to deny traffic from all other sources. Make sure that the priority of the allow policy is higher than that of the deny policy; otherwise the deny policy matches first and the trusted traffic is also blocked. For more information about policy priorities, see Change the priority of an access control policy.
Policy parameters

| Parameter | Description |
| --- | --- |
| Source Type | The type of the traffic source. Valid values: IP and Address Book. |
| Source | The source CIDR block of the traffic. Note: You can enter only one CIDR block. Example: 188.8.131.52/32. If you set Source Type to Address Book, select a preconfigured address book for Source. Note: You can select only one address book at a time. To use multiple address books, click Create Policy to create a separate policy for each one. |
| Destination Type | The type of the traffic destination. Valid values: |
| Destination | The destination address that can be accessed. |
| Protocol | The protocol of the traffic. Valid values: |
| Port Type | The type of the port. Valid values: Ports and Address Book. |
| Ports | The ports on which you want to control traffic. If you set Port Type to Ports, enter a port number. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column. |
| Application | The type of the application. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC. If you set Protocol to TCP, all applications in the list of valid values are available. If you set Protocol to a value other than TCP, you can select only ANY. Note: Cloud Firewall identifies applications based on packet characteristics, not on port numbers. If Cloud Firewall fails to identify the application of a packet, it allows the packet. |
| Policy Action | Specifies whether the VPC firewall allows or denies the traffic. Valid values: |
| Description | The description of the policy. Enter a description that helps you identify the policy. |
| Priority | The priority of the policy. Default value: Lowest. Valid values: |
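The allow-before-deny ordering in the note above and the Priority parameter are easy to get wrong: if the deny policy is evaluated first, it shadows the allow policy and trusted traffic is blocked. The following toy evaluator is an added illustration written for this topic, not Cloud Firewall code or its API. It assumes first-match semantics, that a smaller priority number is evaluated first, and that an unmatched flow falls through to the default action "allow" (the page states the default, the numeric convention is an assumption). The policies and flows are constructed sample data.

```python
"""Toy first-match policy evaluator illustrating allow-before-deny ordering.

Added illustration, not Cloud Firewall code. Assumptions:
- a smaller priority number is evaluated first (assumption)
- the first matching policy decides; no match means the default "allow"
- port specs are a single port, a "low/high" range, or "ANY"
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    source: str        # source CIDR block, e.g. "10.1.0.0/24"
    destination: str   # destination CIDR block
    protocol: str      # "TCP", "UDP", "ICMP" or "ANY"
    port: str          # "3306", "1000/2000" or "ANY"
    action: str        # "allow" or "deny"
    priority: int      # assumed: lower number = evaluated first


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    port: int


DEFAULT_ACTION = "allow"  # a VPC firewall allows all traffic by default


def _port_matches(spec: str, port: int) -> bool:
    if spec == "ANY":
        return True
    if "/" in spec:  # range written as low/high
        low, high = (int(x) for x in spec.split("/"))
        return low <= port <= high
    return int(spec) == port


def _matches(policy: Policy, flow: Flow) -> bool:
    if policy.protocol not in ("ANY", flow.protocol):
        return False
    src_ok = ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(policy.source, strict=False)
    dst_ok = ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(policy.destination, strict=False)
    return src_ok and dst_ok and _port_matches(policy.port, flow.port)


def evaluate(policies, flow: Flow):
    """Return (action, matching policy or None), first match in priority order."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if _matches(policy, flow):
            return policy.action, policy
    return DEFAULT_ACTION, None


# Constructed sample: a trusted subnet may reach a database subnet on TCP 3306,
# and every other source is denied access to that database subnet.
ALLOW_TRUSTED = Policy("10.1.0.0/24", "10.2.0.0/24", "TCP", "3306", "allow", priority=1)
DENY_OTHERS = Policy("0.0.0.0/0", "10.2.0.0/24", "ANY", "ANY", "deny", priority=2)
CORRECT_ORDER = [ALLOW_TRUSTED, DENY_OTHERS]

# The same two policies with their priorities swapped: the deny now shadows the allow.
WRONG_ORDER = [replace(ALLOW_TRUSTED, priority=2), replace(DENY_OTHERS, priority=1)]

TRUSTED_FLOW = Flow("10.1.0.5", "10.2.0.10", "TCP", 3306)    # trusted client -> database
UNTRUSTED_FLOW = Flow("10.3.0.5", "10.2.0.10", "TCP", 3306)  # other VPC -> database
UNRELATED_FLOW = Flow("10.1.0.5", "10.4.0.10", "TCP", 22)    # matches no policy


if __name__ == "__main__":
    for name, policies in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for label, flow in (("trusted", TRUSTED_FLOW), ("untrusted", UNTRUSTED_FLOW), ("unrelated", UNRELATED_FLOW)):
            action, hit = evaluate(policies, flow)
            print(f"{name:13} {label:10} -> {action} ({'default' if hit is None else hit.action + ' policy'})")
```

Running the block shows the trusted flow allowed under the correct order and denied under the swapped order, the untrusted flow denied under both, and the unrelated flow falling through to the default allow. That last case is worth keeping in mind when reviewing a policy set: anything that no policy matches is permitted, so a deny-others policy must cover every destination you intend to protect.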