This topic describes how to create an access control policy for a virtual private cloud (VPC) firewall. Cloud Firewall allows you to create access control policies for VPC firewalls. A VPC firewall can detect and control the traffic between two VPCs.

Prerequisites

VPC firewalls are not automatically created. Before you create an access control policy for a VPC firewall, you must create and enable a VPC firewall.

An access control policy for a VPC firewall takes effect only after the VPC firewall is enabled.

Create an access control policy

By default, a VPC firewall allows all traffic. If you want to control traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, click Access Control.
  3. On the VPC Firewall tab, click Create Policy.
  4. In the Create VPC Firewall Policy dialog box, configure the parameters. For more information about the parameters for a policy, see the Policy parameters table in this topic.
    Choose the approach that fits your business requirements:
    • Deny traffic from suspicious or malicious sources and leave all other traffic allowed.
    • Allow only trusted sources: create a policy that allows traffic from trusted sources and a second policy that denies traffic from all other sources. Make sure that the allow policy has a higher priority than the deny policy. The first policy whose conditions the traffic meets determines the action, so a deny policy with the higher priority would also block the trusted traffic. For more information about policy priorities, see Change the priority of an access control policy.
    Note A VPC firewall allows all traffic by default. Traffic that matches no policy is allowed.

Policy parameters

Source Type
  The type of the traffic source. Valid values: IP and Address Book.
  • IP: If you select this option, enter a CIDR block for Source.
  • Address Book: If you select this option, select a preconfigured address book for Source.
    Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.
Source
  The source of the traffic.
  • If you set Source Type to IP, enter a CIDR block. You can enter only one CIDR block. Example: 1.1.1.1/32.
  • If you set Source Type to Address Book, select a preconfigured address book for Source.
    Note You can select only one address book per policy. If you want to use multiple address books, create a separate policy for each address book.
Destination Type
  The type of the traffic destination. Valid values:
  • IP: If you select this option, enter a CIDR block for Destination.
  • Address Book: If you select this option, select an address book for Destination.
  • Domain Name: If you select this option, enter a domain name for Destination. You can specify a wildcard domain name. Example: *.aliyun.com.
    Note A domain name is matched against the Host header of an HTTP request or the Server Name Indication (SNI) of an HTTPS connection. By default, if an HTTP request has no Host header or an HTTPS connection has no SNI, Cloud Firewall allows the traffic. A Deny policy that uses a domain name therefore does not block such traffic. If that traffic must also be blocked, add a policy on the destination CIDR block as well.
Destination
  The destination address that can be accessed.
  • If you set Destination Type to IP, enter a CIDR block. Example: 1.1.1.1/32.
  • If you set Destination Type to Address Book, find the required address book and click Select in the Actions column.
    Note You can select only one address book per policy. If you want to use multiple address books, create a separate policy for each address book.
  • If you set Destination Type to Domain Name, enter a domain name or a wildcard domain name for Destination. Example: *.aliyun.com.
Protocol
  The protocol of the traffic. Valid values:
  • ANY: any protocol
  • TCP
  • UDP
  • ICMP
Port Type
  The type of the port. Valid values: Ports and Address Book.
  • Ports: If you select this option, specify only one port or port range.
  • Address Book: If you select this option, select a preconfigured port address book. A port address book contains multiple ports, which allows you to configure access control for multiple ports in an efficient manner.
Ports
  The destination ports on which you want to control traffic. If you set Port Type to Ports, enter a port number or a port range. If you set Port Type to Address Book, find the required port address book and click Select in the Actions column.
  Note
  • You can select only one address book per policy. If you want to use multiple address books, create a separate policy for each address book.
  • If you set Protocol to ICMP, the ports that you specify do not take effect. If you set Protocol to ANY, the ports that you specify are ignored for ICMP traffic, so the policy also matches all ICMP traffic between the specified source and destination.
Application
  The type of the application. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.

  If you set Protocol to TCP, all applications in the list of valid values are available. If you set Protocol to a value other than TCP, you can select only ANY.

  Note Cloud Firewall identifies applications based on packet characteristics, not port numbers. If Cloud Firewall cannot identify the application of a packet, it allows the packet. A Deny policy that specifies an application therefore does not block traffic that Cloud Firewall fails to identify. To block all traffic to a service regardless of how it is identified, create a policy that specifies the protocol and port and leaves Application set to ANY.
Policy Action
  Specifies whether the VPC firewall allows or denies the traffic. Valid values:
  • Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
  • Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
  • Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. After you observe the traffic for a period of time, you can change the policy action to Allow or Deny based on your business requirements.
Description
  The description of the policy. Enter a description that helps you identify the policy.
Priority
  The priority of the policy. Policies are evaluated in order of priority, and the first policy whose conditions the traffic meets determines the action. Default value: Lowest. Valid values:
  • Lowest: The policy has the lowest priority and is evaluated last.
  • Highest: The policy has the highest priority and is evaluated first.
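The priority ordering from the procedure above and the matching rules from the parameter table, including the cases in which a policy does not match (ports on ICMP traffic, an application Cloud Firewall cannot identify, an HTTPS connection without SNI), are modeled in the following added Python example. It is not Cloud Firewall code: the Policy and Flow classes, the CIDR blocks, the flows and the policy names are constructed for the illustration, and treating an unidentified application as matching no application-specific policy (so that it falls through to the default Allow) is an assumption about how the note on this page applies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not Cloud Firewall code: a model of the VPC firewall policy
# semantics described on this page. Policies are checked from highest to
# lowest priority, the first match decides, and traffic that matches no
# policy is allowed. Class layout, sample data and the handling of
# unidentified applications are assumptions made for this illustration.


@dataclass
class Policy:
    source: str                              # source CIDR block
    destination: str                         # destination CIDR block or domain name
    dest_type: str = "IP"                    # "IP" or "Domain Name"
    protocol: str = "ANY"                    # ANY, TCP, UDP or ICMP
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None = any
    application: str = "ANY"                 # ANY or an application such as SSH or Redis
    action: str = "Deny"                     # Allow, Deny or Monitor
    description: str = ""


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None
    application: Optional[str] = None  # None: the firewall could not identify it
    domain: Optional[str] = None       # HTTP Host or TLS SNI; None if absent


def domain_matches(pattern: str, name: Optional[str]) -> bool:
    """Exact or '*.' wildcard match. A missing Host/SNI never matches, so a
    domain-name Deny policy does not catch traffic without one."""
    if name is None:
        return False
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def policy_matches(p: Policy, f: Flow) -> bool:
    if ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(p.source, strict=False):
        return False
    if p.dest_type == "IP":
        if ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(p.destination, strict=False):
            return False
    elif not domain_matches(p.destination, f.domain):
        return False
    if p.protocol != "ANY" and p.protocol != f.protocol:
        return False
    # Ports are ignored for ICMP traffic, as the Ports note on this page states.
    if p.ports is not None and f.protocol != "ICMP":
        if f.dst_port is None or not (p.ports[0] <= f.dst_port <= p.ports[1]):
            return False
    # Assumption: a policy that names an application cannot match traffic whose
    # application the firewall failed to identify; such traffic falls through to
    # later policies and, if none matches, to the default Allow.
    if p.application != "ANY" and f.application != p.application:
        return False
    return True


def evaluate(policies: List[Policy], f: Flow) -> Tuple[str, str]:
    """Return (verdict, description of the deciding policy). `policies` is in
    priority order, highest first. Monitor records the traffic and allows it."""
    for p in policies:
        if policy_matches(p, f):
            return ("Allow" if p.action == "Monitor" else p.action), p.description
    return "Allow", "default (no policy matched)"


# Constructed sample: VPC A (10.1.0.0/16) may reach VPC B (10.2.0.0/16) over SSH only.
ALLOW_SSH = Policy("10.1.0.0/16", "10.2.0.0/16", protocol="TCP", ports=(22, 22),
                   application="SSH", action="Allow", description="allow SSH from VPC A")
DENY_ALL = Policy("0.0.0.0/0", "10.2.0.0/16", description="deny everything else to VPC B")
DENY_PORT_80 = Policy("10.1.0.0/16", "10.2.0.0/16", ports=(80, 80),
                      description="deny port 80 with Protocol ANY")
DENY_REDIS = Policy("0.0.0.0/0", "10.2.0.0/16", protocol="TCP", application="Redis",
                    description="deny Redis")
DENY_DOMAIN = Policy("10.1.0.0/16", "*.example.com", dest_type="Domain Name",
                     protocol="TCP", application="HTTPS", description="deny *.example.com")

TRUSTED_SSH = Flow("10.1.5.5", "10.2.0.10", "TCP", 22, "SSH")
UNTRUSTED_SSH = Flow("172.16.0.5", "10.2.0.10", "TCP", 22, "SSH")
PING = Flow("10.1.5.5", "10.2.0.10", "ICMP")
UNKNOWN_APP = Flow("10.1.5.5", "10.2.0.10", "TCP", 6379, None)
NO_SNI = Flow("10.1.5.5", "10.2.0.10", "TCP", 443, "HTTPS", domain=None)


def demo() -> dict:
    """Verdicts for the scenarios discussed on this page."""
    return {
        # Allow policy with the higher priority: trusted SSH passes, the rest is denied.
        "correct_order_trusted": evaluate([ALLOW_SSH, DENY_ALL], TRUSTED_SSH)[0],
        "correct_order_untrusted": evaluate([ALLOW_SSH, DENY_ALL], UNTRUSTED_SSH)[0],
        # Deny policy with the higher priority: it matches first and blocks trusted SSH too.
        "wrong_order_trusted": evaluate([DENY_ALL, ALLOW_SSH], TRUSTED_SSH)[0],
        # Protocol ANY with a port: the port is ignored for ICMP, so ping is denied as well.
        "icmp_ignores_ports": evaluate([DENY_PORT_80], PING)[0],
        # Unidentified application and missing SNI match no policy and reach the default Allow.
        "unidentified_app_bypasses_deny": evaluate([DENY_REDIS], UNKNOWN_APP)[0],
        "missing_sni_bypasses_domain_deny": evaluate([DENY_DOMAIN], NO_SNI)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, verdict)
```

The wrong_order_trusted result is why the allow policy needs the higher priority. The last two results show that a Deny policy keyed on an application or a domain name does not catch traffic that lacks the identifying characteristics, so a backstop policy on protocol, port and CIDR block with Application set to ANY is the safer way to block a service.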