What is the functionality of the Internet firewall?

If you disable the Internet firewall for public IP addresses, the traffic of these public IP addresses is forwarded to internal firewalls or security groups and then to the destination Elastic Compute Service (ECS) instances.

If you enable the Internet firewall for public IP addresses, the traffic of these public IP addresses is monitored and filtered by the Internet firewall before it is forwarded to internal firewalls and then to the destination ECS instances. If you enable the Internet firewall but configure neither access control policies nor intrusion prevention system (IPS) policies, Cloud Firewall only monitors the traffic and generates alerts for suspicious traffic; it does not block any traffic.

The following figure shows the route of network traffic when the Internet firewall is enabled and the route when the Internet firewall is disabled.

Is network traffic affected if I enable the Internet firewall?

By default, the Internet firewall is enabled after you activate Cloud Firewall. If no policies are configured, the traffic to and from your services passes through Cloud Firewall, but Cloud Firewall does not block or modify it, so your services are not affected.

What happens if I disable the Internet firewall?

The following figure shows the Internet Firewall tab of the Firewall Settings page.

If you disable the Internet firewall, the following issues may occur:

  • On the Internet Access page, some traffic analysis charts have no data. To go to the Internet Access page, log on to the Cloud Firewall console and choose Traffic Analysis > Internet Access in the left-side navigation pane.
  • The outbound and inbound access control policies that you created for your ECS instances no longer take effect, and the hit counts of the policies stop increasing.
  • Network traffic does not pass through Cloud Firewall, so intrusion prevention no longer takes effect.
  • The Traffic Logs tab does not display the traffic data that is generated after you disable the Internet firewall. To go to the Traffic Logs tab, log on to the Cloud Firewall console, choose Log Analysis > Log Audit in the left-side navigation pane, and then click the Traffic Logs tab.
  • Because network traffic no longer passes through Cloud Firewall, traffic that is generated after you disable the Internet firewall cannot be captured, and the Packet Capture section does not show IP packet information for that traffic. To go to the Packet Capture section, log on to the Cloud Firewall console and choose Settings > Toolbox in the left-side navigation pane. For more information, see Create a packet capture task.

For more information, see Enable or disable the Internet firewall.

Why do I fail to enable the Internet firewall?

Problem description

When you click Enable Firewall in the Actions column for some assets on the Internet Firewall tab of the Firewall Settings page, the following message appears: "You cannot enable Cloud Firewall for this IP address because the network where the SLB instance is located does not support Cloud Firewall." The operation fails and the Internet firewall is not enabled for the asset.

Cause

The Server Load Balancer (SLB) instance is internal-facing: it has only private IP addresses, so its traffic never reaches the Internet firewall, and the Internet firewall does not support such instances.

Solution

If your assets are deployed only behind an internal-facing SLB instance, associate an elastic IP address (EIP) with the internal-facing SLB instance so that its traffic is routed through Cloud Firewall, and then enable the Internet firewall for that EIP. For more information, see Associate an EIP with an SLB instance.

What types of public IP addresses can be protected by the Internet firewall?

The Internet firewall can protect the following types of public IP addresses:
  • Elastic IP addresses (EIPs). An EIP can be associated with an ECS instance of the VPC type, an internal-facing SLB instance of the VPC type, an Elastic Network Interface (ENI), or a Network Address Translation (NAT) gateway.
  • Public IP addresses of ECS instances
  • EIPs associated with SLB instances of the VPC type
  • Public IP addresses of bastion hosts