You can use the features of Cloud Firewall to protect your bastion host. The features include access control, intrusion prevention system (IPS), and network traffic analysis. This way, you can manage the public IP addresses that communicate with your bastion host in a centralized manner and protect your bastion host.

Recommended configurations

The following list describes the recommended configurations for Cloud Firewall to protect a bastion host:

  1. Configure inbound policies for the Internet firewall to allow access to the open ports of a bastion host from the Internet globally or the Internet in specified regions.
  2. Configure outbound policies for the Internet firewall to allow a bastion host to access the Internet.
  3. Enable the Internet firewall for the bastion host so that inbound traffic and outbound traffic of the bastion host all pass through Cloud Firewall.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Internet Firewall tab of the Access Control page, configure inbound policies to allow access to the open ports of the bastion host from the Internet globally or the Internet in specified regions.
    1. Click the Inbound Policies tab.
    2. Optional: Click Address Books. In the dialog box that appears, click the Port Address Books tab. Then, click Create Address Book.
      Note: You can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to open only one port of the bastion host, you do not need to create an address book.
    3. In Create Port Address Book, add the bastion host ports that you want to open.

      In this example, ports 60022 (SSH), 63389 (RDP), and 443 (bastion host O&M) need to be opened. You can add ports to a port address book based on your business requirements. Separate multiple ports with commas (,). You can add up to 50 ports.

    4. Create an inbound policy to allow access to the specified ports of the bastion host from the Internet.
      Parameter: Description
      Source Type: Select IP.
      Source: To allow all public IP addresses to access the open ports of the bastion host, enter 0.0.0.0/0. To allow some public IP addresses to access the open ports of the bastion host, enter the CIDR blocks of these IP addresses.
      Destination Type: Select IP.
      Destination: Enter the IP address of the bastion host.
        Note: To view the IP address of the bastion host, log on to the Cloud Firewall console. In the left-side navigation pane, choose Firewall Settings > Firewall Settings. On the Internet Firewall tab, configure Asset Type to search for the IP address of the bastion host. You do not need to log on to the Bastionhost console.
      Protocol: Select TCP.
      Port Type: To open multiple ports of the bastion host, select Address Book for Port Type and select the address book that you create.
      Application: Select ANY.
      Policy Action: Select Allow, which indicates that the specified public IP addresses are allowed to access the open ports of the bastion host.
      Description: Enter a description for the policy. The description can help you identify the policy.
      Priority: Select a priority for the policy. Default value: Lowest. Valid values:
        • Lowest: The policy has the lowest priority.
        • Highest: The policy has the highest priority.
      Enabled: Turn on the switch, which indicates that the policy is enabled.
    5. Create another inbound policy to deny access to unopened ports of the bastion host from all public IP addresses.

      Ports: Enter 0/0, which indicates all ports of the bastion host.

      Policy Action: Select Deny, which indicates that access to the unopened ports of the bastion host from all public IP addresses is denied.

  4. Allow the bastion host to access the Internet.

    If a bastion host needs to access Alibaba Cloud services over the Internet, an Elastic Compute Service (ECS) instance in a different virtual private cloud (VPC), or a host outside the cloud, you must configure settings to allow the bastion host to access the Internet.

    1. Choose Access Control > Access Control and click the Internet Firewall tab. Then, click the Outbound Policies tab.
    2. Click Create Policy and configure the parameters.
  5. Choose Firewall Settings > Firewall Settings. On the Internet Firewall tab, find the bastion host for which you want to enable the Internet firewall, and click Enable Firewall.
    Note: A newly purchased bastion host is synchronized to the Cloud Firewall console within 15 to 30 minutes.
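
The allow and deny inbound policies from the procedure above, modeled as an added example (not Alibaba Cloud code and not a Cloud Firewall API) to show why the allow policy must be evaluated before the deny-all policy. It assumes policies are matched top-down with the first match deciding; the `Policy` class, policy names, and IP addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

BASTION_IP = "203.0.113.10"                   # constructed placeholder address
OPEN_PORTS = frozenset({60022, 63389, 443})   # port address book from the page's example

@dataclass
class Policy:
    name: str
    source: str                  # CIDR block
    destination: str             # bastion host IP
    ports: Optional[frozenset]   # None models 0/0 (all ports)
    action: str                  # "Allow" or "Deny"

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and dst_ip == self.destination
                and (self.ports is None or port in self.ports))

def evaluate(policies, src_ip, dst_ip, port):
    """Return (action, policy name) of the first matching policy (assumed first-match)."""
    for p in policies:
        if p.matches(src_ip, dst_ip, port):
            return p.action, p.name
    return "NoMatch", None

def shadowed(policies):
    """Names of policies that can never match because an earlier policy fully covers them."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            net_ok = ipaddress.ip_network(p.source).subnet_of(ipaddress.ip_network(q.source))
            port_ok = q.ports is None or (p.ports is not None and p.ports <= q.ports)
            if net_ok and port_ok and p.destination == q.destination:
                out.append(p.name)
                break
        # a policy not covered by any earlier one stays reachable
    return out

allow = Policy("allow-bastion-ports", "198.51.100.0/24", BASTION_IP, OPEN_PORTS, "Allow")
deny = Policy("deny-all-other", "0.0.0.0/0", BASTION_IP, None, "Deny")
GOOD_ORDER = [allow, deny]   # allow is evaluated before the deny-all policy
BAD_ORDER = [deny, allow]    # deny-all first: the allow policy is never reached

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 60022), ("198.51.100.7", 22), ("192.0.2.50", 443)]:
        print(src, port, evaluate(GOOD_ORDER, src, BASTION_IP, port))
    print("shadowed in bad order:", shadowed(BAD_ORDER))
```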
