If you want to block access to your assets from regions outside China, you can go to the Cloud Firewall console and configure an access control policy. This topic describes how to configure a policy to block access from regions outside China in the Cloud Firewall console.
Create an access control policy
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Internet Firewall tab, click Inbound Policies.
- On the Inbound Policies tab, click Create Policy.
- In the Create Inbound Policy dialog box, configure the parameters and click Submit.
Set Source Type to Region. Then, set Source to Regions Outside China and Policy Action to Deny. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Source Type | The type of the source address. Valid values: |
| Source | The source IP address or CIDR block of the access traffic. Note: You can specify only one CIDR block, such as 192.0.2.0/32. If you set Source Type to Address Book, select a preconfigured address book for Source. Note: You can select only one address book for a policy. If you want to use multiple address books, click Create Policy and create a separate policy for each address book. |
| Destination Type | The type of the destination address. Valid values: |
| Destination | The destination of the traffic. If you set Destination Type to IP, specify a CIDR block. You can specify only one CIDR block. If you set Destination Type to Domain Name, enter a domain name. You can enter a wildcard domain name. |
| Port Type | The type of the port. Valid values: |
| Ports | The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column. |
| Application | The application on which you want the policy to take effect. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC. If you set Protocol to TCP, all the preceding applications are supported. If you set Protocol to another value, you can select only ANY for this parameter. Note: Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify the application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Strict mode of the Internet firewall. |
| Policy Action | Specifies whether the Internet firewall allows or denies the traffic. Valid values: |
| Description | The description of the policy. Enter a description that can help you identify the policy. |
| Priority | The priority of the policy. Valid values: Default value: Lowest. |
Check whether access traffic hits an access control policy
By default, an access control policy immediately takes effect after it is created. However, if you specify invalid values for the policy parameters or disable the Internet firewall, the policy may not take effect.
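The following Python model, added here as an illustration and not Cloud Firewall's own code, shows how the parameters above interact when inbound traffic is checked against a policy list: policies are tested in priority order and the first hit decides, a policy with a specific Application is only available with Protocol TCP, a Source of type IP accepts exactly one CIDR block, and a packet whose application cannot be identified is allowed unless strict mode is enabled. The names Policy, Packet, validate_policy() and evaluate(), the region labels, the "any destination" notation 0.0.0.0/0, the default-allow result for traffic that hits no policy, and all sample addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of inbound policy matching; Policy, Packet, validate_policy()
# and evaluate() are this example's own names, and the region labels and sample
# addresses below are made up for illustration.
OUTSIDE_CHINA = "Regions Outside China"


@dataclass
class Policy:
    source_type: str      # "IP" or "Region" (Address Book is not modelled here)
    source: str           # one CIDR block, or a region label
    destination: str      # one CIDR block; "0.0.0.0/0" stands for any destination
    protocol: str         # "TCP", "UDP", "ICMP" or "ANY"
    port_range: tuple     # (first, last), inclusive
    application: str      # "ANY", "HTTP", "SSH", ...
    action: str           # "Allow" or "Deny"
    description: str = ""


@dataclass
class Packet:
    src_ip: str
    src_region: str             # geolocation result, assumed already resolved
    dst_ip: str
    protocol: str
    dst_port: int
    application: Optional[str]  # None when the application was not identified


def validate_policy(policy: Policy) -> bool:
    """True if the parameters satisfy the constraints described in the table."""
    try:
        if policy.source_type == "IP":
            # Exactly one CIDR block: "10.0.0.0/8,10.1.0.0/16" raises ValueError.
            ipaddress.ip_network(policy.source, strict=False)
        ipaddress.ip_network(policy.destination, strict=False)
    except ValueError:
        return False
    # Application-specific policies are only available with Protocol TCP.
    if policy.application != "ANY" and policy.protocol != "TCP":
        return False
    first, last = policy.port_range
    return 0 <= first <= last <= 65535


def match(policy: Policy, pkt: Packet, strict_mode: bool) -> Optional[str]:
    """Verdict this policy produces for pkt, or None if the policy does not apply."""
    if policy.source_type == "Region":
        if pkt.src_region != policy.source:
            return None
    elif ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(policy.source, strict=False):
        return None
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(policy.destination, strict=False):
        return None
    if policy.protocol != "ANY" and policy.protocol != pkt.protocol:
        return None
    first, last = policy.port_range
    if not first <= pkt.dst_port <= last:
        return None
    if policy.application != "ANY":
        if pkt.application is None:
            # Unidentified application: allowed unless strict mode is enabled.
            return "Deny" if strict_mode else "Allow"
        if pkt.application != policy.application:
            return None
    return policy.action


def evaluate(policies: List[Policy], pkt: Packet, strict_mode: bool = False) -> str:
    """Policies are checked in priority order; the first policy hit decides."""
    for policy in policies:
        verdict = match(policy, pkt, strict_mode)
        if verdict is not None:
            return verdict
    return "Allow"  # assumption of this model: traffic that hits no policy passes


# Higher-priority policy first: allow SSH from a constructed office range, then
# deny everything else from regions outside China.
ALLOW_OFFICE_SSH = Policy("IP", "203.0.113.0/24", "0.0.0.0/0", "TCP", (22, 22), "SSH", "Allow", "office SSH")
DENY_OUTSIDE_CHINA = Policy("Region", OUTSIDE_CHINA, "0.0.0.0/0", "ANY", (0, 65535), "ANY", "Deny", "block outside China")
POLICIES = [ALLOW_OFFICE_SSH, DENY_OUTSIDE_CHINA]

# Constructed sample traffic.
OFFICE_SSH = Packet("203.0.113.7", OUTSIDE_CHINA, "10.0.0.5", "TCP", 22, "SSH")
FOREIGN_HTTPS = Packet("198.51.100.9", OUTSIDE_CHINA, "10.0.0.5", "TCP", 443, "HTTPS")
OFFICE_UNKNOWN = Packet("203.0.113.7", OUTSIDE_CHINA, "10.0.0.5", "TCP", 22, None)
DOMESTIC_MYSQL = Packet("192.0.2.10", "China", "10.0.0.5", "TCP", 3306, "MySQL")

if __name__ == "__main__":
    for name, pkt in [("office ssh", OFFICE_SSH), ("foreign https", FOREIGN_HTTPS),
                      ("office unknown app", OFFICE_UNKNOWN), ("domestic mysql", DOMESTIC_MYSQL)]:
        print(f"{name}: {evaluate(POLICIES, pkt)} (strict mode: {evaluate(POLICIES, pkt, strict_mode=True)})")
```

Reversing the order of POLICIES makes the region-based deny hit first, so the office SSH traffic is denied as well; this is the effect of the Priority parameter, and it is the first thing to check when a policy does not produce the hits you expect.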
Modify an access control policy
After an access control policy is created, you can modify the access control policy based on your business requirements.
To modify an access control policy, find the access control policy on the Inbound Policies tab and click Modify in the Actions column. In the Modify Policy panel, modify the parameters of the access control policy.