If you want to block access to your assets from regions outside China, you can go to the Cloud Firewall console and configure an access control policy. This topic describes how to configure a policy to block access from regions outside China in the Cloud Firewall console.

Prerequisites

Internet Firewall is enabled. If Internet Firewall is disabled, the access control policies that you create for the Internet firewall do not take effect. For more information, see Enable or disable the Internet firewall.

Background information

On the Internet Firewall tab, you can configure inbound policies to control access by region.

Create an access control policy

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Internet Firewall tab, click Inbound Policies.
  4. On the Inbound Policies tab, click Create Policy.
  5. In the Create Inbound Policy dialog box, configure the parameters and click Submit.

    Set Source Type to Region. Then, set Source to Regions Outside China and Policy Action to Deny. The following table describes the parameters.

Source Type: The type of the source address. Valid values:
  • IP: If you select this option, specify a CIDR block for Source.
  • Address Book: If you select this option, select a preconfigured address book for Source.
    Note You can add multiple CIDR blocks to an address book. This way, you can configure access control for multiple IP addresses in an efficient manner.
  • Region: If you select this option, select a location for Source. To block access from outside China, select Regions Outside China.

Source: The source of the access traffic. If you set Source Type to IP, specify a source IP address or CIDR block.
  Note You can specify only one CIDR block, such as 192.0.2.0/32.
  If you set Source Type to Address Book, select a preconfigured address book for Source.
  Note You can select only one address book for a policy. If you want to use multiple address books, click Create Policy to create a separate policy for each address book.
  If you set Source Type to Region, select Regions Outside China.

Destination Type: The type of the destination address. Valid values:
  • IP: If you select this option, specify a CIDR block for Destination.
  • Address Book: If you select this option, select an IP address book, domain address book, or cloud address book for Destination.
  • Domain Name: If you select this option, enter a domain name for Destination. You can enter a wildcard domain name, such as *.aliyun.com.
    Note By default, if an HTTP request header does not contain the Host field or an HTTPS request does not contain a Server Name Indication (SNI), Cloud Firewall allows the traffic.
  • Region: If you select this option, select one or more locations for Destination. You can select locations in or outside China.

Destination: The destination of the traffic. If you set Destination Type to IP, specify a CIDR block. You can specify only one CIDR block. If you set Destination Type to Domain Name, enter a domain name. You can enter a wildcard domain name.
  Note
  • In an outbound access control policy, if you set Source Type to Address Book, you can select only an IP address book for Source. If you set Destination Type to Address Book, you can select an IP address book, domain address book, or cloud address book for Destination.
  • In an inbound access control policy, if you set Source Type to Address Book, you can select an IP address book or cloud address book for Source. If you set Destination Type to Address Book, you can select only an IP address book for Destination.
  • You can select only one address book at a time. If you want to use multiple address books, click Create Policy to create a separate policy for each address book.

Protocol: The protocol of the traffic. Valid values:
  • ANY: any protocol type
  • TCP
  • UDP
  • ICMP

Port Type: The type of the port. Valid values:
  • Ports: If you select this option, enter a port range for Ports. You can enter only one port range.
  • Address Book: If you select this option, select a preconfigured port address book for Ports. A port address book contains multiple ports. This way, you can configure access control for multiple ports in an efficient manner.

Ports: The ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
  Note
  • You can select only one address book at a time. If you want to use multiple address books, click Create Policy to create a separate policy for each address book.
  • If you set Protocol to ICMP, you do not need to specify the destination ports. If you set Protocol to ANY, the destination ports that you specify do not take effect for ICMP traffic.

Application: The application on which you want the policy to take effect. Valid values: ANY, HTTP, HTTPS, Memcache, MongoDB, MQTT, MySQL, RDP, Redis, SMTP, SMTPS, SSH, and VNC.
  If you set Protocol to TCP, all the preceding applications are supported. If you set Protocol to another value, you can select only ANY for this parameter.
  Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify the application of a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Strict mode of the Internet firewall.

Policy Action: Specifies whether the Internet firewall allows or denies the traffic. Valid values:
  • Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic is allowed.
  • Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
  • Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and then change the policy action to Allow or Deny based on your business requirements.

Description: The description of the policy. Enter a description that helps you identify the policy.

Priority: The priority of the policy. Valid values:
  • Lowest: The policy has the lowest priority.
  • Highest: The policy has the highest priority.
  Default value: Lowest.

Check whether access traffic hits an access control policy

By default, an access control policy immediately takes effect after it is created. However, if you specify invalid values for the policy parameters or disable the Internet firewall, the policy may not take effect.

In the access control policy list, if the number in the Hits column is greater than 0 for an access control policy, access traffic has hit the policy. The number in the Hits column indicates the number of times that access traffic hit the policy.
You can click the number in the Hits column to go to the Traffic Logs tab. On the Traffic Logs tab, the Policy Name column shows the name of the access control policy that each traffic record hit.
Note This tab displays information about the traffic that was generated in the last seven days. If traffic hit the access control policy more than seven days ago, no data is displayed for that traffic.
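To make the parameter semantics and the Hits column concrete, the following Python program is an added example that is not part of this topic and is not Cloud Firewall's own engine, SDK, or API. It is a constructed model that evaluates a few sample flows against three inbound policies, one of them the deny policy for regions outside China that this topic configures, and then reports per-policy hit counts the way the Hits column does. The region labels, the Flow and Policy classes, the CIDR blocks (documentation ranges), the evaluation order for policies of equal priority, and the default-allow for traffic that matches no policy are all assumptions of the model; strict mode is not modelled.

```python
"""Constructed model of inbound access control policy matching (added example,
not Cloud Firewall's own code). One source (CIDR or region), one destination
CIDR, a protocol, a port range, an application, an action, a priority and a
per-policy hit counter, following the parameter descriptions in this topic."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Region labels are constructed for this model; the console uses named locations.
IN_CHINA = "China"
OUTSIDE_CHINA = "Regions Outside China"

PRIORITY_RANK = {"Highest": 0, "Lowest": 1}


@dataclass
class Flow:
    src_ip: str
    src_region: str
    dst_ip: str
    proto: str                  # TCP, UDP or ICMP
    dst_port: Optional[int]     # None for ICMP
    app: Optional[str]          # identified application, None if not identified


@dataclass
class Policy:
    name: str
    source_type: str            # "IP" or "Region"
    source: str                 # one CIDR block, or one region label
    destination: str            # one CIDR block
    proto: str                  # ANY, TCP, UDP or ICMP
    ports: Optional[Tuple[int, int]]   # inclusive port range; None if not set
    application: str            # ANY or one named application
    action: str                 # Allow, Deny or Monitor
    priority: str = "Lowest"    # Lowest (default) or Highest
    hits: int = 0


def policy_matches(policy: Policy, flow: Flow) -> bool:
    """Return True when every condition of the policy holds for the flow."""
    if policy.source_type == "IP":
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(policy.source):
            return False
    elif policy.source_type == "Region":
        if flow.src_region != policy.source:
            return False
    else:
        raise ValueError(f"unsupported source type {policy.source_type!r}")
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(policy.destination):
        return False
    if policy.proto != "ANY" and policy.proto != flow.proto:
        return False
    # ICMP has no ports: a port range on an ICMP or ANY policy is ignored for
    # ICMP traffic, as the Ports note above states.
    if flow.proto != "ICMP" and policy.ports is not None:
        low, high = policy.ports
        if flow.dst_port is None or not low <= flow.dst_port <= high:
            return False
    # A policy for a named application only matches traffic identified as that
    # application; unidentified traffic falls through to later policies.
    if policy.application != "ANY" and flow.app != policy.application:
        return False
    return True


def evaluate(policies, flow: Flow):
    """Return (policy name, effective action) for the first matching policy.

    Highest-priority policies are checked first; policies of equal priority are
    checked in list order (sorted() is stable). Monitor records the hit and
    lets the traffic through. Unmatched traffic is assumed to be allowed here.
    """
    for policy in sorted(policies, key=lambda p: PRIORITY_RANK[p.priority]):
        if policy_matches(policy, flow):
            policy.hits += 1
            return policy.name, ("Allow" if policy.action == "Monitor" else policy.action)
    return None, "Allow"


def hit_counts(policies):
    """Mirror of the Hits column: how often each policy has matched so far."""
    return {p.name: p.hits for p in policies}


def example_policies():
    """Constructed policy set; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges."""
    return [
        # A known partner outside China keeps HTTPS access, so it is Highest priority.
        Policy("allow-partner", "IP", "198.51.100.0/24", "203.0.113.0/24",
               "TCP", (443, 443), "HTTPS", "Allow", priority="Highest"),
        # Observe SSH from outside China before deciding on Allow or Deny.
        Policy("watch-ssh", "Region", OUTSIDE_CHINA, "203.0.113.0/24",
               "TCP", (22, 22), "SSH", "Monitor"),
        # The policy this topic configures: deny everything else from outside China.
        Policy("block-outside-china", "Region", OUTSIDE_CHINA, "203.0.113.0/24",
               "ANY", (1, 65535), "ANY", "Deny"),
    ]


if __name__ == "__main__":
    policies = example_policies()
    samples = [  # constructed flows
        Flow("198.51.100.7", OUTSIDE_CHINA, "203.0.113.10", "TCP", 443, "HTTPS"),
        Flow("192.0.2.5", OUTSIDE_CHINA, "203.0.113.10", "TCP", 443, "HTTPS"),
        Flow("192.0.2.5", OUTSIDE_CHINA, "203.0.113.10", "TCP", 22, "SSH"),
        Flow("192.0.2.5", OUTSIDE_CHINA, "203.0.113.10", "ICMP", None, None),
        Flow("192.0.2.99", IN_CHINA, "203.0.113.10", "TCP", 443, "HTTPS"),
    ]
    for flow in samples:
        print(flow.src_ip, flow.src_region, flow.proto, flow.dst_port, "->", evaluate(policies, flow))
    print(hit_counts(policies))
```

The ordering matters in the same way it does in the console: the Highest-priority allow for the partner range is checked before the Lowest-priority deny for regions outside China, so the partner's HTTPS traffic is allowed while other traffic from outside China is denied, and the ICMP probe is denied even though the deny policy carries a port range, because ports are not applied to ICMP. An SSH flow whose application was not identified does not match the SSH-specific Monitor policy, which is the behaviour the Application note describes.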

Modify an access control policy

After an access control policy is created, you can modify the access control policy based on your business requirements.

To modify an access control policy, find the access control policy on the Inbound Policies tab and click Modify in the Actions column. In the Modify Policy panel, modify the parameters of the access control policy.