
Cloud Firewall: Internet Firewall

Last Updated: Feb 20, 2024

You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This reduces the exposure of Internet-facing assets on the Internet and the security risks to business traffic. When you enable the Internet firewall, you do not need to modify the current network topology. You can add resources to the Internet firewall within seconds to implement visualized analysis, attack prevention, access control, and log audit for inbound and outbound Internet traffic.

Feature description

Implementation

After you enable the Internet firewall for public IPv4 and IPv6 addresses, Cloud Firewall filters inbound and outbound traffic based on traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. The Internet firewall checks whether inbound and outbound traffic matches the specified conditions and blocks unauthorized traffic. This ensures the security of the traffic between Internet-facing assets and the Internet.

The following figure provides an example.


Impacts

When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove resources from the Internet firewall within seconds without the need to change the current network topology. Your workloads are not affected.

Specifications

The specifications of the Internet firewall consist of Protected Public IP Addresses and Protected Internet Traffic.

  • Protected Public IP Addresses: the number of public IP addresses that can be protected by the Internet firewall.

  • Protected Internet Traffic: the total peak Internet traffic that can be protected. The metering metric is the peak outbound or inbound Internet traffic, whichever is higher.

How the specifications are applied depends on the billing method:

  • Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that use the subscription billing method: The protection capabilities vary based on the specifications that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see View the protection status of assets. The maximum value of Protected Public IP Addresses varies based on the Cloud Firewall edition. For more information, see Subscription.

  • Cloud Firewall that uses the pay-as-you-go billing method: You are charged based on the actual number of protected public IP addresses and the total protected peak Internet traffic. The values of the specifications are unlimited. For more information, see Pay-as-you-go.

View the protection status of assets

Cloud Firewall collects statistics such as the number of public IP addresses that are protected, the number of public IP addresses that are not protected, and the protection status of public IP addresses in different regions. You can enable the Internet firewall for public IP addresses based on your business requirements.

Note

To ensure the security of business traffic, we recommend that you enable the Internet firewall for all public IP addresses within your Alibaba Cloud account.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, view the protection status of the public IP addresses within the current Alibaba Cloud account.


  4. Optional. If the Available Quota is insufficient, click Increase Quota to upgrade the Cloud Firewall edition, or increase the values of the Protected Public IP Addresses and Protected Internet Traffic parameters based on your business requirements. For more information, see Subscription.

Enable the Internet firewall

Enable the Internet firewall for public IP addresses with a few clicks

If you do not turn on Automatic Protection for New Assets, you can manually enable the Internet firewall for public IP addresses.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPV4 or IPV6 tab and enable the Internet firewall for public IP addresses.

    If the required public IP address is not displayed in the public IP address list, you can click Synchronize Assets in the upper-right corner of the IP address list to synchronize information about the public IP addresses within the current Alibaba Cloud account and members that are managed by the account. The system requires 1 to 2 minutes to synchronize asset information.

    • Enable the Internet firewall for a single public IP address

      In the public IP address list, find the public IP address for which you want to enable the Internet firewall and click Enable Protection in the Actions column.


    • Enable the Internet firewall for multiple public IP addresses at a time

      In the public IP address list, select the public IP addresses for which you want to enable the Internet firewall and click Enable Protection below the list.

      Alternatively, click Enable Protection in the statistics section to enable the Internet firewall for all public IP addresses based on the public IP address, region, or asset type.

Turn on Automatic Protection for New Assets

After you turn on Automatic Protection for New Assets, Cloud Firewall automatically enables the Internet firewall for public IP addresses that are newly added to the current Alibaba Cloud account and members that are managed by the account.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, turn on Automatic Protection for New Assets.


What to do next

If you do not create an access control policy for the Internet firewall, Cloud Firewall automatically allows all traffic that passes through the Internet firewall. You can go to the Access Control > Internet Border page and create access control policies. For more information, see Create inbound and outbound access control policies for the Internet firewall.

More operations

Apply default Allow policies

Note

The Internet firewall protects Internet traffic. Make sure that traffic between the protected Internet-facing assets and the Internet is allowed. For more information, see the official documentation of the Internet-facing assets.

When you protect public IP addresses or elastic IP addresses (EIPs) of Elastic Compute Service (ECS) instances, you can apply the default Allow policies to a security group with a few clicks in the Cloud Firewall console. You do not need to modify the security group rules in the ECS console.

How it works

Cloud Firewall applies four access control policies with the lowest priority to the security groups of an ECS instance that has a public IP address. The policies allow traffic from the Internet to the public IP address. The access control policies are considered security group rules. The lowest priority is 100.

For rules that have the same priority, the ECS security group preferentially uses a Deny rule to match traffic. If you configured a Deny rule that has a priority of 100, the default Allow policies that are added by Cloud Firewall do not affect the Deny rule.

Precautions

  • The default Allow policies that are applied take effect on all resources that are added to the security group. Before you apply the default Allow policies, we recommend that you enable firewalls for all resources that are added to the security group, and properly configure inbound access control policies for the Internet firewall. Otherwise, your assets may be exposed on the Internet.

    We recommend that you do not apply the default Allow policies to resources for which firewalls are disabled, and do not disable firewalls for resources to which the default Allow policies are applied.

  • After Cloud Firewall expires, the four default Allow policies that are added by Cloud Firewall are retained in the security groups and are valid. If you no longer use Cloud Firewall, we recommend that you manually delete the four default Allow policies that are added by Cloud Firewall. For more information, see Delete a security group rule.

Limits

  • The default Allow policies for security groups allow only inbound traffic to the public IP address and EIP of an ECS instance.

  • Advanced security groups do not support default Allow policies.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPV4 or IPV6 tab.

  4. On the public IP address list, find the IP address of an ECS instance to which you want to apply the default Allow policies and click Apply in the Default Allow Policies column.

  5. Optional. If the existing rules of the security group conflict with the default Allow policies, adjust the rules.

    • The conflicts can be resolved: The priorities of the existing rules are the same as the priorities of the default Allow policies, and the protocol types, port ranges, and authorization objects are different.

      To increase the priorities of the existing rules, you only need to click Quick Modify and then click OK in the Default Allow Policies dialog box.

    • The conflicts cannot be resolved: The priorities, protocol types, port ranges, and authorization objects of the existing rules are the same as those of the default Allow policies.

      We recommend that you go to the Security Groups page in the ECS console to view and adjust the priorities of the existing rules. For more information, see Modify a security group rule. You can also submit a ticket to obtain technical support.

  6. In the Actions column of a security group, click Quick Apply to view the four default Allow policies, and click OK.

    If an ECS instance is added to multiple security groups, you must apply the default Allow policies to all the security groups before the policies can take effect.


Subsequent operations

After you apply the default Allow policies, you can go to the Firewall Settings > Internet Firewall tab to check whether the policies are applied to the security groups of your ECS instances. If the policies fail to be applied, troubleshoot the failure at the earliest opportunity.

The default Allow policies can be in one of the following states:

  • Applied: The policies are applied to all security groups of an ECS instance.

  • Not Applied: The policies are applied to only some of the security groups of the ECS instance, are not applied to any security group of the ECS instance, or conflict with existing security group rules.

  • -: This type of asset does not support default Allow policies.
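The following is an added example, not Alibaba Cloud code, that models three points from this page in one place: the rule matching described under How it works (the four default Allow policies sit at priority 100, and a Deny rule at the same priority is preferred), the conflict classification in step 5 of the procedure (same priority with different protocol, port range, or authorization object is resolvable by raising the existing rule's priority; identical rules are not), and the Applied / Not Applied status for an instance in several security groups. The rule shape, the stand-in for a default Allow policy, the "lower number wins" ordering, and the default deny when no rule matches are assumptions made for the example; the page does not state the content of the four policies.

```python
"""Constructed model of ECS security group rule evaluation as it relates to
the Cloud Firewall default Allow policies. Not Alibaba Cloud code."""
from dataclasses import dataclass
import ipaddress

DEFAULT_ALLOW_PRIORITY = 100  # the lowest security group priority (from the page)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    priority: int        # assumed: 1 is the highest priority, 100 the lowest
    protocol: str        # "tcp", "udp", "icmp" or "all"
    port_range: tuple    # (low, high); (-1, -1) means all ports
    source: str          # authorization object, given as a CIDR

    def matches(self, protocol, port, src_ip):
        if self.protocol not in ("all", protocol):
            return False
        lo, hi = self.port_range
        if (lo, hi) != (-1, -1) and not lo <= port <= hi:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


# Constructed stand-in for one of the four default Allow policies; the page
# only says they allow traffic from the Internet to the public IP address.
DEFAULT_ALLOW = Rule("allow", DEFAULT_ALLOW_PRIORITY, "all", (-1, -1), "0.0.0.0/0")


def evaluate(rules, protocol, port, src_ip):
    """Return 'allow' or 'deny' for one inbound packet against a security group."""
    candidates = [r for r in rules if r.matches(protocol, port, src_ip)]
    if not candidates:
        return "deny"  # assumed default when no rule matches
    best = min(r.priority for r in candidates)
    top = [r for r in candidates if r.priority == best]
    # Same priority: the Deny rule is preferred, as the page describes.
    return "deny" if any(r.action == "deny" for r in top) else "allow"


def classify_conflict(existing, default_allow):
    """Classify a conflict between an existing rule and a default Allow policy.

    'none'         priorities differ, nothing to adjust
    'resolvable'   same priority but not identical in protocol, port range and
                   authorization object: raise the existing rule's priority
    'unresolvable' same priority, protocol, port range and authorization
                   object: adjust manually in the ECS console
    """
    if existing.priority != default_allow.priority:
        return "none"
    identical = (existing.protocol == default_allow.protocol
                 and existing.port_range == default_allow.port_range
                 and existing.source == default_allow.source)
    return "unresolvable" if identical else "resolvable"


def apply_status(instance_groups, groups_with_policies):
    """'Applied' only when every security group of the instance has the policies."""
    return "Applied" if set(instance_groups) <= set(groups_with_policies) else "Not Applied"


if __name__ == "__main__":
    # A customer Deny rule for SSH at priority 100 next to the default Allow.
    rules = [Rule("deny", 100, "tcp", (22, 22), "0.0.0.0/0"), DEFAULT_ALLOW]
    print("tcp/22 :", evaluate(rules, "tcp", 22, "203.0.113.5"))   # deny wins the tie
    print("tcp/443:", evaluate(rules, "tcp", 443, "203.0.113.5"))  # only the Allow matches
    print(classify_conflict(Rule("allow", 100, "tcp", (80, 80), "0.0.0.0/0"), DEFAULT_ALLOW))
    print(apply_status(["sg-a", "sg-b"], ["sg-a"]))
```

Running the script shows the point of the How it works section: adding the default Allow policies at priority 100 does not override an existing Deny rule at the same priority, while traffic that only the Allow matches is admitted. The conflict check and the status helper mirror the manual checks the procedure asks you to make after clicking Apply.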

Download a list of public IP addresses

You can download information about public IP addresses as a CSV file to your computer.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPV4 or IPV6 tab.

  4. In the upper-right corner of the public IP address list, click the download icon.

  5. In the upper-right corner of the Internet Firewall tab, click Download Task Management to view the progress of the download task. After the download task is complete, click Download in the Actions column.

Disable the Internet firewall for a public IP address

Warning

After you disable the Internet firewall for a public IP address, Cloud Firewall cannot manage traffic of the public IP address, and risks such as attacks and data leaks may occur. Proceed with caution.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPV4 or IPV6 tab. Find the public IP address for which you want to disable the Internet firewall and click Disable Protection in the Actions column.