
Elastic Compute Service:use Cloud Firewall to control access between ECS instances

Last Updated:Mar 27, 2024

Cloud Firewall allows you to centrally manage east-west traffic between Elastic Compute Service (ECS) instances and north-south traffic between the Internet and ECS instances to prevent unauthorized access to ECS instances. The access control policies that you configure and publish for an internal firewall in Cloud Firewall are synchronized to ECS security groups. This topic describes how to configure access control policies for an internal firewall and view business relationships in the Cloud Firewall console.

Prerequisites

Background information

Cloud Firewall provides various features, such as a switch that allows you to quickly enable or disable firewalls, intrusion detection, outbound connection blocking, traffic analysis, and logging. Cloud Firewall provides firewalls as a service, including internal firewalls, Internet firewalls, and virtual private cloud (VPC) firewalls. For more information, see Cloud Firewall and Terms.

Internal firewalls are used to control east-west traffic between ECS instances and use ECS security group capabilities at the underlying layer. To control east-west traffic between ECS instances, you can create policy groups for internal firewalls in the Cloud Firewall console or configure security group rules in security groups in the ECS console. The configurations of Cloud Firewall and ECS security groups are automatically synchronized. You can also configure application groups to view the access relationships between ECS instances, and then optimize the policies that control network communication between the instances based on the access status.

Internet firewalls are used to control north-south traffic between the Internet and ECS instances. You can create inbound or outbound access control policies for Internet firewalls based on your business requirements to improve security posture on top of intrusion prevention. For more information, see Overview of traffic analysis and Overview of access control policies.

We recommend that you use Cloud Firewall in the following scenarios:

  • Domain name-based access control

  • Application-based access control

  • Automatic interception of outbound connections initiated by victim hosts

  • Scenarios in which access logs within the previous six months are required based on the Multi-Level Protection Scheme (MLPS) requirements

Configure an internal firewall

Security groups are distributed virtual internal firewalls provided by ECS that allow you to monitor port status, filter packets, and control network access between ECS instances. A security group contains ECS instances that reside in the same region, have the same security requirements, and trust each other. When you create an ECS instance, you must specify security groups for the instance. Each ECS instance must be added to at least one security group.

Internal firewalls use the security group feature at the underlying layer. You can configure policies on the Access Control > Internal Border page in the Cloud Firewall console or configure security groups in the ECS console. The configurations in the consoles are automatically synchronized.

Perform the following steps to configure an internal firewall:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internal Border.

  3. Create a policy group.

    1. On the Internal Border page, click Create Policy Group.

    2. In the Create Policy Group dialog box, configure the parameters. The following list describes each parameter.

      Policy Group Type

      Select a type for the policy group. Valid values:

      • Common Policy Group

      • Enterprise Policy Group

      Policy Group Name

      Enter a name for the policy group.

      We recommend that you enter an informative name for easy identification.

      VPC

      Select a VPC to which you want to apply the policy group from the VPC drop-down list. A policy group can be applied to only one VPC.

      Instance ID

      Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.

      Note

      The Instance ID drop-down list contains only ECS instances within the selected VPC.

      Description

      Enter a description for the policy group.

      Template

      Select a template that you want to use from the Template drop-down list.

      • default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.

      • default-accept-all: allows all inbound and outbound traffic.

      • default-drop-all: denies all inbound and outbound traffic.

        Note

        Enterprise policy groups do not support the default-drop-all template.

  4. Create a policy in the policy group.

    1. On the Internal Border page, find the policy group that you want to manage. In the Actions column, click Configure Policy.

    2. On the page that appears, click Create Policy.

    3. In the Create Policy dialog box, configure the parameters. The following list describes each parameter.

      NIC Type

      The default value is Internal Network. This value specifies that the policy controls the inbound and outbound traffic of ECS instances.

      Direction

      The direction of traffic to which you want to apply the policy. Valid values:

      • Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.

      • Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.

      Policy Type

      The type of the policy. Valid values:

      • Allow: allows the traffic that hits the policy.

      • Deny: denies the traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configurations but different policy types, the policy whose type is Deny takes effect.

        Note

        Enterprise policy groups do not support the Deny policy type.

      Protocol Type

      The protocol type of traffic to which you want to apply the policy.

      If you select ANY, the policy is applied to all traffic. If you do not know the protocol type, select ANY.

      Port Range

      The destination port range of traffic to which you want to apply the policy.

      If you enter a port range, the policy takes effect on all ports within the range. For example, if you enter 1/200, the policy takes effect on ports 1 to 200. If you enter a single port, the policy takes effect only on that port. For example, if you enter 80/80, the policy takes effect on port 80.

      Priority

      The priority of the policy. The priority must be an integer within the range of 1 to 100. A smaller value indicates a higher priority.

      Different policies can have the same priority. If an Allow policy and a Deny policy have the same priority, the Deny policy takes precedence.

      Source Type and Source

      The source of traffic. If you set Direction to Inbound, you must configure these parameters. You can configure Source based on the value of Source Type.

      • CIDR Block

        If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.

      • Policy Group

        If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.

        Note

        Enterprise policy groups do not support the Policy Group type.

      • Prefix List

        If you select this type, you must select a prefix list from the Source drop-down list. Then, Cloud Firewall controls the traffic of all ECS instances in the security groups with which the prefix list is associated. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

      Destination

      The destination of traffic. If you set Direction to Inbound, you must configure this parameter. Valid values:

      • All ECS Instances: all ECS instances specified in the current policy group.

      • CIDR Block: If you select this option, you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of traffic. Cloud Firewall controls only the inbound traffic of ECS instances that correspond to the CIDR block.

      Select Source

      The type of the traffic source. If you set Direction to Outbound, you must configure this parameter. Valid values:

      • All ECS Instances: all ECS instances specified in the current policy group.

      • CIDR Block: If you select this option, you must enter a source IP address or CIDR block. The ECS instances that correspond to the IP address or CIDR block are the source of traffic.

      Destination Type and Destination

      The type of the traffic destination and the destination addresses. If you set Direction to Outbound, you must configure these parameters.

      Valid destination types:

      • CIDR Block

        If you select this type, you must enter a destination CIDR block. You can enter only one CIDR block.

      • Policy Group

        If you select this type, you must select a policy group. Traffic destined for all ECS instances in the policy group is managed.

        Note

        Enterprise policy groups do not support the Policy Group type.

      • Prefix List

        If you select this type, you must select a prefix list from the Source drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

      Description

      The description of the policy.

    4. Click Submit.

      Wait until the policy is created. Then, you can view the policy in the policy list of the internal firewall.

  5. Publish the policy.

    1. On the Internal Border page, find the policy group that contains the policy that you want to publish. In the Actions column, click Publish.

    2. In the Publish Policy dialog box, configure Remarks, confirm policy changes, and then click OK.

      The policies are synchronized to ECS security groups and take effect only after you publish the policies. You can log on to the ECS console and choose Network & Security > Security Groups to view the policies that you published in the Cloud Firewall console. The default name of the policy group created by Cloud Firewall in the ECS console is Cloud_Firewall_Security_Group.
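
The policy semantics described in the steps above (priority 1 to 100 with a smaller value winning, Deny beating Allow at equal priority, the start/end port-range notation, and the three policy group templates) can be checked offline before anything is published. The following model is an added example and not Alibaba Cloud code: it assumes the templates apply to the CIDR block 0.0.0.0/0, it covers only TCP, UDP and ANY, and it reports unmatched traffic as "no-match" because the page does not state what happens to traffic that hits no policy. The policy group and packets at the bottom are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse the console's start/end notation: '1/200' -> (1, 200), '80/80' -> (80, 80)."""
    try:
        lo_text, hi_text = text.split("/")
        lo, hi = int(lo_text), int(hi_text)
    except ValueError:
        raise ValueError(f"port range must be written as start/end, got {text!r}") from None
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}: need 1 <= start <= end <= 65535")
    return lo, hi


@dataclass(frozen=True)
class Policy:
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    protocol: str    # "TCP", "UDP" or "ANY" (ANY matches every protocol)
    port_range: str  # destination port range in console notation, e.g. "1/200"
    priority: int    # 1..100, a smaller value is a higher priority
    peer_cidr: str   # source CIDR for inbound policies, destination CIDR for outbound
    description: str = ""

    def __post_init__(self) -> None:
        # Reject values the console would not accept, so a bad policy fails early.
        if self.direction not in ("inbound", "outbound"):
            raise ValueError(f"bad direction {self.direction!r}")
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if not 1 <= self.priority <= 100:
            raise ValueError(f"priority must be 1..100, got {self.priority}")
        parse_port_range(self.port_range)
        ip_network(self.peer_cidr)


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound" relative to the protected ECS instance
    protocol: str   # "TCP" or "UDP"
    port: int       # destination port
    peer_ip: str    # source IP for inbound traffic, destination IP for outbound


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when every field of the policy covers the packet."""
    if policy.direction != pkt.direction:
        return False
    if policy.protocol != "ANY" and policy.protocol != pkt.protocol:
        return False
    lo, hi = parse_port_range(policy.port_range)
    if not lo <= pkt.port <= hi:
        return False
    return ip_address(pkt.peer_ip) in ip_network(policy.peer_cidr)


def evaluate(policies: list[Policy], pkt: Packet) -> tuple[str, Optional[Policy]]:
    """Return ("allow" | "deny", winning policy) or ("no-match", None).

    The matching policy with the smallest priority value wins; on a tie a Deny
    policy takes precedence over an Allow policy. Unmatched traffic is reported
    as "no-match" (assumption: the page states no default for it).
    """
    hits = [p for p in policies if matches(p, pkt)]
    if not hits:
        return "no-match", None
    winner = min(hits, key=lambda p: (p.priority, 0 if p.action == "deny" else 1))
    return winner.action, winner


def template(name: str) -> list[Policy]:
    """Policies equivalent to the three console templates (assumed peer CIDR 0.0.0.0/0)."""
    anywhere = "0.0.0.0/0"
    if name == "default-accept-login":
        return [Policy("inbound", "allow", "TCP", "22/22", 1, anywhere, "SSH"),
                Policy("inbound", "allow", "TCP", "3389/3389", 1, anywhere, "RDP"),
                Policy("outbound", "allow", "ANY", "1/65535", 1, anywhere, "all outbound")]
    if name == "default-accept-all":
        return [Policy("inbound", "allow", "ANY", "1/65535", 1, anywhere, "all inbound"),
                Policy("outbound", "allow", "ANY", "1/65535", 1, anywhere, "all outbound")]
    if name == "default-drop-all":
        return [Policy("inbound", "deny", "ANY", "1/65535", 1, anywhere, "drop inbound"),
                Policy("outbound", "deny", "ANY", "1/65535", 1, anywhere, "drop outbound")]
    raise ValueError(f"unknown template {name!r}")


if __name__ == "__main__":
    # Constructed policy group: the login template plus an intranet rule and one exception.
    group = template("default-accept-login") + [
        Policy("inbound", "allow", "TCP", "1/200", 10, "10.0.0.0/8", "intranet low ports"),
        Policy("inbound", "deny", "TCP", "80/80", 10, "10.0.0.0/8", "no plain HTTP"),
    ]
    for port in (22, 80, 81, 443):
        verdict, pol = evaluate(group, Packet("inbound", "TCP", port, "10.1.2.3"))
        print(port, verdict, pol.description if pol else "-")
```

Running the block shows port 22 allowed by the template's SSH policy (priority 1 outranks the priority-10 intranet policy), port 80 denied because the Deny policy ties with the Allow policy at priority 10, port 81 allowed by the 1/200 policy, and port 443 reported as no-match.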

After the internal firewall is configured, the firewall controls access between ECS instances. You can also configure application groups in Cloud Firewall to visualize business relationships.

View business relationships

In the east-west business visualization module of Cloud Firewall, a business group contains all application groups related to a specific business. For example, a web portal business group contains web application groups and database application groups. An application group is a collection of applications that provide the same or similar services. For example, you can add all ECS instances on which MySQL is deployed to a database application group, and add all ECS instances on which Apache is deployed to a web application group.

Perform the following steps to view the relationship between ECS instances:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Business Visualization > Custom Groups.

  3. Create a business group.

    1. On the Custom Groups page, click the Business Groups tab.

    2. On the Business Groups tab, select a VPC and click Create Business Group.

    3. In the dialog box that appears, configure parameters and click OK.

      The following list describes the parameters and gives an example value for each.

      Name: Enter a name for the business group. The name must be 1 to 40 characters in length. Example: Database business or Web business.

      Description: Enter a description for the business group. Example: Web.

      Importance Degree: Specify the importance degree of the business group. You can distinguish business groups based on importance degrees in the business relations graph. Valid values: Moderate, Important, and Critical. Example: Critical.

  4. Create an application group.

    1. On the Custom Groups page, click the Application Groups tab.

    2. On the Application Groups tab, select a VPC and click Create Application Group.

    3. In the dialog box that appears, configure parameters and click OK.

      The following list describes the parameters and gives an example value for each.

      Name: Enter a name for the application group. The name must be 1 to 40 characters in length. Example: Database application group or Web application group.

      Description: Enter a description for the application group. Example: Web application group.

      Importance Degree: Specify the importance degree of the application group. You can distinguish application groups based on importance degrees in the business relations graph. Valid values: Moderate, Important, and Critical. Example: Critical.

      Business Group: Optional. You can select Select Existing Business Group or Create Business Group. Example: Select Existing Business Group.

      Name (below Business Group):

      • If you select Select Existing Business Group, select the name of an existing business group from the Name drop-down list.

      • If you select Create Business Group, configure the Name, Description, and Importance Degree parameters that appear below Business Group.

      Example: Database business or Web business.

  5. Assign applications.

    1. On the Custom Groups page, click the Applications tab.

    2. Select a VPC. Example: China (Hangzhou) - vpc-xxx.

    3. Assign applications based on your business requirements. For example, assign all ECS instances on which MySQL is deployed to a database application group, and assign all ECS instances on which Apache is deployed to a web application group.

  6. View business relationships.

    1. Log on to the Cloud Firewall console.

    2. In the left-side navigation pane, choose Business Visualization > Application Groups.

    3. On the Application Groups page, click the VPC that you want to manage.

    4. On the application group visualization page of the VPC, you can view information about each business group, including the visits, dependent business groups, and independent business groups.

    5. In the right part of the application group visualization page, click the View Details icon to open the business relationship page of a business group. You can view the nodes and business relationships of the business group.