Deploy Cloud Firewall at your Internet egress to filter inbound and outbound traffic for your ECS instances — even if your instances only access the Internet and don't serve external users.
Security risks
Any ECS instance with a public IP is exposed to both inbound and outbound threats.
Inbound threats originate from the Internet. Attackers continuously scan public IP addresses for open ports such as port 22 (SSH), port 3306 (databases), and port 3389 (remote desktop). Once they find an open port, they attempt to intrude through:
Exploits: attacks that target known vulnerabilities in your applications or system software, such as Log4j and Fastjson, to gain arbitrary code execution on your server.
Brute-force attacks: automated password guessing against SSH, Remote Desktop Protocol (RDP), and database services.
Web attacks: SQL injection, cross-site scripting (XSS), and Webshell uploads targeting web services.
DDoS attacks: malformed packets or traffic floods that exhaust server resources and cause service disruptions.
Outbound threats emerge when your server is compromised and becomes a foothold in an attacker's network:
Command and control (C&C) communication: implanted trojans or botnet programs actively connect to an external control center to receive instructions and send data.
Data breach: sensitive data is stolen and transferred to an external location.
Lateral movement: attackers use your server to attack other servers within the virtual private cloud (VPC) or launch external attacks such as sending spam or participating in DDoS attacks, which can get your IP address blocked globally and damage your business reputation.
How Cloud Firewall protects your instances
Cloud Firewall sits at your Internet egress and analyzes all traffic crossing that boundary before it reaches your instances.
Cloud Firewall applies the following techniques to block malicious traffic:
Deep packet inspection (DPI): inspects packet contents — not just IP addresses and ports — to identify threats hidden in legitimate-looking traffic.
Intrusion prevention system (IPS): uses a built-in library of thousands of attack signature rules to detect and block exploits, brute-force attacks, mining trojans, and Webshells. Protection applies even to ports you have intentionally opened.
Threat intelligence integration: integrates in real time with Alibaba Cloud's global threat intelligence database of malicious IP addresses and domain names and automatically blocks connection requests from known malicious IP addresses and botnet C&C servers.
Virtual patching: before an official patch is released, Cloud Firewall updates its IPS rules to block 0-day exploits, closing the window of exposure for your instances.
Enable the Internet firewall and protect public assets
Prerequisites
Before you begin, ensure that you have:
Enable protection
Log on to the Cloud Firewall console.
In the left navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPv4 or IPv6 tab.
Enable protection for your public assets using one of the following methods:
Single asset: In the public asset list, find the asset. In the Actions column, click Enable Protection.
Multiple assets: Select one or more assets in the list, then click Enable Protection below the list.
All assets at once: Click Enable Protection in the data statistics area. Assets are organized by public IP, region, and asset type.
If an asset doesn't appear in the list, click Synchronize Assets in the upper-right corner to sync assets from your Alibaba Cloud account and its member accounts. The sync takes 1 to 2 minutes.
Configure access control
After enabling protection, restrict which traffic can reach your instances and which external destinations your instances can connect to.
Block traffic from regions outside China: statistics show that many attacks originate from IP addresses outside China. Restricting access from these addresses reduces your exposure. For details, see Configure an access control policy to deny traffic from regions outside China to a server.
Restrict outbound domain access: limit which external domains your ECS instances can reach. For example, if a server only needs to download images or packages from specific sites, allow only web protocols to those domains. For details, see Configure access control policies to allow traffic from an Internet-facing server only to a specific domain name and Configure access control policies to allow traffic from an internal-facing server only to a specific domain name.
For a comprehensive set of access control patterns, see Access control best practices.
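To make the ordering of these two patterns concrete, the following Python model (added here; it is not Cloud Firewall's API or the product's own code) evaluates an ordered access control list the way a first-match policy engine does. The rule fields, the mirror domain mirrors.example.com and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str            # "in" (Internet -> instance) or "out" (instance -> Internet)
    action: str               # "accept" or "drop"
    peer: str = "any"         # remote side: "loc:CN", "loc:!CN", "domain:<name>" or "any"
    application: str = "ANY"  # e.g. "HTTP", "HTTPS", "SSH" or "ANY"

@dataclass(frozen=True)
class Flow:
    direction: str
    peer_country: str                  # ISO country code of the remote IP address
    application: str
    peer_domain: Optional[str] = None  # destination domain of an outbound connection

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction != flow.direction or rule.application not in ("ANY", flow.application):
        return False
    kind, _, value = rule.peer.partition(":")
    if kind == "loc":      # location-based peer, with "!" meaning "everywhere except"
        return flow.peer_country != value[1:] if value.startswith("!") else flow.peer_country == value
    if kind == "domain":   # domain-based destination, meaningful for outbound traffic
        return flow.peer_domain == value
    return kind == "any"

def evaluate(policies: List[Rule], flow: Flow, default: str = "accept") -> str:
    """Ordered list, first match wins; traffic matching no rule gets the default action."""
    for rule in policies:
        if matches(rule, flow):
            return rule.action
    return default

# Constructed policy list for an Internet-facing server that only needs to
# download packages from one mirror over HTTPS.
POLICIES = [
    Rule("in", "drop", peer="loc:!CN"),                                       # deny inbound from outside China
    Rule("out", "accept", peer="domain:mirrors.example.com", application="HTTPS"),
    Rule("out", "drop"),                                                      # final outbound deny-all
]
# Without the final deny-all, unmatched outbound traffic falls through to the
# default action, so the allowlist restricts nothing.
POLICIES_WITHOUT_DENY = POLICIES[:2]

# An outbound HTTPS connection from the instance to an unknown domain, such as a C&C server:
VERDICT = evaluate(POLICIES, Flow("out", "US", "HTTPS", "c2.example.net"))  # "drop"
```

The same flow evaluated against POLICIES_WITHOUT_DENY is accepted, which is why a domain allowlist must end with an explicit outbound deny rule.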
Defend against specific attack types
Use the following Cloud Firewall guides to address the attacks most relevant to your workload:
Database attacks: brute-force, application vulnerabilities, malicious file reads and writes, command execution, and data exfiltration. See Best practices for database security defense.
Worms: service-exploiting malware that spreads across networks. They can cause service disruptions, information theft, regulatory blocks, and ransomware attacks. Cloud Firewall detects worms and their variants and updates detection in real time based on cloud risk posture. This disrupts the entire worm attack and propagation chain. See Best practices to defend against worms.
System security threats: misconfigurations (open ports, weak passwords, weak policies) and system vulnerabilities (command execution, denial-of-service, information disclosure). The IPS module blocks scanning and intrusion attempts, intercepts high-risk vulnerability exploits, and stops reverse shells and system file leaks. See Best practices for system security defense.
Mining programs: IPS uses vulnerability intelligence and virtual patching to block propagation of mining worms. The breach awareness feature identifies infected servers for prompt remediation. See Best practices to defend against mining programs.