
Simple Application Server:Manage the firewall of a simple application server

Last Updated: Jun 05, 2024

The firewall of a simple application server is a virtual firewall that uses firewall rules to control the inbound traffic of the simple application server. This ensures the security of the server. This topic describes how to add, modify, disable, enable, and delete firewall rules for a simple application server. This topic also provides information about the ports preset for the firewall feature, FAQ about firewalls, and related documents.

Feature description

By default, the firewall of a simple application server enables specific ports based on the operating system of the server and disables other ports. You can add firewall rules to enable more ports based on your business requirements. The following list describes the ports that are enabled on a simple application server:

  • Servers that use TCP:

    • Windows servers: ports 3389, 80, and 443

    • Linux servers: ports 22, 80, and 443

  • Servers that use ICMP: the port range is -1, which indicates that all ports are enabled and access from all IP addresses is allowed.

If you remove or disable these default ports in the Simple Application Server console, the Firewall tab of the Servers page shows a message similar to "You disabled or deleted the default port 22 allow rule on the firewall, which affects the remote connection feature." You can add or enable the corresponding ports again based on your requirements.

Limits

  • You can create a maximum of 50 firewall rules for a simple application server.

  • Port 25 is the default email service port. For security reasons, this port is disabled for simple application servers by default. To send emails, use port 465.

  • A firewall controls only the inbound traffic of a simple application server. All outbound traffic of a simple application server is allowed by default.

    Note
    • Inbound traffic: the traffic generated when data is transmitted to a simple application server over the Internet or an internal network.

    • Outbound traffic: the traffic generated when data is transmitted from a simple application server over the Internet or an internal network.

Manage a firewall

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Servers.

  3. Find the simple application server for which you want to add a firewall rule, and click the instance ID in the card of the server.

  4. In the upper-left corner of the Firewall tab, click Add Rule.

  5. In the Add Firewall Rule dialog box, configure parameters based on your business requirements and click OK.

    Warning
    • When you add a firewall rule, configure the port range and IP addresses that are allowed to access the server based on your requirements and follow the principle of least privilege to prevent network attacks.

    • If the ports, protocol, and IP addresses that you specify for the firewall rule are the same as the ports, protocol, and IP addresses of an existing rule, the existing rule is overwritten regardless of whether the existing rule is enabled or disabled.

    Select a preset firewall rule

    You can add a firewall rule with ease by selecting a preset firewall rule. The following table describes the parameters.

    Parameter

    Description

    Application Type

    The application type. Select RDP, FTP, TELNET, MYSQL, All Use TCP, All Use UDP, or All Use TCP and UDP from the drop-down list based on your business requirements. For more information, see the Preset port information section in this topic.

    Protocol

    The protocol. The displayed protocol is used by default and the value cannot be changed.

    Port Range

    The port. The displayed port is used by default and the value cannot be changed.

    IP Source to be Used

    The IP addresses. The default value is 0.0.0.0/0, which indicates all IPv4 addresses.

    Important

    Configure IP addresses based on your requirements and follow the principle of least privilege to prevent network attacks on your server.

    Remarks

    Enter the remarks of the firewall rule for subsequent management.

    Actions

    • Click Add to add multiple firewall rules.

    • Click Delete to delete the firewall rule.

    Create a custom firewall rule

    If the preset firewall rules cannot meet your business requirements, you can create one or more custom firewall rules. The following table describes the parameters.

    Parameter

    Description

    Application Type

    The application type. Select Specify a custom value.

    Protocol

    The protocol. Select TCP or UDP.

    Port Range

    The port range. Valid values: 1 to 65535. You can use one of the following methods to configure this parameter:

    • Specify a single port.

      Enter the number of the port that you want to enable. For example, if you want to allow traffic on MySQL listening port 3306, enter 3306 in the Port Range field.

    • Specify a port range.

      Use a forward slash (/) to separate the start port number and the end port number. For example, if you want to allow traffic over the port range 20000 to 30000 that you specify in the FTP configuration file, enter 20000/30000 in the Port Range field.

    IP Source to be Used

    The IP addresses. The default value is 0.0.0.0/0, which indicates all IPv4 addresses. You can also specify the IPv4 addresses that are allowed to access the server:

    • Specify a single IPv4 address.

      Enter a single IPv4 address. Example: 192.168.0.100.

    • Specify the IPv4 addresses within a CIDR block.

      Enter an IPv4 CIDR block. Example: 192.168.0.0/24.

    Remarks

    Enter the remarks of the firewall rule for subsequent management.

    Actions

    • Click Add to add multiple firewall rules.

    • Click Delete to delete the firewall rule.
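The port range syntax (a single port, or start/end separated by a forward slash), the IPv4 source syntax (a single address or a CIDR block), the overwrite behavior described in the Warning, and the limit of 50 rules can all be checked before a rule is submitted. The following Python model is an added example written for this topic; it is not code from the Simple Application Server console or its API. The class and function names are assumptions, and the model covers the firewall only as far as this topic describes it: inbound allow rules identified by protocol, port range and source, with everything unmatched dropped.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 50                 # per-server limit stated in the Limits section
PORT_MIN, PORT_MAX = 1, 65535  # valid port range for a custom rule


@dataclass
class FirewallRule:
    protocol: str              # "TCP" or "UDP" (custom rules)
    port_range: str            # "3306" or "20000/30000"
    source: str                # "192.168.0.100", "192.168.0.0/24" or "0.0.0.0/0"
    remarks: str = ""
    enabled: bool = True

    def key(self):
        # Protocol + port range + source identify a rule; adding a rule with the
        # same identity overwrites the existing one (enabled or disabled).
        return (self.protocol, self.port_range, self.source)


def parse_port_range(text):
    """Return (start, end) for '3306' or '20000/30000'; raise ValueError if malformed."""
    parts = text.split("/")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid port range: {text!r}")
    start, end = int(parts[0]), int(parts[-1])
    if not (PORT_MIN <= start <= end <= PORT_MAX):
        raise ValueError(f"port range out of bounds: {text!r}")
    return start, end


def is_valid_port_range(text):
    try:
        parse_port_range(text)
        return True
    except ValueError:
        return False


def parse_source(text):
    """Return an IPv4Network for a single address or a CIDR block; reject IPv6."""
    net = ipaddress.ip_network(text)   # '192.168.0.100' becomes 192.168.0.100/32
    if net.version != 4:
        raise ValueError(f"only IPv4 sources are supported: {text!r}")
    return net


class Firewall:
    """Inbound-only allow list (hypothetical model): unmatched traffic is dropped."""

    def __init__(self):
        self.rules = {}            # key -> FirewallRule

    def add_rule(self, rule):
        if rule.protocol not in ("TCP", "UDP"):
            raise ValueError(f"unsupported protocol: {rule.protocol!r}")
        parse_port_range(rule.port_range)
        parse_source(rule.source)
        if rule.key() not in self.rules and len(self.rules) >= MAX_RULES:
            raise ValueError(f"a server may have at most {MAX_RULES} firewall rules")
        # Same protocol, port range and source: overwrite, even if the old rule was disabled.
        self.rules[rule.key()] = rule

    def set_enabled(self, key, enabled):
        self.rules[key].enabled = enabled

    def allows(self, protocol, port, source_ip):
        """True if some enabled rule covers this protocol, port and source address."""
        ip = ipaddress.ip_address(source_ip)
        for rule in self.rules.values():
            if not rule.enabled or rule.protocol != protocol:
                continue
            start, end = parse_port_range(rule.port_range)
            if start <= port <= end and ip in parse_source(rule.source):
                return True
        return False

    def wide_open_rules(self):
        """Enabled rules reachable from any IPv4 address: review these first."""
        return [r for r in self.rules.values()
                if r.enabled and parse_source(r.source).prefixlen == 0]


if __name__ == "__main__":
    fw = Firewall()
    fw.add_rule(FirewallRule("TCP", "22", "0.0.0.0/0", "default SSH"))
    fw.add_rule(FirewallRule("TCP", "3306", "192.168.0.0/24", "MySQL from office"))
    print([r.remarks for r in fw.wide_open_rules()])
```

`wide_open_rules` is the least-privilege check the Important notes ask for: any rule whose source is 0.0.0.0/0 exposes the port to every IPv4 address, so each such rule should be justified or narrowed to a CIDR block.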

Modify, disable, enable, and delete a firewall rule

After you add a firewall rule, you can perform the following operations based on your business requirements.

Operation

Description

Procedure

Modify a firewall rule

If the firewall rules that are created or added by default do not meet your business requirements, you can modify the firewall rules.

  1. Click Modify in the Actions column of the firewall rule that you want to manage.

  2. In the Modify dialog box, modify the Protocol, Port Range, IP Source to be Used, and Remarks parameters based on your business requirements.

  3. Click Confirm.

Disable a firewall rule

You can temporarily disable a port. If you want to allow traffic on the port later, you can enable it directly without the need to create a firewall rule again.

Important

If a firewall rule is disabled, the port specified for the rule cannot be accessed. This affects your business. We recommend that you disable a firewall rule with caution. Make sure that this operation does not affect your business.

  1. Click Disable in the Actions column of the firewall rule that you want to manage.

  2. In the Disable message, click Confirm.

Enable a firewall rule

You can enable a disabled port.

  1. Click Enable in the Actions column of the disabled firewall rule that you want to manage.

  2. In the Enable message, click Confirm.

Delete a firewall rule

You can delete a firewall rule that is no longer used.

Note

If the number of firewall rules does not reach the upper limit of 50, we recommend that you temporarily disable a firewall rule for later use.

  1. Click Delete in the Actions column of the firewall rule that you want to manage.

  2. In the Delete message, click Confirm.

Preset port information

The following table describes the common firewall rules preset in firewalls provided by Alibaba Cloud. You can add firewall rules with ease by using these preset firewall rules. For more information about common ports, see Common ports.

Important
  • The IP source to be used is 0.0.0.0/0 for every preset rule. This default value indicates all IPv4 addresses.

  • Configure IP addresses based on your requirements and follow the principle of least privilege to prevent network attacks on your server.

| Application type | Protocol | Port range | IP source to be used | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | The default HTTP port. It is used to access website services such as Internet Information Services (IIS), Apache, and NGINX. For more information, see Deploy Apache based on a CentOS system image. |
| HTTPS | TCP | 443 | 0.0.0.0/0 | The default HTTPS port. For more information, see the following topics: |
| RDP | TCP | 3389 | 0.0.0.0/0 | The default Remote Desktop Protocol (RDP) port. It is used to connect to a Windows server by using Remote Desktop. For more information, see Connect to a Windows server. |
| FTP | TCP | 21 | 0.0.0.0/0 | The default FTP port. It is used to upload and download files. For more information, see Build an FTP server (Linux). |
| TELNET | TCP | 23 | 0.0.0.0/0 | The default Telnet port. |
| MySQL | TCP | 3306 | 0.0.0.0/0 | The default MySQL port. For more information, see Use DMS to connect to a database on a simple application server. |
| All Use TCP | TCP | 1~65535 | 0.0.0.0/0 | All TCP ports. |
| All Use UDP | UDP | 1~65535 | 0.0.0.0/0 | All UDP ports. |
| All Use TCP and UDP | TCP+UDP | 1~65535 | 0.0.0.0/0 | All TCP and UDP ports. |
| Specify a custom value | TCP or UDP | 1~65535 | 0.0.0.0/0 | The custom port range. |

FAQ

Q1: What is the difference between a simple application server firewall and an operating system firewall?

  • Simple application server firewall: The Simple Application Server console provides a visualized management interface. You can configure firewall rules with ease. However, the firewall of a simple application server can control only inbound traffic.

  • Operating system firewall: A system administrator can configure firewall rules in the operating system to control both inbound and outbound traffic. The system administrator must be familiar with the corresponding firewall software, such as iptables on Linux. In addition, Linux users must be familiar with the CLI.

Q2: How do I check port connectivity by running the Telnet command?

Run the following command to check whether a port can be accessed:

telnet <IP address> <Port>

In this example, port 80 is used. The following command outputs are returned:

Windows

  • The port can be accessed.

    (screenshot: telnet output showing a successful connection)

  • The port cannot be accessed.

    C:\Users\Administrator>telnet 120.55.XX.XX 80
    Connecting To 120.55.XX.XX...Could not enable connection to the host.  The connection on port 80 failed.

Linux

  • The port can be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    Connected to 120.55.XX.XX.
    Escape character is '^]'.

  • The port cannot be accessed.

    [root@VM-4-10-centos ~]# telnet 120.55.XX.XX 80
    Trying 120.55.XX.XX...
    telnet: connect to address 120.55.XX.XX: Connection refused
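Telnet only reports success or failure, but the kind of failure is itself diagnostic: an immediate "Connection refused" means the host answered (nothing is listening there, or a host firewall rejects the connection), while a long wait that ends in a timeout usually means a firewall with no allow rule for the port is silently dropping the packets. The following Python script is an added example for this topic, not part of the original page or of any Alibaba Cloud tool; `check_port` and `loopback_demo` are names chosen here. It classifies a TCP connect attempt the same way, and `loopback_demo` reproduces the "open" and "refused" cases on 127.0.0.1 so the script can be tried without a remote server.

```python
import socket


def check_port(host, port, timeout=3.0):
    """Attempt a TCP connection and classify the outcome.

    'open'    : the handshake completed; a service is listening and every firewall
                on the path (including the simple application server firewall) allows it.
    'refused' : the host answered with a reset; nothing listens on the port or a host
                firewall rejects it (the 'Connection refused' case in the FAQ above).
    'timeout' : no answer at all; typically a firewall without an allow rule is dropping
                the packets, or the host is unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:                 # TimeoutError on Python 3.10 and later
        return "timeout"
    except OSError as exc:                 # e.g. no route to host
        return f"error: {exc.strerror}"


def loopback_demo():
    """Return the result while a local socket listens and again after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())                 # ('open', 'refused')
    # Against a real server: check_port("<IP address>", 80), using the public
    # IP address shown in the Simple Application Server console.
```

When a port that should be open returns "timeout", check the Firewall tab in the console first; when it returns "refused", check the service and the operating system firewall on the server (see Q3 and Q4).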

Q3: How do I check the service status and the listening status of a port?

In this example, the NGINX service in a simple application server is used. The default port is port 80. If you want to check the status of other services, replace the service name and the port number in the commands.

Linux servers

In this example, a Linux server that runs CentOS 7.9 is used. Operations may vary based on the distribution of your Linux server.

  1. Connect to the Linux simple application server.

    For more information, see Connect to a Linux server.

  2. Run the following command to check the status of NGINX:

    systemctl status nginx

    • The following sample command output indicates that NGINX is started.

      (screenshot: output of systemctl status nginx showing that the service is running)

    • If NGINX is not started, run the following command to start NGINX:

      systemctl start nginx

  3. Run the following command to check whether port 80 is listened on:

    netstat -an | grep 80

    • If the following information is returned, port 80 is listened on.

      (screenshot: netstat output showing a LISTEN entry for port 80)

    • If the preceding command output is not returned, port 80 is not listened on.

Windows servers

In this example, a simple application server that runs Windows Server 2012 is used. Operations for simple application servers that run other Windows Server versions are similar.

  1. Connect to the Windows simple application server.

    For more information, see Connect to a Windows server.

  2. Choose Start > Run, enter services.msc, and then click OK. The Services page appears.

  3. Check the status of NGINX.

    1. If no status is displayed for NGINX, right-click NGINX and select Start.

    2. If the status of NGINX is Running, NGINX is started.

  4. Run the following command in Windows PowerShell to check whether port 80 is listened on:

    netstat -ano | findstr "80"

    • If the following information is returned, port 80 is listened on.

      (screenshot: netstat output showing a LISTENING entry for port 80)

    • If the preceding command output is not displayed, port 80 is not listened on.
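`grep 80` and `findstr "80"` match any line that contains the digits 80, so a listener on port 8080, an established connection from local port 49802, or a Windows process ID such as 1804 all produce output even when nothing listens on port 80. The parser below is an added example for the Q3 and Q4 checks above, not part of the original page; the function names are assumptions, and the two `netstat` outputs it parses are constructed samples in the `netstat -an` (Linux) and `netstat -ano` (Windows) formats. It matches the port exactly, only counts TCP entries in the LISTEN or LISTENING state, and reports the bind address, because a service bound to 127.0.0.1 is unreachable from the Internet no matter which firewall rules are added in the console.

```python
# Constructed sample output in the `netstat -an` format of a CentOS 7 server.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.5:22           203.0.113.7:51802       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed sample output in the `netstat -ano` format of Windows Server.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       812
  TCP    10.0.0.4:49802         203.0.113.9:443        ESTABLISHED     2240
  UDP    0.0.0.0:123            *:*                                    1096
"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]", "*", ""}


def _split_local_address(addr):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); ':::443' -> ('::', 443); non-numeric port -> None."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return host, None
    return host, int(port)


def listening_ports(netstat_output):
    """Map (proto, port) -> bind address for every listening socket in the output."""
    listening = {}
    for line in netstat_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower().rstrip("6")      # tcp6 -> tcp, udp6 -> udp
        if proto not in ("tcp", "udp"):
            continue                               # headers, unix sockets, blank lines
        if len(tokens) > 1 and tokens[1].isdigit():
            # Linux layout: Proto Recv-Q Send-Q Local Foreign [State]
            local = tokens[3]
            state = tokens[5] if len(tokens) > 5 else ""
        else:
            # Windows layout: Proto Local Foreign [State] PID (UDP rows have no State)
            local = tokens[1]
            state = tokens[3] if proto == "tcp" and len(tokens) > 3 else ""
        host, port = _split_local_address(local)
        if port is None:
            continue
        if proto == "tcp" and state.upper() not in ("LISTEN", "LISTENING"):
            continue                               # established or closing connections
        listening[(proto, port)] = host
    return listening


def is_listening(netstat_output, port, proto="tcp"):
    """Exact-port replacement for `netstat -an | grep 80`."""
    return (proto, port) in listening_ports(netstat_output)


def externally_bound(netstat_output, port, proto="tcp"):
    """True if the port listens on all interfaces, False if bound to one address
    (e.g. 127.0.0.1, which no console firewall rule can expose), None if not listening."""
    host = listening_ports(netstat_output).get((proto, port))
    if host is None:
        return None
    return host in WILDCARD_HOSTS


if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        print(name, "port 80 listening:", is_listening(sample, 80),
              "bound on all interfaces:", externally_bound(sample, 80))
```

To use it on a real server, pipe the output of `netstat -an` (Linux) or `netstat -ano` (Windows) into `listening_ports`; the Q4 command `netstat -tunlp` produces the same Linux layout with an extra PID/Program name column at the end, which the parser ignores.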

Q4: What do I do if the port of my simple application server cannot be accessed?

If your server is deployed outside the Chinese mainland, such as in the China (Hong Kong) region, unstable connections and high latency may occur due to the congestion of international links and outbound routing restrictions of Internet service providers (ISPs). Cross-border connections are established through the networks of ISPs. The connection quality is affected by many factors and ISPs cannot optimize their networks in a short time.

Solutions:

  • If your business is mainly for users in the Chinese mainland, we recommend that you unsubscribe from the existing simple application server after you create a server in a Chinese mainland region and migrate the data in the existing server to the new server. For more information, see Migrate data between simple application servers.

  • You cannot modify the connection of the simple application server by changing an IP address. If your server is deployed in the China (Hong Kong) region, you can use an Elastic Compute Service (ECS) instance that is associated with a BGP (Multi-ISP) Pro elastic IP address (EIP). In this case, a direct cross-border connection can be established without using the services of ISPs to deliver a better user experience. However, cross-border connection issues still exist and cannot be eliminated. For more information, see Migrate data from a simple application server to an ECS instance by using a shared image, Apply for an EIP, and Associate an EIP with an ECS instance.

In other scenarios, troubleshoot the issue by using the following methods:

  1. Run the netstat -tunlp command to check whether the port of the server is listened on. If the port is not listened on, start the corresponding service to ensure that the port is listened on.

  2. Check whether restrictions are configured on the firewall of the server.

    • For Ubuntu operating systems, run the sudo ufw status command to check.

    • For CentOS 7 and later, run the firewall-cmd --list-ports command to check. If the output indicates that ufw or firewalld is not running, run the iptables -L; iptables -t nat -L commands to check the firewall rules.

  3. Check whether a firewall rule that enables the port for the server is added in the Simple Application Server console.

References

If you cannot access the website or the simple application server after you configure firewall rules, or the firewall of the server does not meet your business requirements, see the following topics: