This topic describes the best practices that you can use to configure access control policies.
How access control works

- Internet firewall:
  - Principle: The Internet firewall controls traffic between the Internet and public IP addresses.
  - Default policy: The default policy allows all traffic.
- Internal firewalls or security groups:
  - Principle: An internal firewall or security group is configured on each Elastic Compute Service (ECS) instance to implement access control for that ECS instance.
  - Default policy: The default policy allows outbound traffic and denies inbound traffic.
Procedure
- Log on to the Cloud Firewall console. In the left-side navigation pane, open the Internet Firewall page.
- On the Internet Firewall page, create an inbound access control policy for the Internet firewall.
  - Allow traffic on the ports that need to be open to the Internet, such as HTTP port 80 and HTTPS port 443.
  - Allow traffic on specific ports that are used for O&M and on ports on which high risks may occur, such as SSH port 22 and MySQL port 3306. We recommend that you allow traffic on these ports only when the ports are required by your workloads.
    Note We recommend that you allow traffic on these ports only from specific sources. You can use address books to streamline the configuration.
  - By default, traffic on ports on which high risks may occur, such as SMB port 445, is denied.
  - Create a policy whose source and destination are set to Any, and set the action of the policy to Monitor. You can view the traffic logs to determine whether you want to deny all other traffic. If you do, change the action of the policy to Deny.
- Create an access control policy for an internal firewall to allow inbound traffic to ECS instances.
  You can refer to the following information:
  On the Internal Firewall tab of the Access Control page, select the policy group that contains all test ECS instances, and create a policy to allow traffic to the test ECS instances from the source address 0.0.0.0/0. By default, internal firewalls and security groups deny all inbound traffic. Therefore, you must create a policy to allow all inbound traffic.
  Note The Internal Firewall tab of the Access Control page is available only for Cloud Firewall Enterprise Edition and Ultimate Edition users. If you use Cloud Firewall Premium Edition, you must go to the Security Groups page of the ECS console to perform this step.
- Check whether the policies meet your business requirements.
  Go to the Log Audit page, click the Traffic Logs tab, and view the details of traffic that is allowed, denied, or monitored. You can check whether the policies meet your business requirements based on the log audit results.
- Optimize the access control policy that is configured for the Internet firewall.
  If the policy whose source and destination are set to Any does not cause false positives, you can change the action of the policy from Monitor to Deny.
  Notice Change the action of the policy only after you confirm that the policy does not introduce risks.
- Allow inbound traffic to all ECS instances.
  You can refer to the following information:
  - On the Internal Firewall tab, add an inbound access control policy whose source is set to 0.0.0.0/0 to each policy group.
  - If you add newly purchased ECS instances to existing security groups, you do not need to create policies. If you add newly purchased ECS instances to newly created security groups, you must create policies on the Internal Firewall tab to allow inbound traffic between the ECS instances.
- Check the availability of all workloads.
  Go to the Log Audit page, click the Traffic Logs tab, and view the details of traffic that is allowed, denied, or monitored. You can check whether the policies meet your business requirements based on the log audit results.
- Create an outbound access control policy for the Internet firewall.
  You can refer to the following information:
  - If you want to control traffic over outbound connections, create an outbound access control policy for the Internet firewall.
  - We recommend that you allow only traffic destined for specific domain names or IP addresses on the Internet, such as the endpoint of an external API.
  - By default, all other traffic destined for the Internet is denied. Monitor your workloads for a period of time. If the default policy does not affect your workloads, the policy takes effect.
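The following Python script is an added example, not code from the Cloud Firewall documentation: it models the inbound Internet firewall policy set from the procedure above (ports 80 and 443 open, ports 22 and 3306 restricted to a source address book, port 445 denied, and an Any/Any policy set to Monitor) as an ordered list and dry-runs constructed traffic log entries against it. The flows whose first match is the Monitor policy are exactly the ones that would be blocked once its action is changed to Deny, so they are the ones to review for false positives before that change. First-match evaluation and the 203.0.113.0/24 O&M address book are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    source: str               # source CIDR; 0.0.0.0/0 means Any
    dest_port: Optional[int]  # None means any destination port
    action: str               # "allow", "deny" or "monitor"

    def matches(self, src_ip: str, dest_port: int) -> bool:
        in_source = ip_address(src_ip) in ip_network(self.source)
        return in_source and self.dest_port in (None, dest_port)

# Inbound policy set from the procedure, in evaluation order (first match wins,
# an assumption). 203.0.113.0/24 is a constructed stand-in for an O&M address book.
INBOUND_POLICIES = [
    Policy("allow-http", "0.0.0.0/0", 80, "allow"),
    Policy("allow-https", "0.0.0.0/0", 443, "allow"),
    Policy("allow-ssh-from-ops", "203.0.113.0/24", 22, "allow"),
    Policy("allow-mysql-from-ops", "203.0.113.0/24", 3306, "allow"),
    Policy("deny-smb", "0.0.0.0/0", 445, "deny"),
    Policy("catch-all", "0.0.0.0/0", None, "monitor"),  # change to "deny" later
]

def evaluate(policies, src_ip, dest_port):
    """First matching policy, or None (the firewall's default policy then allows)."""
    for policy in policies:
        if policy.matches(src_ip, dest_port):
            return policy
    return None

def monitored_flows(policies, flows):
    """Log flows whose first match is a Monitor policy: these are the flows the
    Any/Any policy would block once its action is Deny, so review them first."""
    hits = []
    for src_ip, dest_port in flows:
        policy = evaluate(policies, src_ip, dest_port)
        if policy is not None and policy.action == "monitor":
            hits.append((src_ip, dest_port))
    return hits

# Constructed sample of inbound flows as the traffic logs would show them.
SAMPLE_FLOWS = [
    ("198.51.100.7", 443),   # public web traffic -> allow-https
    ("203.0.113.10", 22),    # SSH from the O&M address book -> allow-ssh-from-ops
    ("198.51.100.7", 22),    # SSH from anywhere else -> catch-all (monitor)
    ("198.51.100.9", 445),   # SMB probe -> deny-smb
    ("192.0.2.33", 8443),    # unlisted port -> catch-all (monitor)
]
```

Running `monitored_flows(INBOUND_POLICIES, SAMPLE_FLOWS)` over real traffic log exports gives the list to audit; an empty list is the condition under which the procedure says the Monitor action can be changed to Deny.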