Bastionhost: Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost

Last Updated: Nov 29, 2023

This topic describes how to configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost to prevent the access traffic of your bastion host from being blocked by Cloud Firewall. If the access traffic is blocked, your business cannot run as expected.

Scenarios

You can deploy Cloud Firewall together with Bastionhost to protect traffic from the Internet and ensure the security of your business. If you deploy Cloud Firewall together with Bastionhost, the access traffic of your bastion host may be blocked by Cloud Firewall. As a result, the bastion host cannot access the Internet as expected. Therefore, you must configure access control policies for the Internet firewall in Cloud Firewall to ensure that the firewall protects the traffic between the bastion host and the Internet and does not affect the business of the bastion host.

The following figure shows how Cloud Firewall provides security protection for a bastion host.

[Figure: schematic diagram of how Cloud Firewall protects a bastion host]

If you do not configure access control policies based on the following procedures, the following issues may occur: The service ports of the bastion host become inaccessible, assets and users cannot be imported, web page-based O&M cannot be performed, and videos cannot be played.

Prerequisites

Step 1: Configure a policy to allow inbound traffic

Configure an inbound policy for the Internet firewall to allow Internet access to the open ports of the bastion host.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Inbound tab, click Create Policy.

  4. In the Create Inbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the Internet. For more information, see Parameters of an inbound policy. Then, click OK.

    Parameters of an inbound policy:

    Source Type: Select IP.

    Source: Enter the public CIDR blocks that are allowed to access the bastion host.

    Destination Type: Select IP.

    Destination: Enter the IP address to which the O&M address of the bastion host is resolved.

    Note: To view the IP address of the bastion host, go to the Internet Border page and set Asset Type as the filter condition. You do not need to log on to the Bastionhost console.

    Protocol Type: Select TCP.

    Port Type: Select the port type. Valid values: Port and Address Book. If you want to enable multiple ports of the bastion host, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.

    Note: You can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.

    Port: If you set Port Type to Port, you must configure this parameter. The following list describes the commonly used services and ports of a bastion host. You can specify ports based on your business requirements.

    • SSH-based O&M: port 60022
    • RDP-based O&M: port 63389
    • Video playback: port 9443
    • Host O&M and O&M portal: port 443

    Application: Select ANY.

    Action: Select Allow, which indicates that the specified CIDR blocks are allowed to access the open ports of the bastion host.

    Description: Enter a description that can help identify the policy.

    Priority: Select Highest.

    Status: Turn on the switch, which indicates that the policy is enabled after it is created.

  5. Create another policy to deny access to the bastion host from all public IP addresses.

    Configure the parameters based on Parameters of an inbound policy. Set Source to 0.0.0.0/0, Action to Deny, and Priority to Lowest, so that the deny policy is evaluated only after the allow policy created in the previous step.

Step 2: Configure a policy to allow outbound traffic

The bastion host needs to access cloud services over the Internet. Therefore, you must configure an outbound policy for the Internet firewall to allow the bastion host to access the Internet.

  1. On the Outbound tab, click Create Policy.

  2. In the Create Outbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the bastion host. For more information, see Parameters of an outbound policy. Then, click OK.

    Parameters of an outbound policy:

    Source Type: Select IP.

    Source: Enter the egress IP addresses of the bastion host.

    Destination Type: Select Address Book. In the Select Address Book panel, select Cloud Service Address Book and search for Alibaba credible domains.

    Protocol Type: Select TCP.

    Port Type: Select the port type. Valid values: Port and Address Book. If you want to enable multiple ports of a cloud service, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.

    Note: You can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.

    Port: If you set Port Type to Port, you must specify the following ports of your bastion host: 443 and 80.

    Application: Select HTTP and HTTPS.

    Action: Select Allow, which indicates that the open ports of your bastion host are allowed to access the endpoints of cloud services.

    Description: Enter a description that can help identify the policy.

    Priority: Select Highest.

    Status: Turn on the switch, which indicates that the policy is enabled after it is created.

  3. Create a policy to deny access to the Internet from all addresses of the bastion host.

    Configure the parameters based on Parameters of an outbound policy. Set Source to 0.0.0.0/0, Action to Deny, and Priority to Lowest, so that the deny policy is evaluated only after the allow policy created in the previous step.
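The two policy pairs in Steps 1 and 2 only work because of their relative priority: the specific Allow policy sits at Highest and the 0.0.0.0/0 Deny policy at Lowest. The following Python script is an added example, not Alibaba Cloud code and not an API call: it models first-match-by-priority evaluation over the inbound and outbound policy sets described above, using the bastion host ports from the page. The operator CIDR, the bastion host's O&M and egress IPs, and the contents of the "Alibaba credible domains" address book are constructed placeholders. It also reproduces the failure mode the page warns about by swapping the two priorities, which makes every bastion port inaccessible.

```python
# Added example (not Alibaba Cloud code): a first-match-by-priority model of the
# Internet firewall policies from Steps 1 and 2, used to check offline that the
# "Allow at Highest, deny-all at Lowest" pairing opens only the bastion host's
# service ports and nothing else.
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholder values (not real addresses): the public CIDR blocks that
# may reach the bastion host, the IP that its O&M address resolves to, its egress
# IP, and a stand-in for the "Alibaba credible domains" cloud service address book.
OPERATOR_CIDRS = ("203.0.113.0/24",)
BASTION_OM_IP = "198.51.100.10"
BASTION_EGRESS_IP = "198.51.100.10"
CLOUD_SERVICE_BOOK = ("192.0.2.0/24",)

# Bastion host service ports listed on the page, and the outbound ports of Step 2.
BASTION_PORTS = frozenset({60022, 63389, 9443, 443})  # SSH O&M, RDP O&M, video, O&M portal
CLOUD_SERVICE_PORTS = frozenset({80, 443})
HIGHEST, LOWEST = 0, 999   # the console's "Highest" and "Lowest" priorities


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int         # lower value is evaluated first
    action: str           # "allow" or "deny"
    sources: tuple        # CIDR strings; "0.0.0.0/0" matches any address
    destinations: tuple
    ports: frozenset      # empty set means any port
    proto: str = "TCP"

    def matches(self, src, dst, port, proto):
        if proto != self.proto:
            return False
        if self.ports and port not in self.ports:
            return False
        return (any(src in ipaddress.ip_network(c) for c in self.sources)
                and any(dst in ipaddress.ip_network(c) for c in self.destinations))


INBOUND = [
    Policy("allow-operators-to-bastion", HIGHEST, "allow",
           OPERATOR_CIDRS, (BASTION_OM_IP + "/32",), BASTION_PORTS),
    Policy("deny-all-inbound", LOWEST, "deny",
           ("0.0.0.0/0",), (BASTION_OM_IP + "/32",), frozenset()),
]

OUTBOUND = [
    Policy("allow-bastion-to-cloud-services", HIGHEST, "allow",
           (BASTION_EGRESS_IP + "/32",), CLOUD_SERVICE_BOOK, CLOUD_SERVICE_PORTS),
    Policy("deny-all-outbound", LOWEST, "deny",
           ("0.0.0.0/0",), ("0.0.0.0/0",), frozenset()),
]


def evaluate(policies, src, dst, port, proto="TCP"):
    """Return (action, policy name) of the first policy, in priority order, that
    matches the flow. A flow that matches no policy yields ("no-policy", None):
    the ACL makes no decision, which is the gap the Lowest-priority deny-all
    policy on the page is there to close."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(src_ip, dst_ip, port, proto):
            return policy.action, policy.name
    return "no-policy", None


def port_report(policies, src, dst, ports):
    """Map each port to the action the policy set takes for src -> dst."""
    return {port: evaluate(policies, src, dst, port)[0] for port in ports}


def swap_priorities(policies):
    """Reproduce the misconfiguration the page warns about: the deny-all policy
    placed above the allow policy, so every bastion port becomes inaccessible."""
    return [replace(p, priority=LOWEST if p.priority == HIGHEST else HIGHEST)
            for p in policies]


if __name__ == "__main__":
    operator = "203.0.113.7"
    print("inbound, correct order:  ",
          port_report(INBOUND, operator, BASTION_OM_IP, sorted(BASTION_PORTS | {22})))
    print("inbound, swapped order:  ",
          port_report(swap_priorities(INBOUND), operator, BASTION_OM_IP, sorted(BASTION_PORTS)))
    print("outbound to cloud service:",
          port_report(OUTBOUND, BASTION_EGRESS_IP, "192.0.2.40", [80, 443, 8080]))
```

Running the script shows the four bastion ports allowed from the operator CIDR while port 22 and any other source are denied, all ports denied once the priorities are swapped, and the egress IP reaching the cloud service address book only on 80 and 443. The model treats Protocol Type literally, so a flow on another protocol matches neither policy; when you enter the real policies, decide deliberately whether the deny-all should be scoped to TCP as in the table or to any protocol.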

Step 3: Enable the Internet firewall for the bastion host

After the policies are configured, you must enable the Internet firewall for the bastion host.

  1. In the left-side navigation pane, click Firewall Settings.

  2. On the Internet Firewall tab, find the IP address of the bastion host and click Enable Protection in the Actions column.

    Note: If your bastion host is newly purchased, the information about the bastion host is synchronized to Cloud Firewall after approximately 15 to 30 minutes.

  After you complete the preceding configurations, the bastion host is protected by Cloud Firewall, and the workload of the bastion host is not affected by Cloud Firewall. You can log on to the bastion host to import assets and users for O&M and audit.

Step 4: Verify whether the configurations take effect

If you can access the service ports of the bastion host, import assets and users, perform web page-based O&M, and play videos, the configurations take effect. You can go to the Traffic Logs tab on the Log Audit page of the Cloud Firewall console to view the logs of traffic between the bastion host and the Internet. For more information, see Traffic logs.