
Cloud Firewall:Configure an access control policy to deny traffic from regions outside China to a server

Last Updated: Dec 11, 2023

If you want to manage traffic between your asset and a specific region, you can configure an access control policy for the Internet firewall and set the Source Type or Destination Type parameter to Region. For example, you can configure an access control policy to allow traffic from your asset only to a specific region or deny traffic from a specific region to your asset. This topic describes how to configure an access control policy to deny traffic from regions outside China.

Example scenario

In this example, your asset is an Elastic Compute Service (ECS) instance with which the elastic IP address (EIP) 47.100.XX.XX is associated. Your business serves users in China only, so you do not need any traffic from regions outside China to reach the ECS instance. To achieve this goal, you configure an access control policy that denies traffic from all regions outside China.


Prerequisites

Cloud Firewall is activated, and the Internet Firewall feature is enabled. For more information, see Purchase Cloud Firewall and Internet firewall.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure the parameters. The following table describes the parameters.

    Parameter: Source Type
    Description: The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.
    Example: Region

    Parameter: Source
    Example: All Geographical Regions Outside China

    Parameter: Destination Type
    Description: The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.
    Example: IP

    Parameter: Destination
    Example: 47.100.XX.XX/32, which is the public IP address of the ECS instance

    Parameter: Protocol Type
    Description: The type of the transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.
    Example: ANY

    Parameter: Port Type
    Description: The port type and port number of the destination.
    Example: Port

    Parameter: Port
    Example: 0/0, which indicates all ports

    Parameter: Application
    Description: The application type of the traffic.
    Example: ANY

    Parameter: Action
    Description: The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values:
      • Allow: The traffic is allowed.
      • Deny: The traffic is denied, and no notifications are sent.
      • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
    Example: Deny

    Parameter: Priority
    Description: The priority of the access control policy. Default value: Lowest.
    Example: Highest

    Parameter: Policy Validity Period
    Description: The validity period of the access control policy. The policy can be used to match traffic only during the validity period.
    Example: Always

    Parameter: Status
    Description: Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy later in the list of access control policies.
    Example: Enabled
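The following added example (not part of this topic or of Cloud Firewall's own code) models how the policy in the table above is matched against inbound connections, and why Priority matters: policies are evaluated first match wins, so a Deny policy left at the default Lowest priority is shadowed by an earlier Allow policy for the same destination. The geolocation table, the asset IP 203.0.113.10 and the "traffic matching no policy is allowed" default are constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed geolocation table: TEST-NET prefixes with made-up region codes.
GEO_TABLE = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US", "192.0.2.0/24": "DE"}
ASSET_IP = "203.0.113.10"  # placeholder EIP of the ECS instance (not the page's 47.100.XX.XX)

def region_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return "UNKNOWN"  # no geo match; counts as outside China, so the deny rule fails closed

def matches(policy, conn):
    """True when every condition of the policy (source, destination, protocol, port) matches."""
    if policy["source_type"] == "Region":
        region = region_of(conn["src"])
        if policy["source"] == "All Geographical Regions Outside China":
            src_ok = region != "CN"
        else:
            src_ok = region == policy["source"]
    else:  # Source Type IP: an address or CIDR block
        src_ok = ipaddress.ip_address(conn["src"]) in ipaddress.ip_network(policy["source"])
    dst_ok = ipaddress.ip_address(conn["dst"]) in ipaddress.ip_network(policy["destination"])
    proto_ok = policy["proto"] in ("ANY", conn["proto"])
    lo, hi = (int(x) for x in policy["port"].split("/"))
    port_ok = (lo, hi) == (0, 0) or lo <= conn["dport"] <= hi  # 0/0 means all ports
    return src_ok and dst_ok and proto_ok and port_ok

def evaluate(conn, policies):
    """First enabled matching policy wins; the list is in priority order (Highest first).
    Assumption: traffic that matches no policy is allowed. Returns (action, policy name)."""
    for p in policies:
        if p["enabled"] and matches(p, conn):
            return p["action"], p["name"]
    return "Allow", None

# The policy from this topic, with the same parameter values as the table above.
DENY_OUTSIDE_CN = dict(name="deny-outside-cn", source_type="Region",
    source="All Geographical Regions Outside China", destination=ASSET_IP + "/32",
    proto="ANY", port="0/0", action="Deny", enabled=True)
# A typical pre-existing policy that opens HTTPS on the asset to any source.
ALLOW_HTTPS = dict(name="allow-https", source_type="IP", source="0.0.0.0/0",
    destination=ASSET_IP + "/32", proto="TCP", port="443/443", action="Allow", enabled=True)

def demo():
    abroad = {"src": "198.51.100.7", "dst": ASSET_IP, "proto": "TCP", "dport": 443}
    china = {"src": "203.0.113.200", "dst": ASSET_IP, "proto": "TCP", "dport": 443}
    return {
        "abroad, deny rule Highest": evaluate(abroad, [DENY_OUTSIDE_CN, ALLOW_HTTPS]),
        "abroad, deny rule Lowest": evaluate(abroad, [ALLOW_HTTPS, DENY_OUTSIDE_CN]),
        "china, deny rule Highest": evaluate(china, [DENY_OUTSIDE_CN, ALLOW_HTTPS]),
    }
```

Running demo() shows the foreign connection denied only when the deny policy sits above the HTTPS allow policy, which is why the table sets Priority to Highest.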

What to do next

By default, an access control policy immediately takes effect after it is created. In the list of access control policies, view the hit details about an access control policy in the Hits/Last Hit At column.


The Hits/Last Hit At column displays the number of hits and the time when the policy was last hit. Click the number of hits to go to the Log Audit page. On the Traffic Logs tab, view the hit details. For more information, see Log audit.
