All Products
Search
Document Center

Cloud Firewall:Create an access control policy for an internal firewall

Last Updated:Jun 06, 2024

An internal firewall can control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized with ECS security groups. This topic describes how to create an access control policy for an internal firewall.

Diagram of an internal firewall

image

Benefits

Access control policies for internal firewalls outperform ECS security group rules in the following aspects:

  • You can publish multiple policies at a time.

  • Cloud Firewall creates security groups based on application groups.

  • You can manage access control policies in the Cloud Firewall console without the need to switch between different regions of ECS instances.

By default, you can create up to 500 policy groups and 500 policies in each group. The policies include those synchronized from ECS security groups to Cloud Firewall and those created in the Cloud Firewall console. If you require more policies, we recommend that you delete unnecessary policies or configure access control policies for virtual private cloud (VPC) firewalls.

Policy group types

Policy groups are classified into common policy groups and enterprise policy groups.

Scenarios

  • A common policy group corresponds to a basic security group of ECS instances and functions as a virtual firewall to provide stateful packet inspection (SPI) and packet filtering capabilities. You can use a common policy group to isolate security domains in the cloud. You can configure a common policy group to allow or block inbound and outbound traffic between ECS instances in the common policy group. A common policy group is suitable for business that has high requirements for network control on a moderate number of network connections.

  • An enterprise policy group corresponds to an advanced security group of ECS instances and supports more ECS instances than a common policy group. You can configure access control policies for an unlimited number of private IP addresses. Enterprise policy groups are best suited to enterprises that require efficient O&M on large-scale networks.

Differences

For more information about the differences between basic and advanced security groups, see Basic security groups and advanced security groups.

Prerequisites

Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.

Configure an access control policy for an internal firewall

Before you configure access control policies for an internal firewall, you must create a policy group that contains default access control policies. Then, you can configure inbound and outbound access control policies in the policy group. After you configure access control policies in the policy group, you must publish the policies. This way, the policies can be synchronized to ECS security groups and take effect.

Step 1: Create a policy group

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > Internal Border.

  3. On the Internal Border page, click Create Policy Group.

  4. In the Create Policy Group dialog box, configure the following parameters and click Confirm.

    Parameter

    Description

    Policy Group Type

    Select a type for the policy group. Valid values:

    • Common Policy Group

    • Enterprise Policy Group

    Policy Group Name

    Enter a name for the policy group.

    We recommend that you enter an informative name for easy identification.

    VPC

    Select a VPC to which you want to apply the policy group from the VPC drop-down list. A policy group can be applied to only one VPC.

    Instance ID

    Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.

    Note

    The Instance ID drop-down list contains only ECS instances within the selected VPC.

    Description

    Enter a description for the policy group.

    Template

    Select a template that you want to use from the Template drop-down list.

    • default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.

    • default-accept-all: allows all inbound and outbound traffic.

    • default-drop-all: denies all inbound and outbound traffic.

      Note

      Enterprise policy groups do not support the default-drop-all template.

Step 2: Create a policy in the policy group

  1. On the Internal Border page, find the policy group that you want to manage and click Configure Policy in the Actions column.

  2. On the Inbound or Outbound tab, click Create Policy.

  3. In the Create Policy dialog box, configure the following parameters and click Submit.

    Parameter

    Description

    NIC Type

    The default value is Internal Network. This value specifies that the policy controls the inbound and outbound traffic of ECS instances.

    Direction

    The direction of traffic to which you want to apply the policy. Valid values:

    • Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.

    • Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.

    Policy Type

    The type of the policy. Valid values:

    • Allow: allows the traffic that hits the policy.

    • Deny: denies the traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configurations but different policy types, the policy whose type is Deny takes effect.

      Note

      Enterprise policy groups do not support the Deny policy type.

    Protocol Type

    The protocol type of traffic to which you want to apply the policy.

    If you select ANY, the policy is applied to all traffic. If you do not know the protocol type, select ANY.

    Port Range

    The destination port range of traffic to which you want to apply the policy.

    If you enter a port range, the policy takes effect on all ports within the port range. For example, if you enter 1/200, the policy takes effect on ports 1 to 200. If you enter a port, the policy takes effects only on the port. For example, if you enter 80/80, the policy takes effect on port 80.

    Priority

    The priority of the policy. The priority must be an integer within the range of 1 to 100. A smaller value indicates a higher priority.

    Different policies can have the same priority. If an Allow policy and a Deny policy have the same priority, the Deny policy takes precedence.

    Source Type and Source

    The source of traffic. If you set Direction to Inbound, you must configure these parameters. You can configure Source based on the value of Source Type. Valid source types:

    • CIDR Block

      If you select this type, you must enter a source CIDR block in Source. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Then, Cloud Firewall controls the traffic of all ECS instances in the security groups with which the prefix list is associated. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

    Destination

    The destination of traffic. If you set Direction to Inbound, you must configure this parameter. Valid values:

    • All ECS Instances: all ECS instances specified in the current policy group.

    • CIDR Block: If you select this option, you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of traffic. Cloud Firewall controls only the inbound traffic of ECS instances that correspond to the CIDR block.

    Select Source

    The type of the traffic source. If you set Direction to Outbound, you must configure this parameter. Valid values:

    • All ECS Instances: all ECS instances specified in the current policy group.

    • CIDR Block: If you select this option, you must enter a source IP address or CIDR block. The ECS instances that correspond to the IP address or CIDR block are the source of traffic.

    Destination Type and Destination

    The type of the traffic destination and the destination addresses. If you set Direction to Outbound, you must configure these parameters.

    Valid destination types:

    • CIDR Block

      If you select this type, you must enter a destination CIDR block. You can enter only one CIDR block.

    • Policy Group

      If you select this type, you must select a policy group. Traffic destined for all ECS instances in the policy group is managed.

      Note

      Enterprise policy groups do not support the Policy Group type.

    • Prefix List

      If you select this type, you must select a prefix list from the Source drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.

    Description

    The description of the policy.

  4. Wait until the policy is created. Then, you can view the policy in the policy list of the internal firewall.

Step 3: Publish the policy in the policy group

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > Internal Border.

  3. On the Internal Border page, find the policy group whose policy you want to publish and click Publish in the Actions column.

  4. In the Publish Policy dialog box, configure Remarks, confirm the policy changes, and then click OK.

    The policies are synchronized to ECS security groups and take effect only after you publish the policies. You can log on to the ECS console and choose Network & Security > Security Groups to view the policies that you published in the Cloud Firewall console. The default name of the policy group created by Cloud Firewall in the ECS console is Cloud_Firewall_Security_Group.

Synchronize ECS security group rules

  • Manual synchronization: On the Internal Border page, click Synchronize Security Group to synchronize the security group rules from ECS to Cloud Firewall. The process requires 2 to 3 minutes to complete.

  • Automatic synchronization: Cloud Firewall automatically synchronizes the information about ECS security group rules every 2 hours.

What to do next

You can perform the following operations on the policy group:

  • Edit: Change the ECS instances specified in the policy group and modify the policy group description.

  • Delete: Delete the policy group.

    Warning

    After you delete a policy group, its access control policies become invalid. Proceed with caution. A deleted policy group is retained in the list, but you can no longer perform operations on it.

    If you want to delete policy groups that are no longer required, you can set the policy group source to Custom to query all custom policy groups and determine whether to delete them.