By default, if you do not configure an access control policy after you enable a firewall, Cloud Firewall allows all traffic. You can configure Allow or Deny policies for different types of firewalls based on your business requirements to better control unauthorized access to your assets. This topic describes access control policies of Cloud Firewall, including how access control policies work and the billing rules.
Feature description
Cloud Firewall allows you to configure access control policies for the Internet firewall, NAT firewalls, virtual private cloud (VPC) firewalls, and internal firewalls to block unauthorized access and implement multi-directional isolation and control on traffic. The access control policies that are described in this topic apply only to the Internet firewall, NAT firewalls, and VPC firewalls.
For more information about how to configure an access control policy for an internal firewall, see Create an access control policy for an internal firewall.
Items in access control policies
You can specify different items in access control policies to allow or deny related traffic.
Item | Description | Type | Supported type by policy |
Source | The initiator of the network connection. | | |
Destination | The receiver of the network connection. | IP address, IP address book, domain name, and region. | |
Protocol type | The transport layer protocol. | TCP, UDP, ICMP, and ANY. If you do not know which protocol the policy should cover, select ANY, which matches all protocol types. | Supported by the access control policies of all firewall types. |
Port | The destination port. | Port or port address book. The policy controls only traffic that is destined for the specified ports. | The supported types vary based on the selected protocol type. |
Application | The application layer protocol. | HTTP, HTTPS, SMTP, SMTPS, SSL, FTP, and ANY. If you do not know the application type, select ANY, which matches all application types. Note: Cloud Firewall identifies SSL or TLS traffic on port 443 as HTTPS, and SSL or TLS traffic on other ports as SSL. | The supported types vary based on the selected protocol type. Up to five application types can be selected at the same time. |
Implementation
By default, if no access control policy is configured, Cloud Firewall allows all traffic.
After you configure an access control policy, Cloud Firewall splits it into one or more matching rules and sends them to the engine. When traffic passes through Cloud Firewall, the engine evaluates the configured policies in order of priority. The first policy that a packet hits determines the action, and no later policy is evaluated. If the packet does not hit a policy, the engine continues with the next lower-priority policy until a policy is hit or all configured policies have been checked. Traffic that hits no policy is allowed. Cloud Firewall is therefore allow-by-default: to enforce a default-deny posture, add a Deny policy that matches all sources, destinations, and protocols and give it the lowest priority (the largest priority value), so that it is hit only by traffic that no earlier Allow policy has accepted.
After you create, modify, or delete an access control policy, Cloud Firewall requires approximately 3 minutes to send the policy to the engine.
A smaller priority value indicates a higher priority. To make the best use of access control, assign high priorities to frequently matched policies and to refined (specific) policies. Because the first hit wins, a broad Allow policy placed above a more specific Deny policy shadows it, and the Deny is never applied.
The following figure shows how an access control policy works.
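The following Python script is an added example, not code from the original page or from Cloud Firewall itself. It models the matching logic described above: policies are sorted by priority value (smaller wins), the first hit decides, Monitor forwards like Allow, and a packet that hits nothing is allowed. The policy names, CIDR blocks, and probe flows are constructed for illustration; never_hit is a check this example adds to spot policies that a broader, higher-priority policy has shadowed.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Flow:
    """One packet as the engine sees it (every flow below is a constructed sample)."""
    src: str
    dst: str
    proto: str             # TCP, UDP or ICMP
    dport: Optional[int]   # None for ICMP
    app: str               # application identified by the engine, e.g. HTTP, FTP


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                            # smaller value = higher priority
    action: str                              # Allow, Monitor or Deny
    sources: Tuple[str, ...]                 # CIDR blocks
    destinations: Tuple[str, ...]            # CIDR blocks
    proto: str = ANY
    ports: Tuple[Tuple[int, int], ...] = ()  # inclusive ranges; () = any port
    apps: Tuple[str, ...] = (ANY,)


def _addr_in(addr: str, cidrs: Tuple[str, ...]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(c, strict=False) for c in cidrs)


def policy_matches(p: Policy, f: Flow) -> bool:
    """All items of a policy must match; ANY and an empty port list are wildcards."""
    if not (_addr_in(f.src, p.sources) and _addr_in(f.dst, p.destinations)):
        return False
    if p.proto != ANY and p.proto != f.proto:
        return False
    if p.ports and (f.dport is None or not any(lo <= f.dport <= hi for lo, hi in p.ports)):
        return False
    return ANY in p.apps or f.app in p.apps


def evaluate(policies: List[Policy], f: Flow) -> Tuple[str, Optional[str]]:
    """First hit in priority order wins; later policies are not consulted.
    Returns (configured action, policy name). No hit -> ("Allow", None): the default is allow."""
    for p in sorted(policies, key=lambda p: p.priority):
        if policy_matches(p, f):
            return p.action, p.name
    return "Allow", None


def forwarded(action: str) -> bool:
    """Monitor only logs: the traffic is forwarded exactly as with Allow."""
    return action in ("Allow", "Monitor")


def with_priority(policies: List[Policy], name: str, priority: int) -> List[Policy]:
    """Copy of the policy list with one policy moved to another priority."""
    return [replace(p, priority=priority) if p.name == name else p for p in policies]


def never_hit(policies: List[Policy], probes: List[Flow]) -> List[str]:
    """Policies that win for none of the probe flows: candidates for being shadowed
    by a broader policy with a higher priority (smaller value)."""
    winners = {evaluate(policies, f)[1] for f in probes}
    return [p.name for p in policies if p.name not in winners]


# Constructed policy set: hypothetical names and addresses, not from the original page.
POLICIES = [
    Policy("deny-ssh-to-bastion", 1, "Deny", ("10.0.1.0/24",), ("203.0.113.10/32",), "TCP", ((22, 22),)),
    Policy("allow-web-out", 10, "Allow", ("10.0.0.0/8",), ("0.0.0.0/0",), "TCP", ((80, 80), (443, 443)), ("HTTP", "HTTPS")),
    Policy("monitor-ftp", 20, "Monitor", ("10.0.0.0/8",), ("0.0.0.0/0",), "TCP", ((21, 21),), ("FTP",)),
    Policy("deny-all", 1000, "Deny", ("0.0.0.0/0",), ("0.0.0.0/0",)),   # lowest-priority catch-all
]
BROAD_ALLOW = Policy("allow-intranet-out", 5, "Allow", ("10.0.0.0/8",), ("0.0.0.0/0",))

PROBES = [
    Flow("10.0.2.7", "198.51.100.20", "TCP", 443, "HTTPS"),
    Flow("10.0.1.5", "203.0.113.10", "TCP", 22, "SSH"),
    Flow("10.0.2.7", "198.51.100.20", "TCP", 21, "FTP"),
    Flow("10.0.2.7", "198.51.100.20", "UDP", 53, "DNS"),
    Flow("192.0.2.9", "10.0.0.1", "TCP", 22, "SSH"),
]

if __name__ == "__main__":
    for f in PROBES:
        print(f.src, "->", f.dst, f.proto, f.dport, f.app, evaluate(POLICIES, f))
    print("broad allow inserted at priority 5, shadowed:", never_hit(POLICIES + [BROAD_ALLOW], PROBES))
    demoted = with_priority(POLICIES + [BROAD_ALLOW], "deny-ssh-to-bastion", 50)
    print("deny moved below the broad allow:", evaluate(demoted, PROBES[1]))
```

Inserting the broad allow-intranet-out policy at priority 5 leaves deny-ssh-to-bastion (priority 1) effective but makes allow-web-out and monitor-ftp unreachable for intranet sources; moving the Deny to priority 50 lets the SSH flow through. Running the probe set against a policy change in this way is a cheap pre-flight check before the change reaches the engine.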
Domain name resolution
The Internet firewall, NAT firewalls, and VPC firewalls implement access control for domain names based on the domain name information in traffic. If the destination in an outbound access control policy for the Internet firewall or a NAT firewall is set to a domain name, Cloud Firewall resolves the domain name into IP addresses and implements access control on those IP addresses. You can view the resolved IP addresses in the policy.
The following list describes the logic based on which access control policies match domain names of different application types:
If Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields) and the application type is HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall uses the HTTP Host header or the TLS SNI field to implement access control for domain names. Both values are presented by the client, so they identify the domain name the client asked for rather than the address it connects to.
If Domain Name Identification Mode is set to DNS-based Dynamic Resolution and an application type other than HTTP, HTTPS, SSL, SMTP, or SMTPS is specified, Cloud Firewall dynamically resolves the domain name and implements access control on the resolved IP addresses. You can view the IP addresses to which the domain name is resolved. A domain name can be resolved to up to 500 IP addresses.
Usage notes on domain name-based access control policies
When you configure an access control policy and set the destination to a domain name, take note of the following items:
Domain Name System (DNS) resolution is not supported in the following scenarios:
The access control policy is configured for inbound traffic. DNS resolution is supported only for outbound access control policies.
The destination is a wildcard domain name. Example: *.example.com. A wildcard domain name cannot be resolved into a specific IP address.
Domain Address Books is selected for the destination type.
The quota consumed by domain-name-based access control policies for NAT firewalls cannot exceed 200. If creating a policy whose destination is a domain name would push the total above 200, an error is reported and the policy is not created.
For example, you configured an access control policy whose destination is aliyun.com and whose application type is ANY, and that policy consumes a quota of 185. If you then create another access control policy whose destination is a domain name and that policy would consume a quota of more than 15, the policy fails to be created.
The quota consumed by domain-name-based access control policies for the Internet firewall may exceed 200, but the part above 200 is counted at ten times its value.
For example, you configured an access control policy whose destination is aliyun.com and whose application type is ANY, and that policy consumes a quota of 185. If you then create another domain-name-based access control policy that consumes a quota of 16, the total quota consumed by the two policies is calculated as follows: (185 + 16 - 200) × 10 + 200 = 210.
Note: For more information about how to calculate the quota that is consumed by an access control policy, see Quota consumed by access control policies.
If a request is initiated from an Elastic Compute Service (ECS) instance to an external domain name, only the default DNS server of the ECS instance is supported for domain name resolution. The IP address of the DNS server is 100.100.2.136 or 100.100.2.138. If you change the DNS server of the ECS instance, the outbound domain-name-based access control policy for that instance becomes invalid, because the instance may connect to addresses that differ from those Cloud Firewall resolved.
If multiple domain names resolve to the same IP address, a policy that names only one of them applies to all of them, because enforcement happens on the resolved address.
For example, you configure an access control policy to allow FTP traffic that is destined for the domain name example1.aliyun.com. If the A record of example1.aliyun.com is 1.1.XX.XX, FTP traffic destined for 1.1.XX.XX is allowed. If the A record of example2.aliyun.com is also 1.1.XX.XX, FTP traffic destined for example2.aliyun.com is allowed as well, even though no policy names it. Keep this in mind for domain names that share an address, for example behind a CDN or on shared hosting.
If the IP addresses to which a domain name is resolved change, Cloud Firewall uses the new IP addresses to automatically update the access control policy. Cloud Firewall automatically updates the access control policies that are created for the Internet firewall every 5 minutes and the access control policies that are created for NAT firewalls every 60 minutes.
If the IP address to which the domain name example1.aliyun.com is resolved changes from 1.1.XX.XX to 2.2.XX.XX, Cloud Firewall automatically updates the access control policy. Then, the policy takes effect on the IP address 2.2.XX.XX. This way, the access control policy always takes effect on the IP address to which the domain name is dynamically resolved.
Note: If you want to update your access control policy based on the latest DNS resolution results, click DNS Resolution on the policy editing page to trigger DNS resolution manually and obtain the updated IP addresses. Then, click OK to save the policy.
Policy actions
The following actions are supported in access control policies: Allow, Monitor, and Deny. When the elements of traffic packets match an access control policy, Cloud Firewall performs the action specified in the policy.
If the action of a policy is set to Monitor, traffic is allowed when the policy is hit. You can observe traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
You can view the traffic data on the Traffic Logs page. For more information, see Log audit.
Quota consumed by access control policies
After you configure an access control policy, Cloud Firewall calculates the quota that is consumed by the policy based on the numbers of items that are specified in the policy, such as source addresses, destination addresses, protocol types, ports, and applications.
Calculation method
The quotas that are consumed by access control policies are calculated by using the following formulas:
Quota consumed by an access control policy = Number of source addresses (number of CIDR blocks or regions) × Number of destination addresses (number of CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.
Important: If you configure access control policies whose destinations are domain names, the total quota that they consume cannot exceed 200. If the total exceeds 200, the part above 200 is counted at ten times its value.
You can view the quota that is consumed by an access control policy in the Consumed Quota column of the policy in the access control policy list.
Total quota consumed by access control policies = Quota consumed by outbound access control policies + Quota consumed by inbound access control policies.
You can view the total quota that is consumed by the access control policies for a type of firewall in the upper part of the page of the firewall. The following figure shows the quota that is consumed by access control policies that are created for the Internet firewall.
Billing
By default, the basic price of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method covers a specific quota for access control policies. If the specific quota cannot meet your business requirements, you can purchase an additional quota.
The additional quota on access control policies can be used for access control policies for the Internet firewall, NAT firewalls, and VPC firewalls. For more information, see Subscription.
Cloud Firewall that uses the pay-as-you-go billing method allows you to create a maximum of 2,000 access control policies for the Internet firewall, 2,000 access control policies for NAT firewalls, and 10,000 access control policies for VPC firewalls. The numbers cannot be increased. For more information, see Pay-as-you-go.
Examples on how to calculate the quota consumed by access control policies
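The following Python functions are an added worked example, not code from the original page or from Cloud Firewall. They apply the formula from Calculation method and the two domain-name limits (NAT firewall: hard limit of 200; Internet firewall: excess counted ten times). The constructed policy with 3 source CIDR blocks, 2 destination domain names, 2 port ranges, and 2 applications is an assumption for illustration, as is the choice to count a missing port list or an ANY application as 1.

```python
from typing import Sequence, Tuple

DOMAIN_QUOTA_LIMIT = 200   # per firewall, for policies whose destination is a domain name


def policy_quota(sources: Sequence[str], destinations: Sequence[str],
                 port_ranges: Sequence[Tuple[int, int]], applications: Sequence[str]) -> int:
    """Quota consumed by one policy = sources x destinations x port ranges x applications.
    Assumption (the page does not say): a policy with no port list (ICMP or ANY protocol)
    or with application ANY counts as 1 for that factor."""
    return len(sources) * len(destinations) * max(1, len(port_ranges)) * max(1, len(applications))


def domain_policy_total(quotas: Sequence[int], firewall: str) -> int:
    """Total quota of the domain-name-destination policies on one firewall.
    NAT firewall: the total may not exceed 200; the policy that would cross it is refused.
    Internet firewall: the part above 200 is counted ten times."""
    total = sum(quotas)
    if firewall == "nat":
        if total > DOMAIN_QUOTA_LIMIT:
            raise ValueError(f"domain-name policies would consume {total} > {DOMAIN_QUOTA_LIMIT}")
        return total
    if firewall == "internet":
        if total <= DOMAIN_QUOTA_LIMIT:
            return total
        return DOMAIN_QUOTA_LIMIT + (total - DOMAIN_QUOTA_LIMIT) * 10
    raise ValueError("firewall must be 'nat' or 'internet'")


def nat_domain_headroom(existing: Sequence[int]) -> int:
    """Largest quota a new domain-name policy on a NAT firewall may still consume."""
    return max(0, DOMAIN_QUOTA_LIMIT - sum(existing))


def nat_can_add(existing: Sequence[int], new_quota: int) -> bool:
    """Whether creating a domain-name policy of this size on a NAT firewall succeeds."""
    return new_quota <= nat_domain_headroom(existing)


def firewall_total(outbound: Sequence[int], inbound: Sequence[int]) -> int:
    """Total quota shown for one firewall type = outbound policies + inbound policies."""
    return sum(outbound) + sum(inbound)


if __name__ == "__main__":
    q = policy_quota(("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
                     ("example1.aliyun.com", "example2.aliyun.com"),
                     ((80, 80), (443, 443)), ("HTTP", "HTTPS"))
    print("quota of the constructed policy:", q)                                        # 24
    print("Internet firewall, 185 + 16:", domain_policy_total([185, 16], "internet"))   # 210
    print("NAT firewall, headroom after 185:", nat_domain_headroom([185]))              # 15
    print("NAT firewall, can add a 16-quota policy after 185:", nat_can_add([185], 16))  # False
```

The page's own figures come out as expected: 185 + 16 on the Internet firewall is 210, and the same pair on a NAT firewall is refused because only 15 of quota remain.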
References
For more information about how to manage the traffic between Internet-facing assets and the Internet, see Create access control policies for the Internet firewall.
For more information about how to manage the traffic from internal-facing assets to the Internet, see Create an access control policy for a NAT firewall.
For more information about how to manage traffic between VPCs and between VPCs and data centers, see Create an access control policy for a VPC firewall.
For more information about how to manage traffic between ECS instances, see Create an access control policy for an internal firewall between ECS instances.
For more information about how to configure access control policies and the usage scenarios of access control policies, see Configure access control policies.
If you deploy Cloud Firewall together with Bastionhost, you must configure access control policies to prevent the traffic of your Bastionhost from being blocked by Cloud Firewall. For more information, see Configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost.