Configure access control policies to allow traffic from an internal-facing server only to a specific domain name

0.0.201

If you want to manage traffic from internal-facing assets to the Internet in a fine-grained manner, you can configure access control policies for NAT firewalls to block unauthorized access from the internal-facing assets to the Internet. This helps reduce risks such as data leaks in your core business. This topic describes how to configure access control policies for a NAT firewall to allow traffic from an internal-facing asset only to a specific website.

Example scenario

In this example, your asset is an internal-facing Elastic Compute Service (ECS) instance whose private IP address is 10.10.XX.XX. The ECS instance accesses the Internet over an Internet-facing NAT gateway. To ensure the security of the ECS instance, you must configure access control policies to allow traffic from the ECS instance only to the website www.aliyun.com.

Procedure

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Access Control > NAT Border
On the NAT Border page, find the NAT gateway for which you want to create an access control policy and click Create Policy.
The NAT gateways within the current Alibaba Cloud account are automatically synchronized to Cloud Firewall.

In the Create Policy - NAT Border panel, configure an access control policy that allows traffic from the ECS instance to www.aliyun.com and has the highest priority and an access control policy that denies traffic from the ECS instance to all public IP addresses and has the lowest priority.

Configure the access control policy that allows traffic from the ECS instance to www.aliyun.com. The following table describes the parameters.

Parameter	Description	Example

Parameter	Description	Example
Source Type	The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.	IP
Source		10.10.XX.XX/32, which is the private IP address of the ECS instance
Destination Type	The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.	Domain Name, and set the Domain Name Identification Mode parameter to FQDN-based Dynamic Resolution (Extract Host and SNI Fields).
Destination		www.aliyun.com, which is the website that you allow the ECS instance to access Note You can also resolve the domain name into an IP address.
Protocol Type	The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.	TCP
Port Type	The port type and port number of the destination.	Port
Port	The port type and port number of the destination.	0/0, which indicates all ports
Application	The application type of the traffic. Valid values: If you set the Domain Name Identification Mode parameter to DNS-based Dynamic Resolution, you can select all applications. If you set the Domain Name Identification Mode parameter to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set the Domain Name Identification Mode parameter to FQDN and DNS-based Dynamic Resolution, you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, or ANY.	HTTPS
Action	The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values: Allow: The traffic is allowed. Deny: The traffic is denied, and no notifications are sent. Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.	Allow
Priority	The priority of the access control policy. Default value:Lowest. Valid values: Highest: The access control policy has the highest priority. Lowest: The access control policy has the lowest priority.	Highest
Policy Validity Period	The validity period of the access control policy. The policy can be used to match traffic only during the validity period.	Always
Status	Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.	Enabled

Configure the access control policy to deny traffic from the ECS instance to all public IP addresses. The following list describes the parameters.
- Source: Enter 10.10.X.X/32.
- Destination: Enter 0.0.0.0/0, which indicates the IP addresses of all servers.
- Protocol Type: Select ANY.
- Port: Enter 0/0, which indicates all ports of servers.
- Application: Select ANY.
- Action: Select Deny.
- Priority: Select Lowest.

After you create the access control policies, make sure that the priority of the policy that allows traffic from the ECS instance to www.aliyun.com is higher than the priority of the policy that denies traffic from the ECS instance to all public IP addresses.

What to do next

References

For more information about how to configure an access control policy for a NAT firewall, see Create an access control policy for a NAT firewall.
For more information about how to configure an access control policy, see Configure access control policies.
For more information about how to configure and use an access control policy, see FAQs about access control policies.