All Products
Search
Document Center

Cloud Firewall:Create an access control policy for a VPC firewall

Last Updated:Jul 30, 2024

A virtual private cloud (VPC) firewall can be used to monitor and control the traffic between network instances that are connected by using a transit router of a Cloud Enterprise Network (CEN) instance or an Express Connect circuit. By default, a VPC firewall allows all traffic. You can create an access control policy to deny traffic from suspicious or malicious sources and allow traffic from trusted sources. This topic describes how to create an access control policy for a VPC firewall.

Prerequisites

  • A virtual private cloud (VPC) firewall is created and enabled. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

  • The quota for access control policies is sufficient. You can choose Prevention Configuration > Access Control > VPC Border to view the usage of the quota for access control policies. For more information about how to calculate the quota consumed by access control policies, see Overview of access control policies.

    If the quota is insufficient, you can click Increase Quota to increase the value of Quota for Additional Policy. For more information, see Purchase Cloud Firewall.

    image..png

Procedure

To manage the traffic between two VPCs, you can use the blacklist mode or whitelist mode. In blacklist mode, you need to configure a policy to deny traffic that is not trusted or is not required in your workloads and a policy to allow other traffic. In whitelist mode, you need to configure a policy to allow traffic that is trusted or is required in your workloads and a policy to deny other traffic. For more information about the examples of configuring an access control policy for a VPC firewall, see Configure access control policies.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > VPC Border.

  3. On the VPC Border page, click Switchover to select the network instance for which you want to configure a policy.

    image

  4. Click Create Policy. Then, configure the policy parameters based on the following table and click OK.

    Parameter

    Description

    Source Type

    The initiator of the network connection. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    Source

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, you can select an IPv4 or domain address book that you create.

      If you have not created an address book, click Create Address Book to create an IPv4 or domain address book. For more information about address books, see Manage address books.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

    Destination

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port

    Application

    The application type of the traffic. You can select multiple application types.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, or SMTPS for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values:

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy can be used to match traffic only within the validity period.

View the hit details about an access control policy

After your service runs for a period of time, you can view the hit details about an access control policy in the Hits/Last Hit At column in the list of access control policies.

You can click the number of hits to go to the Log Audit page to view traffic logs. For more information, see Log audit.

image.png

Related operations

After you create an access control policy, you can click Modify, Delete, or Copy in the Actions column of the policy. You can also click Move to change the priority of the policy. After you change the priority of the policy, the priorities of access control policies that have lower priorities decrease.

A valid priority value ranges from 1 to the number of existing policies. A smaller value indicates a higher priority. After you change the priority of the policy, the priorities of access control policies that have lower priorities decrease.

Important

After you delete a policy, Cloud Firewall no longer manages traffic on which the policy is originally in effect. Proceed with caution.

References