You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This helps reduce the exposures of the Internet-facing assets on the Internet and security risks of business traffic. When you enable the Internet firewall, you do not need to modify the current network topology. You can add resources to the Internet firewall within seconds to implement visualized analysis, attack prevention, access control, and log audit for inbound and outbound Internet traffic.
You can view the video tutorial to quickly learn about how to add assets for protection.
Feature description
Implementation
After you enable the Internet firewall for Internet-facing assets, Cloud Firewall filters inbound and outbound traffic based on traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. Then, the Internet firewall checks whether inbound and outbound traffic matches the specified conditions and blocks unauthorized traffic. This ensures the security of traffic between Internet-facing assets and the Internet.
Inbound and outbound traffic of the following Internet-facing assets can be protected: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Classic Load Balancer (CLB) instances, EIPs of CLB instances, EIPs of Application Load Balancer (ALB) instances, EIPs of Network Load Balancer (NLB) instances, EIPs (including Layer 2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, high-availability virtual IP addresses (HAVIPs), and IP addresses of bastion hosts.
The following figure provides an example.
Impacts
When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove resources from the Internet firewall within seconds without the need to change the current network topology. Your workloads are not affected. We recommend that you enable the Internet firewall during off-peak hours.
Specifications
The specifications of the Internet firewall contain Protected Public IP Addresses and Protected Internet Traffic.
Specification | Description | Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method | Cloud Firewall that uses the pay-as-you-go billing method |
Protected Public IP Addresses | The number of public IP addresses that can be protected by the Internet firewall. | The protection capabilities vary based on the specifications that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see View the protection status of assets. The maximum value of Protected Public IP Addresses varies based on the Cloud Firewall edition. For more information, see Subscription. | You are charged based on the actual number of protected public IP addresses and the total protected peak Internet traffic. The values of the specifications are unlimited. For more information, see Pay-as-you-go. |
Protected Internet Traffic | The total peak Internet traffic that can be protected. The metering metric is the peak inbound or outbound Internet traffic, whichever is higher. |
View the protection status of assets
Cloud Firewall collects statistics such as the number of public IP addresses that are protected, the number of public IP addresses that are not protected, and the protection status of public IP addresses in different regions. You can enable the Internet firewall for public IP addresses based on your business requirements.
To ensure the security of business traffic, we recommend that you enable the Internet firewall for all public IP addresses within your Alibaba Cloud account.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, view the protection status of the public IP addresses within the current Alibaba Cloud account.
Optional. If the Available Quota is insufficient, click Increase Quota to upgrade the Cloud Firewall edition, or increase the values of the Protected Public IP Addresses and Protected Internet Traffic parameters based on your business requirements. For more information, see Subscription.
Enable the Internet firewall
Enable the Internet firewall for public IP addresses with a few clicks
If you do not turn on Automatic Protection for New Assets, you can manually enable the Internet firewall for public IP addresses.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab and enable the Internet firewall for public IP addresses.
If the required public IP address is not displayed in the public IP address list, you can click Synchronize Assets in the upper-right corner of the IP address list to synchronize information about the public IP addresses within the current Alibaba Cloud account and members that are managed by the account. The system requires 1 minute to 2 minutes to synchronize asset information.
Enable the Internet firewall for a single public IP address
In the public IP address list, find the public IP address for which you want to enable the Internet firewall and click Enable Protection in the Actions column.
Enable the Internet firewall for multiple public IP addresses at a time
In the public IP address list, select the public IP addresses for which you want to enable the Internet firewall and click Enable Protection below the list.
Alternatively, click Enable Protection in the statistics section to enable the Internet firewall for all public IP addresses based on the public IP address, region, or asset type.
Turn on Automatic Protection for New Assets
After you turn on Automatic Protection for New Assets, Cloud Firewall automatically enables the Internet firewall for public IP addresses that are newly added to the current Alibaba Cloud account and members that are managed by the account.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, turn on Automatic Protection for New Assets.
What to do next
After you create the Internet firewall, you can manage the traffic between your Internet-facing assets and the Internet in a more efficient manner. For example, you can configure access control policies for the Internet firewall and view the access logs of Internet-facing assets.
Configure access control policies
If you do not configure an access control policy, Cloud Firewall automatically allows all traffic. You can configure access control policies for the Internet firewall to manage traffic between Internet-facing assets and the Internet in a fine-grained manner. To configure an access control policy, perform the following operations:
On the Internet Firewall tab of the page, find the Internet-facing asset that you want to manage, click Configure Policy in the Actions column, and then select Inbound or Outbound. For more information, see Create access control policies for the Internet firewall.
Query audit logs
On the page, click the tab, and then specify query conditions to view the access logs of Internet-facing assets and the Internet. For more information, see Log audit.
View traffic analysis results
On the page, view information about the outbound connections from your assets to the Internet. The information includes the trace information about outbound traffic, destination addresses that can be accessed on the Internet, and outbound connections of Internet-facing and internal-facing assets. This helps identify suspicious assets and ensure business security. For more information, see Outbound Connection.
On the page, view information about traffic from the Internet to your assets. The information includes the trace information about unusual inbound traffic, and the numbers of open public IP addresses, open ports, open applications, and public IP addresses of cloud services. This helps identify suspicious assets and ensure business security. For more information, see Internet Exposure.
View the attack prevention data
On the Internet Firewall tab of the page, find the Internet-facing asset that you want to manage, click View Attacks in the Actions column, and then click Inbound or Outbound. For more information, see Intrusion prevention.
View the specification usage of the Internet firewall
In the left-side navigation pane, click Overview. On the Overview page, click Purchased Specification Usage in the upper-right corner to view the usage of the specifications for the Internet firewall. The specifications are Protected Internet Traffic, Recent Peak Traffic, and Protected Public IP Addresses.
More operations
Apply default Allow policies
The Internet firewall protects Internet traffic. Make sure that traffic between the protected Internet-facing assets and the Internet is allowed. For more information, see the official documentation of the Internet-facing assets.
When you protect public IP addresses or EIPs of ECS instances, you can apply the default Allow policies to a security group with a few clicks in the Cloud Firewall console. You do not need to modify the security group rules in the ECS console.
How it works
Cloud Firewall applies 4 access control policies with the lowest priority to the security groups of an ECS instance that has a public IP address. The policies allow traffic from the Internet to the public IP address. The access control policies are considered security group rules. The lowest priority is 100.
For rules that have the same priority, the ECS security group preferentially uses a Deny rule to match traffic. If you configured a Deny rule that has a priority of 100, the default Allow policies that are added by Cloud Firewall do not affect the Deny rule.
Precautions
The default Allows policies that are applied take effect on all resources that are added to the security group. Before you apply the default Allows policies, we recommend that you enable firewalls for all resources that are added to the security group, and properly configure inbound access control policies for the Internet firewall. Otherwise, your assets may be exposed on the Internet.
We recommend that you do not apply the default Allow policies to resources for which firewalls are disabled, and do not disable firewalls for resources to which the default Allows policies are applied.
After Cloud Firewall expires, the four default Allow policies that are added by Cloud Firewall are retained in the security groups and are valid. If you no longer use Cloud Firewall, we recommend that you manually delete the four default Allow policies that are added by Cloud Firewall. For more information, see Delete a security group rule.
Limits
The default Allow policies for security groups allow only inbound traffic to the public IP address and EIP of an ECS instance.
Advanced security groups do not support default Allow policies.
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab.
In the public IP address list, find the IP address of the ECS instance to which you want to apply the default Allow policies and click Apply in the Default Allow Policies column.
Optional. If the existing rules of the security group conflict with the default Allow policies, adjust the rules.
The conflicts can be resolved: The priorities of the existing rules are the same as the priorities of the default Allow policies, and the protocol types, port ranges, and authorization objects are different.
To increase the priorities of the existing rules, you need to only click Quick Modify and then click OK in the Default Allow Policies dialog box.
The conflicts cannot be resolved: The priorities, protocol types, port ranges, and authorization objects of the existing rules are the same as those of the default Allow policies.
We recommend that you go to the Security Groups page in the ECS console to view and adjust the priorities of the existing rules. For more information, see Modify a security group rule. You can also submit a ticket to obtain technical support.
In the Actions column of a security group, click Quick Apply to view the four default Allow policies, and click OK.
If an ECS instance is added to multiple security groups, you must apply the default Allow policies to all the security groups before the policies can take effect.
After you apply the default Allow policies, you can go to the tab to check whether the policies are applied to the security groups of your ECS instances. If the policies fail to be applied, troubleshoot the failure at the earliest opportunity.
The default Allow policies can be in one of the following states:
Applied: The policies are applied to all security groups of an ECS instance.
Not Applied: The policies are applied only to specific security groups of the ECS instance, the policies are not applied to a security group of the ECS instance, or conflicts among security group rules exist.
-: This type of asset does not support default Allow policies.
Download a list of public IP addresses
You can download information about public IP addresses as a CSV file to your computer.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab.
In the upper-right corner of the public IP address list, click the
icon. In the upper-right corner of the Internet Firewall tab, click Download Task Management to view the progress of the download task. After the download task is complete, click Download in the Actions column.