This topic provides examples on how to configure access control policies for the Internet firewall, a virtual private cloud (VPC) firewall, and an internal firewall.
Configure an access control policy for the Internet firewall
In Cloud Firewall, inbound and outbound traffic is also referred to as north-south traffic and Internet traffic. You can configure access control policies in the Cloud Firewall console to manage north-south traffic. After you create access control policies, Cloud Firewall performs precise access control to ensure network security. For more information about the parameters of an access control policy that you can configure for the Internet firewall, see Create inbound and outbound access control policies for the Internet firewall.
Configure an inbound policy to allow Internet traffic destined for a specified port
For example, you want to create an inbound policy to allow Internet traffic that is destined only for TCP port 80 of an Elastic Compute Service (ECS) instance. The IP address of the ECS instance is 10.1.XX.XX, and the elastic IP address (EIP) is 200.2.XX.XX/32.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Inbound tab, click Create Policy. In the Create Inbound Policy panel, click the Create Policy tab and configure a policy.
Configure a policy to allow Internet traffic from all sources to the ECS instance and click OK.
The following table describes the parameters.
| Parameter | Description | Example |
| --- | --- | --- |
| Source Type | The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type. | IP |
| Source | Note: The value 0.0.0.0/0 specifies all public IP addresses. | 0.0.0.0/0 |
| Destination Type | The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type. | IP |
| Destination | The EIP of the ECS instance. | 200.2.XX.XX/32 |
| Protocol Type | The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY. | TCP |
| Port Type | The port type and port number of the destination. | Port |
| Port | The destination port range. | 80/80 |
| Application | The application type of the traffic. | ANY |
| Action | The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. | Allow |
| Priority | The priority of the access control policy. Default value: Lowest. | Highest |
| Status | Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies. | Enabled |
Configure a policy to deny Internet traffic destined for all ECS instances and click OK.
Configure the Deny policy based on the descriptions for the preceding Allow policy. The following list describes the parameters:
- Destination: Enter 0.0.0.0/0. Note: The value 0.0.0.0/0 specifies the IP addresses of all ECS instances.
- Protocol Type: Select ANY.
- Port: Enter 0/0. Note: The value 0/0 specifies all ports of the ECS instance.
- Application: Select ANY.
- Action: Select Deny.
- Priority: Select Lowest.
After you complete the configurations, make sure that the priority of the Allow policy is higher than that of the Deny policy. Policies are matched in priority order, so if the Deny policy has the higher priority, it matches first and also blocks the traffic destined for TCP port 80.
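The priority rule above can be checked with a small first-match model. The following Python script is an added example and not code from this page or from Cloud Firewall; the EIP and the Internet client address are constructed stand-ins (TEST-NET ranges) for the masked values on the page, and the port notation (80/80, 0/0 for all ports) follows the console parameters described above.

```python
import ipaddress

# Constructed stand-in for the page's masked EIP 200.2.XX.XX/32 (TEST-NET-3 range).
EIP = "203.0.113.10/32"

# The two policies from the procedure above, expressed with the console field names.
ALLOW_HTTP = {"source": "0.0.0.0/0", "destination": EIP, "protocol": "TCP",
              "port": "80/80", "action": "Allow"}
DENY_ALL = {"source": "0.0.0.0/0", "destination": "0.0.0.0/0", "protocol": "ANY",
            "port": "0/0", "action": "Deny"}


def port_range(spec):
    """Parse the console's 'low/high' form; 0/0 means every port."""
    lo, hi = (int(p) for p in spec.split("/"))
    return (1, 65535) if (lo, hi) == (0, 0) else (lo, hi)


def matches(policy, flow):
    """True when a flow (src, dst, proto, dport) meets every condition of the policy."""
    in_src = ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(policy["source"])
    in_dst = ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(policy["destination"])
    proto_ok = policy["protocol"] in ("ANY", flow["proto"])
    lo, hi = port_range(policy["port"])
    return in_src and in_dst and proto_ok and lo <= flow["dport"] <= hi


def evaluate(policies, flow):
    """Walk the policies from highest to lowest priority; the first match decides.
    Returns None when no policy matches, so the caller can see that none applied."""
    for policy in policies:
        if matches(policy, flow):
            return policy["action"]
    return None


def inbound(dport, proto="TCP", src="198.51.100.7"):
    # Constructed Internet client (TEST-NET-2) sending to the ECS instance's EIP.
    return {"src": src, "dst": "203.0.113.10", "proto": proto, "dport": dport}


if __name__ == "__main__":
    ordered = [ALLOW_HTTP, DENY_ALL]    # Allow at Highest priority, Deny at Lowest
    reversed_ = [DENY_ALL, ALLOW_HTTP]  # the ordering the note above warns against
    print(evaluate(ordered, inbound(80)))    # Allow: only TCP 80 reaches the instance
    print(evaluate(ordered, inbound(22)))    # Deny
    print(evaluate(reversed_, inbound(80)))  # Deny: the Deny policy matches first
```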
Configure an access control policy for a VPC firewall
A VPC firewall can monitor and control traffic between two VPCs. The traffic is also referred to as east-west traffic. If you want to manage traffic between two VPCs, you can create an access control policy to deny traffic from suspicious or malicious sources. You can also allow traffic from trusted sources and deny traffic from other sources. For more information about the parameters of an access control policy that you can configure for a VPC firewall, see Create an access control policy for a VPC firewall.
Deny traffic between ECS instances that reside in different VPCs
If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or connected by using an Express Connect circuit, the ECS instances that reside in the VPCs can communicate with each other.
For example, you want to deny access from ECS 1 to ECS 2. ECS 1 resides in VPC 1, and ECS 2 resides in VPC 2. The VPCs are attached to the same CEN instance. The IP address of ECS 1 is 10.33.XX.XX/32, and the IP address of ECS 2 is 10.66.XX.XX/32.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the VPC Border page, click Create Policy.
In the Create Policy - VPC Border dialog box, configure the parameters and click OK.
The following table describes the parameters.
| Parameter | Description | Example |
| --- | --- | --- |
| Source Type | Select the type of the traffic source. | IP |
| Source | Specify the address of the traffic source. | 10.33.XX.XX/32 |
| Destination Type | Select the type of the traffic destination. | IP |
| Destination | Specify the address of the traffic destination. | 10.66.XX.XX/32 |
| Protocol Type | Select the protocol type of the traffic. | TCP |
| Port Type | Select the type of the port. | Port |
| Port | Specify the port ranges on which you want to manage traffic. If you set Port Type to Port, enter a port range. If you set Port Type to Address Book, configure the Port Address Book parameter and click Select. | 0/0 |
| Application | Select the application type of the traffic. | ANY |
| Action | Select the action on the traffic. | Deny |
Configure an access control policy for an internal firewall
An internal firewall can manage inbound and outbound traffic between ECS instances to block unauthorized access. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. For more information about the parameters of an access control policy that you can configure for an internal firewall, see Create an access control policy for an internal firewall between ECS instances.
Allow traffic between ECS instances in the same policy group
If you configure security group rules in the ECS console, ECS instances in the same ECS security group can communicate with each other. This is different from the internal firewalls of Cloud Firewall. By default, a policy group that is created for an internal firewall can contain multiple ECS instances, but the instances cannot communicate with each other.
For example, you want to allow traffic between ECS 1 and ECS 2 that reside in the sg-test policy group. The IP address of ECS 1 is 10.33.XX.XX, and the IP address of ECS 2 is 10.66.XX.XX.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Internal Border page, find the required policy group and click Configure Policy in the Actions column.
On the Inbound tab, click Create Policy.
The following table describes the parameters of an inbound policy.
| Parameter | Description | Example |
| --- | --- | --- |
| Policy Type | Select the type of the policy. | Allow |
| Protocol Type | Select the protocol type of the traffic. | TCP |
| Port Range | Specify the port ranges on which you want to manage traffic. | 0/0 |
| Source Type and Source | Specify the address of the traffic source. If you set Direction to Inbound, you must configure these parameters. You can configure Source based on the value of Source Type. | Source Type: Policy Group; Source: sg-test |
| Destination | Specify the address of the traffic destination. If you set Direction to Inbound, you must configure this parameter. Note: If you want all ECS instances in the policy group to communicate with each other, set Destination to All ECS Instances. If you want specific ECS instances in the policy group to communicate with each other, set Destination to CIDR Block and enter the CIDR blocks of the peer ECS instances. | CIDR Block: 10.66.XX.XX |
Configure an outbound policy. This step is required if you use an advanced security group.
By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.
Configure the outbound policy based on the descriptions for the inbound policy. The following list describes the parameters:
- Source Type: IP
- Source: 10.66.XX.XX
- CIDR Block: 10.33.XX.XX
Allow traffic between ECS instances in different policy groups
For example, you want to allow traffic between ECS 1 and ECS 2 that reside in different policy groups of an internal firewall. The IP address of ECS 1 is 10.33.XX.XX, and the IP address of ECS 2 is 10.66.XX.XX.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Internal Border page, find the policy group in which ECS 1 resides and click Configure Policy in the Actions column.
On the Inbound tab, click Create Policy.
The following table describes the parameters of an inbound policy.
| Parameter | Description | Example |
| --- | --- | --- |
| Policy Type | Select the type of the policy. | Allow |
| Protocol Type | Select the protocol type of the traffic. | TCP |
| Port Range | Specify the port ranges on which you want to manage traffic. | 0/0 |
| Source Type and Source | Specify the address of the traffic source. If you set Direction to Inbound, you must configure these parameters. You can configure Source based on the value of Source Type. | Source Type: IP; Source: 10.66.XX.XX |
| Destination | Specify the address of the traffic destination. If you set Direction to Inbound, you must configure this parameter. Note: If you want the ECS instances in the sg-test2 policy group to access all ECS instances in the sg-test1 policy group, set Destination to All ECS Instances. If you want the ECS instances in the sg-test2 policy group to access specific ECS instances in the sg-test1 policy group, set Destination to CIDR Block and enter the CIDR blocks of the specific ECS instances in the sg-test1 policy group. | CIDR Block: 10.33.XX.XX |
Configure an outbound policy. This step is required if you use an advanced security group.
By default, a basic security group allows outbound traffic. If you use a basic security group, you do not need to configure an outbound policy.
Configure the outbound policy based on the descriptions for the inbound policy. The following list describes the parameters:
- Source Type: IP
- Source: 10.33.XX.XX
- CIDR Block: 10.66.XX.XX
Repeat the preceding steps for the policy group in which ECS 2 resides, so that its inbound and outbound policies allow the traffic of ECS 2 in the same way.
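To show why the outbound policy is needed only for an advanced security group, the following Python model is an added example (not Cloud Firewall code) of the internal firewall procedures above, using the same-policy-group case; the instance addresses, the sg-test membership and the outbound policy for the ECS 1 to ECS 2 direction are constructed, and the defaults (no traffic between members of a policy group, outbound allowed by default only in a basic security group) follow the text above.

```python
import ipaddress

# Constructed stand-ins for the page's masked addresses 10.33.XX.XX (ECS 1) and 10.66.XX.XX (ECS 2).
ECS1, ECS2 = "10.33.0.1", "10.66.0.1"
GROUPS = {"sg-test": {ECS1, ECS2}}  # policy group membership (constructed)

# Inbound policy as on the page: Source Type Policy Group, Source sg-test, CIDR Block of ECS 2.
INBOUND = {"policy_type": "Allow", "protocol": "TCP", "port": "0/0",
           "source_type": "Policy Group", "source": "sg-test", "destination": ECS2}
# Outbound policy for the ECS 1 -> ECS 2 direction (constructed to pair with the inbound policy).
OUTBOUND = {"policy_type": "Allow", "protocol": "TCP", "port": "0/0",
            "source_type": "IP", "source": ECS1, "destination": ECS2}


def end_matches(kind, value, addr, members):
    """Match one end of a flow: a Policy Group name, All ECS Instances, or an IP/CIDR block."""
    if kind == "Policy Group":
        return addr in GROUPS[value]
    if value == "All ECS Instances":
        return addr in members
    return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)


def direction_decision(policies, default, flow, members):
    """The first matching policy of one direction decides; otherwise the default applies."""
    for p in policies:
        lo, hi = (int(x) for x in p["port"].split("/"))
        if (end_matches(p["source_type"], p["source"], flow["src"], members)
                and end_matches("CIDR Block", p["destination"], flow["dst"], members)
                and p["protocol"] in ("ANY", flow["proto"])
                and ((lo, hi) == (0, 0) or lo <= flow["dport"] <= hi)):  # 0/0 = all ports
            return p["policy_type"]
    return default


def flow_permitted(group_kind, inbound, outbound, flow, name="sg-test"):
    """A flow inside one policy group passes only if the sender's outbound policies AND the
    receiver's inbound policies allow it. Members cannot talk by default, and only a basic
    security group allows outbound traffic by default (modelled from the text above)."""
    members = GROUPS[name]
    out_default = "Allow" if group_kind == "basic" else "Deny"
    out = direction_decision(outbound, out_default, flow, members)
    inb = direction_decision(inbound, "Deny", flow, members)
    return out == "Allow" and inb == "Allow"


ECS1_TO_ECS2 = {"src": ECS1, "dst": ECS2, "proto": "TCP", "dport": 22}

if __name__ == "__main__":
    print(flow_permitted("basic", [INBOUND], [], ECS1_TO_ECS2))             # True
    print(flow_permitted("advanced", [INBOUND], [], ECS1_TO_ECS2))          # False: no outbound policy
    print(flow_permitted("advanced", [INBOUND], [OUTBOUND], ECS1_TO_ECS2))  # True
```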