You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This reduces the exposure of your Internet-facing assets to the Internet and the security risks to business traffic. When you enable the Internet firewall, you do not need to modify the current network topology. You can add resources to the Internet firewall within seconds to implement visualized analysis, attack prevention, access control, and log audit for inbound and outbound Internet traffic.
You can view the video tutorial to quickly learn about how to add assets for protection.
Feature description
Implementation
After you enable the Internet firewall for Internet-facing assets, Cloud Firewall filters inbound and outbound traffic based on traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. Then, the Internet firewall checks whether inbound and outbound traffic matches the specified conditions and blocks unauthorized traffic. This ensures the security of traffic between Internet-facing assets and the Internet.
Inbound and outbound traffic of the following Internet-facing assets can be protected: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Classic Load Balancer (CLB) instances, EIPs of CLB instances, EIPs of Application Load Balancer (ALB) instances, EIPs of Network Load Balancer (NLB) instances, EIPs (including Layer 2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, EIPs that are associated with high-availability virtual IP addresses (HAVIPs), EIPs of Global Accelerator (GA) instances, and IP addresses of bastion hosts.
The following limits are imposed on EIPs of GA instances:
The GA instance to which the accelerated IP addresses belong must be a standard GA instance.
The accelerated IP addresses must be of the EIP type.
The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).
To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.
The following figure provides an example.
Impacts
When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove resources from the Internet firewall within seconds without the need to change the current network topology. Your workloads are not affected. We recommend that you enable the Internet firewall during off-peak hours.
Specifications
The specifications of the Internet firewall are Protected Public IP Addresses and Protected Internet Traffic.
Specification | Description | Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method | Cloud Firewall that uses the pay-as-you-go billing method |
Protected Public IP Addresses | The number of public IP addresses that can be protected by the Internet firewall. | The protection capabilities vary based on the specifications that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see View the protection status of assets. The maximum value of Protected Public IP Addresses varies based on the Cloud Firewall edition. For more information, see Subscription. | You are charged based on the actual number of protected public IP addresses and the total protected peak Internet traffic. The values of the specifications are unlimited. For more information, see Pay-as-you-go. |
Protected Internet Traffic | The total peak Internet traffic that can be protected. The metering metric is the peak inbound or outbound Internet traffic, whichever is higher. | Same as the row above. | Same as the row above. |
View the protection status of assets
Enable the Internet firewall
Enable the Internet firewall for public IP addresses with a few clicks
If you do not turn on Automatic Protection for New Assets, you can manually enable the Internet firewall for public IP addresses.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab and enable the Internet firewall for public IP addresses.
If the required public IP address is not displayed in the public IP address list, click Synchronize Assets in the upper-right corner of the list to synchronize information about the public IP addresses within the current Alibaba Cloud account and the members that are managed by the account. The system requires 1 to 2 minutes to synchronize asset information.
Enable the Internet firewall for a single public IP address
In the public IP address list, find the public IP address for which you want to enable the Internet firewall and click Enable Protection in the Actions column.
Enable the Internet firewall for multiple public IP addresses at a time
In the public IP address list, select the public IP addresses for which you want to enable the Internet firewall and click Enable Protection below the list.
Alternatively, click Enable Protection in the statistics section to enable the Internet firewall for all public IP addresses based on the public IP address, region, or asset type.
Turn on Automatic Protection for New Assets
After you turn on Automatic Protection for New Assets, Cloud Firewall automatically enables the Internet firewall for public IP addresses that are newly added to the current Alibaba Cloud account and members that are managed by the account.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, turn on Automatic Protection for New Assets.
What to do next
After you create the Internet firewall, you can manage the traffic between your Internet-facing assets and the Internet in a more efficient manner. For example, you can configure access control policies for the Internet firewall and view the access logs of Internet-facing assets.
Configure access control policies
If you do not configure an access control policy, Cloud Firewall automatically allows all traffic. You can configure access control policies for the Internet firewall to manage traffic between Internet-facing assets and the Internet in a fine-grained manner. To configure an access control policy, perform the following operations:
On the Internet Firewall tab of the Firewall Settings page, find the Internet-facing asset that you want to manage, click Configure Policy in the Actions column, and then select Inbound or Outbound. For more information, see Create access control policies for the Internet firewall.
Query audit logs
On the Log Audit page, click the Traffic Logs tab, click the Internet Border tab, and then specify query conditions to view the access logs of traffic between Internet-facing assets and the Internet. For more information, see Log audit.
View traffic analysis results
On the Outbound Connection page, view information about the outbound connections from your assets to the Internet. The information includes the trace information about outbound traffic, the destination addresses that can be accessed on the Internet, and the outbound connections of Internet-facing and internal-facing assets. This helps you identify suspicious assets and ensure business security. For more information, see Outbound connection.
On the Internet Exposure page, view information about traffic from the Internet to your assets. The information includes the trace information about unusual inbound traffic, and the numbers of open public IP addresses, open ports, open applications, and public IP addresses of cloud services. This helps you identify suspicious assets and ensure business security. For more information, see Internet exposure.
View the attack prevention data
On the Internet Firewall tab of the Firewall Settings page, find the Internet-facing asset that you want to manage, click View Attacks in the Actions column, and then click Inbound or Outbound. For more information, see Intrusion prevention.
View the specification usage of the Internet firewall
In the left-side navigation pane, click Overview. On the Overview page, click Purchased Specification Usage in the upper-right corner to view the usage of the specifications for the Internet firewall. The specifications are Protected Internet Traffic, Recent Peak Traffic, and Protected Public IP Addresses.