Cloud Firewall allows you to centrally manage east-west traffic between Elastic Compute Service (ECS) instances and north-south traffic between the Internet and ECS instances to prevent unauthorized access to ECS instances. The access control policies that you configure and publish for an internal firewall in Cloud Firewall are synchronized to ECS security groups. This topic describes how to configure access control policies for an internal firewall in the Cloud Firewall console.
Prerequisites
An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Sign up to Alibaba Cloud page.
Cloud Firewall is authorized to access cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.
Cloud Firewall Enterprise Edition or Ultimate Edition is used. For more information, see Subscription.
Background information
Cloud Firewall provides various features, such as a switch that allows you to quickly enable or disable firewalls, intrusion detection, outbound connection blocking, traffic analysis, and logging. Cloud Firewall provides firewalls as a service, including internal firewalls, Internet firewalls, and virtual private cloud (VPC) firewalls. For more information, see What is Cloud Firewall? and Terms.
Internal firewalls are used to control east-west traffic between ECS instances and use ECS security group capabilities at the underlying layer. To control east-west traffic between ECS instances, you can create policy groups for internal firewalls in the Cloud Firewall console or configure security group rules in security groups in the ECS console. The configurations of Cloud Firewall and ECS security groups are automatically synchronized. You can also configure application groups to view the access relationships between ECS instances, and then optimize the policies that control network communication between the instances based on the access status.
Internet firewalls are used to control north-south traffic between the Internet and ECS instances. You can create inbound or outbound access control policies for Internet firewalls based on your business requirements to improve security posture on top of intrusion prevention. For more information, see Outbound Connection and Overview of access control policies.
We recommend that you use Cloud Firewall in the following scenarios:
Domain name-based access control
Application-based access control
Automatic interception of outbound connections initiated by victim hosts
Scenarios in which access logs within the previous six months are required based on the Multi-Level Protection Scheme (MLPS) requirements
Configure an internal firewall
Security groups are distributed virtual internal firewalls provided by ECS that allow you to monitor port status, filter packets, and control network access between ECS instances. A security group contains ECS instances that reside in the same region, have the same security requirements, and trust each other. When you create an ECS instance, you must specify security groups for the instance. Each ECS instance must be added to at least one security group.
Internal firewalls use the security group feature at the underlying layer. You can configure policies on the Prevention Configuration > Access Control > Internal Border page in the Cloud Firewall console or configure security groups in the ECS console. The configurations in the consoles are automatically synchronized.
Perform the following steps to configure an internal firewall:
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Prevention Configuration > Access Control > Internal Border.
Create a policy group.
On the Internal Border page, click Create Policy Group.
In the Create Policy Group dialog box, configure the parameters. The following list describes the parameters.
Policy Group Type
  Select a type for the policy group. Valid values: Common Policy Group, Enterprise Policy Group.
Policy Group Name
  Enter a name for the policy group. We recommend that you enter an informative name for easy identification.
VPC
  Select a VPC to which you want to apply the policy group from the VPC drop-down list. A policy group can be applied to only one VPC.
Instance ID
  Select one or more ECS instances to which you want to apply the policy group from the Instance ID drop-down list.
  Note: The Instance ID drop-down list contains only ECS instances within the selected VPC.
Description
  Enter a description for the policy group.
Template
  Select a template that you want to use from the Template drop-down list. Valid values:
  default-accept-login: allows inbound traffic destined for TCP ports 22 and 3389 and all outbound traffic.
  default-accept-all: allows all inbound and outbound traffic.
  default-drop-all: denies all inbound and outbound traffic.
  Note: Enterprise policy groups do not support the default-drop-all template.
Create a policy in the policy group.
On the Internal Border page, find the policy group that you want to manage. In the Actions column, click Configure Policy.
On the Inbound or Outbound tab, click Create Policy.
In the Create Policy dialog box, configure the parameters. The following list describes the parameters.
NIC Type
  The default value is Internal Network. This value specifies that the policy controls the inbound and outbound traffic of ECS instances.
Direction
  The direction of traffic to which you want to apply the policy. Valid values:
  Inbound: traffic from other ECS instances to the ECS instances specified in the policy group.
  Outbound: traffic from the ECS instances specified in the policy group to other ECS instances.
Policy Type
  The type of the policy. Valid values:
  Allow: allows the traffic that hits the policy.
  Deny: denies the traffic that hits the policy. If the traffic is denied, data packets are discarded without responses. If two policies have the same configurations but different policy types, the policy whose type is Deny takes effect.
  Note: Enterprise policy groups do not support the Deny policy type.
Protocol Type
  The protocol type of traffic to which you want to apply the policy. If you select ANY, the policy is applied to all traffic. If you do not know the protocol type, select ANY.
Port Range
  The destination port range of traffic to which you want to apply the policy. If you enter a port range, the policy takes effect on all ports within the range. For example, if you enter 1/200, the policy takes effect on ports 1 to 200. If you enter a single port, the policy takes effect only on that port. For example, if you enter 80/80, the policy takes effect on port 80.
Priority
  The priority of the policy. The priority must be an integer within the range of 1 to 100. A smaller value indicates a higher priority. Different policies can have the same priority. If an Allow policy and a Deny policy have the same priority, the Deny policy takes precedence.
Source Type and Source
  The source of traffic. If you set Direction to Inbound, you must configure these parameters. You configure Source based on the value of Source Type. Valid source types:
  CIDR Block: you must enter a source CIDR block in Source. You can enter only one CIDR block.
  Policy Group: you must select a policy group from the Source drop-down list as the traffic source. Traffic from all ECS instances in the policy group is managed.
  Note: Enterprise policy groups do not support the Policy Group type.
  Prefix List: you must select a prefix list from the Source drop-down list. Cloud Firewall then controls the traffic of all ECS instances in the security groups with which the prefix list is associated. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.
Destination
  The destination of traffic. If you set Direction to Inbound, you must configure this parameter. Valid values:
  All ECS Instances: all ECS instances specified in the current policy group.
  CIDR Block: you must enter a CIDR block. The ECS instances that correspond to the CIDR block are the destination of traffic. Cloud Firewall controls only the inbound traffic of ECS instances that correspond to the CIDR block.
Select Source
  The type of the traffic source. If you set Direction to Outbound, you must configure this parameter. Valid values:
  All ECS Instances: all ECS instances specified in the current policy group.
  CIDR Block: you must enter a source IP address or CIDR block. The ECS instances that correspond to the IP address or CIDR block are the source of traffic.
Destination Type and Destination
  The type of the traffic destination and the destination addresses. If you set Direction to Outbound, you must configure these parameters. Valid destination types:
  CIDR Block: you must enter a destination CIDR block. You can enter only one CIDR block.
  Policy Group: you must select a policy group. Traffic destined for all ECS instances in the policy group is managed.
  Note: Enterprise policy groups do not support the Policy Group type.
  Prefix List: you must select a prefix list from the Destination drop-down list. Traffic of all ECS instances in the security groups with which the prefix list is associated is managed. For more information about prefix lists, see Use prefix lists to simplify management of security group rules.
Description
  The description of the policy.
Click Submit.
Wait until the policy is created. Then, you can view the policy in the policy list of the internal firewall.
Publish the policy.
On the Internal Border page, find the policy group of the policy that you want to publish. In the Actions column, click Publish.
In the Publish Policy dialog box, configure Update Remarks, confirm policy changes, and then click OK.
The policies are synchronized to ECS security groups and take effect only after you publish the policies. You can log on to the ECS console and choose
to view the policies that you published in the Cloud Firewall console. The default name of the policy group created by Cloud Firewall in the ECS console is Cloud_Firewall_Security_Group.
After the internal firewall is configured, the firewall controls access between ECS instances.
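The following script is an added example and is not Cloud Firewall or ECS code. It models how the policies in a policy group decide one flow, using the semantics this topic states: Direction, Policy Type (Allow or Deny), Protocol Type (ANY or a named protocol), Port Range in the "from/to" form (1/200 covers ports 1 to 200, 80/80 covers only port 80), source or destination CIDR blocks, and Priority from 1 to 100 where a smaller value wins and a Deny beats an Allow of equal priority. The three templates named above are written out as policy lists so the same evaluator can be used to check what default-accept-login, default-accept-all and default-drop-all admit. The peer CIDR 0.0.0.0/0 and priority 100 used for the templates, the "-1/-1" spelling for "all ports", and the rule that a flow hitting no policy is denied (the default behaviour of the underlying security groups) are assumptions of this example, not statements from the topic.

```python
# Added example (not Cloud Firewall or ECS code): a small model of how the
# policies in an internal-firewall policy group are evaluated for one flow.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def parse_port_range(text):
    """Parse the console's "from/to" Port Range syntax into an inclusive tuple.

    "1/200" covers ports 1 to 200, "80/80" covers port 80 only. "-1/-1" means
    "all ports" here (assumption: how this example encodes the port-less case
    for ANY and ICMP).
    """
    lo_s, hi_s = text.split("/")
    lo, hi = int(lo_s), int(hi_s)
    if (lo, hi) == (-1, -1):
        return lo, hi
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return lo, hi


@dataclass(frozen=True)
class Policy:
    direction: str   # "Inbound" or "Outbound"
    action: str      # Policy Type: "Allow" or "Deny"
    protocol: str    # Protocol Type: "TCP", "UDP", "ICMP" or "ANY"
    port_range: str  # Port Range in "from/to" form
    peer_cidr: str   # source CIDR (Inbound) or destination CIDR (Outbound)
    priority: int    # 1..100; a smaller value is a higher priority

    def __post_init__(self):
        if self.direction not in ("Inbound", "Outbound"):
            raise ValueError("Direction must be Inbound or Outbound")
        if self.action not in ("Allow", "Deny"):
            raise ValueError("Policy Type must be Allow or Deny")
        if not 1 <= self.priority <= 100:
            raise ValueError("Priority must be an integer from 1 to 100")
        parse_port_range(self.port_range)            # reject malformed ranges early
        ip_network(self.peer_cidr, strict=False)     # reject malformed CIDRs early


def policy_matches(policy, direction, protocol, port, peer_ip):
    """True if one flow (direction, protocol, port, peer address) hits the policy."""
    if policy.direction != direction:
        return False
    if policy.protocol != "ANY" and policy.protocol != protocol:
        return False
    lo, hi = parse_port_range(policy.port_range)
    if lo != -1 and (port is None or not lo <= port <= hi):
        return False
    return ip_address(peer_ip) in ip_network(policy.peer_cidr, strict=False)


def evaluate(policies, direction, protocol, port, peer_ip):
    """Return "Allow" or "Deny" for one flow against a policy group.

    The hit with the highest priority (smallest Priority value) decides; when
    an Allow and a Deny hit at the same priority, Deny takes precedence. A flow
    that hits no policy is denied (assumption: security-group default deny).
    """
    hits = [p for p in policies
            if policy_matches(p, direction, protocol, port, peer_ip)]
    if not hits:
        return "Deny"
    winner = min(hits, key=lambda p: (p.priority, 0 if p.action == "Deny" else 1))
    return winner.action


ANY_PEER = "0.0.0.0/0"   # assumption: the templates apply to every peer address

# The three templates named in the topic, written as policies. The peer CIDR
# and priority values are assumptions; the topic only states what each allows.
TEMPLATES = {
    "default-accept-login": [
        Policy("Inbound", "Allow", "TCP", "22/22", ANY_PEER, 100),
        Policy("Inbound", "Allow", "TCP", "3389/3389", ANY_PEER, 100),
        Policy("Outbound", "Allow", "ANY", "-1/-1", ANY_PEER, 100),
    ],
    "default-accept-all": [
        Policy("Inbound", "Allow", "ANY", "-1/-1", ANY_PEER, 100),
        Policy("Outbound", "Allow", "ANY", "-1/-1", ANY_PEER, 100),
    ],
    "default-drop-all": [
        Policy("Inbound", "Deny", "ANY", "-1/-1", ANY_PEER, 100),
        Policy("Outbound", "Deny", "ANY", "-1/-1", ANY_PEER, 100),
    ],
}

# A constructed custom group: a broad Allow and a narrower Deny at the same
# priority (Deny wins on port 80), plus a higher-priority Allow on 443 that
# overrides a lower-priority Deny on the same port.
CUSTOM_GROUP = [
    Policy("Inbound", "Allow", "TCP", "1/200", "10.0.0.0/8", 10),
    Policy("Inbound", "Deny", "TCP", "80/80", "10.0.0.0/8", 10),
    Policy("Inbound", "Allow", "TCP", "443/443", "10.0.0.0/8", 1),
    Policy("Inbound", "Deny", "TCP", "443/443", "10.0.0.0/8", 50),
]

if __name__ == "__main__":
    for name, group in TEMPLATES.items():
        print(name, "inbound TCP/22 from 10.0.1.5 ->",
              evaluate(group, "Inbound", "TCP", 22, "10.0.1.5"))
    print("custom inbound TCP/80 from 10.2.3.4 ->",
          evaluate(CUSTOM_GROUP, "Inbound", "TCP", 80, "10.2.3.4"))
```

Running the script shows that default-accept-login admits inbound TCP/22 and TCP/3389 but nothing else inbound, that default-drop-all denies everything, and that in CUSTOM_GROUP the equal-priority Deny on port 80 wins over the 1/200 Allow while the priority-1 Allow on 443 wins over the priority-50 Deny. The same model is useful when reviewing a published group for policies that are shadowed by a higher-priority rule.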