This topic describes how to configure access control policies in scenarios in which Cloud Firewall is deployed together with Bastionhost to prevent the access traffic of your bastion host from being blocked by Cloud Firewall. If the access traffic is blocked, your business cannot run as expected.
Scenarios
You can deploy Cloud Firewall together with Bastionhost to protect traffic from the Internet and ensure the security of your business. If you deploy Cloud Firewall together with Bastionhost, the access traffic of your bastion host may be blocked by Cloud Firewall. As a result, the bastion host cannot access the Internet as expected. Therefore, you must configure access control policies for the Internet firewall in Cloud Firewall to ensure that the firewall protects the traffic between the bastion host and the Internet and does not affect the business of the bastion host.
The following figure shows how Cloud Firewall provides security protection for a bastion host.
If you do not configure access control policies based on the following procedures, the following issues may occur: The service ports of the bastion host become inaccessible, assets and users cannot be imported, web page-based O&M cannot be performed, and videos cannot be played.
Prerequisites
Cloud Firewall is purchased. For more information, see Purchase Cloud Firewall.
A bastion host is purchased and enabled. For more information, see Purchase a bastion host and Enable a bastion host.
Step 1: Configure a policy to allow inbound traffic
Configure an inbound policy for the Internet firewall to allow Internet access to the open ports of the bastion host.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Inbound tab, click Create Policy.
In the Create Inbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the Internet. For more information, see Parameters of an inbound policy. Then, click OK.
Parameter
Description
Source Type
Select IP.
Source
Enter the public CIDR blocks that are allowed to access the bastion host.
Destination Type
Select IP.
Destination
Enter the IP address to which the O&M address of the bastion host is resolved.
NoteTo view the IP address of the bastion host, go to the Internet Border page and set Asset Type as the filter condition. You do not need to log on to the Bastionhost console.
Protocol Type
Select TCP.
Port Type
Select the port type. Valid values: Port and Address Book.
If you want to enable multiple ports of the bastion host, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.
NoteYou can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.
Port
If you set Port Type to Port, you must configure this parameter. The following list describes the commonly used services and ports of a bastion host. You can specify ports based on your business requirements.
SSH-based O&M: port 60022
RDP-based O&M: port 63389
Video playback: port 9443
Host O&M and O&M portal: port 443
Application
Select ANY.
Action
Select Allow, which indicates that the specified CIDR blocks are allowed to access the open ports of the bastion host.
Description
The description of the policy. Enter a description that can help identify the policy.
Priority
Select Highest.
Status
Turn on the switch, which indicates that the policy is enabled after it is created.
Create another policy to deny access to the bastion host from all public IP addresses.
Configure the parameters based on Parameters of an outbound policy. Set Source to 0.0.0.0/0 and Priority to Lowest.
Step 2: Configure a policy to allow outbound traffic
The bastion host needs to access cloud services over the Internet. Therefore, you must configure an outbound policy for the Internet firewall to allow the bastion host to access the Internet.
On the Outbound tab, click Create Policy.
In the Create Outbound Policy panel, click the Create Policy tab, and configure the parameters to create a policy that allows access from the bastion host. For more information, see Parameters of an outbound policy. Then, click OK.
Parameter
Description
Source Type
Select IP.
Source
Enter the egress IP addresses of the bastion host.
Destination Type
Select Address Book. In the Select Address Book panel, select Cloud Service Address Book and search for Alibaba credible domains.
Protocol Type
Select TCP.
Port Type
Select the port type. Valid values: Port and Address Book.
If you want to enable multiple ports of a cloud service, you can create an address book that contains the ports in advance. This way, you can select the address book when you configure the Port Type parameter.
NoteYou can add multiple IP addresses or ports to an address book for batch operations, which simplifies your configuration. If you want to enable only one port, you do not need to create an address book.
Port
If you set Port Type to Port, you must specify the following ports of your bastion host: 443 and 80.
Application
Select HTTP and HTTPS.
Action
Select Allow, which indicates that the open ports of your bastion host are allowed to access the endpoints of cloud services.
Description
Enter a description that can help identify the policy.
Priority
Select Highest.
Status
Turn on the switch, which indicates that the policy is enabled after it is created.
Create a policy to deny access to the Internet from all addresses of the bastion host.
Configure the parameters based on Parameters of an outbound policy. Set Source to 0.0.0.0/0 and Priority to Lowest.
Step 3: Enable the Internet firewall for the bastion host
After the policies are configured, you must enable the Internet firewall for the bastion host.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, find the IP address of the bastion host and click Enable Protection in the Actions column.
NoteIf your bastion host is newly purchased, the information about the bastion host is synchronized to Cloud Firewall after approximately 15 to 30 minutes.
After you complete the preceding configurations, the bastion host is protected by Cloud Firewall, and the workload of the bastion host is not affected by Cloud Firewall. You can log on to the bastion host to import assets and users for O&M and audit.
Step 4: Verify whether the configurations take effect
If you can access the service ports of the bastion host, import assets and users, perform web page-based O&M, and play videos, the configurations take effect. You can go to the Traffic Logs tab on the Log Audit page of the Cloud Firewall console to view the logs of traffic between the bastion host and the Internet. For more information, see Traffic logs.