All Products
Search
Document Center

Cloud Firewall:Overview of access control policies

更新時間:Nov 28, 2024

By default, if you do not configure an access control policy after you enable a firewall, Cloud Firewall allows all traffic. You can configure Allow or Deny policies for different types of firewalls based on your business requirements to better control unauthorized access to your assets. This topic describes access control policies of Cloud Firewall, including how access control policies work and the billing rules.

Feature description

Cloud Firewall allows you to configure access control policies for the Internet firewall, NAT firewalls, virtual private cloud (VPC) firewalls, and internal firewalls to block unauthorized access and implement multi-directional isolation and control on traffic. The access control policies that are described in this topic apply only to the Internet firewall, NAT firewalls, and VPC firewalls.

Note

For more information about how to configure an access control policy for an internal firewall, see Create an access control policy for an internal firewall.

Items in access control policies

You can specify different items in access control policies to allow or deny related traffic.

Item

Description

Type

Supported type by policy

Source

The initiator of the network connection.

  • IP address: The access control policy controls traffic to specific CIDR blocks.

  • IP address book: The access control policy controls traffic to specific CIDR blocks that are added to an IP address book.

  • Region: The access control policy controls traffic to specific geographic locations.

  • Access control policies for the Internet firewall, NAT firewalls, and VPC firewalls: IP address and IP address book.

  • Access control policies for internal firewalls: IP address, IP address book, and region.

Destination

The receiver of the network connection.

IP address, IP address book, domain name, and region.

  • IP address: The access control policy controls traffic from specific CIDR blocks.

  • IP address book: The access control policy controls traffic from specific CIDR blocks that are added to an IP address book.

  • Domain name: The access control policy controls traffic from specific domain names.

  • Region: The access control policy controls traffic from specific geographic locations.

  • Outbound access control policies for the Internet firewall and NAT firewalls: IP address, IP address book, domain name, and region.

  • Access control policies for VPC firewalls: IP address, IP address book, and domain name.

  • Inbound access control policies for the Internet firewall: IP address and IP address book.

Protocol type

The transport layer protocol.

TCP, UDP, ICMP, and ANY.

If you do not know the protocol for the policy, select ANY. The value ANY specifies all protocol types.

The types are supported by all access control policies for firewalls.

Port

The destination port.

The access control policy controls traffic that passes through specific ports. The types are port and address book.

The types supported by access control policies for firewalls vary based on the specified protocol types.

Application

The application layer protocol.

The types include HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP.

If you do not know the application type, select ANY. The value ANY specifies all application types.

Note

Cloud Firewall identifies the application of traffic whose application is SSL or TLS from port 443 as HTTPS, and traffic whose application is SSL or TLS from other ports as SSL.

The types supported by access control policies vary based on the selected protocol types. Up to five protocol types can be selected at the same time.

Implementation

By default, if no access control policy is configured, Cloud Firewall allows all traffic during the matching process of access control policies.

After you configure an access control policy, Cloud Firewall splits the policy into one or more matching rules based on specific logic and sends the policy to an engine. When traffic passes through Cloud Firewall, Cloud Firewall matches traffic packets in sequence based on the priorities of the configured access control policies. If a traffic packet hits a policy, the action that is specified in the policy is performed, and the subsequent policies are not matched. Otherwise, the system continues to match the traffic packet against the policy that has a lower priority until a policy is hit or all configured policies are matched. By default, if traffic does not hit a policy after all configured policies are matched, the traffic is allowed.

Important
  • After you create, modify, or delete an access control policy, Cloud Firewall requires approximately 3 minutes to send the policy to the engine.

  • A small priority value indicates a higher priority. To ensure that the capabilities of access control can be maximized, we recommend that you specify high priorities for frequently matched policies and refined policies.

The following figure shows how an access control policy works.

image

Policy actions

The following actions are supported in access control policies: Allow, Monitor, and Deny. When the elements of traffic packets match an access control policy, Cloud Firewall performs the action specified in the policy.

If the action of a policy is set to Monitor, traffic is allowed when the policy is hit. You can observe traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

Note

You can view the traffic data on the Traffic Logs page. For more information, see Log audit.

Quota consumed by access control policies

After you configure an access control policy, Cloud Firewall calculates the quota that is consumed by the policy based on the numbers of items that are specified in the policy, such as source addresses, destination addresses, protocol types, ports, and applications.

Calculation method

The quotas that are consumed by access control policies are calculated by using the following formulas:

  • Quota consumed by an access control policy = Number of source addresses (number of CIDR blocks or regions) × Number of destination addresses (number of CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.

    Important

    You can configure access control policies whose destination type is domain name for the Internet firewall, VPC firewalls, and NAT firewalls. The quota consumed by such access control policies in which the domain name identification mode is set to DNS-based dynamic resolution or set to FQDN and DNS-based dynamic resolution is calculated by tier on each firewall boundary.

    If the total quota consumed by such access control policies on a firewall boundary is less than or equal to 200, the actual consumed quota is the total quota. If the total quota consumed by such access control policies on a firewall boundary is greater than 200, the actual consumed quota is calculated based on the following formula: Actual consumed quota = 200 + (Excess quota × 10).

    For example, you configured an access control policy on the Internet boundary. The destination address of the policy is aliyun.com, the domain name identification mode of the policy is DNS-based dynamic resolution, and the quota that is consumed by the policy is 185. In this case, if you want to create an access control policy whose domain name identification mode is DNS-based dynamic resolution and the quota that is consumed by the policy is 16, the total quota consumed by the two policies is calculated based on the following formula: 200 + (185 + 16 - 200) × 10 = 210.

    You can view the quota that is consumed by an access control policy in the Consumed Quota column of the policy in the access control policy list.

    image.png

  • Total quota consumed by access control policies = Quota consumed by outbound access control policies + Quota consumed by inbound access control policies.

    You can view the total quota that is consumed by the access control policies for a type of firewall in the upper part of the page of the firewall. The following figure shows the quota that is consumed by access control policies that are created for the Internet firewall.

    image.png

Billing

  • By default, the basic price of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method covers a specific quota for access control policies. If the specific quota cannot meet your business requirements, you can purchase an additional quota.

    The additional quota on access control policies can be used for access control policies for the Internet firewall, NAT firewalls, and VPC firewalls. For more information, see Subscription.

  • Cloud Firewall that uses the pay-as-you-go billing method allows you to create a maximum of 2,000 access control policies for the Internet firewall, 2,000 access control policies for NAT firewalls, and 10,000 access control policies for VPC firewalls. The numbers cannot be increased. For more information, see Pay-as-you-go.

Examples on how to calculate the quota consumed by access control policies

Example

Policy configuration

Quota consumed by a policy

Example 1

  • Source: 19.16.XX.XX/32, 17.6.XX.XX/32

  • Destination: www.aliyun.com

  • Protocol type: TCP

  • Port: 80/88, 443/443

  • Application: HTTP, HTTPS

Quota that is consumed by the policy is calculated by using the following formula: Number of source CIDR blocks × Number of destination domain names × Number of port ranges × Number of applications = 2 × 1 × 2 × 2 = 8.

Example 2

  • Source: Beijing, Zhejiang

  • Destination: 19.18.XX.XX/32

  • Protocol type: TCP

  • Port: 80/80

  • Application: HTTP

Quota that is consumed by the policy is calculated by using the following formula: Number of source regions × Number of destination CIDR blocks × Number of port ranges × Number of applications = 2 × 1 × 1 × 1 = 2.

References