You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This reduces the exposure of Internet-facing assets on the Internet and the security risks to business traffic. When you enable the Internet firewall, you do not need to modify the current network topology. You can add resources to the Internet firewall within seconds to implement visualized analysis, attack prevention, access control, and log audit for inbound and outbound Internet traffic.
You can view the video tutorial to quickly learn about how to add assets for protection.
Feature description
Implementation
After you enable the Internet firewall for Internet-facing assets, Cloud Firewall filters inbound and outbound traffic based on traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. Then, the Internet firewall checks whether inbound and outbound traffic matches the specified conditions and blocks unauthorized traffic. This ensures the security of traffic between Internet-facing assets and the Internet.
Inbound and outbound traffic of the following Internet-facing assets can be protected: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Classic Load Balancer (CLB) instances, EIPs of CLB instances, EIPs of Application Load Balancer (ALB) instances, EIPs of Network Load Balancer (NLB) instances, EIPs (including Layer 2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, high-availability virtual IP addresses (HAVIPs), and IP addresses of bastion hosts.
The following figure provides an example.
Impacts
When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove resources from the Internet firewall within seconds without the need to change the current network topology. Your workloads are not affected. We recommend that you enable the Internet firewall during off-peak hours.
Specifications
The specifications of the Internet firewall are Protected Public IP Addresses and Protected Internet Traffic.
Specification | Description | Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method | Cloud Firewall that uses the pay-as-you-go billing method |
Protected Public IP Addresses | The number of public IP addresses that can be protected by the Internet firewall. | The protection capabilities vary based on the specifications that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see View the protection status of assets. The maximum value of Protected Public IP Addresses varies based on the Cloud Firewall edition. For more information, see Subscription. | You are charged based on the actual number of protected public IP addresses and the total protected peak Internet traffic. The values of the specifications are unlimited. For more information, see Pay-as-you-go. |
Protected Internet Traffic | The total peak Internet traffic that can be protected. The metering metric is the peak outbound or inbound Internet traffic, whichever is higher. | Same as above (this cell is shared by both specifications). | Same as above (this cell is shared by both specifications). |
View the protection status of assets
Enable the Internet firewall
Enable the Internet firewall for public IP addresses with a few clicks
If you do not turn on Automatic Protection for New Assets, you can manually enable the Internet firewall for public IP addresses.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab and enable the Internet firewall for public IP addresses.
If the required public IP address is not displayed in the public IP address list, you can click Synchronize Assets in the upper-right corner of the IP address list to synchronize information about the public IP addresses within the current Alibaba Cloud account and members that are managed by the account. The system requires 1 to 2 minutes to synchronize asset information.
Enable the Internet firewall for a single public IP address
In the public IP address list, find the public IP address for which you want to enable the Internet firewall and click Enable Protection in the Actions column.
Enable the Internet firewall for multiple public IP addresses at a time
In the public IP address list, select the public IP addresses for which you want to enable the Internet firewall and click Enable Protection below the list.
Alternatively, click Enable Protection in the statistics section to enable the Internet firewall for all public IP addresses based on the public IP address, region, or asset type.
Turn on Automatic Protection for New Assets
After you turn on Automatic Protection for New Assets, Cloud Firewall automatically enables the Internet firewall for public IP addresses that are newly added to the current Alibaba Cloud account and members that are managed by the account.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, turn on Automatic Protection for New Assets.
What to do next
If you do not create an access control policy for the Internet firewall, Cloud Firewall automatically allows all traffic that passes through the Internet firewall. You can create access control policies in the Cloud Firewall console. For more information, see Create access control policies for the Internet firewall.
More operations
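The following audit script is an added example, not Alibaba Cloud's own code or API. It checks two things the enable procedures and the note above describe: that every Internet-facing asset of a protectable type has protection enabled, grouped by region as the console's statistics section does, and that at least one access control policy exists, because the firewall allows all traffic otherwise. The CSV column names and all values are constructed for the example; a real export from Download a list of public IP addresses may use different columns.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Asset types the page lists as protectable (names shortened for this example).
PROTECTABLE_TYPES = {"ECS", "CLB", "ALB", "NLB", "EIP", "ENI", "NAT", "HAVIP", "BASTION"}

# Constructed sample export: the column names are assumptions, the values are made up.
SAMPLE_EXPORT = """ip,asset_type,region,protection
203.0.113.10,ECS,cn-hangzhou,enabled
203.0.113.11,CLB,cn-hangzhou,disabled
198.51.100.5,NAT,cn-shanghai,disabled
198.51.100.6,EIP,cn-shanghai,enabled
192.0.2.77,HAVIP,cn-beijing,disabled
"""


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse a CSV asset export into a list of asset records."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unprotected(assets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return protectable assets whose Internet firewall is not enabled."""
    return [
        a for a in assets
        if a["asset_type"].upper() in PROTECTABLE_TYPES
        and a["protection"].strip().lower() != "enabled"
    ]


def audit(assets: List[Dict[str, str]], policy_count: int) -> Dict[str, object]:
    """Summarize protection gaps and flag the default-allow state.

    policy_count is the number of access control policies configured for the
    Internet firewall; with zero policies all passing traffic is allowed.
    """
    unprotected = find_unprotected(assets)
    return {
        "unprotected": sorted(a["ip"] for a in unprotected),
        "unprotected_by_region": dict(Counter(a["region"] for a in unprotected)),
        "default_allow": policy_count == 0,
    }


if __name__ == "__main__":
    report = audit(parse_inventory(SAMPLE_EXPORT), policy_count=0)
    for ip in report["unprotected"]:
        print(f"protection not enabled: {ip}")
    if report["default_allow"]:
        print("no access control policy: all traffic through the Internet firewall is allowed")
```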
Apply default Allow policies
Download a list of public IP addresses
Disable the Internet firewall for a public IP address
After you disable the Internet firewall for a public IP address, Cloud Firewall cannot manage traffic of the public IP address, and risks such as attacks and data leaks may occur. Proceed with caution.
Log on to the Cloud Firewall console.
In the left-side navigation pane, click Firewall Settings.
On the Internet Firewall tab, click the IPV4 or IPV6 tab. Find the public IP address for which you want to disable the Internet firewall and click Disable Protection in the Actions column.