This topic describes the key concepts of Cloud Firewall.
Security group and ECS firewall
A security group is a distributed, virtual firewall for Elastic Compute Service (ECS) instances. It provides stateful inspection and packet filtering to control network access for ECS instances. A security group contains instances in the same region that have similar security requirements and trust one another. When you create an instance, you must assign it to at least one security group.
The ECS firewall is built on security groups. You can configure its policies either on the Security Group Configuration tab of the Security Group Control page in Cloud Firewall or in the ECS console. The two are kept in sync automatically, so a rule added in one place appears in the other.
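To make "stateful inspection and packet filtering" concrete, the following is an added illustration, not Alibaba Cloud code: a small model of security-group rule evaluation with connection tracking. It assumes (the page does not state these) that priority 1 is the highest, that a drop rule wins over an accept rule of equal priority, that inbound traffic is dropped when no rule matches, and that outbound traffic is accepted when no rule matches. The `Rule`, `SecurityGroup` and `demo` names are invented for this example.

```python
"""Security-group rule evaluation with connection tracking (constructed model)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (towards the instance) or "out" (from the instance)
    protocol: str         # "tcp", "udp" or "all"
    port_from: int        # destination port range the rule applies to
    port_to: int
    cidr: str             # peer range: source for "in", destination for "out"
    policy: str           # "accept" or "drop"
    priority: int = 1     # assumed 1..100, lower number wins


@dataclass
class SecurityGroup:
    rules: list
    # Tracked connections (protocol, local_port, peer_ip, peer_port) for accepted
    # outbound flows, so their replies are accepted without any inbound rule.
    conntrack: set = field(default_factory=set)

    @staticmethod
    def _matches(rule, direction, proto, dst_port, peer_ip):
        return (rule.direction == direction
                and rule.protocol in ("all", proto)
                and rule.port_from <= dst_port <= rule.port_to
                and ip_address(peer_ip) in ip_network(rule.cidr))

    def evaluate(self, direction, proto, local_port, peer_ip, peer_port):
        """Return "accept" or "drop" for one packet seen from the instance's side."""
        key = (proto, local_port, peer_ip, peer_port)
        if direction == "in" and key in self.conntrack:
            return "accept"          # reply to a connection the instance opened itself
        # For inbound packets the rule's port range is the instance's port; for
        # outbound packets it is the port on the remote peer.
        dst_port = local_port if direction == "in" else peer_port
        hits = [r for r in self.rules
                if self._matches(r, direction, proto, dst_port, peer_ip)]
        if hits:
            # Lowest priority number wins; on a tie a drop rule beats an accept rule.
            best = min(hits, key=lambda r: (r.priority, r.policy != "drop"))
            decision = best.policy
        else:
            decision = "drop" if direction == "in" else "accept"   # assumed defaults
        if direction == "out" and decision == "accept":
            self.conntrack.add(key)
        return decision


def demo():
    """SSH allowed from one office range only; every other inbound packet is dropped."""
    sg = SecurityGroup(rules=[
        Rule("in", "tcp", 22, 22, "203.0.113.0/24", "accept", priority=1),
        Rule("in", "tcp", 22, 22, "0.0.0.0/0", "drop", priority=100),
    ])
    return {
        "ssh_from_office": sg.evaluate("in", "tcp", 22, "203.0.113.7", 51000),
        "ssh_from_internet": sg.evaluate("in", "tcp", 22, "198.51.100.9", 51000),
        "http_inbound_no_rule": sg.evaluate("in", "tcp", 80, "203.0.113.7", 51001),
        "https_outbound": sg.evaluate("out", "tcp", 40000, "198.51.100.9", 443),
        "https_reply": sg.evaluate("in", "tcp", 40000, "198.51.100.9", 443),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The last two entries of `demo` are the stateful part: no inbound rule allows port 40000, but the reply to the instance's own HTTPS request is accepted because the outbound flow was tracked.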
Outbound connection
An outbound connection is a connection that a host on Alibaba Cloud initiates to an external IP address. Analyzing this traffic helps you identify suspicious hosts, for example hosts that connect to external destinations no legitimate workload uses.
Internet exposure
Internet exposure means that a cloud-based application or service can be reached from the public internet.
Breach detection
Breach detection is a feature that monitors network traffic for suspicious activity. When it detects a suspicious event, it triggers an alert or takes proactive action. Cloud Firewall integrates nearly a decade of Alibaba Cloud's detection and defense capabilities to analyze traffic in real time, identify compromised hosts, and block abnormal network activity.
Exposed applications, ports, and public IPs
An exposed application is an application that is accessible from the internet, such as HTTP or SSH.
An exposed port is a port that is accessible from the internet, such as 80 or 22.
An exposed public IP is the public IP address of an asset that is accessible from the internet.
Application group
In Cloud Firewall's east-west traffic visualization, an application group is a collection of applications that provide the same or similar services. For example, all ECS instances that run MySQL can be added to the same DB application group.
An application is the smallest unit in east-west traffic visualization. By default, an application represents all exposed ports on a single ECS instance. You can create a new application by cloning an existing one and restricting it to specific ports.
Business zone
In Cloud Firewall's east-west traffic visualization, a business zone is a collection of application groups that form a specific business service. For example, a portal website business zone may include a web application group and a DB application group.
High-risk application group and high-risk business zone
A high-risk application group is a collection of applications that have an open high-risk port (such as port 445). Cloud Firewall creates a dedicated high-risk application group for each high-risk port.
A high-risk business zone contains high-risk application groups.
High-risk application groups and high-risk business zones help you identify which ECS instances have high-risk ports open and which instances have accessed those ports.
Currently, Cloud Firewall automatically creates and identifies high-risk business zones.
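The following is an added example, constructed for this page rather than taken from Cloud Firewall, that models the objects defined above (applications, application groups, business zones) together with the automatic high-risk grouping: one group per high-risk port, holding every instance with that port open, plus the instances that have accessed it. Assumptions not stated on the page: the set of high-risk ports beyond 445 (`HIGH_RISK_PORTS`), the service-to-port map used to build ordinary application groups (`SERVICE_BY_PORT`), and the instance inventory and flow records, which are constructed.

```python
"""Applications, application groups and auto-created high-risk groups (constructed)."""
from collections import defaultdict

# Assumed high-risk ports; the page names only 445 explicitly.
HIGH_RISK_PORTS = {445: "SMB", 139: "NetBIOS", 135: "MS-RPC"}

# Assumed service map used to place applications into application groups.
SERVICE_BY_PORT = {80: "web", 443: "web", 3306: "DB"}

# Constructed inventory: each application is one ECS instance with its exposed ports.
APPLICATIONS = {
    "i-web01": {80, 443},
    "i-web02": {80, 443, 445},
    "i-db01": {3306},
    "i-file01": {445, 139},
}

# Constructed east-west flows: (source instance, destination instance, destination port).
FLOWS = [
    ("i-web01", "i-db01", 3306),
    ("i-web02", "i-file01", 445),
    ("i-web01", "i-web02", 445),
    ("i-db01", "i-file01", 139),
    ("i-web02", "i-db01", 3306),
]


def application_groups(apps):
    """Group instances by the service their exposed ports provide (all MySQL hosts -> DB)."""
    groups = defaultdict(set)
    for inst, ports in apps.items():
        for port in ports:
            if port in SERVICE_BY_PORT:
                groups[SERVICE_BY_PORT[port]].add(inst)
    return dict(groups)


def high_risk_groups(apps):
    """One dedicated group per high-risk port, holding every instance with that port open."""
    groups = defaultdict(set)
    for inst, ports in apps.items():
        for port in ports & set(HIGH_RISK_PORTS):
            groups[port].add(inst)
    return dict(groups)


def high_risk_accessors(flows, groups):
    """Instances that connected to an open high-risk port on a member of that port's group."""
    accessors = defaultdict(set)
    for src, dst, port in flows:
        if dst in groups.get(port, ()):
            accessors[port].add(src)
    return dict(accessors)


def business_zone(name, group_names, groups):
    """A business zone is a named collection of application groups."""
    return {"name": name,
            "application_groups": {g: sorted(groups[g]) for g in group_names}}


if __name__ == "__main__":
    groups = application_groups(APPLICATIONS)
    print(business_zone("portal", ["web", "DB"], groups))
    risky = high_risk_groups(APPLICATIONS)
    who = high_risk_accessors(FLOWS, risky)
    for port, members in sorted(risky.items()):
        print(f"high-risk group {HIGH_RISK_PORTS[port]}/{port}: open on {sorted(members)}, "
              f"accessed by {sorted(who.get(port, ()))}")
```

Note that `i-web02` appears in both the ordinary `web` group and the port-445 high-risk group; the high-risk grouping is an overlay that answers "who has this port open and who talks to it", not a replacement for the service grouping.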
First seen traffic
First seen traffic is traffic between a given source IP address and destination IP address that is observed for the first time within a statistical period. You can investigate its cause using details such as the time, source IP, and destination IP. Typical causes are a newly launched service or a security breach, so each occurrence should be checked.
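The detection logic behind this definition, as an added example that is not Cloud Firewall's own code: keep, per statistical period, the set of (source, destination) pairs already observed and emit an event the first time a pair appears in a period. The statistical period (one day, aligned to UTC midnight), the flow-record layout `(timestamp, src, dst)` and the flow records themselves are assumptions constructed for the example; the `seen_in_earlier_period` flag is an added refinement that separates a pair that is merely new to this period from one never seen before.

```python
"""First-seen traffic detection over constructed flow records."""
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed flow records: (ISO timestamp, source IP, destination IP).
FLOWS = [
    ("2024-05-01T08:00:00", "10.0.1.10", "10.0.2.20"),
    ("2024-05-01T08:05:00", "10.0.1.10", "10.0.2.20"),   # same pair, same period: not new
    ("2024-05-01T23:10:00", "10.0.1.10", "10.0.3.30"),   # new destination
    ("2024-05-02T02:00:00", "10.0.1.10", "10.0.2.20"),   # same pair, next period: first seen again
    ("2024-05-02T02:30:00", "10.0.9.99", "10.0.2.20"),   # source never seen in any period
]


def period_start(ts, period):
    """Align a timestamp to the start of its statistical period."""
    return EPOCH + ((ts - EPOCH) // period) * period


def first_seen_events(flows, period=timedelta(days=1)):
    """Return one event per (src, dst) pair the first time it appears in each period."""
    seen = {}     # period start -> set of (src, dst) pairs already observed in it
    events = []
    for raw_ts, src, dst in sorted(flows):      # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(raw_ts)
        start = period_start(ts, period)
        pairs = seen.setdefault(start, set())
        if (src, dst) in pairs:
            continue
        pairs.add((src, dst))
        # A pair that was already seen in an earlier period is less surprising than
        # one that has never been observed at all; record that for the analyst.
        seen_before = any((src, dst) in p for s, p in seen.items() if s < start)
        events.append({
            "period": start.date().isoformat(),
            "time": raw_ts,
            "src": src,
            "dst": dst,
            "seen_in_earlier_period": seen_before,
        })
    return events


if __name__ == "__main__":
    for e in first_seen_events(FLOWS):
        print(e)
```

Running it over the constructed records yields four events: two on 2024-05-01 and two on 2024-05-02, of which only the `10.0.9.99` source is new across all periods.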
Address book
An address book is a reusable collection of IP addresses or port numbers that simplifies policy configuration. When you configure an access control policy, you can reference an address book to apply rules to multiple IP addresses or ports at once.
Cloud Firewall supports four types of address books:
- IP address book: A collection of IP addresses.
- Port address book: A collection of ports.
- Domain name address book: A collection of domain names.
- Cloud address book: A collection of IP addresses or domain names.
Address books also have the following characteristics:
- Cloud Firewall provides built-in global address books that you cannot edit or delete.
- A single IP address or port can belong to multiple address books.
- Changes to an address book are automatically applied to the access control policies that reference it.