Configure VPC Firewall access control policies

更新时间:
复制 MD 格式

VPC Firewall inspects and controls traffic between network instances connected through Cloud Enterprise Network (CEN) or Express Connect. Use an access control policy to manage traffic, block suspicious activity, and allow trusted connections. This topic describes how to configure an access control policy for a VPC Firewall.

Prerequisites

  • A VPC Firewall is enabled. For more information, see Configure a VPC Firewall for an Enterprise Edition transit router.

  • Ensure you have a sufficient quota for access control policies. You can view your quota usage on the Prevention Configuration > Access Control > Policy Configuration > VPC Border page. To learn how the policy quota is calculated, see Overview of access control policies.

    If your policy quota is insufficient, click Increase Quota to purchase a Quota for Additional Policy. For more information, see Purchase Cloud Firewall.

    The Security Policies section of this page displays Configured policies, Consumed quota/Quota included in your edition, and Additional quota.

Configure VPC Firewall access control policies

When managing traffic between two VPCs, you can configure deny policies for untrusted or unnecessary traffic, and then allow other traffic (blacklist mode); Or you can configure allow policies for trusted or necessary traffic, and then deny other traffic (whitelist mode).For configuration examples of VPC firewall access control policies, see Examples of access control policy configurations.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, select Prevention Configuration > Access Control > Policy Configuration > VPC Border.

  3. On the VPC Border page, switch to the business instance for which you need to configure policies.

    image

  4. Click Create Policy refer to the following table, and, configure policy details, and click OK.

    Configuration item

    Description

    Source Type

    The source of network connections. You need to select the access source type and enter the source address based on the type.

    • Select the IP type and enter an IP address range. Address ranges must use the standard CIDR format, such as 192.168.0.0/16.You can enter up to 2,000 address ranges separated by commas (,).

      If you enter multiple IP address ranges, Cloud Firewall will automatically create an address book for the multiple address ranges you enter, and when you save the policy configurationprompts you to set an address book name.

    • Select Address Book type, and reference Custom IP Address Book or Cloud Asset IP Address Book.For more information, see Manage address books.

    Destination Type

    The destination of network traffic. You need to select the destination type and enter the address based on the type.

    • Select the IP type and enter an IP address range. Address ranges must use the standard CIDR format, such as 192.168.0.0/16.You can enter up to 2,000 address ranges separated by commas (,).

      If you enter multiple IP address ranges, Cloud Firewall automatically creates an address book and prompts you to set a name when you save the policy.

    • Select Address Book type, and reference IP Address Book and Domain Address Book.For more information, see Manage address books.

    • When you select the Domain Name type, you need to select the domain name recognition mode. Three domain name recognition modes are available:

      • FQDN-based Resolution (Extract Host or SNI Field in Packets): We recommend this mode when managing traffic of the following seven protocols: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

      • DNS-based Dynamic Resolution: We recommend this mode when managing traffic other than the seven protocols: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

        Important

        This mode does not support wildcard domains or wildcard address books.

      • at the same time based on FQDN and DNS dynamic resolution: We recommend this mode when managing traffic of the seven protocols, but some or all traffic does not carry the HOST/SNI field.

        Important

        This mode takes effect only when ACL Engine Management strict mode is enabled, and does not support wildcard domains or wildcard address books.

    Protocol

    Transport layer protocol type. Supported settings: TCP, UDP, ICMP, ANY. If you are unsure of the specific protocol, you can select ANY.

    Port Type

    Set the destination port type and destination port.

    • Select Port type, enter port range. Port ranges are separated by forward slashes (/), such as 22/22 and 80/88.You can add up to 2,000 port ranges, separated by commas (,).

      If you enter multiple port ranges, Cloud Firewall automatically creates a port address book and prompts you to set a name when you save the policy.

    • When you select the Port Address Book type, you need to create a port address book in advance. For more information, see Manage address books.

    Application

    Set the application type of the access traffic. You can select multiple application types.

    • Protocol When you select TCP:

      • Destination Type Select IP or IPAddress Book: You can select all applications.

      • Destination Type Select Domain Name ordomain name Address Book:

        • Domain Name Identification Mode When you select FQDN-based Resolution (Extract Host or SNI Field in Packets), you can only select applications such as HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

        • Domain Name Identification Mode When you select DNS-based Dynamic Resolution, you can select all applications.

    • Protocol When you select UDP, the application type supports ANY and DNS.

    • Protocol When you select ICMP or ANY, the application type can only be ANY.

    Note

    Application identification relies on packet features (protocol identification does not depend on ports). If application identification fails, the session traffic is allowed. To block traffic of unknown application types, we recommend that you enable strict mode for the Internet firewall. For more information, see Introduction to modes of the access control engine.

    Action

    Specify the action for matched traffic in this policy.

    • Allow: Allow the traffic.

    • Drop: Block the traffic without any notification.

    • Monitor: In this mode, traffic is allowed by default. You can filter and observe this traffic by using relevant fields in Traffic Logs, After a period of observation, adjust to Allow or Deny.

    Policy Priority

    Policy priority. Default value: Lowest, indicating the lowest priority.

    • Highest: The access control policy takes effect with the highest priority.

    • Lowest: The access control policy takes effect with the lowest priority.

    • Custom: Customize the priority. Minimum: 1, Maximum: 50. The smaller the number, the higher the priority.

    Policy Validity Period

    Set the validity period of the policy. The policy can match traffic only within the validity period.

    • Always

    • Single Time Range: Select a one-time time period.

    • Recurrence Cycle: Select a recurring time period and effective dates.

      Note

    Status

    Specify whether to enable the policy. Only enabled policies take effect.

    Description

    Enter a description for the policy to help you identify its purpose.

View policy hit statistics

After your business has been running for a period, you can view the hit count of access control policies in the Hits/Last Hit At column in the access control policy list.

Click the hit count to go to the Traffic Logs page to view traffic logs. For information about how to view traffic logs, see Traffic Logs.

image.png

Related operations

The policy priority can be set to a value from 1 to N, where N is the total number of configured access control policies. A smaller value indicates a higher priority. When you change a policy's priority, lower-ranked policies are automatically reordered sequentially.

The priority of an access control policy can be set to a value from 1 to N, where N is the total number of currently configured access control policies. A smaller value indicates a higher priority. When a policy's priority is modified, the priorities of other policies are automatically adjusted to maintain a consecutive sequence.

Important

If you delete a policy, the traffic it controls is no longer subject to access control by Cloud Firewall. Delete with caution.

Related documents