VPC Firewall inspects and controls traffic between network instances connected through Cloud Enterprise Network (CEN) or Express Connect. Use an access control policy to manage traffic, block suspicious activity, and allow trusted connections. This topic describes how to configure an access control policy for a VPC Firewall.
Prerequisites
-
A VPC Firewall is enabled. For more information, see Configure a VPC Firewall for an Enterprise Edition transit router.
-
Ensure you have a sufficient quota for access control policies. You can view your quota usage on the page. To learn how the policy quota is calculated, see Overview of access control policies.
If your policy quota is insufficient, click Increase Quota to purchase a Quota for Additional Policy. For more information, see Purchase Cloud Firewall.
The Security Policies section of this page displays Configured policies, Consumed quota/Quota included in your edition, and Additional quota.
Configure VPC Firewall access control policies
When managing traffic between two VPCs, you can configure deny policies for untrusted or unnecessary traffic, and then allow other traffic (blacklist mode); Or you can configure allow policies for trusted or necessary traffic, and then deny other traffic (whitelist mode).For configuration examples of VPC firewall access control policies, see Examples of access control policy configurations.
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, select .
-
On the VPC Border page, switch to the business instance for which you need to configure policies.

-
Click Create Policy refer to the following table, and, configure policy details, and click OK.
Configuration item
Description
Source Type
The source of network connections. You need to select the access source type and enter the source address based on the type.
-
Select the IP type and enter an IP address range. Address ranges must use the standard CIDR format, such as 192.168.0.0/16.You can enter up to 2,000 address ranges separated by commas (,).
If you enter multiple IP address ranges, Cloud Firewall will automatically create an address book for the multiple address ranges you enter, and when you save the policy configurationprompts you to set an address book name.
-
Select Address Book type, and reference Custom IP Address Book or Cloud Asset IP Address Book.For more information, see Manage address books.
Destination Type
The destination of network traffic. You need to select the destination type and enter the address based on the type.
-
Select the IP type and enter an IP address range. Address ranges must use the standard CIDR format, such as 192.168.0.0/16.You can enter up to 2,000 address ranges separated by commas (,).
If you enter multiple IP address ranges, Cloud Firewall automatically creates an address book and prompts you to set a name when you save the policy.
-
Select Address Book type, and reference IP Address Book and Domain Address Book.For more information, see Manage address books.
-
When you select the Domain Name type, you need to select the domain name recognition mode. Three domain name recognition modes are available:
-
FQDN-based Resolution (Extract Host or SNI Field in Packets): We recommend this mode when managing traffic of the following seven protocols: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.
-
DNS-based Dynamic Resolution: We recommend this mode when managing traffic other than the seven protocols: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.
ImportantThis mode does not support wildcard domains or wildcard address books.
-
at the same time based on FQDN and DNS dynamic resolution: We recommend this mode when managing traffic of the seven protocols, but some or all traffic does not carry the HOST/SNI field.
ImportantThis mode takes effect only when ACL Engine Management strict mode is enabled, and does not support wildcard domains or wildcard address books.
-
Protocol
Transport layer protocol type. Supported settings: TCP, UDP, ICMP, ANY. If you are unsure of the specific protocol, you can select ANY.
Port Type
Set the destination port type and destination port.
-
Select Port type, enter port range. Port ranges are separated by forward slashes (/), such as 22/22 and 80/88.You can add up to 2,000 port ranges, separated by commas (,).
If you enter multiple port ranges, Cloud Firewall automatically creates a port address book and prompts you to set a name when you save the policy.
-
When you select the Port Address Book type, you need to create a port address book in advance. For more information, see Manage address books.
Application
Set the application type of the access traffic. You can select multiple application types.
-
Protocol When you select TCP:
-
Destination Type Select IP or IPAddress Book: You can select all applications.
-
Destination Type Select Domain Name ordomain name Address Book:
-
Domain Name Identification Mode When you select FQDN-based Resolution (Extract Host or SNI Field in Packets), you can only select applications such as HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.
-
Domain Name Identification Mode When you select DNS-based Dynamic Resolution, you can select all applications.
-
-
-
Protocol When you select UDP, the application type supports ANY and DNS.
-
Protocol When you select ICMP or ANY, the application type can only be ANY.
NoteApplication identification relies on packet features (protocol identification does not depend on ports). If application identification fails, the session traffic is allowed. To block traffic of unknown application types, we recommend that you enable strict mode for the Internet firewall. For more information, see Introduction to modes of the access control engine.
Action
Specify the action for matched traffic in this policy.
-
Allow: Allow the traffic.
-
Drop: Block the traffic without any notification.
-
Monitor: In this mode, traffic is allowed by default. You can filter and observe this traffic by using relevant fields in Traffic Logs, After a period of observation, adjust to Allow or Deny.
Policy Priority
Policy priority. Default value: Lowest, indicating the lowest priority.
-
Highest: The access control policy takes effect with the highest priority.
-
Lowest: The access control policy takes effect with the lowest priority.
-
Custom: Customize the priority. Minimum: 1, Maximum: 50. The smaller the number, the higher the priority.
Policy Validity Period
Set the validity period of the policy. The policy can match traffic only within the validity period.
-
Always
-
Single Time Range: Select a one-time time period.
-
Recurrence Cycle: Select a recurring time period and effective dates.
Note-
The start time of the effective date must be earlier than the end time. The policy takes 3 to 5 minutes to take effect.
-
If you select Indefinite Recurrence, the effective end time is automatically set to December 31, 2099.
-
Related FAQ: Does a policy take effect if the recurrence cycle spans multiple days?
-
Status
Specify whether to enable the policy. Only enabled policies take effect.
Description
Enter a description for the policy to help you identify its purpose.
-
View policy hit statistics
After your business has been running for a period, you can view the hit count of access control policies in the Hits/Last Hit At column in the access control policy list.
Click the hit count to go to the Traffic Logs page to view traffic logs. For information about how to view traffic logs, see Traffic Logs.

Related operations
The policy priority can be set to a value from 1 to N, where N is the total number of configured access control policies. A smaller value indicates a higher priority. When you change a policy's priority, lower-ranked policies are automatically reordered sequentially.
The priority of an access control policy can be set to a value from 1 to N, where N is the total number of currently configured access control policies. A smaller value indicates a higher priority. When a policy's priority is modified, the priorities of other policies are automatically adjusted to maintain a consecutive sequence.
If you delete a policy, the traffic it controls is no longer subject to access control by Cloud Firewall. Delete with caution.
Related documents
-
For more information about the principles for configuring access control policies, see Access control policy configuration examples.
-
For more information about how access control policies work, see Access control policy overview.
-
To view and manage items such as IP address books, port address books, and domain name address books in access control policies, see Address book.
-
For answers to frequently asked questions about configuring and using access control policies, see Access control policy FAQ.