Updated on 2025-07-23 GMT+08:00

Example 3: Allowing Traffic from a Service to a Platform

This section describes how to allow traffic from a service to a platform. For more parameter settings, see Configuring Protection Rules to Block or Allow Internet Border Traffic.

Domain Name Group Types

CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.

Table 1 Domain name group types

| Item | Application Domain Name Group (Layer 7 Protocol Parsing) | Network Domain Name Group (Layer 4 Protocol Parsing) |
| Protected object | Domain names and wildcard domain names | A single domain name or multiple domain names |
| Protocol type | Application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS | Network layer protocols; all protocol types are supported |
| Match rule | Matching is by domain name: the service compares the HOST field parsed from the session with the application domain names in the group. If they match, the corresponding protection rule is hit. | Filtering is by resolved IP address: the service re-resolves the group's domain names through DNS every 15 seconds. If the four-tuple of a session matches the rule and the destination address is one already obtained from the DNS server, the rule is hit. An address returned by a newer resolution is therefore not enforced until the next refresh. |
| Suggestion | Use an application domain name group for domain names that map to a large number of addresses or whose resolution results change rapidly, for example domain names accelerated by a CDN. | - |

Allowing Traffic from a Service to a Platform

To allow an EIP (xx.xx.xx.48) to access cfw-test.com and *.example.com over HTTP and HTTPS, configure the parameters as follows. Parameters not mentioned below can be configured as needed.
  • Create an application domain name group containing the platform domain names. An example is as follows:
    Table 2 Adding the domain name group of a platform

    | Parameter | Example Value | Description |
    | Domain Name Group Type | Application | Select a domain name group type. |
    | Group Name | Platform_A | Name of the user-defined domain name group. |
    | Domain Names | cfw-test.com, *.example.com | Enter a domain name or wildcard domain name. Use commas (,), line breaks, semicolons (;), or spaces to separate multiple domain names. |
    | Description | Allow traffic from a service to a platform. | Describe the content and application scenarios of the domain name group. |

  • Configure the following protection rules:
    • The following rule blocks all outbound traffic and has the lowest priority. Because rules are matched in priority order, the allow rule in Table 4 must sit above it; otherwise the block rule hits first and the platform traffic is dropped as well.
      Table 3 Blocking all traffic

      | Parameter | Example Value | Description |
      | Direction | Outbound | Direction of the protected traffic. |
      | Source | Any | Origin of network traffic. |
      | Destination | Any | Receiver of network traffic. |
      | Service | Any | Protocol, source port, and destination port of network traffic. |
      | Application | Any | Protection policy for application layer protocols. |
      | Action | Block | Action taken when traffic passes through the firewall. |
    • The other rule allows traffic from the EIP to the platform and has the highest priority, so it is evaluated before the block-all rule. Only HTTP and HTTPS sessions from this EIP to the domain names in the group are allowed; any other traffic from the EIP still falls through to the block rule. An example is as follows:
      Table 4 Allowing the traffic from an EIP to a platform

      | Parameter | Example Value | Description |
      | Direction | Outbound | Direction of the protected traffic. |
      | Source | IP Address: xx.xx.xx.48 | Origin of network traffic. |
      | Destination | Domain Name/Domain Name Group: Application, Application Domain Name Group, Platform_A | Receiver of network traffic. Select the application domain name group created in Table 2. |
      | Service | Service; retain the default values for the other parameters. | Protocol, source port, and destination port of network traffic. |
      | Application | Application: HTTP and HTTPS | Protection policy for application layer protocols. |
      | Action | Allow | Action taken when traffic passes through the firewall. |
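The following is an added example, not CFW's own code or API: a small Python model of how the two domain name group types in Table 1 decide a hit, and of how the two outbound rules in Tables 3 and 4 are evaluated in priority order. Everything in it is constructed for illustration: the class and field names, the wildcard semantics (a `*.example.com` entry covers subdomains but not the bare apex), the fake resolver, and the sample sessions; 192.0.2.48 stands in for the EIP xx.xx.xx.48. It also shows the refresh lag of a network domain name group, which is why the page recommends application groups for CDN-style domain names.

```python
"""Added example, not CFW code: a model of the two domain name group types in
Table 1 and of the two outbound rules in Tables 3 and 4. Class names, Session
fields, the fake resolver and all sample sessions are constructed for
illustration; 192.0.2.48 stands in for the EIP xx.xx.xx.48."""
from dataclasses import dataclass
from typing import Callable, Optional

REFRESH_SECONDS = 15  # DNS refresh interval the page states for network groups

@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                       # "TCP" or "UDP"
    application: Optional[str] = None   # layer 7 protocol identified by the firewall
    host: Optional[str] = None          # HOST field parsed at layer 7, if any

def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard such as '*.example.com' that covers every
    subdomain but not the bare 'example.com' (assumed wildcard semantics)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

class ApplicationDomainGroup:
    """Layer 7: hit when the session's HOST field matches an entry of the group."""
    def __init__(self, name: str, domains: list[str]):
        self.name, self.domains = name, domains

    def matches(self, s: Session, now: float) -> bool:
        return s.host is not None and any(domain_matches(d, s.host) for d in self.domains)

class NetworkDomainGroup:
    """Layer 4: hit when the destination IP is one the firewall resolved for the
    group at its last refresh. A new DNS answer is not enforced until the next
    refresh, which is the lag this model makes visible."""
    def __init__(self, name: str, domains: list[str],
                 resolve: Callable[[str, float], set[str]]):
        self.name, self.domains, self.resolve = name, domains, resolve
        self.resolved: set[str] = set()
        self.last_refresh: Optional[float] = None

    def matches(self, s: Session, now: float) -> bool:
        if self.last_refresh is None or now - self.last_refresh >= REFRESH_SECONDS:
            self.resolved = set().union(*(self.resolve(d, now) for d in self.domains))
            self.last_refresh = now
        return s.dst_ip in self.resolved

@dataclass
class Rule:
    name: str
    priority: int                            # lower number is evaluated first
    action: str                              # "Allow" or "Block"
    source: Optional[set[str]] = None        # None means Any
    destination: object = None               # a domain group, or None for Any
    applications: Optional[set[str]] = None  # None means Any

    def matches(self, s: Session, now: float) -> bool:
        if self.source is not None and s.src_ip not in self.source:
            return False
        if self.destination is not None and not self.destination.matches(s, now):
            return False
        return self.applications is None or s.application in self.applications

def evaluate(rules: list[Rule], s: Session, now: float = 0.0) -> str:
    """The first rule that matches in priority order decides. The block-all rule
    of Table 3 guarantees that some rule always matches an outbound session."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(s, now):
            return rule.action
    return "No rule matched"

# The policy of Tables 2 to 4; every session here is outbound, so direction is omitted.
platform_a = ApplicationDomainGroup("Platform_A", ["cfw-test.com", "*.example.com"])
POLICY = [
    Rule("allow EIP to platform", 1, "Allow", source={"192.0.2.48"},
         destination=platform_a, applications={"HTTP", "HTTPS"}),
    Rule("block all", 2, "Block"),
]

def https(src: str, host: str, dst_ip: str = "203.0.113.10") -> Session:
    return Session(src, dst_ip, 443, "TCP", "HTTPS", host)

def fake_resolve(domain: str, now: float) -> set[str]:
    """Constructed resolver whose answer for any domain changes at t = 5 s."""
    return {"203.0.113.20"} if now >= 5 else {"203.0.113.10"}

if __name__ == "__main__":
    for s in (https("192.0.2.48", "api.example.com"),   # Allow
              https("192.0.2.48", "example.com"),       # Block: wildcard skips the apex
              https("192.0.2.49", "cfw-test.com"),      # Block: other EIP
              Session("192.0.2.48", "203.0.113.10", 22, "TCP")):  # Block: not HTTP/HTTPS
        print(s.host or s.dst_port, "->", evaluate(POLICY, s))
    net = NetworkDomainGroup("Platform_A_L4", ["cfw-test.com"], fake_resolve)
    ssh = Session("192.0.2.48", "203.0.113.20", 22, "TCP")
    print([net.matches(ssh, t) for t in (0, 6, 15)])  # [False, False, True]
```

The last two lines are the practical caveat: a session to an address that DNS only started returning after the group's last refresh is not matched until the next 15-second refresh, so for a domain with many or fast-changing addresses the application domain name group (matching on the HOST field) is the reliable choice.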

Follow-up Operations

Checking protection outcomes. After the rules are saved, generate HTTP or HTTPS requests from the EIP to a domain name in the group and to a domain name outside it, and confirm in the access control logs that the first is allowed by the rule in Table 4 and the second is blocked by the rule in Table 3.
