Configuring a Protection Rule to Allow the Inbound Traffic to a Specified EIP

Updated on 2024-10-30 GMT+08:00

Well-designed protection rules let you manage and control the traffic between your cloud assets and the Internet in a fine-grained way, stop internal threats from spreading, and add depth to your security strategy.

On a standard edition firewall, you can configure protection rules that allow inbound traffic only to a specified EIP, giving you straightforward control over which traffic reaches your cloud assets.

Process

| Procedure | Description |
|---|---|
| Making Preparations | Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign CFW permissions to the account. |
| Step 1: Purchase the CFW Standard Edition | Purchase CFW. Select a region and an edition (for example, the standard edition), and configure other parameters. |
| Step 2: Enable Protection for a Specified EIP | Enable protection for an EIP so that its traffic is diverted to CFW. |
| Step 3: Add a Protection Rule to Block All Inbound Traffic | Configure a protection rule that blocks all inbound traffic and set its priority to the lowest. |
| Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP | Configure a protection rule that allows inbound traffic to a specified EIP (for example, xx.xx.xx.1) and set its priority higher than that of the blocking rule. |
| Step 5: Viewing Rule Hits in Access Control Logs | Check whether the protection rules take effect. |

Making Preparations

  1. Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Make sure that your account has sufficient balance; otherwise, payment for your CFW order may fail.
  3. Make sure your account has CFW permissions assigned. For details, see Creating a User Group and Granting Permissions.

    Table 1 System policies supported by CFW

    | Role Name | Description | Category | Dependency |
    |---|---|---|---|
    | CFW FullAccess | All permissions for CFW | System-defined policy | None |
    | CFW ReadOnlyAccess | Read-only permissions for CFW | System-defined policy | None |

Step 1: Purchase the CFW Standard Edition

CFW provides the standard edition and the professional edition. Both let you use the access control, intrusion prevention, traffic analysis, and log audit functions on the console.

This section describes how to purchase the CFW standard edition. For details about how to purchase other editions, see Purchasing CFW. For details about the function differences between editions, see Editions.

  1. Log in to the management console. Click the menu icon in the upper left corner and choose Security & Compliance > Cloud Firewall.
  2. Click Buy CFW. On the displayed page, configure the following parameters:

    This example only introduces the mandatory parameters. Configure other parameters as needed.

    | Parameter | Example Value | Description |
    |---|---|---|
    | Region | AP-Singapore | Select the region where the EIP is located. CFW can be used in the selected region only. To use CFW in another region, switch to that region and purchase CFW there. For details about the regions where CFW is available, see Can CFW Be Used Across Clouds or Regions? |
    | Editions | Standard | Select an edition. |

  3. Confirm the information and click Buy Now.
  4. Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
  5. Select a payment method and pay for your order.

Step 2: Enable Protection for a Specified EIP

  1. In the navigation pane on the left, choose Assets > EIPs.
  2. Enable EIP protection.
    • Enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
    • Enable protection for multiple EIPs: Select the EIPs that you want to protect and click Enable Protection above the list.
    NOTICE:
    • Currently, IPv6 addresses cannot be protected.
    • An EIP can only be protected by one firewall.
    • Only EIPs in the enterprise project to which the current account belongs can be protected.
  3. On the page that is displayed, check the information and click Bind and Enable. Then the Protection Status changes to Protected.
    NOTE:

    After EIP protection is enabled, the default action of the access control policy is Allow. Traffic that matches no protection rule is therefore forwarded, which is why Step 3 adds a rule that blocks all inbound traffic before Step 4 allows the specified EIP.

Step 3: Add a Protection Rule to Block All Inbound Traffic

  1. In the navigation pane, choose Access Control > Access Policies.
  2. Click Add Rule. In the Add Rule dialog box, configure the following parameters.

    In this example, only the necessary parameters are described. For details about other parameters, see Adding Protection Rules to Block or Allow Traffic.

    Figure 1 Blocking all traffic

    | Parameter | Example Value | Description |
    |---|---|---|
    | Direction | Inbound (indicating inbound traffic) | Select the traffic direction. Inbound: cloud assets (EIPs) are accessed from the Internet. Outbound: cloud assets (EIPs) access the Internet. |
    | Source | Any | Source address of the access traffic. |
    | Destination | Any | Destination address of the access traffic. |
    | Service | Any | Set Protocol, Source Port, and Destination Port. |
    | Application | Any | Configure protection policies for application-layer protocols. |
    | Action | Block | Set the action to be taken when traffic passes through the firewall. Allow: traffic is forwarded. Block: traffic is not forwarded. |
    | Priority | Pin on top (if there are other protection rules, select Lower than the selected rule so that this rule has the lowest priority) | Set the priority of the rule. Pin on top: the rule has the highest priority. Lower than the selected rule: the rule's priority is lower than that of a specified rule. |
  3. Click OK to complete the protection rule configuration.

Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP

  1. Choose Access Control > Access Policies, click the Protection Rules tab, and then click Add. In the displayed Add Rule dialog box, configure the following parameters:

    Figure 2 Allowing a specified IP address

    | Parameter | Example Value | Description |
    |---|---|---|
    | Direction | Inbound (indicating inbound traffic) | Select the traffic direction. Inbound: cloud assets (EIPs) are accessed from the Internet. Outbound: cloud assets (EIPs) access the Internet. |
    | Source | Any | Source address of the access traffic. |
    | Destination | xx.xx.xx.1 | Destination address of the access traffic, that is, the EIP to be allowed. |
    | Service | Any | Set Protocol, Source Port, and Destination Port. |
    | Application | Any | Configure protection policies for application-layer protocols. |
    | Action | Allow | Set the action to be taken when traffic passes through the firewall. Allow: traffic is forwarded. Block: traffic is not forwarded. |
    | Priority | Pin on top (or at least higher than the blocking rule added in Step 3) | Set the priority of the rule. Pin on top: the rule has the highest priority. Lower than the selected rule: the rule's priority is lower than that of a specified rule. |
  2. Click OK to complete the protection rule configuration.

Step 5: Viewing Rule Hits in Access Control Logs

In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab.

The rules have taken effect if the access control logs meet both of the following conditions:
  • In the rows where Destination IP is the allowed EIP (for example, xx.xx.xx.1), the corresponding Action is Allow.
  • In the rows where Destination IP is any other protected EIP, the corresponding Action is Block.
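The following is an added example, not Huawei Cloud code, that models why the rule order in Steps 3 and 4 matters and automates the Step 5 log check: rules are evaluated in priority order, the first match decides, and with no match the default action after EIP protection is enabled is Allow. The placeholder EIP xx.xx.xx.1 from the page is stood in for by the constructed TEST-NET-3 address 203.0.113.1, and the log rows are constructed rather than exported from the console.

```python
"""Model of CFW rule ordering (Steps 3 and 4) and the log check (Step 5).
Added example, not Huawei Cloud code. The page's xx.xx.xx.1 is stood in for by
the constructed TEST-NET-3 address 203.0.113.1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOWED_EIP = "203.0.113.1"  # constructed placeholder for the page's xx.xx.xx.1
DEFAULT_ACTION = "Allow"     # default access-control action once an EIP is protected

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str    # "Inbound" or "Outbound"
    source: str       # CIDR or "Any"
    destination: str  # CIDR or "Any"
    action: str       # "Allow" or "Block"
    priority: int     # 0 = "Pin on top"; larger numbers are evaluated later

def _matches(pattern, addr):
    return pattern == "Any" or ip_address(addr) in ip_network(pattern, strict=False)

def evaluate(rules, direction, src, dst):
    """Action of the first matching rule in priority order, else DEFAULT_ACTION."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and _matches(r.source, src) and _matches(r.destination, dst):
            return r.action
    return DEFAULT_ACTION

def simulate(rules, flows):
    """Constructed access-control log rows for (direction, src, dst) flows."""
    return [{"direction": d, "src": s, "dst": t, "action": evaluate(rules, d, s, t)}
            for d, s, t in flows]

def verify_logs(rows, allowed_eip=ALLOWED_EIP):
    """Step 5 check: Allow only to the allowed EIP, Block to every other inbound destination."""
    return all(row["action"] == ("Allow" if row["dst"] == allowed_eip else "Block")
               for row in rows if row["direction"] == "Inbound")

# Step 3 and Step 4 rules: the allow rule must sit above (lower number than) block-all.
BLOCK_ALL = Rule("block-all-inbound", "Inbound", "Any", "Any", "Block", priority=100)
ALLOW_EIP = Rule("allow-eip", "Inbound", "Any", ALLOWED_EIP + "/32", "Allow", priority=0)
FLOWS = [("Inbound", "198.51.100.7", ALLOWED_EIP),    # constructed: to the allowed EIP
         ("Inbound", "198.51.100.7", "203.0.113.2")]  # constructed: to another protected EIP

if __name__ == "__main__":
    print(verify_logs(simulate([BLOCK_ALL, ALLOW_EIP], FLOWS)))  # True: correct ordering
    print(verify_logs(simulate([BLOCK_ALL], FLOWS)))             # False: allowed EIP is blocked
    print(verify_logs(simulate([], FLOWS)))                      # False: default Allow lets everything in
```

Swapping the two priorities (allow rule below block-all) makes `evaluate` return Block for the allowed EIP, which is exactly the misconfiguration the Step 5 log check would surface.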
