Configuring a Protection Rule to Allow the Inbound Traffic to a Specified EIP
Proper protection rules can help you manage and control the traffic between cloud assets and the Internet in a refined manner, prevent the spread of internal threats, and enhance the depth of security strategies.
You can configure protection rules on the standard edition firewall to allow the inbound traffic to a specified EIP, easily controlling the traffic to your cloud assets.
Process

| Procedure | Description |
|---|---|
| Making Preparations | Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign CFW permissions to the account. |
| Step 1: Purchase the CFW Standard Edition | Purchase CFW. Select a region and an edition (for example, the standard edition), and configure other parameters. |
| Step 2: Enable Protection for a Specified EIP | Enable protection for an EIP to divert traffic to CFW. |
| Step 3: Add a Protection Rule to Block All Inbound Traffic | Configure a protection rule to block all inbound traffic and set its priority to the lowest. |
| Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP | Configure a protection rule to allow the inbound traffic to a specified EIP (for example, xx.xx.xx.1) and set its priority higher than that of the blocking rule. |
| Step 5: Viewing Rule Hits in Access Control Logs | Check whether the protection rules take effect. |
Video Tutorial
This video shows how to configure protection rules that allow inbound traffic to a specified EIP.
Making Preparations
- Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
Real-name authentication is required only when you buy or use cloud services provisioned in the Chinese mainland.
- Make sure that your account has a sufficient balance; otherwise, payment for your yearly/monthly CFW orders may fail.
- Make sure your account has CFW permissions assigned. For details, see Creating a User Group and Granting Permissions.
Table 1 System policies supported by CFW

| Role Name | Description | Category | Dependency |
|---|---|---|---|
| CFW FullAccess | All permissions for CFW | System-defined policy | None |
| CFW ReadOnlyAccess | Read-only permissions for CFW | System-defined policy | None |
Step 1: Purchase the CFW Standard Edition
CFW provides the standard and professional editions to implement access control, attack defense, traffic analysis, and log audit.
This section uses the standard edition as an example. For details about how to purchase other editions, see Purchasing a Cloud Firewall. For details about the differences between editions, see Editions.
- Log in to the management console. In the navigation pane, click in the upper left corner and choose .
- Click Buy CFW. On the displayed page, configure the following parameters:
This example describes only the mandatory parameters. Configure other parameters as needed.

| Parameter | Example Value | Description |
|---|---|---|
| Region | AP-Singapore | Select the region where the EIP is located. CFW can be used only in the selected region. To use CFW in another region, switch to that region and then purchase it there. For details about the regions where CFW is available, see Can CFW Be Used Across Clouds or Regions? |
| Edition | Standard | Select an edition. |
- Confirm the information and click Buy Now.
- Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
- Select a payment method and pay for your order.
Step 2: Enable Protection for a Specified EIP
- In the navigation pane on the left, choose .
- Enable EIP protection.
  IPv6 protection is not supported for EIPs. An EIP can be protected by only one firewall.
  - Enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
  - Enable protection for multiple EIPs: Select the EIPs for which you want to enable protection and click Enable Protection above the list.
- On the page that is displayed, check the information and click Bind and Enable. The Protection Status then changes to Protected.
After EIP protection is enabled, the default action of the access control policy is Allow: traffic that matches no protection rule is forwarded.
Step 3: Add a Protection Rule to Block All Inbound Traffic
- In the navigation pane, choose .
- Click Add Rule. In the Add Rule dialog box, configure parameters.
This example describes only the mandatory parameters. For details about other parameters, see Blocking or Allowing Traffic by Adding Protection Rules.
Figure 1 Blocking all traffic

| Parameter | Example Value | Description |
|---|---|---|
| Direction | Inbound (indicating inbound traffic) | Select the traffic direction. Inbound: cloud assets (EIPs) are accessed from the Internet. Outbound: cloud assets (EIPs) access the Internet. |
| Source | Any | Set the party that originates a session. |
| Destination | Any | Set the recipient of a session. |
| Service | Any | Set Protocol, Source Port, and Destination Port. |
| Application | Any | Configure protection policies for application-layer protocols. |
| Action | Block | Set the action to be taken when traffic passes through the firewall. Allow: traffic is forwarded. Block: traffic is not forwarded. |
| Priority | Pin on top (If there are other protection rules, select Lower than the selected rule so that this rule has the lowest priority.) | Set the priority of the rule. Pin on top: the rule has the highest priority. Lower than the selected rule: the rule has a lower priority than a specified rule. |
- Click OK to complete the protection rule configuration.
Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP
- On the Access Policies page, click Protection Rules. Click Add Rule. In the Add Rule dialog box, configure the following parameters:
Figure 2 Allowing a specified IP address

| Parameter | Example Value | Description |
|---|---|---|
| Direction | Inbound (indicating inbound traffic) | Select the traffic direction. Inbound: cloud assets (EIPs) are accessed from the Internet. Outbound: cloud assets (EIPs) access the Internet. |
| Source | Any | Set the party that originates a session. |
| Destination | xx.xx.xx.1 | Set the recipient of a session. |
| Service | Any | Set Protocol, Source Port, and Destination Port. |
| Application | Any | Configure protection policies for application-layer protocols. |
| Action | Allow | Set the action to be taken when traffic passes through the firewall. Allow: traffic is forwarded. Block: traffic is not forwarded. |
| Priority | Pin on top (or at least higher than the blocking rule from Step 3) | Set the priority of the rule. Pin on top: the rule has the highest priority. Lower than the selected rule: the rule has a lower priority than a specified rule. |
- Click OK to complete the protection rule configuration.
Step 5: Viewing Rule Hits in Access Control Logs
In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab.
- In the row where Destination IP is the allowed EIP (for example, xx.xx.xx.1), the corresponding Action is Allow.
- In the rows where Destination IP values are other IP addresses, the corresponding Action is Block.
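The ordering logic behind Steps 3 to 5, as an added example that is not part of the Huawei Cloud documentation or of the CFW product itself: a small first-match model of protection-rule evaluation. It assumes that rules are checked from highest to lowest priority, that the first matching rule decides the action, and that traffic matching no rule receives the policy default action (Allow after EIP protection is enabled, as noted in Step 2). It goes slightly beyond the page's two rules by also matching protocol and destination port, uses 203.0.113.1 as a constructed stand-in for the page's placeholder xx.xx.xx.1, and checks constructed access-control log records against the outcome Step 5 describes, including what you would see if the block-all rule were left above the allow rule.

```python
"""First-match model of CFW protection rules for the EIP scenario on this page.

Added example, not Huawei Cloud code. Assumptions: rules are evaluated in
priority order, the first match decides, and an unmatched flow gets the
policy default action (Allow after EIP protection is enabled). Field names
and the log shape are constructed; 203.0.113.1 (a TEST-NET-3 documentation
address) stands in for the page's placeholder EIP xx.xx.xx.1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"
DEFAULT_ACTION = "Allow"  # default action after EIP protection is enabled (Step 2)


@dataclass
class Rule:
    name: str
    direction: str          # "Inbound" or "Outbound"
    source: str = ANY       # "Any" or an IP/CIDR string
    destination: str = ANY  # "Any" or an IP/CIDR string
    protocol: str = ANY     # "Any" or e.g. "TCP"
    dest_port: str = ANY    # "Any" or a port number as a string
    action: str = "Block"   # "Allow" or "Block"


def _match_addr(pattern: str, addr: str) -> bool:
    """'Any' matches everything; otherwise the pattern is an IP or CIDR."""
    if pattern == ANY:
        return True
    return ip_address(addr) in ip_network(pattern, strict=False)


def _match_field(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def matches(rule: Rule, flow: dict) -> bool:
    return (
        rule.direction == flow["direction"]
        and _match_addr(rule.source, flow["src_ip"])
        and _match_addr(rule.destination, flow["dst_ip"])
        and _match_field(rule.protocol, flow["protocol"])
        and _match_field(rule.dest_port, str(flow["dst_port"]))
    )


def evaluate(rules: list, flow: dict) -> tuple:
    """Return (action, rule name) of the first matching rule.

    `rules` must be ordered from highest to lowest priority; list order stands
    in for the console's 'Pin on top' / 'Lower than the selected rule' settings.
    """
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


# Steps 3 and 4 as configured on the page: the allow rule sits above block-all.
ALLOW_EIP = Rule("allow-eip-1", "Inbound", destination="203.0.113.1", action="Allow")
BLOCK_ALL = Rule("block-all-inbound", "Inbound", action="Block")
CORRECT_ORDER = [ALLOW_EIP, BLOCK_ALL]
# The misordering Step 4 guards against: block-all left at the higher priority.
WRONG_ORDER = [BLOCK_ALL, ALLOW_EIP]

# Constructed access-control log records, shaped like the columns read in Step 5.
SAMPLE_LOGS = [
    {"direction": "Inbound", "src_ip": "198.51.100.7", "dst_ip": "203.0.113.1", "protocol": "TCP", "dst_port": 443},
    {"direction": "Inbound", "src_ip": "198.51.100.7", "dst_ip": "203.0.113.2", "protocol": "TCP", "dst_port": 22},
    {"direction": "Inbound", "src_ip": "192.0.2.9", "dst_ip": "203.0.113.1", "protocol": "UDP", "dst_port": 53},
    {"direction": "Outbound", "src_ip": "203.0.113.2", "dst_ip": "192.0.2.9", "protocol": "TCP", "dst_port": 443},
]


def expected_action(flow: dict, allowed_eip: str) -> str:
    """What Step 5 says you should see: Allow only for the allowed EIP, Block otherwise."""
    if flow["direction"] != "Inbound":
        return DEFAULT_ACTION  # the page adds no outbound rule, so the default applies
    return "Allow" if flow["dst_ip"] == allowed_eip else "Block"


def verify(rules: list, logs: list, allowed_eip: str) -> list:
    """Return the log records whose evaluated action differs from the expectation."""
    mismatches = []
    for flow in logs:
        action, rule_name = evaluate(rules, flow)
        if action != expected_action(flow, allowed_eip):
            mismatches.append({**flow, "action": action, "rule": rule_name})
    return mismatches


if __name__ == "__main__":
    print("correct order mismatches:", verify(CORRECT_ORDER, SAMPLE_LOGS, "203.0.113.1"))
    print("wrong order mismatches:  ", verify(WRONG_ORDER, SAMPLE_LOGS, "203.0.113.1"))
```

With the order the page prescribes, every inbound flow to the allowed EIP is decided by allow-eip-1 and everything else inbound by block-all-inbound, so verify() returns no mismatches. With the order reversed, block-all-inbound matches first and the allow rule is never reached, which shows up as Block entries for the allowed EIP; in the console, the equivalent check is Step 5's Access Control Logs tab, where Allow should appear only for the allowed EIP.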
References
- For details about the parameters for adding a protection rule, see Adding a Protection Rule.
- To protect the EIPs under other accounts, add these accounts on the Multi-Account Management page of the current firewall instance. For details, see Adding an Organization Member Account.