Updated on 2025-06-27 GMT+08:00

Example 3: Allowing Traffic from a Service to a Platform

This section describes how to allow traffic from a service to a platform. For more parameter settings, see Configuring Protection Rules to Block or Allow Internet Border Traffic.

Domain Name Group Types

CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.

Table 1 Domain name group types

Protected object
  • Application domain name group (layer 7 protocol parsing): domain names and wildcard domain names
  • Network domain name group (layer 4 protocol parsing): a single domain name or multiple domain names

Protocol type
  • Application domain name group: application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS
  • Network domain name group: network layer protocols; all protocol types are supported

Match rule
  • Application domain name group: the match is based on the domain name. The service compares the HOST field in sessions with the application domain names. If they are consistent, the corresponding protection rule is hit.
  • Network domain name group: the filtering is based on the resolved IP addresses. The service obtains the IP addresses resolved by DNS every 15 seconds. If the four-tuple of a session matches the network domain name rule and the resolved address has already been saved (that is, the IP address has already been obtained from the DNS server), the corresponding protection rule is hit.

Suggestion
  You are advised to use an application domain name group for domain names that map to a large number of IP addresses or whose resolution results change rapidly (for example, domain names accelerated by CDN).

Allowing Traffic from a Service to a Platform

To allow an EIP (xx.xx.xx.48) to access cfw-test.com and *.example.com, configure the parameters as follows. Parameters not mentioned below can be configured as needed.
  • Create an application domain name group and add the platform domain names to it, as shown in Figure 1.
  • Configure the following protection rules:
    • One rule blocks all traffic, as shown in Figure 2. Give it the lowest priority.
    • The other rule allows traffic from the EIP to the platform, as shown in Figure 3. Give it the highest priority.

Figure 1 Adding the domain name group of a platform
Figure 2 Blocking all traffic
Figure 3 Allowing the traffic from an EIP to a platform
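The following model, added here as an illustration and not CFW's own code, shows why the two rules above work and how the two domain name group types in Table 1 match differently. It replays the example policy (an allow rule from one EIP to an application domain name group above a block-all rule) against constructed sessions, and it models the network domain name group's 15-second DNS refresh so the gap between a DNS change and the next refresh is visible. The EIP 203.0.113.48, the destination addresses, the `resolve` callback, the wildcard semantics and the numeric priorities are all constructed assumptions; the page only states that the allow rule has the highest priority and the block rule the lowest.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

REFRESH_INTERVAL = 15  # seconds between DNS refreshes, as stated in Table 1


def host_matches(pattern: str, host: str) -> bool:
    """Layer 7 match: compare the session HOST field with one group entry.
    Assumption: a wildcard entry '*.example.com' matches any subdomain of
    example.com but not the apex name itself."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])        # '.example.com' suffix
    return host == pattern


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    host: Optional[str] = None   # HOST field, only present for layer 7 protocols


@dataclass
class ApplicationDomainGroup:
    """Application domain name group (layer 7): matched on the HOST field."""
    domains: list[str]

    def matches(self, s: Session, now: float) -> bool:
        return s.host is not None and any(host_matches(p, s.host) for p in self.domains)


@dataclass
class NetworkDomainGroup:
    """Network domain name group (layer 4): matched on the destination IP against
    the addresses last obtained from DNS, which are refreshed every 15 seconds."""
    domains: list[str]
    resolve: Callable[[str], set[str]]       # hypothetical DNS lookup callback
    resolved: set[str] = field(default_factory=set)
    last_refresh: float = float("-inf")

    def matches(self, s: Session, now: float) -> bool:
        if now - self.last_refresh >= REFRESH_INTERVAL:
            self.resolved = set().union(*(self.resolve(d) for d in self.domains))
            self.last_refresh = now
        return s.dst_ip in self.resolved     # only addresses already saved can hit


@dataclass
class Rule:
    name: str
    priority: int                 # higher value is evaluated first (assumption)
    action: str                   # "allow" or "block"
    src_ip: Optional[str] = None  # None = any source
    dst_group: object = None      # None = any destination


def evaluate(rules: list[Rule], s: Session, now: float) -> Optional[str]:
    """Return the action of the highest-priority rule the session hits, else None."""
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if r.src_ip is not None and r.src_ip != s.src_ip:
            continue
        if r.dst_group is not None and not r.dst_group.matches(s, now):
            continue
        return r.action
    return None


# Constructed policy mirroring the example: EIP 203.0.113.48 may reach the
# platform group (cfw-test.com, *.example.com); everything else is blocked.
PLATFORM = ApplicationDomainGroup(["cfw-test.com", "*.example.com"])
RULES = [Rule("block-all", 1, "block"),
         Rule("eip-to-platform", 100, "allow", "203.0.113.48", PLATFORM)]


def demo_layer7() -> tuple:
    """Allowed host from the EIP, another host from the EIP, allowed host from another IP."""
    ok = Session("203.0.113.48", "198.51.100.10", 443, "HTTPS", host="api.example.com")
    other_host = Session("203.0.113.48", "198.51.100.10", 443, "HTTPS", host="www.other.example")
    other_src = Session("203.0.113.49", "198.51.100.10", 443, "HTTPS", host="api.example.com")
    return evaluate(RULES, ok, 0), evaluate(RULES, other_host, 0), evaluate(RULES, other_src, 0)


def demo_layer4() -> tuple:
    """A DNS change is only honoured by a network domain name group after the next refresh."""
    answers = {"cfw-test.com": {"198.51.100.10"}}           # constructed DNS data
    group = NetworkDomainGroup(["cfw-test.com"], resolve=lambda d: set(answers[d]))
    rules = [Rule("block-all", 1, "block"),
             Rule("eip-to-platform", 100, "allow", "203.0.113.48", group)]
    first = evaluate(rules, Session("203.0.113.48", "198.51.100.10", 443, "TCP"), now=0)
    answers["cfw-test.com"] = {"198.51.100.20"}              # the record changes
    new = Session("203.0.113.48", "198.51.100.20", 443, "TCP")
    before = evaluate(rules, new, now=5)                     # not yet refreshed
    after = evaluate(rules, new, now=15)                     # refreshed
    return first, before, after


if __name__ == "__main__":
    print("layer 7:", demo_layer7())   # ('allow', 'block', 'block')
    print("layer 4:", demo_layer4())   # ('allow', 'block', 'allow')
```

The layer 4 run is the caveat behind the Suggestion row of Table 1: between DNS refreshes, a session to a newly resolved address does not hit the allow rule and falls through to the block-all rule, which is why domains with many or fast-changing addresses belong in an application domain name group, where the HOST field is matched directly.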

Follow-up Operations

Checking protection outcomes
