Updated on 2025-06-27 GMT+08:00

Access Control Policy Overview

CFW allows all traffic by default. If no access control policies are configured, all communication between internal servers and the Internet is allowed, and unauthorized access and lateral threat movement go unchecked. You can configure access control policies in Cloud Firewall to allow or block specific traffic and implement multi-dimensional protection.

Access Control Policy Types

Access control policies include protection rules, traffic filtering configuration, the blacklist, and the whitelist. Table 1 describes their differences. If traffic hits a policy, the action specified in the policy will be performed. For details about the priority of each configuration, see Priority of Access Control Policies.

Table 1 Protection policies

Protection Rule
  • Protected object: 5-tuples; IP address groups; geographical locations; domain names and domain name groups (layer-4 and layer-7 traffic); applications
  • Network type: EIP; private IP address
  • Action: if Block is selected, traffic is blocked. If Allow is selected, traffic is allowed by the protection rule and then checked by IPS.
  • Scenario and characteristics: identifies specified traffic based on its characteristics. Suitable for fine-grained control of specific traffic; for example, you can specify protocol types, port numbers, and applications in a rule.
  • Protection log: Access Control Logs
  • Configuration method: Configuring Protection Rules to Block or Allow Internet Border Traffic

Blacklist
  • Protected object: 5-tuples; IP address groups
  • Network type: EIP; private IP address
  • Action: traffic is blocked directly.
  • Scenario and characteristics: quickly blocks identified security threats. Suitable for handling known malicious traffic.
  • Protection log: Access Control Logs
  • Configuration method: Adding Blacklist or Whitelist Items to Block or Allow Traffic

Whitelist
  • Protected object: 5-tuples; IP address groups
  • Network type: EIP; private IP address
  • Action: traffic is allowed by CFW and not checked by other functions.
  • Scenario and characteristics: quickly allows trusted traffic. Suitable for trusted IP addresses.
  • Protection log: Access Control Logs
  • Configuration method: Adding Blacklist or Whitelist Items to Block or Allow Traffic

Traffic Filtering
  • Protected object: IP address
  • Network type: EIP; private IP address
  • Action: traffic is blocked directly.
  • Scenario and characteristics: quickly blocks abnormal traffic based on the configured characteristics. Suitable for quickly blocking a large number of IP addresses.
  • Protection log: Attack Event Logs
  • Configuration method: Quickly Block Malicious Traffic Through Traffic Blocking

CAUTION:

Traffic filtering is a new function. If you cannot access the Access Control > Traffic Filtering page on the console, please submit a service ticket to upgrade the firewall engine.

Priority of Access Control Policies

The priorities of CFW access control policies in descending order are: traffic filtering (traffic blocking) > whitelist > blacklist > protection rules (ACL). The highest-priority tier that matches decides the outcome: a traffic filtering hit blocks the traffic even if the address is also whitelisted, and a whitelist hit allows the traffic without the blacklist, protection rules, or IPS being consulted. Add only fully trusted addresses to the whitelist for this reason.
Figure 1 Protection priority

For details about the protection sequence of all CFW policies, see What Is the Protection Sequence of CFW?
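The evaluation order above, as an added example that is not code from the CFW documentation: a minimal model in which the four tiers are checked strictly in priority order and the verdict records whether IPS still inspects the traffic. The tier names, the rule shape, and the sample policy are assumptions made for illustration, and lists are matched against the source address only; CFW's own blacklist and whitelist items are direction-specific.

```python
"""Added example, not code from the CFW documentation: a minimal model of the
evaluation order traffic filtering > whitelist > blacklist > protection rules.
Tier names, rule shape and the sample policy are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field


def _contains(nets, ip):
    """True if ip falls inside any of the given host addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


@dataclass
class Policy:
    traffic_filtering: list = field(default_factory=list)  # sources blocked outright
    whitelist: list = field(default_factory=list)          # trusted sources, bypass all checks
    blacklist: list = field(default_factory=list)          # known-bad sources
    # protection rules in configured order: (src, dst, proto, dport, action)
    rules: list = field(default_factory=list)
    default_action: str = "allow"  # CFW allows all traffic when nothing matches


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    matched_by: str      # tier that decided
    ips_inspected: bool  # whether IPS still inspects allowed traffic


def evaluate(policy, src, dst, proto, dport):
    """Return the Verdict for one flow, checking tiers in priority order."""
    # 1. Traffic filtering: highest priority, blocks even whitelisted sources.
    if _contains(policy.traffic_filtering, src):
        return Verdict("block", "traffic_filtering", False)
    # 2. Whitelist: allow and skip the blacklist, protection rules and IPS.
    if _contains(policy.whitelist, src):
        return Verdict("allow", "whitelist", False)
    # 3. Blacklist: block directly.
    if _contains(policy.blacklist, src):
        return Verdict("block", "blacklist", False)
    # 4. Protection rules, first match wins; an allow still goes through IPS.
    for r_src, r_dst, r_proto, r_port, action in policy.rules:
        if (_contains([r_src], src) and _contains([r_dst], dst)
                and r_proto in ("any", proto) and r_port in ("any", dport)):
            return Verdict(action, "protection_rule", action == "allow")
    # 5. No hit: the default applies, and allowed traffic is inspected by IPS.
    return Verdict(policy.default_action, "default", policy.default_action == "allow")


# Constructed sample policy using documentation prefixes, not real addresses.
SAMPLE_POLICY = Policy(
    traffic_filtering=["203.0.113.0/24"],
    whitelist=["198.51.100.7", "203.0.113.9"],  # 203.0.113.9 is also filtered above
    blacklist=["198.51.100.0/24"],              # overlaps the whitelisted .7
    rules=[
        ("0.0.0.0/0", "10.0.0.5", "tcp", 22, "block"),
        ("0.0.0.0/0", "10.0.0.0/8", "tcp", 443, "allow"),
    ],
)

if __name__ == "__main__":
    for flow in [("198.51.100.7", "10.0.0.5", "tcp", 22),
                 ("203.0.113.9", "10.0.0.5", "tcp", 443),
                 ("192.0.2.1", "10.0.0.5", "tcp", 22),
                 ("192.0.2.1", "10.0.0.5", "tcp", 443),
                 ("192.0.2.1", "10.0.0.5", "udp", 53)]:
        print(flow, evaluate(SAMPLE_POLICY, *flow))
```

The two overlapping entries in the sample show the practical consequence of the ordering: 198.51.100.7 sits inside a blacklisted segment but is allowed, uninspected, because the whitelist is checked first, while 203.0.113.9 is whitelisted but still blocked because traffic filtering outranks the whitelist.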

Specification Limitations

To enable VPC border protection and NAT protection, use the CFW professional edition and enable VPC firewall protection.

Precautions for Configuring a Blocking Policy

The precautions for configuring a protection rule or a blacklist item that blocks IP addresses are as follows:

  1. Prefer specific IP addresses (for example, 192.168.10.5) over network segments. A segment that is wider than necessary blocks unrelated hosts along with the intended one.
  2. Exercise caution when configuring protection rules that block reverse proxy IP addresses, such as the CDN, Advanced Anti-DDoS, and WAF back-to-source IP addresses. Blocking them cuts off all traffic that reaches you through those services. You are advised to configure protection rules or whitelist items that permit reverse proxy IP addresses.
  3. Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact, because every user behind the proxy is blocked at once. Exercise caution when configuring protection rules to block forward proxy IP addresses.
  4. When configuring region protection, take possible EIP changes into consideration: an EIP that is released and reassigned may map to a different region than the one the rule was written for.
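One way to apply the first three precautions before a blocking policy is committed, as an added example that is not CFW tooling: a pre-flight check that flags broad network segments, entries that overlap reverse-proxy back-to-source ranges, and entries that overlap forward-proxy (corporate egress) addresses. Every address range below is a constructed placeholder, and the 256-address threshold is an assumption; replace them with the ranges your provider publishes and the limits you want to enforce.

```python
"""Added example, not CFW tooling: pre-flight validation of a candidate
blocklist against the precautions for blocking IP addresses. All ranges
and the size threshold are constructed placeholders."""
import ipaddress

# Constructed sample data. Real back-to-source and egress ranges come from
# the provider's documentation and your own network inventory.
REVERSE_PROXY_RANGES = {
    "cdn-back-to-source": ["203.0.113.0/26"],
    "waf-back-to-source": ["198.51.100.128/25"],
}
FORWARD_PROXY_RANGES = {
    "office-egress": ["192.0.2.10/32", "192.0.2.11/32"],
}
MAX_SEGMENT_HOSTS = 256  # assumed threshold: larger segments are flagged as broad


def _nets(strings):
    return [ipaddress.ip_network(s, strict=False) for s in strings]


def check_block_entry(entry, reverse=REVERSE_PROXY_RANGES,
                      forward=FORWARD_PROXY_RANGES, max_hosts=MAX_SEGMENT_HOSTS):
    """Return a list of (severity, message) findings for one blocklist entry.

    A bare host address is treated as a /32 (or /128) network, so the same
    overlap test covers both single addresses and segments."""
    net = ipaddress.ip_network(entry, strict=False)
    findings = []
    # Precaution 1: prefer specific hosts to wide segments.
    if net.num_addresses > max_hosts:
        findings.append(("warn", f"{net} covers {net.num_addresses} addresses; "
                                 "prefer specific IP addresses"))
    # Precaution 2: never block the back-to-source ranges of reverse proxies.
    for name, ranges in reverse.items():
        for r in _nets(ranges):
            if net.overlaps(r):
                findings.append(("error", f"{net} overlaps {name} range {r}; "
                                          "blocking it breaks traffic proxied through that service"))
    # Precaution 3: blocking a forward proxy blocks everyone behind it.
    for name, ranges in forward.items():
        for r in _nets(ranges):
            if net.overlaps(r):
                findings.append(("error", f"{net} overlaps {name} address {r}; "
                                          "blocking it cuts off every user behind that proxy"))
    return findings


def validate_blocklist(entries, **kwargs):
    """Return {entry: findings} for every entry that produced at least one finding."""
    report = {}
    for entry in entries:
        findings = check_block_entry(entry, **kwargs)
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    candidate = ["192.168.10.5", "10.0.0.0/8", "203.0.113.20", "192.0.2.0/24"]
    for entry, findings in validate_blocklist(candidate).items():
        for severity, message in findings:
            print(f"{severity.upper():5} {message}")
```

Run the check against the proposed entries and treat any error as a reason to replace the entry with a narrower one or to add a permitting whitelist item for the proxy range first; a warning on a large segment is the cue from precaution 1 to list the specific hosts instead.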

Elements in a Protection Rule

Protection rules identify and match the following traffic elements to allow or block related traffic.

Source
  • Description: the party that initiates a connection.
  • Configuration type:
    • IP address: access control is performed on the traffic from a specific IP address.
    • IP address group: access control is performed on the traffic from a series of IP addresses.
    • Region: access control is performed on the traffic from the IP addresses in a specific region.
    • Any: any source address.
  • Configuration supported by different rules:
    • Internet border: inbound: IP address, IP address group, region, and Any; outbound: IP address, IP address group, and Any
    • NAT gateway: inbound: IP address, IP address group, region, and Any; outbound: IP address, IP address group, and Any
    • VPC border rule: IP address, IP address group, and Any

Destination
  • Description: the party that receives a connection.
  • Configuration type:
    • IP address: access control is performed on the traffic sent to a specific IP address.
    • IP address group: access control is performed on the traffic sent to a series of IP addresses.
    • Region: access control is performed on the traffic sent to the IP addresses in a specific region.
    • Domain name or domain name group: access control is performed on the traffic sent to specific domain names. To set the destination to a domain name or domain name group, choose one of the following domain name types:
      • Application: HTTP, HTTPS, TLS, SMTPS, or POPS. CFW preferentially controls access to domain names based on the Host or SNI field.
      • Network: CFW performs DNS resolution to obtain the IP address of the domain name and controls access to that IP address.
    • Any: any destination address.
  • Configuration supported by different rules:
    • Internet border: inbound: IP address, IP address group, and Any; outbound: IP address, IP address group, region, domain name, domain name group, and Any
    • NAT gateway: inbound: IP address, IP address group, and Any; outbound: IP address, IP address group, region, domain name, domain name group, and Any
    • VPC border rule: IP address, IP address group, domain name, domain name group, and Any

Service
  • Description: traffic protocol type or port number.
  • Configuration type: a service or a service group. A service is identified by its protocol type, source port, and destination port. The ICMP protocol does not support port configuration.
  • Configuration options:
    • Service: set Protocol Type, Source Port, and Destination Port.
      • Protocol: transport layer protocol. It can be TCP, UDP, or ICMP.
      • Source port: access is controlled based on the traffic source port.
      • Destination port: access is controlled based on the traffic destination port.
    • Service group: a set of services.
    • Any: select Any if you are not sure about the protocol type.

Application
  • Description: application layer protocol.
  • Configuration type: HTTP, HTTPS, SMTP, SMTPS, SSL, or POP3. If you are not sure about the protocol type, select Any.
  • Configuration supported by different rules: varies according to the selected protocol type.

Example configuration:

  • Source/Destination: 0.0.0.0/0 matches all IP addresses.
  • Domain name: www.example.com matches only the domain name www.example.com. *.example.com matches all domain names ending with .example.com, for example, test.example.com.
  • Service (source port or destination port): 1-65535 matches all ports. 80-443 matches every port in the range 80 to 443, not only ports 80 and 443. To match exactly ports 80 and 443, enter 80 and 443 as two separate values.
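The address, domain name and port notations from the example configuration, matched against a flow as an added example that is not CFW's implementation. Domain-type destinations are compared with the flow's Host/SNI value, as the application domain name type above describes; the matching semantics (case-insensitive comparison, a trailing dot ignored, and a wildcard that matches only on a label boundary so that notexample.com does not match *.example.com) are assumptions made for illustration, and the rule and flow dictionaries are constructed.

```python
"""Added example, not CFW's implementation: parsing and matching the address,
domain name and port notations from the example configuration. Matching
semantics and the rule/flow shapes are assumptions for illustration."""
import ipaddress


def parse_ports(spec):
    """Return a list of (low, high) inclusive ranges for a port spec.

    "1-65535" or "Any" -> every port; "80-443" -> the whole contiguous range,
    not just 80 and 443; a list such as ["80", "443"] -> exactly those ports."""
    items = spec if isinstance(spec, (list, tuple)) else [spec]
    ranges = []
    for item in items:
        item = str(item).strip().lower()
        if item == "any":
            ranges.append((1, 65535))
            continue
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
        else:
            low = high = int(item)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        ranges.append((low, high))
    return ranges


def port_matches(ranges, port):
    return any(low <= port <= high for low, high in ranges)


def _is_ip_spec(spec):
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def address_matches(spec, ip):
    """'Any' or 0.0.0.0/0 matches everything; otherwise host/CIDR containment."""
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def domain_matches(spec, host):
    """Exact match for a plain name. '*.example.com' matches names ending in
    '.example.com' on a label boundary: test.example.com yes, example.com and
    notexample.com no (assumed semantics)."""
    host = host.lower().rstrip(".")
    spec = spec.lower()
    if spec.startswith("*."):
        return host.endswith(spec[1:])  # spec[1:] is ".example.com"
    return host == spec


def rule_matches(rule, flow):
    """rule keys: source, destination (CIDR/host or domain), protocol,
    source_port, destination_port; missing keys mean Any.
    flow keys: src_ip, dst_ip, host (Host/SNI or None), protocol, sport, dport."""
    if rule.get("protocol", "any") not in ("any", flow["protocol"]):
        return False
    if not address_matches(rule.get("source", "any"), flow["src_ip"]):
        return False
    dst = rule.get("destination", "any")
    if dst.lower() != "any" and not _is_ip_spec(dst):
        # Domain-type destination: decided on the Host/SNI field, so a flow
        # without one (plain TCP, non-TLS) cannot match a domain rule.
        if not flow.get("host") or not domain_matches(dst, flow["host"]):
            return False
    elif not address_matches(dst, flow["dst_ip"]):
        return False
    for key, port in (("source_port", flow["sport"]), ("destination_port", flow["dport"])):
        if not port_matches(parse_ports(rule.get(key, "any")), port):
            return False
    return True


# Constructed rule and flow for illustration.
SAMPLE_RULE = {"source": "0.0.0.0/0", "destination": "*.example.com",
               "protocol": "tcp", "destination_port": ["80", "443"]}
SAMPLE_FLOW = {"src_ip": "10.0.0.5", "dst_ip": "93.184.216.34",
               "host": "test.example.com", "protocol": "tcp", "sport": 51000, "dport": 443}

if __name__ == "__main__":
    print(rule_matches(SAMPLE_RULE, SAMPLE_FLOW))
    print(rule_matches(SAMPLE_RULE, dict(SAMPLE_FLOW, dport=8443)))
    print(rule_matches(SAMPLE_RULE, dict(SAMPLE_FLOW, host=None)))
```

The label-boundary check in domain_matches is the detail worth keeping: a naive "ends with example.com" comparison would let an attacker-controlled notexample.com satisfy an allow rule written for *.example.com.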
