Access Control rules support domain filtering and traffic filtering based on geographical location requirements. Internet Border Rule provides two access control rule lists, namely Inbound Rule and Outbound Rule:
Inbound Rule: controls north-south traffic from external to internal.
Outbound Rule: controls north-south traffic from internal to external.
This document will take "Inbound Rule" as an example to provide relevant operational instructions, and the operation for "Outbound Rule" is similar.
Note:
Operations on Rules for Internet Border will take effect within 1-3 minutes after the rules are saved.
View Operation Record
1. Log in to CFW console, and in the left sidebar, select Access Control.
2. On the Access Control page, click Internet Border Rule to switch to the Internet Border Rule page.
3. On the Internet Border Rule page, you can view recent operation records. Recent operation records show the recent operations performed by users on the rule list:
Click Details to view the details of this operation record.
Click View Operation Logs to view detailed operation records.
Note:
Due to log delivery taking approximately one minute, there will be a slight delay in updating recent records of operations.
Add Rule
1. On the Internet Border Rule page, click Inbound Rule to go to the Inbound Rule page.
2. On the Inbound Rule page, click Add Rule to configure relevant parameters.
Advanced Settings:
Port protocol type:
Custom: Manually enter the destination port and select the protocol.
port protocol template: Select the required address template from the existing content of the port template protocol. For custom templates for port protocols, refer to Address Template > Create Template.
Rule Priority:
Earliest: Set the priority to 1.
Last: Set the priority to the highest value.
Custom: Customize rule priority. Custom rule priority only supports editing the first rule's priority, with subsequent rules increasing successively.
Priority: Editable only when Advanced Settings > Rule Priority is set to Custom. Priority numbering starts from 1, with smaller numbers indicating higher priority. When users customize rule priorities, the priorities of other rules will be automatically adjusted in sequence.
Access source:
IP address: any IP address or address in CIDR block format, such as 10.10.10.10 or 10.10.10.10/24. Multiple entries are allowed and need to be separated by commas.
Note:
Inbound Rule: When the source is set to 0.0.0.0/0, the system will automatically associate all public IP addresses. Similarly, when a CIDR block is entered, the rule will only apply to public IP addresses within that specific subnet.
Outbound Rule: same as Inbound Rule.
Location: refers to the actual geographic location corresponding to an IP address, including provinces in the Chinese mainland, Hong Kong (China), Macao (China), and Taiwan (China), as well as continents in overseas regions.
Note
Only Enterprise Edition and Flagship Edition CFW support the geographic location feature. If you need to use this feature, you can upgrade to Enterprise Edition or Flagship Edition CFW.
Address Template: a user-defined address template.
Access destination:
IP address: The destination of Inbound Rule only applies to your public IP address. If you enter a CIDR block, the system will automatically include all your public IP addresses within that block. Multiple entries are supported and should be separated by commas.
Domain name: supports matching in standard domain name format and wildcard format. The specific matching patterns are as follows:
FQDN Matching: identifies matches based on the Host header field or SNI extension field in application-layer packets.
Loose Matching: satisfies the FQDN matching rule, or the IP address of the accessing client belongs to any IP address in the current DNS resolution result of the domain name. Meeting either condition will trigger a match.
Strict Matching: satisfies the FQDN matching rule and the IP address of the accessing client belongs to any IP address in the current result of DNS resolution of the domain name. Meeting both conditions will trigger a match.
Asset Instance: selects specific instances as the destination in the inbound direction.
Resource Tag: the tag of the resource based on which the access destination is selected. The public IP addresses of instances within the tag will match Internet boundary rules.
Address Template: selects a user-defined address template as the access destination.
Destination Port: Supports single port numbers, port ranges using '/', and discrete port values separated by commas. For example, "80", "80/80", "-1/-1", or "80,443,3380/3389".
Protocol: The relationships of protocol support between various border scenarios (rule-type) and destination types are as shown in the table below:
Direction
Destination Type
Supported Protocols
Inbound
IP Address
ANY, TCP, UDP, ICMP, FTP (only supports exact IP address)
Geographic Location, Address Template > Template of IP Address
ANY,TCP,UDP,ICMP
Policy
Pass: Allow the traffic that hits rules, record the number of hits and traffic logs, but do not record access control logs.
Observe: Allow traffic that hits rules, record the number of hits, and record both access control logs and traffic logs.
Block: Block the traffic that hits rules, record the number of hits and access control logs, and record a request data packet information of the traffic in traffic logs.
Description: Used to describe the rule, supporting up to 50 characters.
Internet Boundary Wildcard-based Matching Rules:
Input Field
Input Example
Description
Access source/Access destination
0.0.0.0/0
Indicates all IP addresses.
Domain name (in outbound rules only)
*
Indicates all domain names.
Domain name (in outbound rules only)
*.aa.com
Indicates a second-level domain name that starts with *, such as aa.com.
Target port
-1/-1
Indicates all ports.
Target port
80,443,3389
Indicates that it is effective for ports 80, 443, and 3389.
Target port
80/443
Indicates that it is effective for all ports between 80 and 443.
Target port
80/443,3389
Indicates that it is effective for all ports between 80 and 443 as well as port 3389.
Note:
The operation to input a domain name is as follows: on the Access Control > Internet Border Rule > Outbound Rule page, click Add Rule, select the access destination, according to the outbound rule, input the required domain name, click Save.
Outbound Rule: The access destination supports any IP address, CIDR address, and domain name. It also supports wildcard domain names starting with * and all domain names represented by *.
3. After confirmation, click Save to complete the configuration.
Other Operations
On the Internet Border Rule page, click Inbound Rule to go to the Inbound Rule page. On the Inbound Rule page, you can perform the following operations on existing rules:
Switch Operations: Click the switch in the status column to toggle the enable/disable status of the corresponding rule. Newly added rules are automatically enabled after configuration.
Basic Operations: After adding a rule, you can click Edit, Add one above, or Delete in the operation column to edit, insert, or delete the corresponding rule.
Copy Operation: When adding or inserting a rule, if the preceding rule has been edited and the subsequent rule to be configured is similar to it, you can use the copy feature to quickly generate a new rule and then adjust the details as needed.
Note
In the Add Inbound Rule pop-up window, each row represents a rule. When a rule is added, it is inserted to the end of the list by default. That is, the last rule with the largest priority value is assigned the lowest priority.
A maximum of 10 rules can be added per operation.
Click the
in the operation bar to add a new rule row below the currently selected rule and automatically copy its entire content.
Click the
below to add a new rule at the bottom of the rule list and automatically copy the content of the last rule in the list.
Import Rule: Click Import Rule to select a file from your local device for import. You can download an import template, export existing rules, specify the import location, set the backup method for rules, and configure the enabling method after import.
Sort: Rules are sorted by priority value by default (the lower the priority value, the higher the rule's position in the list and the higher its priority).
a. Click Sort, and hover the mouse over any blank area in the rule row that needs adjustment.
b. When the cursor changes to a draggable state, hold down the left mouse button and drag it vertically to the target position.
c. After adjustment, click Save to make it take effect.
Note:
Rules higher in the list have higher priority than those below. After the rules are dragged to sort, there is no need to manually set values; the priority will be updated automatically upon saving.
More Actions: Click More Actions, then you can Delete All / Disable All / Enable All rules by clicking the corresponding options.
Export Rules: Click the
above the rule list to pop up the custom list export window. Select Export all or Export matched results, choose the search criteria, then click Export to export the rules.
Backup and Rollback Rules: See the Rule Backup documentation.
Related Information
If you need to manage inbound and outbound traffic at the NAT boundary in the CFW console, see NAT Firewall Rules.
If you need to set rules for the VPC border in the CFW console, see VPC Border Rule.
If you need to learn about the special use cases of the access control feature of CFW, see Special Use Cases.
If you encounter issues related to Internet Border Rule, see the Internet Firewall documentation.
