What is a Firewall?
A firewall is an access control policy that monitors ingress and egress traffic of VPC vRouters and decides whether to allow or block specific traffic based on a defined set of security rules.
You can associate rules and rule sets with the egress or ingress flow direction of VPC vRouter NICs:
- Ingress: applies to the traffic that flows in the specified VPC vRouter via a network.
- Egress: applies to the traffic that flows out of the specified VPC vRouter via a network.
A rule set is a set of rules that a firewall uses to defend against network attacks. You need to associate a rule set with the egress or ingress flow direction of VPC vRouter NICs to make the rule set take effect.
Firewall rule:
- You can set a priority for a firewall rule. A small number indicates a higher priority. Valid values: 1001 to 2999.
- You can specify the source or destination of data packets to control traffic flows:
  - You can specify one or more source and destination IP addresses. These IP addresses can be static IP addresses, IP ranges, CIDR blocks, or a mix of the three.
  - If you specify multiple entries, which include one or more CIDR blocks, the netmask of each CIDR block must be 24. If you specify only one CIDR block, the netmask of the CIDR block is not limited.
  - You can enter a maximum of ten entries, with each entry separated by a comma (,).
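As an added example (not code from the product or its documentation), the following Python validator checks a candidate rule's priority and its comma-separated source/destination field against the limits listed above before the rule is submitted. The function names are this example's own, and it assumes, as an extra sanity check, that a CIDR entry with host bits set (such as 10.0.1.5/24) should be rejected.

```python
import ipaddress

PRIORITY_MIN, PRIORITY_MAX = 1001, 2999   # documented valid range; smaller = higher priority
MAX_ENTRIES = 10                          # documented maximum number of address entries


def validate_priority(priority: int) -> bool:
    """Return True if the priority lies within the documented 1001..2999 range."""
    return PRIORITY_MIN <= priority <= PRIORITY_MAX


def _parse_entry(entry: str):
    """Classify one entry as ('ip', addr), ('range', (lo, hi)) or ('cidr', net).

    Raises ValueError for anything malformed. strict=True rejects CIDR entries whose
    host bits are set (assumption of this example, not a documented platform rule).
    """
    entry = entry.strip()
    if "/" in entry:
        return "cidr", ipaddress.ip_network(entry, strict=True)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid range: {entry}")
        return "range", (lo, hi)
    return "ip", ipaddress.ip_address(entry)


def validate_address_field(field: str) -> list[str]:
    """Check a source/destination field; return a list of problems (empty = acceptable)."""
    problems = []
    raw = [e for e in field.split(",") if e.strip()]
    if not raw:
        return ["field is empty"]
    if len(raw) > MAX_ENTRIES:
        problems.append(f"{len(raw)} entries exceeds the maximum of {MAX_ENTRIES}")
    parsed = []
    for e in raw:
        try:
            parsed.append(_parse_entry(e))
        except ValueError as exc:
            problems.append(f"malformed entry {e.strip()!r}: {exc}")
    # With more than one entry, every CIDR block in the field must be a /24;
    # a single CIDR block on its own may use any netmask.
    if len(raw) > 1:
        for kind, value in parsed:
            if kind == "cidr" and value.prefixlen != 24:
                problems.append(f"CIDR {value} must use a /24 netmask when combined with other entries")
    return problems
```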
A rule template is a template that you can select when you add rules to a rule set or a firewall.
An IP or port set is a set of IP addresses or ports that you can select when you add rules to a rule set or a firewall.
Firewall vs Security Group: A firewall manages the north-south traffic of VPC networks. A security group manages the east-west traffic of VPC networks and is applied to VM NICs. These services complement each other. The following table compares the two services from three aspects.
Item | Security Group | Firewall |
---|---|---|
Application scope | VM NIC | The entire VPC network |
Deployment mode | Distributed | Centralized |
Deployment location | VM instance | VPC vRouter |
Configuration policy | Supports only Allow policies | Allows you to customize Accept, Drop, or Reject policies as needed |
Priority | Takes effect based on the predefined sequence | Allows you to customize priorities |
Matching rules | Source IP address, source port, and protocol | Source IP address, source port, destination IP address, destination port, protocol, and packet status |