• Virtual Private Cloud

  1. Help Center
  2. Virtual Private Cloud
  3. User Guide
  4. Security
  5. Firewall
  6. Firewall Overview

Firewall Overview

A firewall is an optional layer of security for your subnets. You can associate one or more subnets with a firewall for controlling traffic in and out of the subnets.

Figure 1 shows how the firewall works.

Figure 1 Security groups and firewalls

Similar to security groups, firewalls provide access control functions and add an additional layer of defense to your VPC. Security groups have only the allow rules, while firewalls have both the allow rules and deny rules. You can use firewalls together with security groups to implement fine-grained and comprehensive access control.

Differences Between Security Groups and Firewalls summarizes the basic differences between security groups and firewalls.

Firewall Basics

  • Your VPC does not come with a firewall by default. You can create a custom firewall and associate it with a subnet if required. By default, each firewall denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
  • You can associate a firewall with multiple subnets; however, a subnet can be associated with only one firewall at a time.
  • Each newly created firewall is in the Inactive state until you associate subnets with it.

Default Firewall Rules

By default, each firewall has preset rules that allow the following packets:

  • Packets whose source and destination are in the same subnet
  • Broadcast packets with the destination
  • Multicast packets with the destination
  • Metadata packets with the destination and TCP port number 80
  • Packets from CIDR blocks that are reserved for public services (for example, packets with the destination
  • A firewall denies all traffic in and out of a subnet excepting the preceding ones. Table 1 shows the default firewall rules. The default rules cannot be modified or deleted.
    Table 1 Default firewall rules












    Denies all inbound traffic.





    Denies all outbound traffic.

Rule Priority

  • Each firewall rule has a priority value. The rule with a smaller value has a higher priority and will be applied regardless of any higher-numbered rule that may contradict it. The rule whose priority value is an asterisk (*) has the lowest priority.
  • If multiple firewall rules conflict, the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

Application Scenarios

  • Because the application layer needs to provide services for users, traffic from all IP addresses must be allowed to reach the application layer. Then, what can I do to prevent illegal access from malicious users?

    Solution: Add firewall rules to deny access traffic from the IP addresses used by malicious users.

  • How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?

    Solution: Add firewall rules to deny access traffic from specific port and protocol, for example, TCP port 445.

  • No defense is required for the east-west traffic between subnets, while access control is required for north-south traffic.

    Solution: Add firewall rules to protect north-south traffic.

  • For frequently accessed applications, the security rule sequence needs to be adjusted to improve performance.

    Solution: A firewall allows you to adjust the rule sequence to make the frequently used rule take precedence over other rules.

Firewall Configuration Procedure

Figure 2 shows the procedure for configuring a firewall.

Figure 2 Firewall configuration procedure
  1. Create a firewall by following the steps described in Creating a Firewall.
  2. Add firewall rules by following the steps described in Adding a Firewall Rule.
  3. Associate subnets with the firewall by following the steps described in Associating Subnets with a Firewall. After subnets are associated with the firewall, the subnets will be protected by the configured firewall rules.