Firewall Configuration Examples

Example: Denying Access to a Specific Port

In this example, you need to block the port that WannaCry ransomware exploits, TCP port 445 (SMB), for all ECSs in a subnet. You can add a firewall rule that denies all inbound TCP traffic whose destination port is 445, regardless of the source address or source port. If other rules permit inbound TCP traffic to the subnet, the deny rule must take precedence over them; a rule that matches on source port 445 would not have the intended effect, because a client connecting to SMB uses an ephemeral source port.

Firewall configuration

Table 1 lists the inbound rule required.

Table 1 Firewall rule

Direction | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description
Inbound   | Deny   | TCP      | 0.0.0.0/0 | 1-65535           | 0.0.0.0/0   | 445                    | Denies inbound TCP traffic from any IP address and any source port to destination port 445 (SMB).

Example: Allowing Access to Specific Ports and Protocols

In this example, an ECS in a subnet is used as a web server. You must allow inbound traffic to TCP port 80 (HTTP) and TCP port 443 (HTTPS) and allow all outbound traffic. Traffic has to pass both the subnet firewall and the ECS's security group, so you need to configure both the firewall rules and the security group rules to allow it.

Firewall configuration

Table 2 lists the inbound and outbound firewall rules required.

Table 2 Firewall rules

Direction | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description
Inbound   | Permit | TCP      | 0.0.0.0/0 | 1-65535           | 0.0.0.0/0   | 80                     | Allows inbound HTTP traffic from any IP address to ECSs in the subnet on port 80.
Inbound   | Permit | TCP      | 0.0.0.0/0 | 1-65535           | 0.0.0.0/0   | 443                    | Allows inbound HTTPS traffic from any IP address to ECSs in the subnet on port 443.
Outbound  | Permit | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Allows all outbound traffic from the subnet.

Security group configuration

Table 3 lists the inbound and outbound security group rules required.

Table 3 Security group rules

Direction | Protocol | Port/Range | Source/Destination     | Description
Inbound   | TCP      | 80         | Source: 0.0.0.0/0      | Allows inbound HTTP traffic from any IP address to ECSs associated with the security group on port 80.
Inbound   | TCP      | 443        | Source: 0.0.0.0/0      | Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group on port 443.
Outbound  | All      | All        | Destination: 0.0.0.0/0 | Allows all outbound traffic from ECSs associated with the security group.

The firewall is an additional layer of security in front of the security group: a packet reaches the ECS only if both layers permit it. Even if the security group rules allow more inbound traffic than is actually required (for example, a rule permitting SSH from any address), the subnet firewall rules in Table 2 permit only inbound TCP traffic to ports 80 and 443 and deny all other inbound traffic, so the over-permissive security group rule is never reached.
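The following model, added here and not Huawei Cloud's own code, evaluates the rules from Tables 1, 2 and 3 against constructed packets to show three things: why Table 1 must match on the destination port rather than the source port, that the web server in Table 2 and Table 3 is reachable only on ports 80 and 443, and that an over-permissive security group is still shielded by the firewall. The evaluation semantics are assumptions: the firewall takes the first matching rule in listed order and denies anything unmatched, and the security group is a pure allow-list. The ECS private IP, the trailing permit-all rule placed after the Table 1 deny, and all packets are constructed for the example.

```python
"""Model of the two filtering layers: subnet firewall (Tables 1-2) and security
group (Table 3). Added example, not Huawei Cloud code. Assumed semantics: the
firewall returns the first matching rule in list order and denies unmatched
traffic; the security group permits only traffic some rule matches."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "All"


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the subnet/ECS
    protocol: str    # "tcp", "udp", ...
    src: str
    src_port: int
    dst: str
    dst_port: int


@dataclass(frozen=True)
class FirewallRule:            # one row of Table 1 / Table 2
    direction: str
    action: str                # "permit" or "deny"
    protocol: str              # "all" or a protocol name
    source: str                # CIDR
    source_ports: PortRange
    destination: str           # CIDR
    destination_ports: PortRange


@dataclass(frozen=True)
class SGRule:                  # one row of Table 3 (security group rules only permit)
    direction: str
    protocol: str
    ports: PortRange           # destination port range
    cidr: str                  # source for inbound, destination for outbound


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _proto_ok(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "all" or rule_proto == pkt_proto


def firewall_decision(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means deny (assumed default)."""
    for r in rules:
        if (r.direction == pkt.direction and _proto_ok(r.protocol, pkt.protocol)
                and ip_address(pkt.src) in ip_network(r.source)
                and ip_address(pkt.dst) in ip_network(r.destination)
                and _port_ok(r.source_ports, pkt.src_port)
                and _port_ok(r.destination_ports, pkt.dst_port)):
            return r.action
    return "deny"


def sg_decision(rules, pkt: Packet) -> str:
    """Security group: permit if any rule matches, otherwise deny."""
    peer = pkt.src if pkt.direction == "inbound" else pkt.dst
    for r in rules:
        if (r.direction == pkt.direction and _proto_ok(r.protocol, pkt.protocol)
                and ip_address(peer) in ip_network(r.cidr)
                and _port_ok(r.ports, pkt.dst_port)):
            return "permit"
    return "deny"


def allowed(fw_rules, sg_rules, pkt: Packet) -> bool:
    """A packet reaches the ECS only if both layers permit it."""
    return firewall_decision(fw_rules, pkt) == "permit" and sg_decision(sg_rules, pkt) == "permit"


ANY = "0.0.0.0/0"
# Table 1, followed by an assumed pre-existing permit-all that the deny must override.
TABLE1 = [
    FirewallRule("inbound", "deny", "tcp", ANY, (1, 65535), ANY, (445, 445)),
    FirewallRule("inbound", "permit", "all", ANY, None, ANY, None),
]
# The misreading "deny traffic FROM port 445": matches on the source port instead.
SOURCE_PORT_MISTAKE = [
    FirewallRule("inbound", "deny", "tcp", ANY, (445, 445), ANY, (1, 65535)),
    FirewallRule("inbound", "permit", "all", ANY, None, ANY, None),
]
TABLE2 = [
    FirewallRule("inbound", "permit", "tcp", ANY, (1, 65535), ANY, (80, 80)),
    FirewallRule("inbound", "permit", "tcp", ANY, (1, 65535), ANY, (443, 443)),
    FirewallRule("outbound", "permit", "all", ANY, None, ANY, None),
]
TABLE3 = [
    SGRule("inbound", "tcp", (80, 80), ANY),
    SGRule("inbound", "tcp", (443, 443), ANY),
    SGRule("outbound", "all", None, ANY),
]

# Constructed sample packets (documentation address ranges; ECS private IP is assumed).
ECS = "192.168.0.10"
SMB_PROBE = Packet("inbound", "tcp", "203.0.113.7", 51515, ECS, 445)
HTTP_REQ = Packet("inbound", "tcp", "203.0.113.7", 51516, ECS, 80)
HTTPS_REQ = Packet("inbound", "tcp", "203.0.113.7", 51517, ECS, 443)
SSH_ATTEMPT = Packet("inbound", "tcp", "203.0.113.7", 51518, ECS, 22)
OUTBOUND_DNS = Packet("outbound", "udp", ECS, 40000, "198.51.100.53", 53)

if __name__ == "__main__":
    print("Table 1 vs SMB probe:", firewall_decision(TABLE1, SMB_PROBE))                        # deny
    print("source-port rule vs SMB probe:", firewall_decision(SOURCE_PORT_MISTAKE, SMB_PROBE))  # permit
    for name, p in [("HTTP", HTTP_REQ), ("HTTPS", HTTPS_REQ), ("SSH", SSH_ATTEMPT)]:
        print(name, "reaches web server:", allowed(TABLE2, TABLE3, p))
    loose_sg = TABLE3 + [SGRule("inbound", "tcp", (22, 22), ANY)]   # over-permissive security group
    print("SSH with loose SG but Table 2 firewall:", allowed(TABLE2, loose_sg, SSH_ATTEMPT))  # False
```

The source-port variant lets the SMB probe through because the client's source port is ephemeral, which is why Table 1 puts 445 in the destination port range. Note that Table 2 permits inbound traffic only to ports 80 and 443; whether replies to connections the ECS initiates itself (such as the outbound DNS query above) get back in depends on whether the firewall tracks connection state, which this page does not specify, so verify that behaviour in your environment before relying on it.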