NAT Boundary Rule
Last updated: 2026-03-04 10:43:23
Access control rules support filtering by domain name and by geographic location. NAT Border Rule provides two access control rule lists, the Inbound Rule and the Outbound Rule:
Inbound Rule: manages north-south traffic entering the NAT boundary from the outside.
Outbound Rule: manages north-south traffic leaving the NAT boundary.
This document takes "Inbound Rule" as an example for the operational instructions; the same approach applies to "Outbound Rule".
Note:
Operations on NAT Border Rule will take effect within 1-3 minutes after the rules are saved.

View Operation Log

1. Log in to the CFW console and select Access Control in the left sidebar.
2. On the Access Control page, click NAT Border Rule to switch to the NAT Border Rule page.
3. On the NAT Border Rule page, you can view recent operation records, which show the operations recently performed by the user on the rule list:
Click Details to view the details of that operation record.
Click View operation logs to view the complete operation history.

Note:
Because log delivery takes about 1 minute, there will be a slight delay in updating recent operation records.

Add Rule

1. On the NAT Border Rule page, click Inbound Rule to go to the Inbound Rule page.
2. On the Inbound Rule page, click Add rule to configure relevant parameters.
Advanced Settings:
Port protocol type:
Custom: Manually enter the destination port and select the protocol.
Port protocol template: select the required template from the existing port protocol templates. For custom port protocol templates, refer to Address Template > Add Template.
Rule priority:
Earliest: Set the priority to 1.
Last: Set the priority to the maximum number.
Custom: Customize rule priority. Custom rule priority only supports editing the first rule's priority, with subsequent rules increasing successively.
Priority: editable only when Advanced Settings > Rule Priority is set to Custom; priority numbers start from 1, where a smaller number indicates higher priority. When users customize rule priorities, the priorities of other rules will be automatically adjusted sequentially.
Scope: The region(s) where the current rule takes effect.
Access source:
IP address: any IP address or CIDR block address, such as 10.10.10.10 or 10.10.10.10/24. Multiple entries are allowed and need to be separated by commas.
Note:
Inbound Rule: When 0.0.0.0/0 is entered as the access source, the backend will automatically associate all public IP addresses. Similarly, when a CIDR address is entered, the rule takes effect only for public IP addresses within that IP range.
Outbound Rule: same as Inbound Rule.
Location: the actual geographic location corresponding to the IP address, including provinces in the Chinese mainland, Hong Kong (China), Macao (China), and Taiwan (China), as well as continents outside China.
Address template: a user-defined address template.
Access destination:
IP Address: The access destination of inbound rules applies only to your public IP addresses. If you enter a CIDR block address, the backend will automatically associate all your public IP addresses within the IP address range. Multiple entries are allowed and need to be separated by commas.
Domain name: Domain name matching supports standard domain name formats and wildcard forms. The specific matching patterns are as follows:
FQDN matching: Identifies matches based on the Host header field in the application layer packets or the SNI extension field.
Loose matching: The request meets the FQDN matching rule, or the accessing client IP address belongs to any IP address in the current DNS resolution results of the domain name. A match occurs if either condition is met.
Strict matching: The request meets the FQDN matching rule and the accessing client IP address belongs to any IP address in the current DNS resolution results of the domain name. A match occurs only when both conditions are satisfied.
Asset instance: Select a specific instance as the access destination in the inbound direction.
Resource Tag: Select the access destination based on the resource's tag. The public IP addresses of the instances carrying the tag are matched by the NAT Border Rule.
Address template: Select a user-defined address template as the access destination.
Destination port: Supports single port numbers, port ranges using '/', and discrete port values separated by commas. For example, "80", "80/80", "-1/-1", or "80,443,3380/3389".
Protocol: The supported protocols for each boundary scenario (rule type) and access destination type are shown in the table below:

| Direction | Access Destination Type | Supported Protocols |
| --- | --- | --- |
| Inbound | IP Address, Asset Instance, Resource Tag, Address Template > IP Address Template | ANY, TCP, UDP |
| Inbound | Domain, Address Template > Domain Address Template | Not supported |
| Outbound | IP Address | ANY, TCP, UDP, ICMP, FTP (only supports exact IP address) |
| Outbound | Geographic Location, Address Template > IP Address Template | ANY, TCP, UDP, ICMP |
| Outbound | Domain > FQDN Matching, Address Template > Domain Address Template | ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (only supports domain names) |
| Outbound | Domain > Loose Matching, Domain > Strict Matching | TCP, UDP |
Policy:
Pass: Allow the traffic that hits rules, record the number of hits and traffic logs, but do not record access control logs.
Observe: Allow traffic that hits rules and record the hit count, access control logs, and traffic logs.
Block: Block the traffic that hits rules, record the hit count and generate access control logs, and record the complete data packet information of the current request in traffic logs.
Description: A description of the rule, up to 50 characters.
NAT Boundary Wildcard Rules:

| Input Field | Input Example | Description |
| --- | --- | --- |
| Access source / Access destination | 0.0.0.0/0 | Indicates all IP addresses. |
| Domain name (outbound rules only) | * | Indicates all domain names. |
| Domain name (outbound rules only) | *.aa.com | Indicates the second-level domain aa.com with the wildcard prefix *, that is, its subdomains. |
| Destination port | -1/-1 | Indicates all ports. |
| Destination port | 80,443,3389 | Effective for ports 80, 443, and 3389. |
| Destination port | 80/443 | Effective for all ports from 80 to 443. |
| Destination port | 80/443,3389 | Effective for all ports from 80 to 443 as well as port 3389. |

Note:
To enter a domain name: on the Access Control > NAT Border Rule > Outbound Rule page, click Add Rule, select the access destination, enter the required domain name for the outbound rule, and click Save.
Outbound Rule: The access destination supports any IP address, CIDR address, and domain name. It also supports wildcard domain names starting with * and all domain names represented by *.
3. After confirming, click Save to complete the configuration.
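The following Python is an added example (not part of this documentation or of the CFW product) that shows how the destination-port expressions and the three domain matching modes described above can be evaluated. The DNS results and the mode labels "fqdn", "loose" and "strict" are constructed assumptions, not CFW API values.

```python
# Added example: evaluating NAT border rule destination ports and domain matching modes.
# Constructed sample DNS results for the rule domain (not real resolution data).
DNS_RESULTS = {"api.example.com": {"203.0.113.10", "203.0.113.11"}}


def parse_ports(expr):
    """Parse a destination-port expression ("80", "80/80", "-1/-1",
    "80,443,3380/3389") into (low, high) ranges; "-1/-1" means all ports."""
    ranges = []
    for item in expr.split(","):
        lo, _, hi = item.strip().partition("/")
        lo, hi = int(lo), int(hi or lo)  # "80" is shorthand for "80/80"
        if (lo, hi) == (-1, -1):
            lo, hi = 0, 65535
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port expression: {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(expr, port):
    """True if the connection's destination port falls in any configured range."""
    return any(lo <= port <= hi for lo, hi in parse_ports(expr))


def fqdn_matches(pattern, name):
    """FQDN matching on the Host header / SNI value: "*" matches every domain,
    "*.aa.com" matches any subdomain of aa.com, anything else must match exactly."""
    name, pattern = name.lower().rstrip("."), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # keep the leading dot: ".aa.com"
    return name == pattern


def domain_matches(pattern, mode, host, client_ip, dns=DNS_RESULTS):
    """Apply the three matching modes from the documentation. The mode names
    "fqdn", "loose" and "strict" are assumed labels, not CFW API values."""
    by_name = bool(host) and fqdn_matches(pattern, host)
    if mode == "fqdn":
        return by_name
    # Loose/strict also compare the client IP with the domain's current DNS results.
    by_ip = client_ip in dns.get(pattern.lower(), set())
    if mode == "loose":
        return by_name or by_ip
    if mode == "strict":
        return by_name and by_ip
    raise ValueError(f"unknown matching mode: {mode!r}")
```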

Other Operations

On the NAT Border Rule page, click Inbound Rule to go to the Inbound Rule page. On this page, you can perform the following operations on existing rules:
Switch Operations: Click the switch in the status column to toggle the enable/disable status of the corresponding rule. Newly added rules are automatically enabled after configuration.
Basic Operations: After adding a rule, you can click Edit, Add one above, or Delete in the operation column to edit, insert, or delete the corresponding rule.
Copy Operation: When adding or inserting a rule, if the preceding rule has been edited and the subsequent rule to be configured is similar to it, you can use the copy feature to quickly generate a new rule and then adjust the details as needed.
Note:
In the Add Inbound Rule pop-up window, each row represents a rule. When a rule is added, it is inserted to the end of the list by default. That is, the last rule with the largest priority value is assigned the lowest priority.
A maximum of 10 rules can be added per operation.
Click the icon in the operation bar to add a new rule row below the currently selected rule and automatically copy its entire content.
Click the icon below the list to add a new rule row at the bottom of the rule list, automatically copying the content of the last rule.
Import Rule: Click Import rule to select a file from your local device for import. You can download an import template, export existing rules, specify the import location, set the backup method for rules, and configure the enabling method after import.
Sort: Rules are sorted by the value of priority by default (the lower the value of priority, the higher the rule's position in the list and the higher its priority).
a. Click Sort, and hover the mouse over any blank area in the rule row that needs adjustment.
b. When the cursor changes to a draggable state, hold down the left mouse button and drag it vertically to the target position.
c. After adjustment, click Save to make it take effect.
Note:
Rules higher in the list have higher priority than those below. After the rules are dragged to sort, there is no need to manually set values; the priority will be updated automatically upon saving.
More Actions: Click More actions and then choose Delete all, Disable all, or Enable all to apply the operation to all rules.
Export rules: Click the icon above the rule list, and a custom list export window pops up. Select Export all or Export matched results, choose the search criteria, then click Export to export the rules.
Backup and Rollback Rules: See the Rule Backup documentation.

Related Information

If you need to manage inbound and outbound traffic at the Internet boundary in the CFW console, see Internet Border Rule.
To configure VPC border rules in the Cloud Firewall console, see VPC Border Rules.
If you need to learn about the special use cases of the access control feature of CFW, see Special Use Cases.
If you encounter issues related to NAT Border Rule, see the NAT Firewall documentation.