
VPC Border Rule
Last updated: 2025-12-19 16:03:04
VPC Border Rule provides an access control list. When creating a rule, configure its effective scope to apply access control to traffic flowing between different VPC borders. This document describes how to configure VPC Border Rules in the CFW console.
Note:
Operations on VPC Border Rules take effect within 1-3 minutes after the rules are saved.

Viewing Operation Records

1. Log in to the CFW console and select Access Control in the left sidebar.
2. On the Access Control page, click VPC Border Rule to switch to the VPC Border Rule page.
3. On the VPC Border Rule page, you can view recent operation records. The recent operation records display the latest actions performed by users on the rule list.
Click Details to view the details of this operation record.
Click View Operation Logs to view detailed operation records.

Note:
Because log delivery takes approximately one minute, recent operation records are updated with a slight delay.

Add Rule

1. On the VPC Border Rule page, click Add Rule to configure the relevant parameters.
Advanced Settings:
Port protocol type:
Custom: Manually enter the destination port and select the protocol.
Port protocol template: Select the required port protocol template from the list of existing templates. To create a custom port protocol template, refer to Address Template > Create template.
Rule Priority:
Earliest: Set the priority to 1.
Last: Set the priority to the highest value.
Custom: Customize rule priority. Only the priority of the first rule can be edited, and subsequent rules will increase sequentially.
Priority: Editable only when Advanced Settings > Rule Priority is set to Custom. Priorities are numbered starting from 1, with smaller numbers indicating higher priority. When users customize rule priorities, priorities of other rules will be automatically adjusted sequentially.
Scope: The scope to which the current rule applies.
Access source:
IPv4 Address: any IP address or CIDR block, such as 10.10.10.10 or 10.10.10.10/24. Multiple entries are supported and should be separated by commas.
Note:
When the source is set to 0.0.0.0/0, the system will automatically associate all public IP addresses. Similarly, when a CIDR block is entered, the rule only applies to public IP addresses within that subnet.
Asset instance: select specific instances as the source.
Address template: a user-defined template of IP address.
Resource Tag: Select the source based on resource tags. The public IP addresses of instances within the tagged scope will match the VPC Border Rule.
Access destination:
IPv4: The destination applies only to your public IP addresses. If a CIDR block is entered, the system will automatically associate all your public IP addresses within that address range. Multiple entries are supported and should be separated by commas.
Domain name: supports matching in standard domain name format and wildcard format. The specific matching patterns are as follows:
FQDN Matching: identifies matches based on the field of the Host header in the application-layer packet or the field of the SNI extension.
Loose Matching: meets the FQDN matching rule, or the client IP address accessing the domain belongs to any IP address in the current DNS resolution result of that domain. Meeting either condition will trigger a match.
Strict Matching: meets the FQDN matching rule, and the client IP address accessing the domain belongs to any IP address in the current DNS resolution result of that domain. Both conditions must be met simultaneously to trigger a match.
Asset instance: select specific instances as the destination.
Address template: a user-defined template of IP address.
Resource Tag: Select the destination based on resource tags. The public IP addresses of instances within the tagged scope will match the VPC Border Rule.
Destination Port: Supports single port numbers, port ranges written with '/', and discrete port values separated by commas. For example, "80", "80/80", "-1/-1", or "80,443,3380/3389".
Protocol: The protocols supported for each destination type (and therefore each border scenario, or rule type) are as follows:
IPv4 Address: ANY, TCP, UDP, ICMP, FTP (FTP only supports an exact IP address)
Asset Instances, Resource Tags, Address Template > Template of IP Address: ANY, TCP, UDP, ICMP
Domain > FQDN Matching, Address Template > Template of Domain Address: ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (DNS only supports domain names)
Domain > Loose Matching, Domain > Strict Matching: TCP, UDP
Policy:
Pass: Allow traffic that hits the rule, record the hit count and traffic logs, but do not record access control logs.
Observe: Allow traffic that hits the rule, and record the hit count, access control logs, and traffic logs.
Block: Block traffic that hits the rule, record the hit count, generate access control logs, and record the complete packet information of the current request in traffic logs.
Description: Used to describe the rule, supporting up to 50 characters.
Note:
The CIDR blocks of the local and peer VPCs for the inter-VPC firewall cannot be the same or overlapped. Otherwise, the firewall cannot be enabled.
In VPC border access control rules, Source and Access Destination only support IP addresses or CIDR blocks within the CIDR blocks of the local or peer VPC. Because those two CIDR blocks cannot be identical or overlapping, the traffic direction controlled by a rule is determined by its Source and Access Destination.
The rule will not take effect if you enter an address other than those in the CIDR block of the local or peer VPC.
If Source and Access Destination are set to 0.0.0.0/0, they represent all IP addresses of the VPC.
2. After confirming the settings, click Save to complete the configuration.
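The three domain matching modes described above, simulated as an added example (not Tencent Cloud's code) against a constructed DNS snapshot; the wildcard handling and the reading of "client IP address accessing the domain" as the address the client connects to are assumptions.

```python
"""Added example (not Tencent Cloud's code): simulates the three domain
matching modes described above against a constructed DNS snapshot, to show
which flows each mode catches."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for "the current DNS resolution result of that domain".
DNS_SNAPSHOT = {"www.example.com": {"203.0.113.10", "203.0.113.11"}}

@dataclass
class Flow:
    dst_ip: str                  # address the client connects to
    host: Optional[str] = None   # HTTP Host header, for plaintext HTTP
    sni: Optional[str] = None    # TLS SNI extension, for TLS

def fqdn_match(flow: Flow, rule_domain: str) -> bool:
    """FQDN Matching: the Host header or SNI names the rule's domain.
    Wildcard handling ('*.' prefix matches one or more labels) is an assumption."""
    rule_domain = rule_domain.lower()
    for name in (flow.host, flow.sni):
        if not name:
            continue
        name = name.lower().rstrip(".")
        if rule_domain.startswith("*."):
            if name.endswith(rule_domain[1:]):
                return True
        elif name == rule_domain:
            return True
    return False

def ip_match(flow: Flow, rule_domain: str) -> bool:
    """The connected-to IP is among the domain's current DNS answers
    (the page's 'client IP address accessing the domain' is read this way)."""
    return flow.dst_ip in DNS_SNAPSHOT.get(rule_domain.lower(), set())

def domain_match(flow: Flow, rule_domain: str, mode: str) -> bool:
    """'fqdn': name only; 'loose': name OR IP condition; 'strict': name AND IP."""
    by_name, by_ip = fqdn_match(flow, rule_domain), ip_match(flow, rule_domain)
    if mode == "fqdn":
        return by_name
    if mode == "loose":
        return by_name or by_ip
    if mode == "strict":
        return by_name and by_ip
    raise ValueError(f"unknown matching mode: {mode}")
```

Note that Loose Matching also catches a flow whose SNI names a different domain but whose destination IP is shared with the rule's domain, while Strict Matching does not.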
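The CIDR constraints in the note above, worked through as an added example (not Tencent Cloud's code): the local and peer VPC blocks may not overlap, every Source and Access Destination entry must fall inside one of them, and 0.0.0.0/0 stands for all addresses of a VPC. The local/peer CIDR values are constructed.

```python
"""Added example (not Tencent Cloud's code): checks an inter-VPC rule's source
and destination against the local and peer VPC CIDR blocks, following the
note above. The local/peer CIDRs used in the tests are constructed values."""
import ipaddress
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

def check_vpc_pair(local_cidr: str, peer_cidr: str):
    """The two VPC CIDR blocks may be neither identical nor overlapping."""
    local = ipaddress.ip_network(local_cidr)
    peer = ipaddress.ip_network(peer_cidr)
    if local.overlaps(peer):
        raise ValueError(f"{local} and {peer} overlap: inter-VPC firewall cannot be enabled")
    return local, peer

def side_of(entry: str, local, peer) -> Optional[str]:
    """'local', 'peer', 'any' for 0.0.0.0/0, or None when the entry lies outside both VPCs."""
    net = ipaddress.ip_network(entry.strip(), strict=False)  # accepts 10.10.10.10/24 style input
    if net == ANY:
        return "any"
    if net.subnet_of(local):
        return "local"
    if net.subnet_of(peer):
        return "peer"
    return None

def rule_direction(source: str, destination: str, local_cidr: str, peer_cidr: str) -> str:
    """Which border crossing a rule controls. Comma-separated entries are
    evaluated individually, as the console accepts them."""
    local, peer = check_vpc_pair(local_cidr, peer_cidr)
    src = {side_of(e, local, peer) for e in source.split(",")}
    dst = {side_of(e, local, peer) for e in destination.split(",")}
    if None in src or None in dst:
        return "ineffective"   # an address outside both VPCs: the rule does not take effect
    src.discard("any")
    dst.discard("any")
    if not src and not dst:
        return "both"          # 0.0.0.0/0 on both ends: all traffic across the border
    if src <= {"local"} and dst <= {"peer"}:
        return "local->peer"
    if src <= {"peer"} and dst <= {"local"}:
        return "peer->local"
    return "mixed"             # both VPCs on one end, or both ends in the same VPC

if __name__ == "__main__":
    print(rule_direction("10.0.1.0/24", "10.1.2.3", "10.0.0.0/16", "10.1.0.0/16"))
```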

Other Operations

On the VPC Border Rule page, you can perform the following operations on existing rules:
Switch Operations: Click the switch in the status column to toggle the enable/disable status of the corresponding rule. Newly added rules are automatically enabled after configuration.
Basic Operations: After adding a rule, you can click Edit, Add one above, or Delete in the operation column to edit, insert, or delete the corresponding rule.
Copy Operation: When adding or inserting a rule, if the preceding rule has been edited and the subsequent rule to be configured is similar to it, you can use the copy feature to quickly generate a new rule and then adjust the details as needed.
Note:
In the "Add Rule" pop-up window, each row represents a rule. Newly added rules are inserted at the end of the list by default, meaning they have the highest execution-order number and the lowest priority.
A maximum of 10 rules can be added per operation.
Click the icon in the operation bar to add a new rule row below the currently selected rule and automatically copy its entire content.
Click the icon below the list to add a new rule row at the bottom of the rule list and automatically copy the content of the last rule.
Import Rules: Click Import Rule to select a file from your local device for import. You can download an import template, export existing rules, specify the import location, set the method for backing up rules, and configure the enabling method after import.
Sort: Rules are sorted by the value of priority by default (the lower the value of priority, the higher the rule's position in the list and the higher its priority).
a. Click Sort, and hover the mouse over any blank area in the rule row that needs adjustment.
b. When the cursor changes to a draggable state, hold down the left mouse button and drag it vertically to the target position.
c. After adjustment, click Save to make it take effect.
Note:
Rules higher in the list have higher priority than those below. After the rules are sorted by dragging, there is no need to manually set values; the priority will be updated automatically upon saving.
More Actions: Click More Actions, then you can Delete All / Disable All / Enable All rules by clicking the corresponding options.
Export Rules: Click the icon above the rule list to open the custom list export window. Select Export all or Export matched results, choose the search criteria, then click Export to export the rules.
Backup and Rollback Rules: See the Rule Backup documentation.
Note:
Rules for the VPC border backed up before the revision do not support rollback. If needed, please submit a ticket to contact us.

Related Information

If you need to manage inbound and outbound traffic at the Internet boundary in the CFW console, see Internet Border Rule.
If you need to manage inbound and outbound traffic at the NAT boundary in the CFW console, see NAT Firewall Rules.
If you need to learn about the special use cases of the access control feature of CFW, see Special Use Cases.
If you encounter issues related to rules for the VPC border, see the Inter-VPC Firewall documentation.
