Alibaba Cloud enterprise account Alibaba Cloud Firewall Rules Setup Guide
Alibaba Cloud Firewall Rules Setup Guide
Setting up firewall rules on Alibaba Cloud can feel confusing at first, especially when you’re trying to balance three goals at the same time: security, availability, and operational simplicity. If rules are too broad, you increase your attack surface. If they’re too strict, you accidentally block legitimate traffic and create outages. The good news is that the process is predictable once you adopt a clear workflow.
Alibaba Cloud enterprise account This guide walks you through a practical approach to designing and implementing firewall rules on Alibaba Cloud. It covers what you should decide before you touch the console, how to create rules safely, how to test and verify behavior, and how to troubleshoot when traffic doesn’t flow as expected.
1. Before You Create Rules: Clarify Your Network Goals
Firewall rules should not be created as a collection of one-off exceptions. Start with a small plan. Even a short plan saves hours of back-and-forth later.
Define what you are protecting
List the assets that need protection. For example:
- Public-facing services (web, API, SSH, VPN)
- Internal services that should only be reachable from certain subnets
- Databases that must not be exposed to the public internet
Write down which servers or ECS instances are involved, and which ports each service uses.
Decide traffic directions
Alibaba Cloud enterprise account Most firewall confusion comes from unclear direction. Separate inbound from outbound:
- Inbound: traffic coming from a source to your server
- Outbound: traffic leaving your server to a destination
Ask: Do you need to restrict outbound connections? If yes, which protocols matter (for example, HTTPS for package downloads, database connections to a known endpoint, or DNS queries)?
Use a minimal set of ports and sources
The safest baseline is “deny by default, allow only what you need.” Practically, that means you should:
- Allow specific ports rather than wide port ranges
- Limit source IPs to known networks (your office IP, a jump host subnet, or a CDN range if applicable)
- Avoid allowing “any” unless it’s truly required
If you must open a port to the world (like 80/443 for a website), still keep other ports closed and monitor traffic.
2. Choose the Right Firewall Scope and Resource Model
Before configuration, understand where the rules apply. On Alibaba Cloud, firewall behavior depends on the specific service or feature you use (for example, security group rules, network firewall products, or other policy-based systems). The underlying idea is the same: rules match traffic based on criteria, then allow or deny.
To avoid mistakes, decide these items upfront:
- Which resource the rules attach to (instance, VPC, subnet, or firewall policy)
- Whether rules are stateful or stateless (most typical firewall systems are stateful, but verify in your chosen product)
- Whether the product supports address groups, port groups, and protocols beyond TCP/UDP
Alibaba Cloud enterprise account Even if you’re experienced with other clouds, don’t assume the exact semantics. Spend a few minutes reading the matching fields and precedence rules in the console documentation for your specific firewall feature.
3. Plan Your Rule Set: A Simple Template That Works
A clean rule set usually looks like this:
- Administrative access rules (SSH/RDP restricted to your IP or jump host)
- Application rules (HTTP/HTTPS or required service ports)
- Internal rules (service-to-service communication inside your VPC)
- DNS and essential outbound rules if you need outbound control
- Default deny handled by the system’s default behavior or explicit denies
Rule naming and grouping strategy
Use names that communicate purpose, not just a port number. For example:
- Allow-SSH-From-Office
- Allow-HTTPS-From-Internet
- Allow-DB-From-App-Subnet
Alibaba Cloud enterprise account If the system allows tags or descriptions, include a short note like “Change ticket: #1234” or “Owner: DevOps.” This makes future audits far easier.
Start with “least privilege” assumptions
When uncertain, assume you should only allow the minimum. You can always add more, but removing a broad rule after it has been exploited is harder than tightening it beforehand.
4. Create Firewall Rules Safely in the Console
Now let’s go through a safe step-by-step approach. The key is to apply changes in a controlled order and avoid locking yourself out.
Step 1: Validate current connectivity
Before adding or modifying rules, confirm your current access method works:
- If you access via SSH, ensure your current IP is correct and your connection succeeds.
- If you use a bastion/jump host, verify it can reach the target instance.
Document the working path. This becomes your fallback when you need to troubleshoot.
Step 2: Add an administrative access rule first
When you’re about to restrict inbound traffic, always add a rule that preserves your ability to manage the system.
For example, if you need SSH access:
- Protocol: TCP
- Port: 22
- Source: your public office IP (or a secure jump host subnet)
Then test immediately with a fresh connection attempt. If this fails, fix it before adding application rules.
Step 3: Add application-facing rules with tight scope
For web services:
- Allow TCP 80 from the required sources (often “any” if you want public HTTP)
- Allow TCP 443 from the required sources (often “any” for public HTTPS)
If you have a load balancer, you may not need to open these ports directly on instances; the load balancer can handle inbound connections and forward internally. Decide based on your architecture.
Step 4: Add internal service-to-service rules
For microservices or backend systems, restrict by source subnet or by specific internal components.
Common examples:
- Allow the application subnet to reach the database port
- Allow backend services to call one another on specific ports
If your environment uses separate VPCs or peered networks, ensure you select the correct source CIDR ranges.
Step 5: Consider outbound restrictions carefully
Outbound rules can improve security, but they can also break systems silently. Many servers need outbound access for updates, DNS, metrics, or third-party APIs.
If outbound control is optional, start with monitoring first. If you must restrict outbound, begin with essential services:
- Alibaba Cloud enterprise account DNS (TCP/UDP 53 to your DNS resolver)
- NTP (UDP 123) if time sync is required
- HTTPS (TCP 443) to trusted endpoints (package repositories, internal APIs, or known external services)
Then roll out gradually, verify, and expand as needed.
5. Rule Precedence and Conflict: Avoid “Why Is Traffic Still Allowed?”
Firewall systems typically process rules based on priority, order, or an explicit precedence logic. If you’re seeing unexpected results, conflict and precedence are usually the cause.
What to check first
- Does the system prioritize allow rules over deny rules (or vice versa)?
- Are there overlapping rules that match broader conditions?
- Are there multiple layers of filtering (security groups plus firewall policies)?
How to design to minimize conflicts
Alibaba Cloud enterprise account To reduce surprises:
- Use specific rules for specific traffic patterns
- Avoid “any-to-any” rules except for necessary public services
- Group rules by function and keep them consistent across environments (dev, staging, production)
6. Testing and Verification: Prove It Works Before You Move On
After rules are created, test both positive and negative cases. This is the only way to be confident that your firewall behaves as expected.
Test allowed traffic
Use simple tools and repeatable checks:
- From an allowed source IP, test reaching each service port (for example, SSH, HTTPS)
- Validate the application actually responds, not just the TCP handshake
Alibaba Cloud enterprise account If you have a CI/CD pipeline, you can integrate basic connectivity tests before promoting changes.
Test denied traffic
Pick one or two “should be blocked” scenarios:
- Try connecting to a closed port from the internet or from an unapproved IP
- Try connecting from a subnet that is not supposed to access the internal service
Be careful not to test disruptive scenarios in production (like blocking critical monitoring). Choose low-risk ports or non-production instances.
Watch logs and metrics during the first hours
Even with correct rules, network path issues can occur. Review firewall logs (if available), instance security logs, and load balancer access logs. Look for patterns like repeated denied attempts, timeouts, or successful connections from unexpected sources.
7. Troubleshooting Guide: When Traffic Doesn’t Reach the Server
When something fails, don’t guess. Use a structured approach that narrows the cause quickly.
Step 1: Confirm the service is listening
On the target instance, verify the application is bound to the expected interface and port.
- Alibaba Cloud enterprise account Confirm the process is running
- Confirm it listens on the correct port (and correct protocol)
If the service isn’t listening, firewall changes won’t help.
Step 2: Confirm internal route and reachability
Even when firewall rules are correct, routing issues can break connectivity. Check that:
- The source can reach the destination network
- There are no missing route table entries
- Network ACLs (if present) aren’t blocking the traffic
Step 3: Re-check rule match fields
Most rule mismatches come from simple errors:
- Wrong source IP/CIDR range
- Wrong port or protocol (for example, TCP vs UDP)
- Using a hostname or group that resolves differently than you expect
Compare the rule criteria to your test setup carefully.
Step 4: Check for overlapping rules and precedence
If you added a deny-like policy after an allow policy, precedence matters. Also check if another policy layer (like a different firewall policy attached elsewhere) is influencing traffic.
Step 5: Use a controlled test path
To eliminate variables, try:
- Test from the exact allowed source IP you configured
- Test from a known denied IP
- Test within the VPC from a host in the expected subnet
This helps you confirm whether the failure is rule-related or routing/application-related.
8. Common Best Practices That Prevent Security Incidents
Firewall rules are not just about “opening the right ports.” Over time, they become a security boundary. Treat them like production code: maintainable, reviewable, and auditable.
Use dedicated admin access paths
Instead of exposing SSH/RDP to the internet, prefer:
- A bastion/jump host with strict IP restrictions
- Or a VPN-based access model
This reduces brute-force exposure and simplifies logging.
Keep rules small and change them deliberately
When you need to add a rule, do it with justification and a clear scope. Avoid “temporary” rules that remain forever.
Operationally:
- Apply changes during a maintenance window if they affect production traffic
- Remove rules once the incident or task is complete
Document ownership and intent
Even a single sentence in the rule description can save future you. Examples:
- “Allow monitoring agent to scrape metrics”
- “Used by staging only; remove after release”
Monitor for denied traffic anomalies
Denied requests are not always bad. They can indicate misconfiguration, but they can also show scanning or probing. Watch patterns like repeated connection attempts to unusual ports.
9. A Practical Example Rule Set
Below is a sample approach you can adapt. Assume you run a public web service, an internal API, and a database that must remain private.
Inbound rules
- Alibaba Cloud enterprise account Allow-HTTP: TCP 80 from 0.0.0.0/0 (or from your CDN if applicable)
- Allow-HTTPS: TCP 443 from 0.0.0.0/0
- Allow-SSH: TCP 22 from your office public IP only
- Allow-Internal-API-to-DB: DB port (for example, 5432 for PostgreSQL or 3306 for MySQL) from your app subnet only
Alibaba Cloud enterprise account Outbound rules (optional)
- Allow-DNS: UDP/TCP 53 to your DNS resolver
- Allow-Updates: TCP 443 to trusted package repositories
- Allow-Internal-Dependencies: Required ports to known internal services
If outbound restrictions are too complex to start with, begin without outbound control, then tighten gradually after you observe traffic needs.
10. Rollout Strategy: From Test to Production Without Breaking Things
Even well-tested rules can fail in production due to environment differences. A rollout strategy reduces risk.
Use a staged rollout
- Apply to a staging environment first
- Verify connectivity from all required sources
- Apply to production in smaller steps if possible
Keep rollback simple
Before making changes:
- Record the existing rule set
- Save the current configuration if the console supports exporting
- Be ready to revert quickly if you block admin access or critical traffic
Conclusion
Setting up Alibaba Cloud firewall rules becomes straightforward when you treat it as a process: plan the traffic you need, apply least-privilege rules in a safe order, test both allowed and denied cases, and troubleshoot systematically. If you keep rules narrow, document intent, and monitor behavior after changes, you’ll build a firewall configuration that’s both secure and stable.
Start small, validate early, and tighten gradually. That approach beats rushing toward a complex rule set and hoping it works on the first try.

