Choose whether to enable Deny communication by default.
This option governs virtual machines in the ANS service that have no custom security policy or quarantine policy applied. If it is enabled, those virtual machines are not allowed to receive or send any traffic; if it is disabled, those virtual machines are allowed to receive and send all traffic.
Note:
- This setting only takes effect on a virtual machine's virtual NICs that are connected to the VM networks associated with this ANS service.
- This setting takes effect only after ANS has been successfully deployed.
Create the Global allowlist and choose whether to enable it immediately.
When Deny communication by default is enabled or custom security policies are configured, the global allowlist keeps communication working between services deployed outside the data center (such as bastion hosts) and the virtual machines inside it.
Choose whether to enable the global allowlist immediately.
Note:
When using the traffic visualization feature of observability, you can configure the global allowlist during ANS deployment without enabling it immediately. After deployment, let the relevant applications run for a period of time, then turn on the Preview switch in traffic visualization to compare the current flow type with the flow type expected once the global allowlist takes effect. If the expected flow type is not what you intend, edit the global allowlist as described in Editing the global security policy, let the applications run for a further period, and check the expected flow type again; repeat until it matches your intent, and only then enable the global allowlist. This lets you learn the impact of the global allowlist before it takes effect and identify and resolve potential security issues in advance, with no actual impact on the applications' running traffic. For the specific operations, refer to Security policy monitoring mode.
Click + Add IP address to configure ingress and egress allowlists. This operation is optional if the global allowlist is not enabled.
Add ingress/egress allowlist by IP address: Enter IP addresses, CIDR blocks, or IP ranges, separated by commas. After entering the addresses, you can click the ellipsis (...) to the right of the input box and then click Exclude specific IP address to manually exclude specific addresses from the set entered above.
Protocol: You can choose Specify and then enter the allowed protocols and ports, or select specific services. If you don't need to restrict protocols, you can choose Any.
Note:
- The global allowlist does not apply to virtual machines with quarantine policies applied.
- The addresses entered in the global allowlist should lie outside the scope of the ANS service. If an allowlist entry covers virtual machines in clusters already associated with ANS, the global allowlist does not create symmetric traffic rules for those virtual machines, so it cannot guarantee that they can reach other virtual machines associated with the ANS service. How their traffic is handled depends on the other security policies that apply to them.
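The following Python script is an added example, not part of the ANS product or this page. It models the allowlist entry format described above (comma-separated IP addresses, CIDR blocks and IP ranges, optional excluded addresses, and a protocol/port list or Any) and then labels a set of constructed captured flows the way the monitoring-mode preview is meant to be used: flows the allowlist would match versus flows it would not, so the list can be reviewed before it is enabled. The evaluation order (exclusion wins over inclusion, then protocol/port), the `tcp/22` protocol notation, and all sample addresses and flows are assumptions made for the example; how ANS itself matches entries is not specified on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: models the allowlist entry format described on this page.
# Matching semantics are an assumption for illustration, not ANS's own code.


class _Range:
    """Inclusive address range such as 192.0.2.1-192.0.2.20."""

    def __init__(self, lo, hi):
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {lo}-{hi}")
        self.lo, self.hi = lo, hi

    def __contains__(self, addr):
        return addr.version == self.lo.version and self.lo <= addr <= self.hi


def parse_addresses(text: str):
    """Parse 'a, b/24, c-d' into objects that support `addr in obj`."""
    entries = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if "-" in raw:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
            entries.append(_Range(lo, hi))
        else:
            # A bare address becomes a /32 (or /128); strict=False tolerates
            # host bits set in a block such as 10.0.1.5/24.
            entries.append(ipaddress.ip_network(raw, strict=False))
    return entries


def parse_protocols(text: str):
    """'Any' -> None; 'tcp/22, icmp' -> {('tcp', 22), ('icmp', None)} (assumed notation)."""
    if text.strip().lower() == "any":
        return None
    services = set()
    for raw in text.split(","):
        raw = raw.strip().lower()
        if raw:
            proto, _, port = raw.partition("/")
            services.add((proto, int(port) if port else None))
    return services


@dataclass
class AllowlistRule:
    includes: list
    excludes: list
    services: Optional[set]  # None means Any

    @classmethod
    def parse(cls, addresses: str, excluded: str = "", protocol: str = "Any"):
        return cls(parse_addresses(addresses), parse_addresses(excluded), parse_protocols(protocol))

    def matches(self, peer: str, proto: str, port: Optional[int]) -> bool:
        addr = ipaddress.ip_address(peer)
        if any(addr in ex for ex in self.excludes):
            return False  # an explicit exclusion wins over any include
        if not any(addr in inc for inc in self.includes):
            return False
        if self.services is None:
            return True
        return (proto.lower(), port) in self.services or (proto.lower(), None) in self.services


@dataclass(frozen=True)
class Flow:
    direction: str  # "ingress": peer -> VM, "egress": VM -> peer
    peer: str
    proto: str
    port: Optional[int]


def preview(ingress: AllowlistRule, egress: AllowlistRule, flows):
    """Label each captured flow 'allowlisted' or 'not matched'.

    Flows labelled 'not matched' are the ones whose fate, once the allowlist is
    enabled, falls to Deny communication by default and any custom policies.
    """
    verdicts = {}
    for f in flows:
        rule = ingress if f.direction == "ingress" else egress
        verdicts[f] = "allowlisted" if rule.matches(f.peer, f.proto, f.port) else "not matched"
    return verdicts


# Constructed sample: a bastion-host allowlist and a few captured flows.
INGRESS = AllowlistRule.parse(
    "203.0.113.10, 198.51.100.0/24, 192.0.2.1-192.0.2.20",
    excluded="198.51.100.77",
    protocol="tcp/22, tcp/3389",
)
EGRESS = AllowlistRule.parse("198.51.100.0/24", protocol="Any")

SAMPLE_FLOWS = [
    Flow("ingress", "203.0.113.10", "tcp", 22),    # bastion SSH: allowlisted
    Flow("ingress", "198.51.100.77", "tcp", 22),   # excluded host: not matched
    Flow("ingress", "198.51.100.5", "tcp", 80),    # right host, wrong port: not matched
    Flow("ingress", "192.0.2.15", "tcp", 3389),    # inside the range: allowlisted
    Flow("ingress", "192.0.2.30", "tcp", 22),      # outside the range: not matched
    Flow("egress", "198.51.100.200", "udp", 514),  # protocol Any: allowlisted
]

if __name__ == "__main__":
    for flow, verdict in preview(INGRESS, EGRESS, SAMPLE_FLOWS).items():
        print(f"{flow.direction:7} {flow.peer:15} {flow.proto}/{flow.port}: {verdict}")
```

Run over traffic captured while the allowlist is configured but not yet enabled, the "not matched" rows are the ones to check against the intended bastion and management paths before turning the switch on; anything legitimately needed there has to be added to the list, because once enabled only the "allowlisted" rows are covered by it.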