Huawei Cloud Firewall Policy Configuration Guide
Introduction
On Huawei Cloud, a firewall policy is the backbone of network security. It decides who can access what, which ports are allowed, and how traffic is handled. But “policy configuration” can feel confusing because you’re not just toggling rules—you’re designing a decision system for traffic that must work reliably under real network conditions.
This guide explains how to configure Huawei Cloud firewall policies in a clear, practical way. You’ll learn how to think before you click, how to build rules step by step, how to avoid common mistakes, and how to verify the configuration when something doesn’t work as expected.
Understand the Components Before You Configure
Before creating any policy, you should understand the main building blocks and how they interact. Most configuration problems come from mixing concepts: rules vs. policies, direction vs. protocol, and address scope vs. service scope.
Firewall policy vs. firewall rule
A firewall policy is a collection of rules that apply to traffic under certain conditions. A firewall rule is the actual decision logic inside that policy: it specifies matching criteria (source/destination, protocol, ports, action) and the action to take.
Traffic direction: inbound and outbound
When you design rules, decide whether the traffic is coming into your protected resources (inbound) or going out from them (outbound). Many users accidentally configure rules in the wrong direction, which makes the policy look “correct” but ineffective.
Protocol and port matching
Firewall rules typically match on protocol (TCP/UDP/ICMP/any) and port ranges. A rule that allows TCP port 22 won’t automatically allow UDP port 22, and a rule that uses an “any port” setting won’t restrict that traffic.
Priority and rule order
Most firewall systems evaluate rules based on priority. If two rules could match the same traffic, the one with higher priority (or earlier evaluation order) usually wins. So you must design priorities deliberately, not randomly.
Plan Your Policy Like an Engineer
Good firewall configuration starts with a small checklist. You don’t need fancy tools—just a structured approach.
Define protected assets
Identify the resources you want to protect: ECS instances, load balancers, private network segments, or other services. Clarify which IP ranges represent these assets.
List required access paths
Write down exactly what traffic you need:
- Who should reach you? (source networks or specific IPs)
- What do they need? (protocol + port)
- What should happen? (allow or deny)
- From where to where? (destination IP range)
Adopt a least-privilege mindset
Try to allow only what you need. If you can restrict by IP range and port, do it. If you can restrict by direction, do it. “Allow any” rules reduce security value and make troubleshooting harder when attacks or misconfigurations happen.
Decide default behavior
Policies usually have a default action for unmatched traffic (often deny). If your environment expects “implicit deny,” make sure you explicitly allow required flows. If the default is allow, be extra careful and rely on deny rules rather than trusting that “nothing else matters.”
Gather the Information You’ll Need
Before you start creating rules, collect these inputs. Having them ready prevents repeated edits and accidental rule gaps.
Source and destination address ranges
Decide on the source CIDR blocks (for example, office network, partner network, or admin jump host) and destination CIDR blocks (the servers or subnets you protect).
Ports and protocol details
For each service you want to expose, list its ports and protocol. For example:
- SSH: TCP 22
- Web: TCP 80 and 443
- Database: TCP 3306 (MySQL) or TCP 5432 (PostgreSQL)
If you use non-standard ports, write them down clearly to avoid “almost correct” rules.
Special cases: ICMP and health checks
Some environments require ICMP for diagnostics or monitoring. Load balancers may also require health check traffic. Decide whether you need these and define their scope tightly.
Configure the Firewall Policy: Step-by-Step
The exact page names can vary, but the workflow is consistent. Below is a general process that you can map to Huawei Cloud console options.
Step 1: Select the correct environment (VPC / network context)
Start by choosing the network context where the firewall policy will be applied. Many users create a policy but attach it to a different context than the one where their resources live, so it never matches.
Step 2: Create or open the firewall policy
Create a new firewall policy and give it a clear name. Use naming that includes environment and purpose, such as prod-web-inbound or dev-db-outbound-restriction.
Step 3: Add rules with clear matching criteria
Create rules one by one. For each rule, specify:
- Direction (inbound or outbound)
- Action (allow or deny)
- Protocol
- Source addresses
- Destination addresses
- Port range (if applicable)
- Priority
Step 4: Set priorities to avoid conflicts
When you add multiple rules, decide which ones must win. For example:
- Allow rules for specific trusted sources should generally have higher priority than broader deny rules.
- Deny rules for clearly malicious networks may have higher priority than generic allow rules.
Never rely on “it should match.” Make the priority logic explicit.
Step 5: Apply the policy to the intended resources
A policy often needs to be associated with network segments or protection objects. Double-check that the attachment matches your actual deployment. If you applied the policy to a different subnet or ignored the target scope, traffic will not be evaluated as you expect.
Step 6: Enable the policy (if there’s a separate switch)
Some configurations create the policy in a “draft” or “disabled” state. Ensure the policy is enabled after configuration. This sounds obvious, but it’s one of the most frequent reasons a “working rule” still fails.
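To make the matching and priority semantics of Steps 3 and 4 concrete, here is a small Python model of a policy being evaluated against individual flows. It is example code written for this guide, not Huawei Cloud's implementation: the field names, the convention that a lower priority number is evaluated first, and the documentation-range addresses are assumptions of the model, so confirm the console's own priority ordering before relying on it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    action: str                     # "allow" or "deny"
    protocol: str                   # "tcp", "udp", "icmp" or "any"
    source: str                     # source CIDR
    destination: str                # destination CIDR
    ports: tuple = (0, 65535)       # inclusive destination port range (tcp/udp only)
    priority: int = 100             # assumption: lower number is evaluated first

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int = 0               # 0 for protocols without ports (icmp)

def matches(rule: Rule, flow: Flow) -> bool:
    """True only when every criterion of the rule matches the flow."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if flow.protocol in ("tcp", "udp") and not (rule.ports[0] <= flow.dst_port <= rule.ports[1]):
        return False
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.destination))

def evaluate(rules, flow: Flow, default: str = "deny"):
    """Walk rules in priority order; the first match wins, otherwise the policy default applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "default"

# Constructed policy for a public web service; the addresses are documentation ranges, not real ones.
WEB_SUBNET = "10.0.1.0/24"
ADMIN_JUMP = "203.0.113.0/28"
POLICY = [
    Rule("allow-https", "inbound", "allow", "tcp", "0.0.0.0/0", WEB_SUBNET, (443, 443), 10),
    Rule("allow-ssh-admin", "inbound", "allow", "tcp", ADMIN_JUMP, WEB_SUBNET, (22, 22), 20),
    Rule("deny-all-inbound", "inbound", "deny", "any", "0.0.0.0/0", WEB_SUBNET, priority=1000),
]
```

Adding a broad deny with priority 1 to the same list reproduces the priority conflict described under Troubleshooting: it outranks allow-https and the HTTPS flow is denied even though an allow rule exists.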
Recommended Rule Patterns
Instead of building rules randomly, use proven patterns that make policies easier to audit.
Pattern A: Explicit allow for required inbound services
If you protect a web service, you typically allow only these inbound flows from the required source ranges:
- Allow TCP 443 to the web server subnet from the internet (or only from a CDN / reverse proxy IP range if possible).
- Allow TCP 80 only if you use it for redirects or plain HTTP.
- Optionally allow SSH (TCP 22) only from admin jump hosts.
This approach reduces exposure and makes it clear what “legitimate” looks like.
Pattern B: Default deny with scoped exceptions
Start with a policy posture that denies by default, then add scoped allow rules. This prevents unintended traffic from creeping in as your environment grows.
For example, deny all inbound except:
- HTTP/HTTPS from trusted sources
- Admin access from a limited CIDR
Pattern C: Outbound restriction by service needs
Outbound rules are often overlooked. If your servers should only reach specific destinations (for example, package repositories, authentication services, or an internal API), restrict outbound traffic. Otherwise, malware or misconfigured apps can call out freely.
Testing and Validation: How to Confirm It Works
Once your policy is configured and enabled, test it in a controlled way. Don’t jump straight to “everything seems okay.” Validate rule-by-rule using clear traffic tests.
Validate connectivity from a known source
Choose a test source IP that you expect to be allowed and try to access the target service. For example, from an admin host test SSH, and from a test client test HTTPS.
Validate that forbidden traffic is blocked
Also test traffic that should not be allowed:
- Try connecting to a blocked port on the same destination.
- Try from a source IP that is not in the allowed CIDR.
This proves that your deny behavior (or lack of matching allow) is functioning.
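A small probe for the validation steps above, added here as example code (not a Huawei Cloud tool). It distinguishes an accepted connection (the allow rule works), an immediate refusal (the host is reachable but nothing is listening, which points at the server rather than the firewall) and a timeout (typically a silent drop by a firewall or route). Hosts, ports and the expected outcomes are inputs you supply from your own allow/deny plan.

```python
import socket

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the outcome.

    'open'     - the three-way handshake completed (an allow rule matched)
    'refused'  - the host answered with a reset (reachable, port not listening)
    'filtered' - no answer before the timeout (commonly a firewall drop)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:          # no route, network unreachable, etc.
        return f"error: {exc.strerror or exc}"

def check_expectations(checks, timeout: float = 3.0):
    """checks is a list of (host, port, expected_result) tuples taken from
    your access plan; returns the entries whose observed result differs."""
    mismatches = []
    for host, port, expected in checks:
        observed = probe_tcp(host, port, timeout)
        if observed != expected:
            mismatches.append((host, port, expected, observed))
    return mismatches

if __name__ == "__main__":
    # Constructed plan: replace with your real targets before use.
    plan = [
        ("127.0.0.1", 443, "open"),      # required service from an allowed source
        ("127.0.0.1", 3306, "filtered"),  # database port must not be reachable
    ]
    for item in check_expectations(plan):
        print("MISMATCH host=%s port=%d expected=%s observed=%s" % item)
```

Run the same plan once from an allowed source and once from a disallowed one; a 'refused' where you expected 'filtered' means the firewall let the packet through and only the missing listener stopped it.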
Check whether the server or the network is the real issue
If a connection fails, don’t assume the firewall is wrong. Confirm service listening and reachability:
- Is the server application bound to the correct interface?
- Is it listening on the expected port?
- Is there any upstream routing or NAT behavior affecting source/destination?
Use logs if available
Many firewall features provide logs or alerts for matched/blocked traffic. Review those logs to see which rule matched (or why nothing matched). This is usually the fastest way to pinpoint the problem.
Troubleshooting Common Problems
Most issues are not mysterious—they’re mismatches between what you think you allowed and what the policy actually matches.
Problem 1: Policy attached to the wrong scope
Symptoms: nothing works, even though rules look correct. Fix: verify the association context (subnet/VPC/protection object) and confirm the resource is actually under that scope.
Problem 2: Direction mismatch (inbound vs outbound)
Symptoms: outbound tests fail, but inbound rules were added (or vice versa). Fix: recreate rules in the correct direction and retest.
Problem 3: Priority conflict
Symptoms: one rule “should allow,” but traffic is still blocked. Fix: check rule priorities and remove overlaps. Make sure allow rules for trusted traffic outrank deny rules that would otherwise catch it.
Problem 4: Port/protocol mismatch
Symptoms: web works but API calls fail; or SSH works but ICMP diagnostics fail. Fix: verify protocol (TCP vs UDP) and port range exactly. Many connection errors come from a single off-by-one port or wrong protocol.
Problem 5: Address range misunderstanding
Symptoms: a rule seems right, but only some clients work. Fix: confirm CIDR boundaries and whether addresses are changing due to NAT, proxying, or load balancing. The “source” seen by the firewall may not be the original client IP.
Problem 6: Using overly broad rules that mask the real issue
Symptoms: everything becomes allowed, so you can’t tell what is responsible. Fix: tighten rules temporarily. If you can reproduce the issue with minimal rules, you’ll find the mismatch faster.
Security Best Practices for Firewall Policies
Firewall policy configuration isn’t just about getting it to work. It’s about making it safe to operate for months.
Keep rules minimal and readable
Every rule is future technical debt. If you can combine ports into a single range safely, do it. But if combining makes the rule vague, split it for clarity.
Use consistent naming and tagging
Names should reflect intent: environment, service, direction, and whether it’s inbound/outbound. This makes audits and incident response faster.
Document assumptions
If a rule depends on a specific NAT gateway, a particular admin jump host CIDR, or load balancer health checks, note it. Otherwise, the next person will change something and wonder why traffic breaks.
Review rules regularly
As services change, ports and sources change too. A good operational habit is to review firewall rules every quarter or after any major infrastructure change.
Plan for change safely
When updating policies in production, avoid “edit everything at once.” Change one group of rules, validate, then proceed. This reduces blast radius and makes troubleshooting easier.
Example Policy Scenarios
Below are simplified examples that show how the same principles translate into real environments.
Scenario 1: Public web service with limited admin access
- Inbound: allow TCP 80/443 to the web subnet from the required client sources.
- Inbound: allow TCP 22 to the management subnet only from admin jump host CIDRs.
- Inbound: deny other ports by default.
- Outbound: restrict to necessary destinations (optional but recommended).
Scenario 2: Internal application talking to a database
- Inbound to app servers: allow required ports from internal networks.
- Inbound to database: allow TCP database port only from app server subnet CIDRs.
- Outbound: allow the app servers to reach specific internal services, block everything else if possible.
Scenario 3: Prevent outbound data exfiltration
- Outbound: allow only DNS/HTTP(S) to approved destinations (or approved ranges).
- Outbound: deny all other traffic.
- Inbound: keep as strict as your service needs.
Operational Checklist Before You Call It Done
When you finish configuring a firewall policy, run through this checklist:
- The policy is enabled.
- The policy is attached to the correct resources and network scope.
- Rules match the correct direction.
- Protocol and port definitions are exact.
- Priorities are set to avoid collisions.
- Required services are tested from allowed sources.
- Forbidden traffic is tested from disallowed sources.
- Logs (if available) confirm expected matches.
Conclusion
Configuring Huawei Cloud firewall policies becomes straightforward when you stop treating it as a form-filling task and start treating it as a structured design process. Plan the traffic flows, create rules with precise matching, apply the policy to the correct scope, and validate with targeted tests. If something doesn’t work, troubleshoot methodically by checking direction, priority, protocol/port, and address ranges.
With a disciplined approach, your firewall policy won’t just “pass” an initial test—it will hold up under changes, growth, and real-world network behavior.