
Cloud Firewall:FAQ about enabling and disabling firewalls

Last Updated:Feb 22, 2024

This topic answers frequently asked questions about enabling and disabling firewalls in Cloud Firewall, including the impact that enabling a firewall has on workloads and the route and traffic changes that follow.

What are the impacts of enabling a firewall?

Firewall type: Internet firewall

Impact: When you create, enable, or disable the Internet firewall, resources are added to or removed from the Internet firewall within seconds, without any change to your network topology. Your workloads are not affected.

Firewall type: NAT firewall

Impact:

  • When you create a NAT firewall, or delete a NAT firewall after it is disabled, your workloads are not affected.

    The creation duration depends on the number of elastic IP addresses (EIPs) associated with the NAT gateway, and increases by approximately 2 to 5 minutes for each additional EIP.

  • Enabling or disabling a NAT firewall takes approximately 10 seconds. Persistent connections may be interrupted for several seconds. Short-lived connections are not affected.

Firewall type: VPC firewall created for an Express Connect circuit, or VPC firewall created for a Basic Edition transit router

Impact:

  • When you create a VPC firewall, or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of routes. Persistent connections may be interrupted for several seconds. Short-lived connections are not affected.

    Note

    Before you enable a VPC firewall, check whether your application automatically re-establishes TCP connections after they drop, and monitor the connection status of your application while the firewall is being enabled. This helps avoid lasting connection interruptions.

Firewall type: VPC firewall created for an Enterprise Edition transit router, automatic traffic redirection

Impact:

  • When you create a VPC firewall, or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of routes. Your workloads are not affected.

Firewall type: VPC firewall created for an Enterprise Edition transit router, manual traffic redirection

Impact:

  • When you create a VPC firewall, or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • When you enable or disable a VPC firewall, the length of time during which your workloads are affected depends on how you perform the manual traffic redirection.

Why am I unable to activate Cloud Firewall for my account?

Causes

When you log on to the Cloud Firewall console, the message "Your account cannot be used to activate Cloud Firewall." appears. This can occur in the following scenarios:

  • Your account is an Alibaba Cloud account that is added as a member by another Alibaba Cloud account for centralized management.

  • Your account is a Resource Access Management (RAM) user and does not have the required permissions.

Solutions

You can move the pointer over the profile picture in the upper-right corner of the Cloud Firewall console to view the value of Account ID.

  • If the value of Account ID is a string of digits that starts with 1, your account is an Alibaba Cloud account.

    If your account is a member of a management account, you must log on to the Cloud Firewall console by using the management account. Then, activate Cloud Firewall for the member and enable protection for cloud assets that belong to the member. For more information, see Purchase Cloud Firewall.

  • If the value of Account ID is a string of digits that starts with 2, your account is a RAM user. In this case, use the Alibaba Cloud account to which the RAM user belongs to attach the following policies to the RAM user: createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess. For more information, see Grant permissions to a RAM user.

    createSlr is a custom policy that you need to create. It grants the RAM user only the permission to create the service-linked role that Cloud Firewall needs: the Effect must be Allow, the Resource is scoped to roles in your own account, and the ram:ServiceName condition restricts the grant to cloudfw.aliyuncs.com so the RAM user cannot create service-linked roles for other services. The following code provides an example of the policy content. For more information, see Create a custom policy.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:166032244439****:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cloudfw.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note

    You must specify the value of the Resource parameter in the following format: acs:ram:*:ID of the Alibaba Cloud account:role/*. The ID is the ID of the Alibaba Cloud account to which the RAM user belongs.
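The following Python helper, added here as an example and not part of the Alibaba Cloud documentation, builds the createSlr policy for a given Alibaba Cloud account ID and audits a policy document for the mistakes that make it either useless (Effect Deny) or too broad (wildcard Resource, missing or widened ram:ServiceName condition). The account ID used in the test is a constructed placeholder; replace it with the real ID of the Alibaba Cloud account that owns the RAM user.

```python
import json
import re

CLOUDFW_SERVICE = "cloudfw.aliyuncs.com"
CREATE_SLR_ACTION = "ram:CreateServiceLinkedRole"


def is_account_id(value: str) -> bool:
    """True for an Alibaba Cloud account ID as the page describes it: all digits, starting with 1.

    A RAM user ID starts with 2 and must not be used in the Resource element.
    (The page states only the leading digit, so no length is enforced here.)
    """
    return re.fullmatch(r"1\d+", value) is not None


def build_create_slr_policy(account_id: str) -> dict:
    """Return the createSlr custom policy scoped to one Alibaba Cloud account.

    Resource limits the grant to roles in that account; the Condition limits it to
    service-linked roles for Cloud Firewall, so the RAM user cannot create
    service-linked roles for any other service.
    """
    if not is_account_id(account_id):
        raise ValueError("account_id must be the Alibaba Cloud account ID (digits, starting with 1)")
    return {
        "Statement": [
            {
                "Action": [CREATE_SLR_ACTION],
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": [CLOUDFW_SERVICE]}},
            }
        ],
        "Version": "1",
    }


def _as_list(value):
    """RAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_create_slr_policy(policy: dict, account_id: str) -> list:
    """Return the problems found; an empty list means the policy grants exactly
    the Cloud Firewall service-linked-role creation and nothing more."""
    problems = []
    grants = [
        s for s in policy.get("Statement", [])
        if CREATE_SLR_ACTION in _as_list(s.get("Action", []))
    ]
    if not grants:
        return [f"no statement covers {CREATE_SLR_ACTION}"]
    expected_resource = f"acs:ram:*:{account_id}:role/*"
    for stmt in grants:
        if stmt.get("Effect") != "Allow":
            problems.append("Effect is not Allow: a Deny statement blocks the RAM user from creating the service-linked role")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            problems.append("Resource '*' allows creating service-linked roles in any account")
        elif expected_resource not in resources:
            problems.append(f"Resource does not match {expected_resource}")
        services = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])
        )
        if services != [CLOUDFW_SERVICE]:
            problems.append(f"Condition must restrict ram:ServiceName to exactly {CLOUDFW_SERVICE}, got {services}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder account ID; not a real account.
    demo_account = "1234567890123456"
    policy = build_create_slr_policy(demo_account)
    print(json.dumps(policy, indent=4))
    print("audit:", audit_create_slr_policy(policy, demo_account) or "ok")
```

Run the audit against the policy document you actually attach: a Deny effect, a wildcard Resource, or a condition listing more than cloudfw.aliyuncs.com are the three ways this grant is commonly mis-scoped.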

What is the purpose of the Internet firewall?

You can add multiple types of Internet-facing assets to the Internet firewall for protection, including public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of Server Load Balancer (SLB) instances, and elastic IP addresses (EIPs). After you enable the Internet firewall, the system forwards inbound and outbound traffic at the Internet border to Cloud Firewall. Then, Cloud Firewall filters the traffic and allows only traffic that meets the specified conditions. For more information, see Internet Firewall.

Can the Internet firewall protect IPv6 addresses?

Yes, the Internet firewall can protect IPv6 addresses. The Internet firewall can protect Internet-facing assets such as IPv6 addresses of ECS instances and SLB instances. For information about the cloud assets that can be protected by the Internet firewall, see Protection scope.

Is network traffic affected after I enable the Internet firewall?

If you enable the Internet firewall but do not configure access control policies or policies for the intrusion prevention system (IPS), Cloud Firewall monitors traffic and generates alerts for suspicious traffic but does not block suspicious traffic.

By default, the Internet firewall is enabled after you activate Cloud Firewall.

What are the impacts of disabling the Internet firewall?

If you disable the Internet firewall, network traffic no longer passes through Cloud Firewall, and the following consequences follow:

  • The Internet firewall stops protecting your assets. For example, the access control policies that you created no longer take effect, and intrusion prevention is disabled.

  • The statistics of traffic at the Internet border are not updated, including network traffic analysis reports and traffic logs.

When I enable the Internet firewall, SLB instance-related network restriction prompts are displayed. Why?

Cause

When you enable the Internet firewall, the message "You cannot enable a firewall for the IP address because the network of the SLB instance does not support this operation." appears. The likely cause is that the SLB instance has only private IP addresses, and an SLB instance of this type does not support Cloud Firewall.

Solution

If your asset is an internal-facing SLB instance, we recommend that you associate an EIP with the instance to redirect traffic to Cloud Firewall. For more information, see Associate and manage an EIP.

Why are my public IP addresses not displayed after I perform asset synchronization in Cloud Firewall Free Edition?

Cloud Firewall Free Edition displays only EIPs and does not display the public IP addresses of ECS instances.

Are the security group rules in ECS affected after VPC Firewall is enabled?

No, network traffic and security group rules are not affected.

After you enable VPC Firewall, a security group named Cloud_Firewall_Security_Group and an access control policy are automatically created to allow traffic to the VPC firewall. The security group controls only traffic between VPCs. The existing security group rules are not affected. You do not need to migrate or modify security group rules in ECS.

Why am I prompted that unauthorized network instances exist when I create a VPC firewall?

Cause

The Cloud Enterprise Network (CEN) instance is associated with a VPC that belongs to a different Alibaba Cloud account, and Cloud Firewall has not been authorized to access the cloud resources of the account that owns that VPC.

Solution

Log on to the Cloud Firewall console with the Alibaba Cloud account that owns the VPC, and authorize Cloud Firewall to access the cloud resources within that account by using a service-linked role as prompted. For more information, see Authorize Cloud Firewall to access other cloud resources.

I have enabled a VPC firewall for a Basic Edition transit router. Why is a routing policy whose Routing Policy Action is set to Deny added to the route table of the transit router?

After you create and enable a VPC firewall for a VPC (named VPC-test in this example) that is connected to a Basic Edition transit router, the VPC Firewall feature creates a VPC named Cloud_Firewall_VPC and advertises a static route that redirects traffic from the other VPCs connected to the transit router, which are not protected by firewalls, to Cloud Firewall.

Cloud Firewall also adds a static route whose next hop is the ENI created for Cloud_Firewall_VPC to the route table of Cloud_Firewall_VPC, and creates a routing policy whose Routing Policy Action is set to Deny. This prevents VPC-test from learning the routes that are advertised by CEN, so the outbound traffic of VPC-test follows the static route and is redirected to Cloud Firewall.

Important

Do not modify or delete the routing policy or the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.

Why does Cloud Firewall create a route table and add the static route 0.0.0.0/0 to the route table after I enable a NAT firewall?

After you enable a NAT firewall, Cloud Firewall automatically creates the custom route table Cloud_Firewall_ROUTE_TABLE and adds to it the static route 0.0.0.0/0 that points to the NAT gateway protected by Cloud Firewall. In addition, Cloud Firewall changes the next hop of the static route 0.0.0.0/0 in the system route table to the ENI of the NAT firewall. As a result, outbound traffic that would otherwise go straight to the NAT gateway is redirected through Cloud Firewall first.

Important

Do not modify or delete the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.
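Because an edited or deleted route silently sends outbound traffic past the NAT firewall, it is worth checking the two default routes described above as part of routine configuration review. The Python check below is an added example, not Alibaba Cloud code: it works on a simplified route-table snapshot whose field names are this example's own (not the VPC API response schema), with constructed placeholder IDs for the NAT gateway and the firewall ENI. In practice you would populate the snapshot from the VPC route-table API and pass the real IDs.

```python
import copy

# Constructed placeholder IDs; replace with the real NAT gateway and NAT firewall ENI IDs.
NAT_GATEWAY_ID = "ngw-placeholder"
FIREWALL_ENI_ID = "eni-cloudfw-placeholder"
DEFAULT_ROUTE = "0.0.0.0/0"
CUSTOM_TABLE_NAME = "Cloud_Firewall_ROUTE_TABLE"

# Constructed snapshot of the state the page describes after the NAT firewall is enabled.
# "system" is the VPC system route table, "custom" is the table Cloud Firewall created.
EXPECTED_SNAPSHOT = {
    "system": {
        "name": "System",
        "routes": [
            {"destination": DEFAULT_ROUTE, "next_hop_type": "NetworkInterface", "next_hop_id": FIREWALL_ENI_ID},
            {"destination": "10.0.0.0/16", "next_hop_type": "local", "next_hop_id": ""},
        ],
    },
    "custom": {
        "name": CUSTOM_TABLE_NAME,
        "routes": [
            {"destination": DEFAULT_ROUTE, "next_hop_type": "NatGateway", "next_hop_id": NAT_GATEWAY_ID},
        ],
    },
}


def default_route(table):
    """Return the 0.0.0.0/0 route entry of a table, or None if there is none."""
    return next((r for r in table["routes"] if r["destination"] == DEFAULT_ROUTE), None)


def check_nat_firewall_routes(tables, nat_gateway_id, firewall_eni_id):
    """Return a list of findings; an empty list means the redirection routes are intact."""
    findings = []

    custom = tables.get("custom")
    if not custom or custom.get("name") != CUSTOM_TABLE_NAME:
        findings.append(f"{CUSTOM_TABLE_NAME} is missing or renamed")
    else:
        route = default_route(custom)
        if route is None or route["next_hop_id"] != nat_gateway_id:
            findings.append(f"{CUSTOM_TABLE_NAME}: {DEFAULT_ROUTE} must point to the protected NAT gateway {nat_gateway_id}")

    system = tables.get("system")
    route = default_route(system) if system else None
    if route is None:
        findings.append(f"system route table: {DEFAULT_ROUTE} route is missing")
    elif route["next_hop_id"] != firewall_eni_id:
        findings.append(
            f"system route table: {DEFAULT_ROUTE} next hop is {route['next_hop_type']} "
            f"{route['next_hop_id']}, expected the NAT firewall ENI; outbound traffic bypasses Cloud Firewall"
        )
    return findings


def drifted_snapshot():
    """Constructed drift case: someone pointed the system default route back at the NAT gateway."""
    snapshot = copy.deepcopy(EXPECTED_SNAPSHOT)
    default_route(snapshot["system"]).update(next_hop_type="NatGateway", next_hop_id=NAT_GATEWAY_ID)
    return snapshot


if __name__ == "__main__":
    print("intact:", check_nat_firewall_routes(EXPECTED_SNAPSHOT, NAT_GATEWAY_ID, FIREWALL_ENI_ID) or "ok")
    for finding in check_nat_firewall_routes(drifted_snapshot(), NAT_GATEWAY_ID, FIREWALL_ENI_ID):
        print("drift:", finding)
```

The drifted case is the one that matters operationally: the VPC still has Internet access through the NAT gateway, so nothing breaks visibly, but every outbound flow now skips the NAT firewall's access control and intrusion prevention.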

How does Cloud Firewall match outbound traffic against access control policies of the Internet firewall, a NAT firewall, and a Domain Name System (DNS) firewall?

If you have enabled the Internet firewall, a NAT firewall, and a DNS firewall, and an ECS instance accesses a domain name, Cloud Firewall matches the outbound traffic against access control policies in the following order:

  1. The ECS instance initiates a DNS request. The DNS request passes through the DNS firewall and is matched against the access control policies created for the DNS firewall.

  2. The private network traffic that originates from the ECS instance passes through the NAT firewall, and is matched against the access control policies created for the NAT firewall.

  3. The allowed private network traffic passes through the NAT gateway, and the source IP address of the private traffic is converted to the public IP address of the NAT gateway.

  4. The NAT gateway sends Internet traffic to the Internet firewall to match against the access control policies that are created for the Internet firewall.

  5. The traffic is matched against threat intelligence rules, basic protection policies, intelligence defense rules, and virtual patching rules of Cloud Firewall in sequence.

If the traffic does not hit a Deny policy in the preceding procedure, the traffic accesses the domain name. If the traffic hits a Deny policy, the traffic is denied and cannot access the domain name.
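The practical consequence of this ordering is that a NAT firewall policy sees the ECS instance's private IP address as the source, while an Internet firewall policy sees the NAT gateway's public IP address, because SNAT happens between steps 2 and 4. The Python model below is an added example, not Cloud Firewall code: it walks the stages in the order listed above, applies first-match rules per stage, and stops at the first Deny. The rule format, IP addresses, and domain names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Stage order as the page lists it; SNAT on the NAT gateway happens just before "internet".
STAGES = ["dns", "nat", "internet", "threat_intel"]


@dataclass(frozen=True)
class Rule:
    stage: str            # one of STAGES
    action: str           # "allow" or "deny"
    src: str = "0.0.0.0/0"  # source CIDR the rule applies to
    dst: str = "*"          # destination domain name, or "*" for any

    def matches(self, src_ip: str, domain: str) -> bool:
        in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        return in_src and (self.dst == "*" or self.dst == domain)


def first_match(rules, stage, src_ip, domain):
    """First-match semantics within one stage; None means no policy applied."""
    for rule in rules:
        if rule.stage == stage and rule.matches(src_ip, domain):
            return rule
    return None


def evaluate_outbound(rules, ecs_private_ip, nat_gateway_public_ip, domain):
    """Return (verdict, trace) for one outbound access from an ECS instance to a domain."""
    trace = []
    src = ecs_private_ip
    for stage in STAGES:
        if stage == "internet":
            # Step 3 on the page: SNAT on the NAT gateway. From here on the Internet
            # firewall sees the gateway's public IP, not the ECS instance's private IP.
            src = nat_gateway_public_ip
            trace.append(f"snat: {ecs_private_ip} -> {src}")
        rule = first_match(rules, stage, src, domain)
        if rule is None:
            # With no matching policy the stage only monitors; traffic passes.
            trace.append(f"{stage}: no policy matched, traffic passes")
            continue
        trace.append(f"{stage}: matched {rule.action} rule src={rule.src} dst={rule.dst}")
        if rule.action == "deny":
            return "deny", trace
    return "allow", trace


# Constructed sample: an operator wrote a block rule keyed to the ECS private IP on the
# Internet firewall, where that address is never visible, plus one threat-intel entry.
ECS_IP = "10.0.1.5"
NAT_EIP = "203.0.113.10"
SAMPLE_RULES = [
    Rule("internet", "deny", src="10.0.1.5/32", dst="updates.example.com"),
    Rule("threat_intel", "deny", dst="malware.example.net"),
]

if __name__ == "__main__":
    for domain in ("updates.example.com", "malware.example.net"):
        verdict, trace = evaluate_outbound(SAMPLE_RULES, ECS_IP, NAT_EIP, domain)
        print(domain, "->", verdict)
        for line in trace:
            print("   ", line)
```

Running the sample shows the ineffective rule: the Internet firewall never matches src=10.0.1.5/32 because the source has already been rewritten to 203.0.113.10, so updates.example.com is allowed. Moving the same rule to the NAT firewall stage, which runs before SNAT, makes it fire. Per-instance egress rules therefore belong on the NAT firewall; Internet firewall rules must be written in terms of the NAT gateway's public IP.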
