You can use a Virtual Private Cloud (VPC) firewall to detect and control traffic between two VPCs. If your VPCs are connected by using Express Connect or if they belong to the same Cloud Enterprise Network (CEN) instance, you can create a VPC firewall for an Express Connect or a CEN instance. Cloud Firewall can be used to analyze and control the traffic between two VPCs only after a VPC firewall is created and enabled.

Prerequisites

You have purchased a Cloud Enterprise Network (CEN) or Express Connect instance, and have connected two VPCs by using the instance. For more information, see Connect two VPCs under the same Alibaba Cloud account.

Background information

A VPC firewall can control the traffic between two connected VPCs and the traffic between a VPC and a data center.
A VPC firewall is suitable for the following scenarios:

Supported editions

VPC Firewall is supported by Cloud Firewall Enterprise and Ultimate Editions. Cloud Firewall Premium Edition does not support VPC Firewall. The VPC Firewall tab is not displayed in the console of Cloud Firewall Premium Edition.

Precautions

After you create a VPC firewall, the following resources that the firewall needs to use are automatically created:
  • A VPC named Cloud_Firewall_VPC.
  • A vSwitch named Cloud_Firewall_VSWITCH using the CIDR block 10.219.219.216/29.
  • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.
Take note of the following items:
  • Do not add the cloud resources of your service to the automatically created VPC.
  • Do not modify or delete the network resources within the automatically created VPC.
  • Do not use the CIDR block 10.219.219.216/29 that the automatically created vSwitch uses during network planning. This prevents the failure of communication between two VPCs caused by CIDR block conflict.
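
As an added example that is not part of the Alibaba Cloud documentation, the following Python script checks a planned set of VPC CIDR blocks against the reserved 10.219.219.216/29 vSwitch block before any VPC firewall is created. The plan values are constructed sample data, and the comma-separated input format mirrors the Destination CIDR Block field of the Create VPC Firewall dialog.

```python
import ipaddress

# CIDR block that Cloud Firewall reserves for the automatically created
# vSwitch Cloud_Firewall_VSWITCH (value taken from the documentation above).
CLOUD_FIREWALL_VSWITCH_CIDR = ipaddress.ip_network("10.219.219.216/29")


def parse_destination_cidrs(text):
    """Parse a comma-separated CIDR list, as entered in the Destination CIDR
    Block field, into network objects. strict=True rejects entries with host
    bits set (e.g. 10.0.0.1/24), which would otherwise hide a planning error."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def find_conflicts(planned_cidrs, reserved=CLOUD_FIREWALL_VSWITCH_CIDR):
    """Return the planned blocks that overlap the reserved vSwitch block.
    Any overlap, in either direction, would break inter-VPC communication."""
    return [str(n) for n in planned_cidrs if n.overlaps(reserved)]


def check_plan(plan):
    """plan maps a VPC name to its comma-separated CIDR blocks.
    Returns {vpc_name: [conflicting blocks]} for VPCs that need replanning."""
    report = {}
    for name, text in plan.items():
        conflicts = find_conflicts(parse_destination_cidrs(text))
        if conflicts:
            report[name] = conflicts
    return report


# Constructed sample plan (hypothetical VPC names and blocks, not from the page).
SAMPLE_PLAN = {
    "vpc-app": "10.10.0.0/16, 192.168.100.0/24",
    "vpc-data": "10.219.0.0/16",                   # the /16 contains the reserved /29
    "vpc-legacy": "10.219.219.0/24,172.16.0.0/12",  # the /24 also contains it
}

if __name__ == "__main__":
    for name, conflicts in check_plan(SAMPLE_PLAN).items():
        print(f"{name}: conflicts with Cloud Firewall vSwitch block: {', '.join(conflicts)}")
```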

Create a VPC firewall for a CEN instance

Cloud Firewall can protect two VPCs that are created by different Alibaba Cloud accounts and are connected by using a CEN instance. One of the VPCs is created by the current Alibaba Cloud account, and the other is created by a different account. If two VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must be authorized to access the cloud resources of both accounts. Otherwise, you cannot create a VPC firewall for the CEN instance, and the message It is not allowed to be created because of the existing unauthorized network instance is displayed on the CEN tab. To go to the CEN tab, log on to the Cloud Firewall console, click Firewall Settings in the left-side navigation pane, click the VPC Firewall tab, and then click the CEN tab.

To authorize Cloud Firewall to access the cloud resources of an Alibaba Cloud account, perform the following operations:
  1. Log on to the Cloud Firewall console by using the account.
  2. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
Note If you want to create a VPC firewall for a CEN instance, take note of the following items:
  • The VPC firewall can be used to protect the VPCs that are deployed in different regions or created by different Alibaba Cloud accounts. If a VPC is connected to the other VPC that is created by using a different Alibaba Cloud account, you can enable VPC Firewall to protect these VPCs even if Cloud Firewall Enterprise or Ultimate Edition is not activated for the VPC that is created by another Alibaba Cloud account.
  • VPC Firewall can be enabled for up to 10 VPCs in a region of a CEN instance. If you want to increase the quota, submit a ticket.
  • VPC firewalls can protect traffic between VPCs, between a VPC and a Virtual Border Router (VBR) or a data center, and between a VPC and a Cloud Connect Network (CCN) instance. However, VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR.
To create a VPC firewall for a CEN instance, perform the following operations:
Note When you create, enable, disable, or delete a Virtual Private Cloud (VPC) firewall, the system automatically modifies the custom routes in your VPC route table, which causes a short network interruption. If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.
  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  3. On the Firewall Settings page, click the VPC Firewall tab.
  4. On the VPC Firewall tab, click the CEN tab.
  5. Find the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.
    Cloud Firewall can control traffic between two VPCs that are connected by using a CEN transit router.
    If a large number of CEN instances exist, you can filter CEN instances by region, CEN name, network instance name, or configuration status of Cloud Firewall. For example, you can set the configuration status of Cloud Firewall to Unconfigured and click Search to query all CEN instances for which Cloud Firewall is not configured.
  6. In the Create VPC Firewall dialog box, configure the parameters.

    The following table describes the parameters.

    Name: The name of the VPC firewall. We recommend that you enter a unique name based on your business requirements. This allows you to identify the VPC firewall.
    Routing Mode: The routing mode of the traffic that passes through Cloud Firewall. This parameter is required only when you use a CEN transit router of the Enterprise Edition. Valid values:
    • Automatic: If you select this option, Cloud Firewall automatically assigns a VPC and a CIDR block that the vSwitch uses for the VPC firewall.
    • Manual: If you have deployed multiple VPCs and CIDR blocks in your network, connected the VPCs with CEN transit routers, and planned CIDR blocks for Cloud Firewall, you can select this option to manually assign a VPC and a CIDR block that the vSwitch uses for the VPC firewall. This way, the existing network architecture is not affected.
      Notice If you select this option, you must select the VPC with which the CEN instance is associated and the vSwitch that the CEN instance uses. You must also renew your Cloud Firewall in a timely manner before it expires. If your Cloud Firewall expires, Cloud Firewall features are unavailable, and traffic cannot be directed to the VPC firewall that you create. In this case, network interruptions occur.
    IPS Mode: The working mode of the intrusion prevention system (IPS). Valid values:
    • Monitoring Mode: If you select this option, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
    • Traffic Control Mode: If you select this option, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
    Note This setting is applied to all VPCs that belong to the CEN instance.
    IPS Capabilities: The intrusion prevention policies that you want to enable. Valid values:
    • Basic Policies: This feature provides basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. It also allows you to manage and control the connections from compromised hosts to a command and control (C&C) server.
    • Virtual Patches: This feature defends against the most common high-risk application vulnerabilities in real time.
    Note This setting is applied to all VPCs that belong to the CEN instance.
  7. Click Submit. In the message that appears, click Submit. The VPC firewall is created.
  8. Turn on Firewall switch in the Firewall Settings column.
    Wait until the VPC firewall takes effect. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall takes effect.
Note After a Virtual Private Cloud (VPC) firewall is enabled, a security group named Cloud_Firewall_Security_Group is automatically created and an access control policy is created to allow traffic to the VPC firewall. Do not modify or delete this security group and the access control policy.

Create a VPC firewall for an Express Connect

Note If your VPCs are connected by using an Express Connect, a VPC firewall can protect traffic between VPCs in the same region. However, the VPC firewall cannot protect traffic between a VPC and a VBR or between the VPCs that are deployed in different regions or created by different Alibaba Cloud accounts.

To create a VPC firewall for an Express Connect, perform the following operations:

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  3. On the Firewall Settings page, click the VPC Firewall tab.
  4. On the VPC Firewall tab, click the Express Connect tab.
  5. Find the Express Connect for which you want to create a VPC firewall and click Create in the Actions column.
    If a large number of Express Connects exist, you can filter them by region, VPC, or configuration status of Cloud Firewall. For example, you can select Unconfigured from the status drop-down list and click Search to query all Express Connects for which Cloud Firewall is not configured.
  6. In the Create VPC Firewall dialog box, configure the parameters. The following table describes the parameters.
    Instance Name: Enter a name for the VPC firewall. We recommend that you enter a unique name based on your business requirements. This allows you to identify the VPC firewall.
    Connection Type: Specify the type of the connection between VPCs or between a VPC and a data center. In this scenario, the value is fixed as Express Connect.
    VPC: Confirm the region and name of the VPC, and configure Route Table and Destination CIDR Block.
    • Route Table

      When you create a VPC, the system automatically creates a default route table. You can add system routes to the route table to manage VPC traffic. VPC allows you to create multiple route tables based on your business requirements. For more information, see Overview.

      When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect, you can view multiple VPC route tables and select the route tables that you want to protect.

    • Destination CIDR Block

      After you select a route table from the Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block section. If you need to protect traffic destined for other CIDR blocks, you can modify this destination CIDR block. You can add multiple CIDR blocks that are separated by commas (,).

    Peer VPC: Confirm the region and name of the peer VPC, and configure Peer Route Table and Peer Destination CIDR Blocks. For more information about route tables and destination CIDR blocks, see the VPC parameter description above.
    Intrusion Prevention: Select the intrusion prevention policies that you want to enable. Valid values:
    • Basic Policies: This feature provides basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. It also allows you to manage and control the connections from compromised hosts to a command and control (C&C) server.
    • Virtual Patches: This feature defends against the most common high-risk application vulnerabilities in real time.
    Enable VPC Firewall: If you turn on Enable VPC Firewall, the VPC firewall is automatically enabled after it is created. If you do not want the VPC firewall to be enabled automatically after it is created, turn off this switch.
  7. Click Submit and confirm the submission.
    The VPC firewall is created. If you turned on Enable VPC Firewall when you configured the VPC firewall, wait until the VPC firewall is enabled. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall takes effect.

Protect traffic between a VPC and a data center

A VPC firewall can protect traffic between a VPC and a data center that are connected by a VBR. If a VPC and a data center are connected by the VBR of a CEN instance, traffic between the VPC and the data center is automatically protected after you enable the VPC firewall created for the CEN instance. You do not need to create or enable a VPC firewall for the VBR.

You can perform the following operations to view the protection details of the VBR: Log on to the Cloud Firewall console, go to the Firewall Settings page, and then click the VPC Firewall tab. In the CEN list, view the details.

What to do next

After a VPC firewall is created, you can perform the following operations:
  • On the VPC Firewall tab, click Modify or Delete in the Actions column to modify or delete an existing VPC firewall.
  • On the VPC Firewall tab, enable or disable the VPC firewall. For more information, see Enable or disable VPC Firewall.
  • In the left-side navigation pane, choose Access Control > Access Control. On the Access Control page, click the VPC Firewall tab. On the VPC Firewall tab, configure VPC firewall policies to control traffic between VPCs. For more information, see Access control on VPC firewalls.

After a VPC firewall is enabled, VPC access traffic is collected and analyzed. You can view the statistics and analysis results on the VPC Access page. To go to this page, choose Traffic Analysis > VPC Access in the left-side navigation pane. For more information, see VPC access.