This topic describes the limits of VPC firewalls.

Item Description Handling suggestion
Number of VPCs that can be protected by VPC firewalls in a Cloud Enterprise Network (CEN) For VPCs that are deployed in the same region, the default number is six and the maximum number is 20. N/A
VPC custom routes The number of custom routes increases after you enable VPC Firewall. If the number of custom routes in your VPC route table reaches the upper limit, you cannot enable VPC Firewall. For more information, see Add a custom route entry. Increase the VPC quota.

You can log on to the VPC console, open the Quota Management page, and increase the maximum number of custom routes allowed for each route table under your Alibaba Cloud account.

Note Do not modify or delete custom routes that are added by Cloud Firewall. Otherwise, VPC firewalls cannot protect inbound traffic to ECS instances.
Subnet mask length VPC firewall users in a CEN cannot publish routes to a network with a 32-bit subnet mask. If such routes are published and VPC Firewall is enabled, the connections to this network are interrupted. We recommend that you change the subnet mask length to less than or equal to 30 bits before you enable VPC Firewall.
Total number of VPCs and regions for which VPC Firewall is enabled Less than or equal to 32. N/A
Cross-account VPCs in a CEN If two VPCs in a CEN are created by different Alibaba Cloud accounts, Cloud Firewall must be authorized to access both VPCs. Otherwise, VPC Firewall cannot be enabled for the CEN. Before you enable VPC Firewall, you must use the Alibaba Cloud accounts to separately log on to the Cloud Firewall console and complete the authorization. For more information, see Create a VPC firewall for a CEN.
Cross-region VPCs in a CEN Make ensure that VPC Firewall is available in all the regions in the CEN. Otherwise, VPC Firewall cannot be enabled for the CEN. N/A
VPC quantity Each region can have up to 20 VPCs. A VPC that is added by Cloud Firewall consumes this quota. After VPC Firewall is enabled, Cloud Firewall adds a VPC for each region involved. You can log on to the VPC console and open the VPCs page. The VPCs named "Cloud_Firewall_VPC" are added by Cloud Firewall. If a region already has 20 VPCs, VPC Firewall cannot be enabled for this region. If the VPC quota is used up, log on to the VPC console and open the Quota Management page to increase the VPC quota. If the VPC quota has reached the upper limit, submit a ticket.
Mutual access between Virtual Border Routers (VBRs) Mutual access traffic of VBRs does not pass Cloud Firewall. N/A
Mutual access between Cloud Connect Networks (CCNs) Mutual access traffic of CCNs does not pass Cloud Firewall. N/A
Brief disconnection occurred when VPC Firewall is enabled or disabled When VPC Firewall is enabled or disabled for Server Load Balancer (SLB) or database services such as ApsaraDB for RDS, the persistent connections fail. You can configure the keep-connection-alive and reconnection mechanisms on the client.
East-west traffic protection only VPC firewalls can only protect east-west traffic, but cannot protect the traffic from the default route to the Internet. N/A