This topic describes the limits of virtual private cloud (VPC) firewalls.

| Item | Description | Solution |
| --- | --- | --- |
| Cloud Enterprise Network (CEN) | If multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must meet the following conditions: Cloud Firewall is authorized to access all VPCs and is the Ultimate Edition. Otherwise, VPC firewalls cannot be created. | Make sure that Cloud Firewall is authorized to access all VPCs and that it is the Ultimate Edition. |
| | VPC Firewall can be enabled for a CEN instance only if VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. | Make sure that VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. For more information about the regions that support VPC Firewall, see Supported regions. |
| | If you enabled a VPC firewall before May 1, 2021, you cannot advertise routes that use 32-bit subnet masks in a CEN instance. If routes that use 32-bit subnet masks are advertised and the VPC firewall is enabled, connections to the networks behind those routes are interrupted. If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit. | Before you enable a VPC firewall, we recommend that you use subnet masks that are less than or equal to 30 bits in length. Alternatively, contact the after-sales service in the specified DingTalk group. |
| | If you enabled a VPC firewall before May 1, 2021, and you used a public IP address as a private IP address in your network topology, your access to Server Load Balancer (SLB) and ApsaraDB RDS is interrupted. If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit. | We recommend that you develop a network plan based on the standards. We also recommend that you do not use a public IP address as a private IP address. |
| | You can advertise up to 100 routes in a CEN instance. | We recommend that you advertise no more than 100 routes. For more information, contact the after-sales service in the specified DingTalk group. |
| | After you enable a VPC firewall, a custom route is added to your VPC route table. If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls. The maximum number of custom routes allowed for each VPC route table is 400. | Increase the VPC quota. Log on to the VPC console, go to the Quota Management page, and increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account. |
| | If a VPC in a CEN instance has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall for the CEN instance. | Delete the custom route table or disassociate the custom route table from the vSwitch. |
| | Cloud Firewall does not protect the following mutual access traffic, because it does not pass through Cloud Firewall:<br>• Mutual access traffic between Virtual Border Routers (VBRs)<br>• Mutual access traffic between Cloud Connect Networks (CCNs)<br>• Mutual access traffic between VBRs and CCNs | Submit a ticket or contact the after-sales service in the specified DingTalk group for consultation. |
| | When you enable or disable VPC Firewall for an SLB or ApsaraDB RDS instance, existing persistent connections may fail. | We recommend that you take the following measures to prevent the failure of persistent connections:<br>• Before you enable or disable VPC Firewall, make sure that the SLB instance and its backend servers reside in the current VPC. This prevents network latency and network jitter.<br>• Configure keep-alive and reconnection mechanisms on the client. |
| | The total number of VPCs and regions for which VPC Firewall is enabled must be less than or equal to 32. | None. |
| | When you enable a VPC firewall for a CEN instance, you can add up to 15 network instances. | We recommend that you upgrade the CEN instance to support the transit router feature. For more information, contact the after-sales service in the specified DingTalk group. |
| Transit router in CEN | When you enable a VPC firewall for a CEN instance, you can add up to 100 network instances such as VPCs, VBRs, and CCNs to the transit router in each region.<br>Note: The total number of VPCs that you can add to a transit router includes the VPC that is automatically created when you enable the VPC firewall. The created VPC is named Cloud_Firewall_VPC and is displayed on the VPCs page of the VPC console. | None. |
| | A transit router is subject to the following limits:<br>• After you create a VPC firewall in automatic mode, you must contact after-sales service to add the automatically created VPC named Cloud_Firewall_VPC to the whitelist of the transit router. After the VPC is added to the whitelist, you can enable the VPC firewall.<br>• After you create a VPC firewall in manual mode, you must contact after-sales service to add the newly created VPC to the whitelist of the transit router. After the VPC is added to the whitelist, you can enable the VPC firewall. | To add a VPC to the whitelist of a transit router, submit a ticket or contact the after-sales service in the specified DingTalk group. |
| Express Connect | If you enable a VPC firewall for Express Connect, the firewall does not protect the mutual access traffic between VPCs that reside in different regions or belong to different Alibaba Cloud accounts. The firewall also does not protect the mutual access traffic between VPCs and VBRs. | If you want to protect the mutual access traffic in these scenarios, we recommend that you use CEN instead of Express Connect. For more information, contact the after-sales service in the specified DingTalk group. |
| | After you enable a VPC firewall, a custom route is added to your VPC route table. If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls. The maximum number of custom routes allowed for each VPC route table is 400. | Increase the VPC quota. Log on to the VPC console, go to the Quota Management page, and increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account. |
| | You cannot advertise routes that use 32-bit subnet masks in Express Connect. If routes that use 32-bit subnet masks are advertised and the VPC firewall is enabled, connections to the networks behind those routes are interrupted. | Before you enable a VPC firewall, we recommend that you use subnet masks that are less than or equal to 30 bits in length. Alternatively, contact the after-sales service in the specified DingTalk group. |
| General limits | A VPC quota of 20 is allowed for each region. A VPC firewall that is created by Cloud Firewall consumes this quota: after you enable a VPC firewall, Cloud Firewall automatically creates a VPC named Cloud_Firewall_VPC in each region. This VPC is displayed on the VPCs page of the VPC console. If a region already has 20 VPCs, you cannot enable VPC firewalls for this region. | If the VPC quota is exhausted, log on to the VPC console and go to the Quota Management page to increase the VPC quota. If the VPC quota has reached the upper limit, submit a ticket or contact the after-sales service in the specified DingTalk group. |
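A pre-enablement check that encodes the limits from this table, so an operator can find blockers before turning on a VPC firewall. This is an added example, not Alibaba Cloud tooling; the inventory layout, the function name and the sample values are assumptions, and the "VPCs plus regions" total is computed as firewall-enabled VPCs plus regions that have at least one.

```python
import ipaddress

# Limits stated in the table above; the inventory format is an assumption.
MAX_CEN_ROUTES = 100                    # routes advertised in a CEN instance
MAX_CUSTOM_ROUTES = 400                 # custom routes per VPC route table
MAX_VPCS_PER_REGION = 20                # Cloud_Firewall_VPC takes one slot
MAX_FIREWALL_VPCS_AND_REGIONS = 32      # VPCs + regions with VPC Firewall enabled
MAX_INSTANCES = {False: 15, True: 100}  # network instances without / with transit router
MAX_SAFE_PREFIXLEN = 30                 # the page recommends masks of 30 bits or less
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def preflight(inv):
    """Return the limits the inventory would violate; an empty list means it passes."""
    findings = []
    routes = inv["cen_routes"]
    if len(routes) > MAX_CEN_ROUTES:
        findings.append(f"cen_routes: {len(routes)} advertised, limit {MAX_CEN_ROUTES}")
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        if net.prefixlen > MAX_SAFE_PREFIXLEN:
            findings.append(f"route {r}: mask longer than /{MAX_SAFE_PREFIXLEN}")
        if not any(net.subnet_of(p) for p in RFC1918):  # public range used privately
            findings.append(f"route {r}: public address space used as a private range")
    limit = MAX_INSTANCES[inv["transit_router"]]
    if inv["network_instances"] > limit:
        findings.append(f"network_instances: {inv['network_instances']} exceeds {limit}")
    regions = inv["regions"]
    for name, reg in regions.items():
        if reg["vpc_count"] >= MAX_VPCS_PER_REGION:  # no room left for Cloud_Firewall_VPC
            findings.append(f"{name}: VPC quota of {MAX_VPCS_PER_REGION} exhausted")
        for table, n in reg["custom_routes"].items():
            if n + 1 > MAX_CUSTOM_ROUTES:  # enabling the firewall adds one custom route
                findings.append(f"{name}/{table}: {n} custom routes, no room for the firewall route")
        if reg["custom_table_on_vswitch"]:
            findings.append(f"{name}: custom route table associated with a vSwitch")
    total = sum(r["firewall_vpcs"] for r in regions.values())
    total += sum(1 for r in regions.values() if r["firewall_vpcs"])
    if total > MAX_FIREWALL_VPCS_AND_REGIONS:
        findings.append(f"firewall VPCs + regions = {total}, limit {MAX_FIREWALL_VPCS_AND_REGIONS}")
    return findings


# Constructed sample inventory: one /32 route, one public range, one full route table.
SAMPLE = {
    "cen_routes": ["10.0.0.0/16", "172.16.5.1/32", "203.0.113.0/24"],
    "transit_router": False, "network_instances": 12,
    "regions": {"cn-hangzhou": {"vpc_count": 18, "firewall_vpcs": 2,
                                "custom_routes": {"vtb-main": 399, "vtb-edge": 400},
                                "custom_table_on_vswitch": False}},
}

if __name__ == "__main__":
    for f in preflight(SAMPLE):
        print("FAIL:", f)
```

Running it against `SAMPLE` reports the /32 route, the non-RFC1918 range and the route table that has no room for the firewall's custom route.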