This topic describes how to use a Cloud Enterprise Network (CEN) transit router to implement secure traffic access.

Background information

The following figure shows the scenario used in the example. An enterprise has deployed three virtual private clouds (VPCs) in the China (Hong Kong) region: VPC A, VPC B, and VPC C. Security management services are deployed in VPC A. To protect the enterprise network, the enterprise wants all traffic between VPC B and VPC C to pass through, and be filtered by, the security management services in VPC A before it reaches its destination.
[Figure: East-west flow architecture]
Notice In this scenario, make sure that VPC A, which hosts the security management services, is deployed in the China (Hong Kong) or US (Silicon Valley) region.

Prerequisites

Before you start the procedure, make sure that the following requirements are met:
  • Three VPCs (A, B, and C) are created in the China (Hong Kong) region, and Elastic Compute Service (ECS) instances are deployed in each VPC.
    • Three vSwitches are deployed in VPC A: vSwitch 1 and vSwitch 2 are deployed in different zones and are the vSwitches through which the transit router connects to VPC A. The security management services are deployed on an ECS instance in vSwitch 3.
    • In VPC B and VPC C, vSwitches are deployed in at least two different zones so that the transit router can connect to each VPC. For more information, see Work with VPCs.
  • A CEN instance is created. For more information, see Create a CEN instance.
  • Three VPCs are connected to the same CEN instance. For more information, see Create a VPC connection.

    Note that the three advanced features of each VPC connection (associating the connection with the default route table of the transit router, propagating the VPC's routes to that default route table, and automatically advertising routes to the VPC) are disabled on all three VPCs. This example uses custom transit router route tables and static routes instead; with the default settings enabled, VPC B and VPC C would learn each other's routes from the default route table and reach each other directly, bypassing VPC A.

  • Make sure that you understand the security group rules of the ECS instances in the three VPCs and that the rules allow the instances to communicate with each other. In particular, the security group of the ECS instance that hosts the security management services in VPC A must allow traffic from the CIDR blocks of VPC B and VPC C, because all traffic between those VPCs is delivered to that instance. For more information, see Query security group rules.

Step 1: Plan your network

To meet the preceding requirements, use the following network planning scheme:
  • In the VPC console
    • In the system route tables of VPC B and VPC C, add a route entry whose destination Classless Inter-Domain Routing (CIDR) block is 0.0.0.0/0 and whose next hop is the transit router.
    • In VPC A, vSwitch 1 and vSwitch 2 are each associated with a custom route table. In each of these custom route tables, add a route entry whose destination CIDR block is 0.0.0.0/0 and whose next hop is the ECS instance in vSwitch 3 on which the security management services are deployed. vSwitch 3 is associated with a third custom route table, in which you add a route entry whose destination CIDR block is 0.0.0.0/0 and whose next hop is the transit router. This way, traffic that enters VPC A from the transit router is handed to the security instance, and traffic that leaves the security instance goes back to the transit router.
  • In the transit router
    • VPC B and VPC C are associated with the same custom route table of the transit router. In the custom route table, add a route entry whose destination CIDR block is 0.0.0.0/0 and next hop is VPC A.

      Then, VPC B and VPC C can forward traffic to VPC A by using this route table.

    • VPC A is associated with another custom route table of the transit router. The routes of VPC B and VPC C are propagated to the route table.

      Then, VPC A can forward traffic to VPC B and VPC C by using this route table.

  • The following table lists the CIDR blocks of the three VPCs in this example. You can use your own CIDR blocks, but the CIDR blocks of the three VPCs must not overlap, because both the transit router route tables and the security instance route on them.

    VPC                                      vSwitch     Zone     CIDR block     ECS instance IP address
    VPC A (primary CIDR block 10.1.0.0/16)   vSwitch 1   Zone B   10.1.0.0/24
                                             vSwitch 2   Zone C   10.1.1.0/24
                                             vSwitch 3   Zone B   10.1.2.0/24    10.1.2.13 (security management services)
    VPC B (primary CIDR block 10.2.0.0/16)   vSwitch 1   Zone B   10.2.0.0/24
                                             vSwitch 2   Zone C   10.2.1.0/24
                                             vSwitch 3   Zone C   10.2.2.0/24    10.2.2.48
    VPC C (primary CIDR block 10.3.0.0/16)   vSwitch 1   Zone B   10.3.0.0/24
                                             vSwitch 2   Zone C   10.3.1.0/24
                                             vSwitch 3   Zone C   10.3.2.0/24    10.3.2.27
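The route-table plan above is easy to get subtly wrong (a missing propagation, or a default route that lets the spokes talk directly). The following Python script is an added example, not part of this page or of Alibaba Cloud's tooling: it encodes the VPC and transit router route tables planned in this step, with the example CIDR blocks and instance addresses, and walks a packet hop by hop from the VPC B instance to the VPC C instance and back, checking that both directions traverse the security instance 10.1.2.13. The table and attachment names ("sys-B", "A-rt1", "tr-spokes", "tr-hub") and the assumption that the transit router's elastic network interface in each VPC sits in vSwitch 1 are choices made for the simulation.

```python
"""Hop-by-hop trace of the east-west inspection routing plan (added example)."""
from ipaddress import ip_address, ip_network

# vSwitches (subnets) from the planning table, keyed by "<VPC>-vsw<N>".
VSWITCHES = {
    "A-vsw1": ip_network("10.1.0.0/24"), "A-vsw2": ip_network("10.1.1.0/24"),
    "A-vsw3": ip_network("10.1.2.0/24"),
    "B-vsw1": ip_network("10.2.0.0/24"), "B-vsw2": ip_network("10.2.1.0/24"),
    "B-vsw3": ip_network("10.2.2.0/24"),
    "C-vsw1": ip_network("10.3.0.0/24"), "C-vsw2": ip_network("10.3.1.0/24"),
    "C-vsw3": ip_network("10.3.2.0/24"),
}
SEC_HOST = "10.1.2.13"  # security instance in vSwitch 3 of VPC A

# Next hops: "local" (deliver inside the VPC), "ecs:<ip>" (an ECS instance),
# "tr:<VPC>" (the transit router, entered through that VPC's attachment),
# "vpc:<VPC>" (the transit router hands the packet to that VPC's attachment).
VPC_TABLES = {
    "sys-B": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tr:B")],
    "sys-C": [("10.3.0.0/16", "local"), ("0.0.0.0/0", "tr:C")],
    "A-rt1": [("10.1.0.0/16", "local"), ("0.0.0.0/0", f"ecs:{SEC_HOST}")],
    "A-rt2": [("10.1.0.0/16", "local"), ("0.0.0.0/0", f"ecs:{SEC_HOST}")],
    "A-rt3": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tr:A")],
}
# Which VPC route table applies to a packet being routed at a given vSwitch.
TABLE_OF_VSWITCH = {
    "A-vsw1": "A-rt1", "A-vsw2": "A-rt2", "A-vsw3": "A-rt3",
    "B-vsw1": "sys-B", "B-vsw2": "sys-B", "B-vsw3": "sys-B",
    "C-vsw1": "sys-C", "C-vsw2": "sys-C", "C-vsw3": "sys-C",
}
TR_TABLES = {
    "tr-spokes": [("0.0.0.0/0", "vpc:A")],                              # static entry
    "tr-hub": [("10.2.0.0/16", "vpc:B"), ("10.3.0.0/16", "vpc:C")],     # propagated
}
TR_ASSOCIATION = {"A": "tr-hub", "B": "tr-spokes", "C": "tr-spokes"}
# Assumption: the transit router's ENI in each VPC sits in vSwitch 1, so a packet
# handed to a VPC is first routed by that vSwitch's table (vSwitch 2 would give
# the same result in VPC A, since A-rt1 and A-rt2 are identical).
TR_ENTRY_VSWITCH = {"A": "A-vsw1", "B": "B-vsw1", "C": "C-vsw1"}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None."""
    best = None
    for cidr, nh in table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def vswitch_of(ip):
    for name, net in VSWITCHES.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any planned vSwitch")


def trace(src, dst, sec_forwarding=True, max_hops=12):
    """Return (status, hops) for a packet from src to dst.

    status is "delivered", "dropped" (security instance has ip_forward off) or
    "no-route" (a table has no matching entry). sec_forwarding models the
    /proc/sys/net/ipv4/ip_forward setting on the security instance.
    """
    dst = ip_address(dst)
    hops = []
    where = ("vpc", vswitch_of(ip_address(src)))
    for _ in range(max_hops):
        if where[0] == "vpc":
            table = TABLE_OF_VSWITCH[where[1]]
            nh = lookup(VPC_TABLES[table], dst)
            hops.append(f"{table}: {dst} -> {nh}")
            if nh is None:
                return "no-route", hops
            if nh == "local":
                hops.append(f"delivered to {dst} in {vswitch_of(dst)}")
                return "delivered", hops
            if nh.startswith("ecs:"):
                host = nh[4:]
                if not sec_forwarding:
                    hops.append(f"{host}: ip_forward=0, packet dropped")
                    return "dropped", hops
                hops.append(f"{host}: forwards")
                where = ("vpc", vswitch_of(ip_address(host)))
            else:  # "tr:<VPC>"
                where = ("tr", nh[3:])
        else:
            table = TR_ASSOCIATION[where[1]]
            nh = lookup(TR_TABLES[table], dst)
            hops.append(f"{table} (attachment {where[1]}): {dst} -> {nh}")
            if nh is None:
                return "no-route", hops
            where = ("vpc", TR_ENTRY_VSWITCH[nh[4:]])
    return "no-route", hops + ["hop limit reached"]


def inspected(hops):
    """True if the security instance forwarded the packet."""
    return any(h.startswith(f"{SEC_HOST}: forwards") for h in hops)


if __name__ == "__main__":
    for src, dst in [("10.2.2.48", "10.3.2.27"), ("10.3.2.27", "10.2.2.48"),
                     ("10.2.2.48", "10.1.2.13")]:
        status, hops = trace(src, dst)
        print(f"{src} -> {dst}: {status}, inspected={inspected(hops)}")
        for h in hops:
            print("   ", h)
```

Running the script prints the path for each pair. VPC B to VPC C and the reverse both show the security instance forwarding, so the path is symmetric and the instance sees both halves of every connection; VPC B to the security instance itself is delivered by the local route in VPC A without forwarding, which is why that pair keeps working when ip_forward is disabled. Removing the propagated VPC C entry from "tr-hub" makes the VPC B to VPC C trace end in "no-route", which is the failure you get if route propagation in Step 3 is skipped.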

Step 2: Add route entries for the VPCs

  1. Log on to the VPC console.
  2. In the top navigation bar, select the region to which the route table belongs.
  3. Add a custom route entry for VPC B and VPC C.
    1. In the left-side navigation pane, click Route Tables.
    2. On the Route Tables page, find the system route table of VPC B and click its ID.
    3. In the Route Table Details section, click the Route Entry List tab, and then click Custom.
    4. On the Custom tab, click Add Route Entry.
    5. In the Add Route Entry panel, configure the following parameters and click OK.
      • Destination CIDR Block: Enter 0.0.0.0/0 in this example.
      • Next Hop Type: Select Forwarding Router in this example.
      • Forwarding Router: Select the transit router associated with VPC B in this example.
    6. Repeat the preceding step to add the same route entry in the system route table of VPC C.
      • Destination CIDR Block: Enter 0.0.0.0/0 in this example.
      • Next Hop Type: Select Forwarding Router in this example.
      • Forwarding Router: Select the transit router associated with VPC C in this example.
  4. Create three custom route tables for VPC A. For more information, see the "Create a custom route table" section in Work with route tables.
  5. Associate vSwitches with custom route tables. For more information, see the "Associate a route table with a vSwitch" section in Work with route tables.
    Associate each of vSwitch 1, vSwitch 2, and vSwitch 3 with a custom route table.
  6. Add route entries to the custom route table of VPC A.
    1. On the Route Tables page, click the ID of the custom route table that is associated with vSwitch 1.
    2. In the Route Table Details section, click the Route Entry List tab, and then click Custom.
    3. On the Custom tab, click Add Route Entry.
    4. In the Add Route Entry panel, configure the following parameters and click OK.
      • Destination CIDR Block: Enter 0.0.0.0/0 in this example.
      • Next Hop Type: Select ECS Instance from the drop-down list in this example.
      • Resource Group: Select All from the drop-down list in this example.
      • ECS Instance: Select the ECS instance for which security management services are configured. The ECS instance is deployed in vSwitch 3 of VPC A.
    5. Repeat the preceding procedure and configurations to add the same route entry to the custom route table of vSwitch 2.
    6. Repeat the preceding procedure and configurations to add a route entry to the custom route table of vSwitch 3. The following section lists the information of route entries of vSwitch 3:
      • Destination CIDR Block: Enter 0.0.0.0/0 in this example.
      • Next Hop Type: Select Forwarding Router in this example.
      • Forwarding Router: Select the transit router that is associated with VPC A in this example.

Step 3: Configure routes on the transit router

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance and click its ID.
  3. On the details page of the CEN instance, find the transit router and click its ID.
  4. On the Route Table tab, create two custom route tables for the transit router. For more information, see Create a custom route table.
  5. Associate VPC B and VPC C with one custom route table and configure route entries.
    1. On the Route Table tab, select one of the custom route tables that you created, click the Route Table Association tab, and then click Add Association.
    2. In the Add Association dialog box, select the network instance with which you want to associate the custom route table and click OK.
      Associate VPC B and VPC C with one custom route table.
    3. On the details page of the custom route table, click the Route Entry tab, and then click Add Route Entry.
    4. In the Add Route Entry dialog box, configure the following parameters and click OK.
      • Destination CIDR: Enter 0.0.0.0/0 in this example.
      • Blackhole Route: If you select Yes, traffic that matches this route is dropped. No is selected in this example.
      • Next Hop: Select VPC A in this example.

      For more information, see Add route entries to a transit router.

    Then, all requests sent from VPC B and VPC C are first forwarded to VPC A.
  6. Associate the other custom route table with VPC A and configure routes for the route table.
    1. On the Route Table tab, select the other custom route table that you created, click the Route Table Association tab, and then click Add Association.
    2. In the Add Association dialog box, select the network instances with which you want to associate the custom route table and click OK.
      Associate VPC A with the custom route table.
    3. On the details page of the custom route table, click the Route Propagation tab, and then click Enable Route Propagation.
    4. In the Enable Route Propagation dialog box, select the network instance whose routes you want to propagate to the route table and click OK.

      Enable route propagation for both VPC B and VPC C. After route propagation is enabled, the routes of VPC B and VPC C are propagated to this route table, and VPC A can reach VPC B and VPC C through it. Note that VPC B and VPC C only propagate routes into this table; they remain associated with the route table configured in the previous step, which sends all of their traffic to VPC A.

Step 4: Test the network connectivity

  1. Log on to the security ECS instance deployed in vSwitch 3 of VPC A and run the following commands to enable IP forwarding. For more information about how to log on to an ECS instance, see Guidelines on instance connection.
    Note When forwarding is not enabled, VPC B and VPC C can each still reach VPC A, because the security instance is the destination of that traffic, but VPC B and VPC C cannot reach each other, because the security instance discards the packets it is asked to relay. Enabling forwarding by itself turns the instance into a transparent router: unless a host firewall is already configured, the kernel accepts every forwarded packet, so all traffic between VPC B and VPC C passes through unfiltered. The security management services must apply their filtering on the forwarding path (for example, in the nftables or iptables FORWARD chain) before the instance is put into service.
    echo 1 > /proc/sys/net/ipv4/ip_forward   # Enable forwarding. The setting takes effect immediately but is lost after the ECS instance restarts.
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf && sysctl --system   # Persist the setting across restarts. The file name is an example.
    [Figure: East-west flow-Step 1]
  2. Log on to the ECS instance deployed in VPC B. Run the ping command against the IP addresses of the ECS instances deployed in VPC A and VPC C to test the connectivity between VPC B and VPC A and between VPC B and VPC C.
    If the configuration is correct, both destinations respond. [Figure: East-west flow-verify the connectivity of VPC B]
  3. Log on to the ECS instance deployed in VPC C. Run the ping command to test the connectivity between VPC C and VPC A and between VPC C and VPC B.
    If the configuration is correct, both destinations respond. [Figure: East-west flow-verify the connectivity of VPC C]
    A successful ping shows only that the packets arrive, not that they passed through VPC A. To confirm the path, capture on the security instance while the ping runs, for example with tcpdump -ni any 'icmp and host 10.3.2.27' on the instance in vSwitch 3: both the ICMP requests and the replies between VPC B and VPC C must appear there. If they do not, one of the 0.0.0.0/0 routes is missing, or the default route table association of the VPC connections is still enabled and the two VPCs are reaching each other directly.
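Step 4 only enables forwarding; the filtering that this architecture exists for still has to be configured on the security instance. The following Python module is an added example, not taken from this page or from Alibaba Cloud. It keeps a default-deny allowlist for the forwarding path in one place, renders it as an nftables ruleset (to be loaded on the instance with nft -f), and evaluates constructed sample flows against the same policy so the rules can be checked before they are applied. The allowed flows (HTTPS and ICMP from VPC B to VPC C, ICMP from VPC C to VPC B, SSH from vSwitch 1 and vSwitch 2 of VPC A into both spokes), the hosts and ports in the sample flows, and the table name secvpc are assumptions chosen for illustration.

```python
"""Default-deny forwarding policy for the security instance (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR block
    dst: str            # destination CIDR block
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; ignored for icmp
    comment: str = ""


# Assumed allowlist; everything else on the forwarding path is dropped and logged.
# 10.1.0.0/23 covers vSwitch 1 and vSwitch 2 of VPC A, whose custom route tables
# send their traffic through the security instance (vSwitch 3 routes to the
# transit router directly, so its hosts never hit this chain).
POLICY = [
    Rule("10.2.0.0/16", "10.3.0.0/16", "tcp", 443, "VPC B -> VPC C HTTPS"),
    Rule("10.2.0.0/16", "10.3.0.0/16", "icmp", 0, "VPC B -> VPC C reachability"),
    Rule("10.3.0.0/16", "10.2.0.0/16", "icmp", 0, "VPC C -> VPC B reachability"),
    Rule("10.1.0.0/23", "10.2.0.0/16", "tcp", 22, "admin from VPC A to VPC B"),
    Rule("10.1.0.0/23", "10.3.0.0/16", "tcp", 22, "admin from VPC A to VPC C"),
]


def render_nft(policy):
    """Render the policy as an nftables ruleset whose forward chain drops by default."""
    lines = [
        "table inet secvpc {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies of accepted flows
        "    ct state invalid drop",
    ]
    for r in policy:
        match = f"ip saddr {r.src} ip daddr {r.dst}"
        match += " ip protocol icmp" if r.proto == "icmp" else f" {r.proto} dport {r.dport}"
        lines.append(f'    {match} accept comment "{r.comment}"')
    lines += ['    log prefix "secvpc-drop " counter drop', "  }", "}"]
    return "\n".join(lines) + "\n"


class Forwarder:
    """Stateful model of the rendered chain, with conntrack approximated by a set
    of accepted 5-tuples. A pre-deployment check, not a substitute for the kernel."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()     # accepted (src, sport, dst, dport, proto) tuples
        self.dropped = []

    def handle(self, src, dst, proto, sport=0, dport=0):
        key = (src, sport, dst, dport, proto)
        if key in self.flows or (dst, dport, src, sport, proto) in self.flows:
            return "accept"    # ct state established: part of an accepted flow
        s, d = ip_address(src), ip_address(dst)
        for r in self.policy:
            if (s in ip_network(r.src) and d in ip_network(r.dst) and proto == r.proto
                    and (proto == "icmp" or dport == r.dport)):
                self.flows.add(key)
                return "accept"
        self.dropped.append(key)
        return "drop"


# Constructed sample flows (src, dst, proto, sport, dport) as the instance would see them.
SAMPLE_FLOWS = [
    ("10.2.2.48", "10.3.2.27", "tcp", 51514, 443),   # B -> C HTTPS: allowed
    ("10.3.2.27", "10.2.2.48", "tcp", 443, 51514),   # its reply: established
    ("10.3.2.27", "10.2.2.48", "tcp", 40001, 22),    # C -> B SSH: not allowed
    ("10.2.2.48", "10.3.2.27", "tcp", 51515, 3306),  # B -> C MySQL: not allowed
    ("10.1.0.10", "10.3.2.27", "tcp", 60000, 22),    # admin from vSwitch 1: allowed
    ("10.2.2.48", "10.3.2.27", "icmp", 0, 0),        # the Step 4 ping B -> C: allowed
]


def evaluate(policy, flows):
    """Return [(flow, verdict)] for the flows in order, sharing one state table."""
    fw = Forwarder(policy)
    return [(f, fw.handle(*f)) for f in flows]


if __name__ == "__main__":
    print(render_nft(POLICY))
    for flow, verdict in evaluate(POLICY, SAMPLE_FLOWS):
        print(f"{verdict:6} {flow}")
```

Load the rendered ruleset with nft -f on the security instance after checking it with nft -c -f. The security group of the instance still has to admit the VPC B and VPC C CIDR blocks, otherwise packets are discarded before they reach this chain, and the logged drops (prefix secvpc-drop) are the first place to look when a flow that should be allowed is not. Note that this design routes all east-west traffic through a single ECS instance, so its availability bounds the availability of VPC B to VPC C connectivity.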