
Cloud Firewall: Protect all traffic between VPCs connected by a CEN Transit Router (Manual traffic diversion)

Last Updated: Jan 09, 2026

When you use a Transit Router (TR), you can manually configure routes between the TR and a VPC Firewall so that all traffic between the Virtual Private Clouds (VPCs) connected by the TR is inspected by the firewall. This topic describes how to establish network connectivity between a TR and a VPC Firewall.

Use cases

Cloud Firewall can protect traffic between network instances connected through a Cloud Enterprise Network (CEN) Transit Router (TR). These network instances include VPCs, Virtual Border Routers (VBRs), Cloud Connect Networks (CCNs), and VPN gateways.

This topic focuses on configuring the Manual Traffic Diversion mode for a VPC Firewall. This method protects traffic between multiple VPCs within the same region.

Architecture diagram

[Architecture diagram image]

Prerequisites

You have created a CEN instance in the CEN console and two VPCs. This topic uses VPC-01 and VPC-02 as examples. For more information, see Create a CEN instance.

Step 1: Create a VPC for the VPC Firewall

The VPC Firewall requires a dedicated VPC. Therefore, create a new VPC for this purpose.

Important

Ensure that the VPC you configure for the firewall belongs to the same Alibaba Cloud account as the CEN Transit Router. Otherwise, you cannot create the VPC Firewall.

  1. Log on to the Virtual Private Cloud Console.

  2. In the top navigation bar, select the Region for the new VPC, and then click Create VPC.

  3. In the Create VPC dialog, configure the parameters and click OK.

    Region: Select the region where you want to enable the VPC Firewall.

    Name: Enter a name for the VPC instance. This topic uses Cfw-TR-manual-VPC as an example.

    IPv4 CIDR Block: The primary IPv4 CIDR block for the VPC. Specify a private CIDR block with a prefix length of 26 bits or fewer. The CIDR block cannot conflict with the CIDR blocks of your services.

    vSwitch: The vSwitches that can be associated with the network instance connection. Specify a private CIDR block with a prefix length of 28 bits or fewer for each vSwitch.

    Use two vSwitches for the TR network instance connection. Create them in two different Availability Zones that support the TR service. We recommend selecting the Availability Zones where your services are deployed to reduce latency. Use a third vSwitch for the VPC Firewall; you can create it in any Availability Zone.

    In this topic, the primary vSwitch for the TR connection is named TR-vSwitch-01, the secondary vSwitch is named TR-vSwitch-02, and the vSwitch for the VPC Firewall is named Cfw-vSwitch.

  4. On the VPC page, find the firewall VPC Cfw-TR-manual-VPC and click its instance ID.

  5. On the details page of the VPC, click the Resource Management tab. In the Route Table section, click Add. Alternatively, go to the Route Tables page and click Create Route Table.

  6. In the Create Route Table dialog, configure the parameters and click OK.

    VPC: Select the firewall VPC created in the previous step. This topic uses Cfw-TR-manual-VPC as an example.

    Associated Resource Type: Select vSwitch.

    Name: Enter a custom name for the route table. This topic uses VPC-CFW-RouteTable as an example name for the custom route table.

Step 2: Connect the firewall VPC to the Transit Router

In this step, you create a connection between the VPC instance Cfw-TR-manual-VPC and the Enterprise Edition Transit Router.

  1. Log on to the CEN console.

  2. On the Instances page, find the CEN instance to which you want to divert traffic and click its ID.

  3. On the Basic Settings tab, click Create Connection in the Actions column. Alternatively, click the Add icon next to the VPC information at the top of the page.

  4. On the Connection with Peer Network Instance page, configure the connection between Cfw-TR-manual-VPC and the Transit Router.

    The following table describes the key parameters for creating the network instance connection.

    Instance type: The type of network instance to connect. Select VPC (Virtual Private Cloud).

    Region: The region of the network instance. This must be the same region where you created Cfw-TR-manual-VPC.

    Network Instance: The network instance to connect. Select the instance ID of Cfw-TR-manual-VPC.

    vSwitch: The vSwitches that can be associated with the connection. Select TR-vSwitch-01 as the primary vSwitch and TR-vSwitch-02 as the secondary vSwitch.

    For other parameters, see Create a VPC connection on an Enterprise Edition transit router.

Step 3: Create CEN network instance connections for the two VPCs

You need to create separate network instance connections for VPC-01 and VPC-02 to attach them to the CEN instance.

For more information, see Create a VPC connection on an Enterprise Edition transit router.

Step 4: Create the VPC Firewall

In this step, create a VPC Firewall for Cfw-TR-manual-VPC.

In the Cloud Firewall Console, go to the Firewall Settings > VPC Firewall > CEN (Enterprise) tab. Find the TR instance for which you want to create a firewall and click Create in the Actions column. When creating the VPC Firewall, set Traffic Redirection Mode to Manual, select Cfw-TR-manual-VPC for the VPC parameter, and select Cfw-vSwitch for the vSwitch parameter. For more information, see Configure a VPC Firewall for an Enterprise Edition transit router.

Note

After you complete this step, Cloud Firewall creates an Elastic Network Interface (ENI) in the Cfw-vSwitch for traffic diversion. You can view this ENI, which is named cfw-bonding-eni by default, on the Network & Security > ENIs page in the ECS console. This ENI is a virtual network interface for route-based traffic diversion. By default, the firewall cluster binds to multiple virtual network interfaces in different Availability Zones to ensure high availability (HA). In Manual Traffic Diversion mode, the firewall cluster operates in a dual-active model across two automatically assigned Availability Zones, providing HA.

Step 5: Configure VPC routes for the firewall VPC

In this step, configure VPC routes to divert traffic from the TR to the VPC Firewall for inspection, and then forward the inspected traffic back to the TR.

  1. Log on to the Virtual Private Cloud Console.

  2. On the Route Tables page, select the system route table of the firewall VPC instance.

  3. Click the Route Entry List tab, then click the Custom Route tab.

  4. Click Add Route Entry, configure the following route entry, and delete any other custom route entries if they exist.

    Key parameters:

    • Destination CIDR Block: Select 0.0.0.0/0.

    • Next Hop Type: Select ENI.

    • ENI: Select the cfw-bonding-eni created in Step 4.

    After you complete this step, traffic forwarded from the TR to the firewall VPC is diverted to the VPC Firewall.

  5. On the Route Tables page, open the custom route table VPC-CFW-RouteTable that you created earlier. Click the Associated vSwitch tab, and then click Associate vSwitch. Select Cfw-vSwitch for the vSwitch parameter and click OK.

  6. In the Route Entry List section, click the Custom Route tab. Click Add Route Entry, configure the following route entry, and delete any other custom route entries if they exist.

    Key parameters:

    • Destination CIDR Block: Select 0.0.0.0/0.

    • Next Hop Type: Select Transit Router.

    • Transit Router: Select the network instance connection for the firewall VPC.

    After you complete this step, the VPC Firewall forwards processed traffic back to the TR.

Step 6: Configure routes for the Transit Router

In this step, you configure TR routes for VPC-01, VPC-02, and the firewall VPC. This ensures that traffic between VPC-01 and VPC-02 passes through the VPC Firewall.

  1. Log on to the CEN console.

  2. In the CEN console, find the TR for which you want to enable the VPC Firewall, click its instance ID, and then click the Route Table tab.

  3. On the Route Table tab, click the system route table, which is the first entry in the route table list on the left.

  4. On the Route Table Details tab of the system route table, click the Route Propagation tab.

  5. On the Route Propagation tab, create two route learning entries. For the Attachment parameter, select VPC-01 for the first entry and VPC-02 for the second entry.

    This operation enables route learning for the system route table, which automatically synchronizes the routes of VPC-01 and VPC-02.

    After route learning is configured, you can view the automatically learned routes on the Route Entry tab.

  6. Return to the details page of the system route table and click the Route Table Association tab.

  7. On the Route Table Association tab, click Create Association.

  8. In the Add Association dialog box, select Cfw-TR-manual-VPC.

    After you complete this step, the firewall VPC can automatically forward traffic destined for VPC-01 and VPC-02 through the TR.

  9. On the Route Table page, click Create Route Table on the left. In the Create Route Table dialog, configure the route table.

    For Transit Router, select the TR for which you want to enable the VPC Firewall and specify a name for the route table. This topic uses Cfw-TR-RouteTable as an example name.

    The new Cfw-TR-RouteTable route table forwards traffic between VPC-01, VPC-02, and the firewall VPC Cfw-TR-manual-VPC.

  10. Find the Cfw-TR-RouteTable route table and click Add Route Entry. In the Add Route Entry dialog, configure the route entry.

    Parameters:

    • Destination CIDR: Select the default CIDR block 0.0.0.0/0.

    • Blackhole Route: Select the default option No.

    • Next Hop: Select the TR connection instance ID that corresponds to the firewall VPC instance Cfw-TR-manual-VPC.

  11. On the Route Table tab, click the system route table in the list on the left. Then, on the details page, click the Route Table Association tab.

    Warning

    The following steps (12 to 14) switch routes, which can cause transient disconnections of long-lived TCP connections. We recommend that you perform these operations during off-peak hours or a maintenance window.

  12. On the Route Table Association tab, delete the associations for VPC-01 and VPC-02, that is, the entries whose next hops are the network instance connections of VPC-01 and VPC-02. Then, on the Route Table tab, click the Cfw-TR-RouteTable route table in the list on the left.

  13. On the details page, click the Route Table Association tab, and then click Create Association.

  14. In the Add Association dialog, select VPC-01 and VPC-02 for Association, and then click OK to save the settings.

    After you complete this step, traffic entering the TR from VPC-01 and VPC-02 is forwarded according to Cfw-TR-RouteTable. Traffic between VPC-01 and VPC-02 is therefore sent to the firewall VPC first, inspected, and then returned to the TR, which delivers it to the destination VPC using the routes learned by the system route table.
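The route tables built in Step 5 and Step 6 only protect VPC-01 and VPC-02 if every hop points where the steps say: VPC-01 and VPC-02 must be associated with Cfw-TR-RouteTable (not the system route table), Cfw-TR-RouteTable must send 0.0.0.0/0 to the firewall connection, the firewall VPC must hand traffic to cfw-bonding-eni and back to the TR, and the firewall connection must be associated with the system route table so returned traffic reaches the learned VPC routes. The following offline model traces one packet through that chain and reports the two failure modes a misconfiguration produces: traffic that bypasses the firewall (the state before Steps 12 to 14) and traffic that loops (the firewall connection associated with Cfw-TR-RouteTable). It is an added example, not code from Alibaba Cloud or from this topic; the attachment IDs and CIDR blocks are constructed placeholders, and the route-table semantics are modelled as the steps above describe them.

```python
"""Offline model of the route tables built in Step 5 (firewall VPC) and Step 6
(Transit Router), used to check that VPC-01 <-> VPC-02 traffic really crosses the
VPC Firewall and neither bypasses it nor loops.  Constructed example: the
attachment ids and CIDR blocks below are placeholders, not values from a real account."""
import ipaddress

# Placeholder ids for the three TR network instance connections (Steps 2 and 3).
ATT_VPC01 = "tr-attach-vpc01-PLACEHOLDER"
ATT_VPC02 = "tr-attach-vpc02-PLACEHOLDER"
ATT_CFW = "tr-attach-cfw-PLACEHOLDER"   # connection for Cfw-TR-manual-VPC
ENI_CFW = "cfw-bonding-eni"             # ENI that Cloud Firewall creates in Step 4

# Constructed CIDR blocks; the firewall VPC uses a /26, the longest prefix Step 1 allows.
VPC_CIDRS = {ATT_VPC01: "10.1.0.0/16", ATT_VPC02: "10.2.0.0/16", ATT_CFW: "10.9.0.0/26"}
TR_VSWITCHES = ("TR-vSwitch-01", "TR-vSwitch-02")  # vSwitches used by the TR connection
CFW_VSWITCH = "Cfw-vSwitch"                          # vSwitch used by the VPC Firewall


def lookup(routes, dst):
    """Longest-prefix match over {cidr: next_hop}; returns None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def tr_tables(firewall_enabled=True):
    """TR route tables.  'associations' lists the attachments whose inbound traffic a
    table forwards; 'routes' maps CIDR -> next-hop attachment.  With
    firewall_enabled=False the two VPCs are still associated with the system table,
    which is the state before Steps 12 to 14."""
    learned = {VPC_CIDRS[ATT_VPC01]: ATT_VPC01, VPC_CIDRS[ATT_VPC02]: ATT_VPC02}  # route learning, Step 6.5
    system = {"name": "system", "associations": {ATT_CFW}, "routes": learned}
    cfw_rt = {"name": "Cfw-TR-RouteTable", "associations": set(), "routes": {"0.0.0.0/0": ATT_CFW}}
    if firewall_enabled:
        cfw_rt["associations"] |= {ATT_VPC01, ATT_VPC02}    # Steps 12 to 14
    else:
        system["associations"] |= {ATT_VPC01, ATT_VPC02}    # default association
    return [system, cfw_rt]


def firewall_vpc_tables():
    """Firewall VPC route tables from Step 5, keyed by the vSwitch each one serves."""
    system_rt = {"0.0.0.0/0": ("ENI", ENI_CFW)}   # TR vSwitches keep the system route table
    custom_rt = {"0.0.0.0/0": ("TR", ATT_CFW)}    # VPC-CFW-RouteTable, associated with Cfw-vSwitch
    tables = {vs: system_rt for vs in TR_VSWITCHES}
    tables[CFW_VSWITCH] = custom_rt
    return tables


def trace(src_att, dst_ip, tr, vpc_tables, max_passes=8):
    """Follow one packet from attachment src_att towards dst_ip and return the hop list.
    The list ends with the destination attachment, a 'DROP: ...' reason, or 'LOOP'."""
    path, att = [src_att], src_att
    for _ in range(max_passes):
        table = next((t for t in tr if att in t["associations"]), None)
        if table is None:
            return path + [f"DROP: {att} has no associated TR route table"]
        path.append("TR:" + table["name"])
        next_att = lookup(table["routes"], dst_ip)
        if next_att is None:
            return path + ["DROP: no TR route"]
        if next_att != ATT_CFW:
            return path + [next_att]          # handed to the destination VPC
        # Diverted into the firewall VPC through a TR vSwitch (the primary one here) ...
        hop = lookup(vpc_tables[TR_VSWITCHES[0]], dst_ip)
        if hop is None or hop[0] != "ENI":
            return path + [TR_VSWITCHES[0], "DROP: TR vSwitch route does not point at the ENI"]
        path += [TR_VSWITCHES[0], hop[1]]     # inspected by the VPC Firewall
        # ... and sent back out of Cfw-vSwitch, whose custom table must point at the TR.
        back = lookup(vpc_tables[CFW_VSWITCH], dst_ip)
        if back is None or back[0] != "TR":
            return path + [CFW_VSWITCH, "DROP: Cfw-vSwitch route does not return to the TR"]
        path.append(CFW_VSWITCH)
        att = back[1]                          # re-enters the TR on the firewall connection
    return path + ["LOOP"]


def audit(tr, vpc_tables):
    """Return findings for both directions between VPC-01 and VPC-02; an empty list
    means traffic crosses the firewall exactly once in each direction."""
    findings = []
    for src, dst in ((ATT_VPC01, ATT_VPC02), (ATT_VPC02, ATT_VPC01)):
        dst_ip = str(ipaddress.ip_network(VPC_CIDRS[dst])[1])   # any host in the destination VPC
        path = trace(src, dst_ip, tr, vpc_tables)
        if path[-1] == "LOOP" or path[-1].startswith("DROP"):
            findings.append(f"{src} -> {dst}: {path[-1]}")
        elif path.count(ENI_CFW) != 1:
            findings.append(f"{src} -> {dst}: bypasses the VPC Firewall ({' > '.join(path)})")
    return findings


if __name__ == "__main__":
    print("after Step 6:", audit(tr_tables(True), firewall_vpc_tables()))
    print("before Steps 12 to 14:", audit(tr_tables(False), firewall_vpc_tables()))
```

Running the script prints an empty finding list for the completed configuration and two "bypasses the VPC Firewall" findings for the state before Steps 12 to 14, which is the same gap the traffic-log check in Step 7 would reveal. The model keeps the firewall connection on the system route table on purpose: if you associate it with Cfw-TR-RouteTable instead, the 0.0.0.0/0 route sends returned traffic straight back into the firewall VPC and trace() reports LOOP.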

Step 7: Verify the configuration

Check the Traffic Log feature for traffic logs from the CEN instance. If the system generates logs for traffic between VPC-01 and VPC-02, the forwarding configuration is successful. For more information, see Log analysis.