
Cloud Firewall:Protect traffic between VPCs connected by using a CEN transit router

Last Updated:Dec 22, 2023

If you use a Cloud Enterprise Network (CEN) transit router, you must manually configure routing between the transit router and a virtual private cloud (VPC) firewall before you can use the VPC firewall to protect traffic between the VPCs that are connected by using the transit router. This topic describes how to configure routing between a transit router and a VPC firewall.

Prerequisites

  1. A CEN instance is created in the CEN console. Two VPCs are created. In this topic, VPC-01 and VPC-02 are used. For more information, see Create a CEN instance.

  2. A VPC is created in the VPC console. In the following procedure, you create a VPC firewall for this VPC. In this topic, Cfw-TR-manual-VPC is used. In addition, three vSwitches are created in the VPC. In this topic, TR-Vswitch-01, TR-VSwitch-02, and Cfw-Vswitch are used. TR-Vswitch-01 and TR-VSwitch-02 are used by the transit router to connect to the network instance, which is Cfw-TR-manual-VPC. The zone of one of these vSwitches is the same as the primary zone that you select when you connect the network instance to the transit router, and the zone of the other is the same as the secondary zone that you select. Cfw-Vswitch is used by the VPC firewall that you create for Cfw-TR-manual-VPC.

  3. A custom route table is created for Cfw-TR-manual-VPC in the VPC console. In this topic, VPC-CFW-RouteTable is used.

Application scope

Cloud Firewall can protect the traffic between network instances that are connected by using CEN transit routers. The network instances include VPCs, virtual border routers (VBRs), and Cloud Connect Networks (CCNs).

If you want to protect the traffic between VPCs in the same region by using a VPC firewall, you can follow the procedure in this topic.

Step 1: Connect Cfw-TR-manual-VPC to a transit router

This step establishes a connection between Cfw-TR-manual-VPC and an Enterprise Edition transit router.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to a VPC firewall and click the ID of the instance.

  3. On the Basic Settings tab, find a CEN transit router and click Create Connection in the Actions column, or click the add icon to the right of VPC in the upper part of the tab.

  4. On the Connection with Peer Network Instance page, configure the parameters.

    Parameter description:

    • Network Type: The type of the network instance that you want to connect to the CEN instance. In this example, select VPC.

    • Region: The region where the network instance resides. In this example, select the region that you specified when you created Cfw-TR-manual-VPC.

    • Networks: The network instance that you want to connect to the CEN instance. In this example, select the ID of Cfw-TR-manual-VPC.

    • VSwitch: The vSwitches that you can bind to the network instance. In this example, select TR-Vswitch-01 as the primary vSwitch and TR-VSwitch-02 as the secondary vSwitch.

    For more information about other parameters, see Use an Enterprise Edition transit router to connect VPCs.

Step 2: Connect VPC-01 and VPC-02 to the transit router

This step establishes a connection between VPC-01 and the transit router and a connection between VPC-02 and the transit router. This way, both VPCs are connected to the transit router.

For more information, see Use an Enterprise Edition transit router to connect VPCs.

Step 3: Create a VPC firewall

This step creates a VPC firewall for Cfw-TR-manual-VPC.

To create a VPC firewall, log on to the Cloud Firewall console, choose Firewall Settings > Firewall Settings. On the page that appears, click the VPC Firewall tab. On the VPC Firewall tab, click the CEN tab, find Cfw-TR-manual-VPC, and then click Create in the Actions column. In the Create VPC Firewall dialog box, select Manual for Routing Mode, Cfw-TR-manual-VPC for VPC, and Cfw-Vswitch for vSwitch. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

Note

After this step is complete, an elastic network interface (ENI) named cfw-bonding-eni is created. To view the ENI, log on to the ECS console and choose Network & Security > ENIs.

Step 4: Create routes for VPC-01 and VPC-02

This step creates routes between the CEN instance and the VPC firewall.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to the VPC firewall and click the ID of the instance.

  3. On the Transit Router tab, find a transit router and click the number in the Route Table column. The Route Table tab appears.

  4. On the Route Table tab, click Create Route Table at the top of the left-side route table list. In the Create Route Table dialog box, configure the parameters.

    Retain the default value for Transit Router. Set the Name parameter to Cfw-TR-RouteTable.

    The Cfw-TR-RouteTable route table is used to forward traffic from VPC-01 and VPC-02 to Cfw-TR-manual-VPC.

  5. Click the Cfw-TR-RouteTable route table. Then, click Add Route Entry. In the Add Route Entry dialog box, configure the parameters.

    Parameter description:

    • Destination CIDR: Retain the default value 0.0.0.0/0.

    • Blackhole Route: Retain the default value No.

    • Next Hop: Select Cfw-TR-manual-VPC.

    After you add the route, traffic from the Cfw-TR-RouteTable route table is forwarded to Cfw-TR-manual-VPC.

  6. On the Route Table tab, click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.

  7. On the Route Table Association tab, delete the associated forwarding correlations (route table associations) that were created for VPC-01 and VPC-02. Traffic from the two VPCs must be routed by Cfw-TR-RouteTable rather than by the system route table. Then, on the Route Table tab, click the Cfw-TR-RouteTable route table in the left-side route table list.

  8. In the Route Table Details section, click the Route Table Association tab and click Create Association.

  9. In the Add Association dialog box, select VPC-01 and VPC-02 for Association and click OK.

    After the associated forwarding correlations are created, the traffic from the two VPCs is forwarded to the Cfw-TR-RouteTable route table.

  10. On the Route Table tab, click the system route table in the left-side route table list.

  11. In the Route Table Details section, click the Route Propagation tab.

  12. On the Route Propagation tab, create route learning correlations for VPC-01 and VPC-02. To create a route learning correlation for VPC-01, select VPC-01 for Attachment. To create a route learning correlation for VPC-02, select VPC-02 for Attachment.

    After route learning correlations are created, the system learns routes from VPC-01 and VPC-02.

    In addition, you can view the information about the routes that the system learns on the Route Entry tab.

  13. Click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.

  14. On the Route Table Association tab, click Create Association.

  15. In the Add Association dialog box, select Cfw-TR-manual-VPC for Association.

After this step is complete, the routes between the CEN instance and the VPC firewall are created, and traffic can be forwarded to Cfw-TR-manual-VPC.

Step 5: Configure route tables for the VPC firewall

This step redirects the traffic from Cfw-TR-manual-VPC to the VPC firewall.

  1. Log on to the VPC console.

  2. On the Route Tables page, click the name of the VPC-CFW-RouteTable route table. On the Associated vSwitch tab of the page that appears, click Associate vSwitch. In the Associate vSwitch dialog box, select Cfw-Vswitch for vSwitch. Then, click OK.

  3. On the Route Entry List tab, click the Custom Route tab. On the Custom Route tab, click Add Route Entry. In the panel that appears, configure the parameters.

    Parameter description:

    • Destination CIDR Block: Specify 0.0.0.0/0.

    • Next Hop Type: Select Transit Router.

    • Transit Router: Retain the default value, which specifies the network instance connection of Cfw-TR-manual-VPC for which the VPC firewall is created.

    After this operation is complete, the outbound traffic of the VPC firewall is forwarded to the CEN transit router.

  4. On the Route Tables page, click the name of the system route table that is created for Cfw-TR-manual-VPC.

  5. On the page that appears, click the Route Entry List tab and then click the Custom Route tab.

  6. Click Add Route Entry. In the Add Route Entry panel, configure the parameters.

    Parameter description:

    • Destination CIDR Block: Specify 0.0.0.0/0.

    • Next Hop Type: Select Secondary ENI.

    • Secondary ENI: Select cfw-bonding-eni.

  7. On the Custom Route tab, delete all other custom route entries so that no more specific route bypasses cfw-bonding-eni. To delete a custom route entry, click Delete in the Actions column.

    After this step is complete, the traffic from Cfw-TR-manual-VPC is redirected to the VPC firewall.
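As an added illustration that is not part of this topic, the following Python model encodes the route tables produced by Step 4 and Step 5 and walks a packet from VPC-01 to VPC-02 through them, so you can confirm that every path traverses cfw-bonding-eni. The VPC CIDRs are constructed, and the reassociated=False switch models the common mistake of leaving VPC-01 and VPC-02 associated with the transit router system route table, which bypasses the firewall.

```python
import ipaddress

# Constructed addressing: the topic names the VPCs but gives no CIDRs.
VPC_CIDRS = {"VPC-01": "10.1.0.0/16", "VPC-02": "10.2.0.0/16"}
FW_VPC, FW_ENI = "Cfw-TR-manual-VPC", "cfw-bonding-eni"

def lookup(table, dst):
    """Longest-prefix match over [(cidr, next_hop), ...]; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), nh) for c, nh in table if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build_config(reassociated=True):
    """Route tables as left by Steps 4 and 5. reassociated=False models skipping
    Step 4.7-4.9, i.e. VPC-01/VPC-02 still associated with the TR system table."""
    tr_tables = {
        "Cfw-TR-RouteTable": [("0.0.0.0/0", FW_VPC)],              # Step 4.5
        "system": [(c, v) for v, c in VPC_CIDRS.items()],          # Step 4.12: learned routes
    }
    src_table = "Cfw-TR-RouteTable" if reassociated else "system"
    tr_assoc = {"VPC-01": src_table, "VPC-02": src_table, FW_VPC: "system"}  # Steps 4.7-4.15
    vpc_tables = {
        "system": [("0.0.0.0/0", FW_ENI)],             # Step 5.6: TR vSwitches -> firewall ENI
        "VPC-CFW-RouteTable": [("0.0.0.0/0", "TR")],   # Step 5.3: Cfw-Vswitch -> transit router
    }
    return tr_tables, tr_assoc, vpc_tables

def trace(src_vpc, dst, cfg, max_hops=8):
    """Return the hop list for a packet from src_vpc to dst; ends in a VPC, DROP or LOOP."""
    tr_tables, tr_assoc, vpc_tables = cfg
    hops, attachment = [src_vpc], src_vpc
    for _ in range(max_hops):
        table = tr_assoc[attachment]
        nh = lookup(tr_tables[table], dst)
        hops.append(f"TR[{table}]")
        if nh is None:
            return hops + ["DROP"]
        if nh != FW_VPC:
            return hops + [nh]                     # delivered into the destination VPC
        # Packet lands in Cfw-TR-manual-VPC on TR-Vswitch-01/02 (system route table).
        if lookup(vpc_tables["system"], dst) != FW_ENI:
            return hops + [FW_VPC, "DROP"]
        hops += [FW_VPC, FW_ENI]                   # the VPC firewall inspects here
        # Firewall egress on Cfw-Vswitch uses VPC-CFW-RouteTable back to the TR.
        if lookup(vpc_tables["VPC-CFW-RouteTable"], dst) != "TR":
            return hops + ["DROP"]
        attachment = FW_VPC
    return hops + ["LOOP"]

def is_inspected(hops):
    """True only when the path traverses the firewall ENI and is delivered to a VPC."""
    return FW_ENI in hops and hops[-1] in VPC_CIDRS
```

Running trace("VPC-01", "10.2.0.5", build_config()) yields VPC-01, TR[Cfw-TR-RouteTable], Cfw-TR-manual-VPC, cfw-bonding-eni, TR[system], VPC-02, whereas the reassociated=False configuration delivers the packet in two hops without ever touching the ENI.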

Step 6: Check whether the forwarding configuration is successful

You can go to the Traffic Logs tab of the Log Audit page to check whether the traffic logs of the CEN instance are recorded. If the traffic logs are recorded, the forwarding configuration is successful. For more information, see Traffic logs.