
Cloud Firewall: Best practices for VPC firewall changes when upgrading a Basic Edition transit router

Last Updated: Nov 10, 2025

VPC firewalls are created based on the network architecture of Cloud Enterprise Network (CEN). If you upgrade a Basic Edition transit router in CEN to an Enterprise Edition transit router, you must also update the VPC firewall to adapt to the new network architecture. This topic describes how to update the VPC firewall to protect traffic on the upgraded Enterprise Edition transit router.

Differences before and after the change

The following comparison describes the differences between a VPC firewall created for a Basic Edition transit router and one created for an Enterprise Edition transit router after an upgrade. For each comparison item, the Basic Edition behavior is listed first, followed by the Enterprise Edition behavior.

Protection scope

  VPC firewall for a Basic Edition transit router

  Protected:

    • Traffic between VPCs in the same region

    • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router

    • Traffic between a VPC and a virtual border router (VBR) or a data center

    • Traffic between a VPC and a Cloud Connect Network (CCN) instance

  Not protected:

    • Traffic between VBRs

    • Traffic between a VBR and a CCN instance

    • Traffic between CCN instances

  VPC firewall for an Enterprise Edition transit router

  Protected:

    • Traffic between VPCs in the same region

    • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router

    • Traffic between a VPC and a virtual border router (VBR) or a data center

    • Traffic between a VPC and a Cloud Connect Network (CCN) instance

    • Traffic between VBRs

    • Traffic between a VBR and a CCN instance

    • Traffic between a VPC and a public VPN gateway

  Not protected:

    • Traffic between CCN instances

Granularity for enabling the VPC firewall

  Basic Edition: The VPC firewall is enabled for each VPC instance.

  Enterprise Edition: The VPC firewall is enabled for each Enterprise Edition transit router.

Impact of enabling and disabling the VPC firewall

  Basic Edition:

    • Creating a VPC firewall, or deleting one after it has been disabled, does not affect your workloads. Creation takes approximately 5 minutes.

    • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of routes. Persistent connections may be interrupted for several seconds. Short-lived connections are not affected.

      Note

      Before you enable a VPC firewall, we recommend that you check whether your application automatically re-establishes TCP connections, and that you watch the connection status of your application while the firewall is being enabled. This helps avoid connection interruptions.

  Enterprise Edition, automatic traffic redirection:

    • Creating a VPC firewall, or deleting one after it has been disabled, does not affect your workloads. Creation takes approximately 5 minutes.

    • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of routes. Your workloads are not affected.

  Enterprise Edition, manual traffic redirection:

    • Creating a VPC firewall, or deleting one after it has been disabled, does not affect your workloads. Creation takes approximately 5 minutes.

    • When you enable or disable a VPC firewall, the period during which your workloads are affected depends on how you redirect the traffic.

CIDR block planning for traffic redirection

  Basic Edition: You must allocate a CIDR block to the Cloud Firewall VPC (Cloud_Firewall_VPC) and its vSwitch, which Cloud Firewall creates automatically for traffic redirection. The vSwitch subnet is allocated from the VPC CIDR block. Its subnet mask must be 29 bits or shorter, and it must not conflict with your planned network CIDR blocks.

  For the vSwitches of the service VPCs that require traffic redirection protection, Cloud Firewall automatically allocates the elastic network interfaces (ENIs) that traffic redirection uses. If your services are sensitive to latency, you can specify a zone for the service VPC to reduce network latency.

  Enterprise Edition: Configure the VPC CIDR block and zone for the firewall. Enter a CIDR block whose mask is 27 bits or shorter and that does not conflict with your network plan. This CIDR block is allocated to the vSwitch that is required to create the firewall.

Traffic redirection method

  Basic Edition: Traffic between the service VPC for which the VPC firewall is enabled and other network elements is redirected to the VPC firewall by default.

  Enterprise Edition: Before you create a VPC firewall for an Enterprise Edition transit router, determine the traffic redirection mode (automatic or manual). If you use automatic traffic redirection, choose the traffic redirection scenario that suits your services:

    • Instance-Instance: Cloud Firewall manages traffic between two network elements. This option is suitable for simple network topologies.

    • Instance To Instances: Cloud Firewall manages traffic between one network element and multiple network elements. This option is suitable for star network topologies. If you select this option, you can set Instance Type to ALL for the secondary instance so that Cloud Firewall manages all traffic of the primary instance. This configuration is equivalent to the traffic redirection scenario of a VPC firewall created for a Basic Edition transit router.

      Important

      If a routing policy whose Routing Policy Action is set to Deny is associated with the route table of the transit router, the Instance To Instances type is not supported. We recommend that you select the Interconnected Instances type instead.

    • Interconnected Instances: Cloud Firewall manages traffic among multiple network elements. This option is suitable for full-mesh network topologies.
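The CIDR planning rules above (a mask of 27 bits or shorter for the firewall VPC block of an Enterprise Edition transit router, 29 bits or shorter for the vSwitch subnet of a Basic Edition one, and no overlap with any planned network block) are easy to get wrong when the address plan is large. The following Python script is an added example written for this page; it is not Cloud Firewall's own validation. The planned CIDR blocks and the reserved pool are constructed sample values, and the helper names are the author's own.

```python
import ipaddress

# Constructed sample values for this example: CIDR blocks already used by
# service VPCs, a data center and a VBR in the network plan.
PLANNED_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12", "192.168.100.0/24"]

# Longest prefix the page allows for the block handed to Cloud Firewall:
# /27 for the firewall VPC of an Enterprise Edition transit router,
# /29 for the vSwitch subnet of a Basic Edition one.
MAX_PREFIXLEN = {"enterprise": 27, "basic": 29}


def check_firewall_cidr(candidate, planned_cidrs, edition="enterprise"):
    """Return a list of problems with a candidate block for Cloud_Firewall_VPC.

    An empty list means the candidate satisfies both rules: the mask is
    short enough and the block does not overlap any planned CIDR block.
    """
    problems = []
    try:
        # strict=True rejects host bits set in the network part (10.0.5.1/27).
        cand = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {candidate!r}: {exc}"]
    limit = MAX_PREFIXLEN[edition]
    if cand.prefixlen > limit:
        problems.append(f"{cand} is a /{cand.prefixlen}; the mask must be /{limit} or shorter")
    for planned in planned_cidrs:
        net = ipaddress.ip_network(planned, strict=False)
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps planned block {net}")
    return problems


def check_vswitch_in_vpc(vpc_cidr, vswitch_cidr):
    """The firewall vSwitch subnet must be carved out of the firewall VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    vsw = ipaddress.ip_network(vswitch_cidr, strict=False)
    return vsw.subnet_of(vpc)


def find_free_cidr(reserved_pool, planned_cidrs, prefixlen=27):
    """Walk a pool reserved for infrastructure (constructed example: 10.255.0.0/16)
    and return the first /prefixlen subnet that overlaps nothing in the plan."""
    pool = ipaddress.ip_network(reserved_pool, strict=False)
    planned = [ipaddress.ip_network(p, strict=False) for p in planned_cidrs]
    for sub in pool.subnets(new_prefix=prefixlen):
        if not any(sub.overlaps(n) for n in planned):
            return str(sub)
    return None


if __name__ == "__main__":
    for cand in ["10.0.5.0/27", "10.255.0.0/28", "10.255.0.0/27"]:
        print(cand, check_firewall_cidr(cand, PLANNED_CIDRS) or "ok")
    print("suggested firewall VPC block:", find_free_cidr("10.255.0.0/16", PLANNED_CIDRS))
```

Run it against the real address plan before you create the firewall; an overlap that slips through is only discovered after the firewall VPC has been created, at which point the firewall must be deleted and recreated.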

Precautions

  • If the route table of the transit router lacks the default routing policy with a priority of 5000, or if that policy does not include the newer VPN Gateway or Express Connect Router (ECR) instance types, the check fails when you enable the VPC firewall for the Enterprise Edition transit router. In this case, submit a ticket to Cloud Enterprise Network and request that technical support refresh the default routing policy with a priority of 5000.

  • After the upgrade, the access control policies of the existing VPC firewall for the Basic Edition transit router are retained.

    Important
    • When you enable the VPC firewall for the Enterprise Edition transit router, check whether the configured access control policies in Cloud Firewall allow normal communication between the redirected network elements. If you add new network elements, you must also add corresponding access control policies.

    • After you upgrade a Basic Edition transit router to an Enterprise Edition transit router, note the following routing-related items before you configure automatic traffic redirection for the VPC firewall. This helps prevent traffic redirection failures or route propagation exceptions:

      • The next hop of a cross-region Alibaba Cloud service route must be a TR connection instance: If an Alibaba Cloud service route in the route table of a transit router has a cross-region connection as its next hop, replace the next hop with the corresponding cross-region TR connection instance. Otherwise, the creation of the automatic traffic redirection scenario may fail.

      • VPC instance routes may cause unintended propagation: If the next hop of an Alibaba Cloud service route entry is a VPC instance, the automatic traffic redirection process replaces it with the corresponding TR connection for that VPC. This action may trigger route propagation to the selected network instances for traffic redirection, including cross-region TR connections. If this propagation is not required, you can use routing policies to restrict it.

      • Custom routing policies must be synchronized to the dedicated firewall route table: If custom routing policies are configured for the transit router, you must add the same policies to the TR route table Cloud_Firewall_ROUTE_TABLE that is associated with the firewall VPC. You must add these policies after you create the VPC firewall but before you create the automatic traffic redirection scenario. Otherwise, the traffic redirection may fail or route forwarding exceptions may occur.
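The routing conditions listed in the precautions (a default routing policy with priority 5000 that covers the VPN Gateway and ECR instance types, no Deny policy when the Instance To Instances scenario is used, Alibaba Cloud service routes whose next hop is a cross-region connection or a VPC, and custom routing policies mirrored into Cloud_Firewall_ROUTE_TABLE) can be checked from an export of the route tables before you run the one-click check in the console. The following Python script is an added example written for this page, not Cloud Firewall's one-click check. Its data model (the RoutingPolicy, Route and RouteTable classes, the instance type labels such as "VPN" and "ECR", and the next hop type labels) is a constructed simplification and not the CEN API schema; the two sample route tables are constructed.

```python
from dataclasses import dataclass

# Constructed data model for this example. Field names and the instance type /
# next hop type labels are illustrative, not the CEN API schema.

@dataclass(frozen=True)
class RoutingPolicy:
    priority: int
    action: str                # "Allow" or "Deny"
    instance_types: frozenset  # source instance types the policy matches

@dataclass(frozen=True)
class Route:
    cidr: str
    kind: str           # "service" = Alibaba Cloud service route, "custom" = your own
    next_hop_type: str  # "TrConnection", "CrossRegionConnection" or "VPC"
    next_hop: str

@dataclass
class RouteTable:
    name: str
    policies: list
    routes: list

DEFAULT_POLICY_PRIORITY = 5000
# The default policy must include the newer instance types or the check fails.
REQUIRED_DEFAULT_TYPES = frozenset({"VPN", "ECR"})


def preflight(tr_table, fw_table, scenario="Instance To Instances"):
    """Return (severity, message) findings for enabling automatic redirection.

    tr_table is the transit router route table; fw_table is the dedicated
    Cloud_Firewall_ROUTE_TABLE that was created together with the VPC firewall.
    """
    findings = []

    # 1. Default routing policy with priority 5000 present and up to date.
    default = [p for p in tr_table.policies if p.priority == DEFAULT_POLICY_PRIORITY]
    if not default:
        findings.append(("fail", f"{tr_table.name}: no default routing policy with priority {DEFAULT_POLICY_PRIORITY}; open a ticket to have CEN refresh it"))
    else:
        missing = REQUIRED_DEFAULT_TYPES - default[0].instance_types
        if missing:
            findings.append(("fail", f"{tr_table.name}: default policy lacks instance types {sorted(missing)}; open a ticket to have CEN refresh it"))

    # 2. A Deny policy rules out the Instance To Instances scenario.
    if scenario == "Instance To Instances" and any(p.action == "Deny" for p in tr_table.policies):
        findings.append(("fail", "a routing policy with action Deny exists; Instance To Instances is not supported, select Interconnected Instances"))

    # 3. Next hops of Alibaba Cloud service routes.
    for r in tr_table.routes:
        if r.kind != "service":
            continue
        if r.next_hop_type == "CrossRegionConnection":
            findings.append(("fail", f"service route {r.cidr}: next hop {r.next_hop} is a cross-region connection; replace it with the cross-region TR connection instance"))
        elif r.next_hop_type == "VPC":
            findings.append(("warn", f"service route {r.cidr}: next hop is VPC {r.next_hop}; automatic redirection rewrites it to that VPC's TR connection and may propagate the route, restrict with a routing policy if unwanted"))

    # 4. Custom routing policies must also exist in Cloud_Firewall_ROUTE_TABLE.
    custom = {p for p in tr_table.policies if p.priority != DEFAULT_POLICY_PRIORITY}
    for p in sorted(custom - set(fw_table.policies), key=lambda p: p.priority):
        findings.append(("fail", f"custom routing policy priority {p.priority} ({p.action}) is missing from {fw_table.name}; add it before creating the redirection scenario"))
    return findings


def ready(findings):
    """True when nothing of severity 'fail' was found; warnings are advisory."""
    return not any(sev == "fail" for sev, _ in findings)


# Constructed sample: a transit router route table right after the upgrade and
# the firewall route table as created, before any custom policy was mirrored.
TR_TABLE = RouteTable(
    "vtb-tr-main",
    policies=[
        RoutingPolicy(5000, "Allow", frozenset({"VPC", "VBR", "CCN", "VPN", "ECR"})),
        RoutingPolicy(100, "Deny", frozenset({"VBR"})),
    ],
    routes=[
        Route("100.64.0.0/10", "service", "CrossRegionConnection", "cr-conn-to-cn-beijing"),
        Route("100.100.0.0/16", "service", "VPC", "vpc-app-a"),
        Route("10.0.0.0/16", "custom", "TrConnection", "tr-attach-vpc-app-a"),
    ],
)
FW_TABLE = RouteTable(
    "Cloud_Firewall_ROUTE_TABLE",
    policies=[RoutingPolicy(5000, "Allow", frozenset({"VPC", "VBR", "CCN", "VPN", "ECR"}))],
    routes=[],
)

if __name__ == "__main__":
    for sev, msg in preflight(TR_TABLE, FW_TABLE):
        print(f"[{sev}] {msg}")
    print("ready:", ready(preflight(TR_TABLE, FW_TABLE)))
```

The order of the checks mirrors the order in which you must fix things: the default policy and the Deny policy decide whether the firewall can be created at all, the service route next hops must be corrected before the redirection scenario is created, and the custom policies are mirrored after the firewall exists but before the scenario is created.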

Solution overview

The following network architecture diagrams show the network changes before and after the upgrade:

image

Detailed plan:

You must first understand the impact of enabling and disabling the VPC firewall on your services. For more information, see the Impact of enabling and disabling the VPC firewall item in the comparison above.

  1. Delete the existing VPC firewall for the Basic Edition transit router: Before you upgrade to an Enterprise Edition transit router, you must disable and delete the VPC firewall for the Basic Edition transit router.

    Before you delete the VPC firewall for the Basic Edition transit router, you must first disable it. This removes the routes that redirect traffic to Cloud Firewall. Then, you must manually delete the VPC firewall.

  2. Upgrade the Basic Edition transit router to an Enterprise Edition transit router: After the upgrade is successful, wait for the assets of the Enterprise Edition transit router to be automatically synchronized by CEN. The time required for route learning depends on the number of your route entries. You can also manually synchronize the assets. We recommend that you perform this operation during off-peak hours.

    Before you upgrade the network architecture for your services, you must understand how Basic Edition and Enterprise Edition transit routers work. For more information, see How transit routers work.

  3. Create a VPC firewall for the Enterprise Edition transit router: You can first use the one-click check feature to check for routing errors. Then, create the VPC firewall. We recommend that you use the automatic traffic redirection mode.

    If the upgrade fails, you must start the emergency rollback plan. For more information, see FAQ.

1. Delete the existing VPC firewall for the Basic Edition transit router

Important

Disabling the VPC firewall for the Basic Edition transit router causes transient interruptions to service traffic.

  1. Log on to the Cloud Firewall console. In the navigation pane on the left, click Firewall Switch.

  2. On the VPC Firewall page, click the CEN (Basic Edition) tab. Disable all VPC firewalls under the Basic Edition transit router that you want to upgrade.


    To disable multiple VPC firewalls, you can use the Batch Disable feature.

  3. In the Actions column, click Delete to delete the VPC firewall.

    You can delete VPC firewalls only one by one. Batch deletion is not supported.

2. Upgrade the Basic Edition transit router to an Enterprise Edition transit router

  • During the upgrade, all dynamic routes that virtual private clouds (VPCs) learn from Cloud Enterprise Network (CEN) are converted to custom routes whose next hops point to the Enterprise Edition transit router. The conversion does not affect your services.

    After the upgrade, the Enterprise Edition transit router does not advertise routes to VPCs. You can enable route synchronization for VPCs to allow the Enterprise Edition transit router to automatically advertise routes to the VPCs. For more information, see Route synchronization.

  • Basic Edition transit routers in the following regions can be upgraded to the Enterprise Edition transit router.

For more information about how to upgrade a Basic Edition transit router to an Enterprise Edition transit router, see Upgrade a Basic Edition transit router.

3. Create a VPC firewall for the Enterprise Edition transit router

  1. In the Cloud Firewall console, go to the Cloud Enterprise Network (Enterprise Edition) tab of the VPC Firewall page.

  2. If the Enterprise Edition transit router instance that you want to protect is not synchronized to Cloud Firewall, click Sync Asset.

  3. Find the Enterprise Edition transit router instance that you want to protect. In the Actions column, click Create. Select Automatic and then perform a one-click check to verify whether the current asset meets the conditions for enabling the VPC firewall.

    You can also select the manual traffic redirection mode as needed. This topic uses the automatic traffic redirection mode as an example.


    After the check is complete, review the diagnostic details. If any check items fail, you must make corrections based on the suggestions provided by Cloud Firewall. Then, perform the one-click check again until all check items pass.

  4. Create the VPC firewall.


    Important

    The VPC instance CIDR block allocated to the VPC firewall cannot conflict with your service CIDR blocks. When you select a zone for the vSwitch, we recommend that you select the nearest zone to reduce the network latency of traffic that passes through Cloud Firewall.

  5. Create a traffic redirection scenario.

    The following example shows how to create a point-to-multipoint traffic redirection scenario.


  6. After the traffic redirection scenario is created, Cloud Firewall can protect the traffic between the network instances connected to the Enterprise Edition transit router.

    The traffic redirection process is time-consuming and is expected to be complete within 30 minutes.

    For more information about how to create a VPC firewall, see Configure a VPC firewall for an Enterprise Edition transit router.

FAQ

What do I do if the upgrade fails?

If the upgrade fails, you must start the emergency rollback plan:

  1. Disable the traffic redirection mode for the Enterprise Edition transit router and delete the created VPC firewall for the Enterprise Edition transit router.

    We recommend that you use route rollback to disable the newly created traffic redirection scenario.


  2. Troubleshoot the issues with the Enterprise Edition transit router and the VPC firewall instance.

  3. After the issues are resolved, create the VPC firewall for the Enterprise Edition transit router again.