If your network instances (such as VPCs, VBRs, and CCNs) are connected through an Enterprise Edition transit router, you can use a vpc firewall to protect traffic between these instances and secure your assets. This topic describes how to create and manage a vpc firewall for an Enterprise Edition transit router.
How it works
Protection mechanism
After you enable a vpc firewall, Cloud Firewall filters traffic between VPCs by using features such as deep packet inspection (DPI), intrusion prevention, threat intelligence, virtual patching, and access control policies. Based on the inspection results, Cloud Firewall determines whether to allow the traffic. This blocks unauthorized access and secures traffic between your private network assets.
The following figure shows an example of how a vpc firewall protects an Enterprise Edition transit router.
For more information about the protection scope, see What is Cloud Firewall?
Impact on your business
You can create a vpc firewall and set a traffic redirection mode (automatic or manual) to protect your assets without disrupting your business. The creation process takes about 5 minutes. We recommend that you enable the vpc firewall during off-peak hours.
In automatic traffic redirection mode, enabling or disabling the vpc firewall takes about 5 to 30 minutes, depending on the number of route entries. This does not affect your business.
In manual traffic redirection mode, the duration of business impact when you enable or disable the vpc firewall depends on your traffic switching method.
Limitations
When you enable a vpc firewall, Cloud Firewall creates a new VPC instance named Cloud_Firewall_VPC. Ensure that you have a sufficient VPC quota. For more information about VPC quotas, see Limits and quotas.
The automatic traffic redirection mode does not support the following scenarios:
The route table of the Enterprise Edition transit router contains static routes, excluding static routes to the 100.64.0.0/10 CIDR block and its subnets.
Using multiple traffic redirection scenarios for VPC, VBR, and transit router (TR) instances at the same time.
Adding a Basic Edition transit router to the traffic redirection mode.
The transit router has a route conflict.
A VPC uses the prefix list feature.
A vpc firewall cannot protect traffic from a VPN gateway (such as an IPsec-VPN or SSL-VPN gateway) that is directly connected to a VPC. However, the vpc firewall can protect traffic from an IPsec-VPN connection that is attached to a transit router. For more information, see IPsec-VPN application scenarios (attached to a transit router).
A vpc firewall does not protect IPv6 traffic.
Traffic destined for the cloud service CIDR block (100.64.0.0/10) and traffic that matches routes with a 32-bit subnet mask are not redirected to the vpc firewall for protection.
You must maintain the following configurations:
Routing policies in the CEN-TR route table. For example, you must manually configure and maintain the route priority policy for VBRs in the TR route table of the vpc firewall.
Static routes for the cloud service CIDR block (100.64.0.0/10).
Route learning in the system route table.
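A pre-check for the limitations above, written here as an added example and not Cloud Firewall's own tooling: given a constructed copy of a transit router route table, it flags static routes outside 100.64.0.0/10 and duplicate destinations (treated as a route conflict, which is an assumption of this example), and lists the entries whose traffic the vpc firewall will not see (the cloud service CIDR block, /32 routes, IPv6). The "destination" and "type" field names are assumptions, not a CEN API schema.

```python
import ipaddress

# Static routes into the cloud service CIDR block are tolerated by automatic
# mode, and traffic to this block is never redirected to the VPC firewall.
CLOUD_SERVICE_CIDR = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of an Enterprise Edition transit router route table.
# The "destination"/"type" keys are assumptions for this example, not a CEN API schema.
SAMPLE_ROUTES = [
    {"destination": "10.1.0.0/16", "type": "System"},
    {"destination": "10.2.0.0/16", "type": "System"},
    {"destination": "100.64.0.0/10", "type": "Static"},
    {"destination": "100.100.0.0/16", "type": "Static"},   # subnet of 100.64.0.0/10
    {"destination": "172.16.0.0/12", "type": "Static"},    # blocks automatic mode
    {"destination": "10.1.5.9/32", "type": "System"},      # /32: not redirected
    {"destination": "10.2.0.0/16", "type": "Static"},      # duplicate destination
    {"destination": "2001:db8::/32", "type": "System"},    # IPv6: not protected
]


def check_automatic_mode(routes):
    """Return (issues that block automatic mode, destinations the firewall will not see)."""
    issues, not_redirected, seen = [], [], set()
    for route in routes:
        net = ipaddress.ip_network(route["destination"], strict=False)
        if net.version == 6:
            # The VPC firewall does not protect IPv6 traffic.
            not_redirected.append(str(net))
            continue
        # Static routes are a blocker unless they point into 100.64.0.0/10.
        if route["type"] == "Static" and not net.subnet_of(CLOUD_SERVICE_CIDR):
            issues.append(f"static route {net} outside {CLOUD_SERVICE_CIDR}")
        # Assumption: the same destination appearing twice is a route conflict.
        if str(net) in seen:
            issues.append(f"route conflict on {net}")
        seen.add(str(net))
        # Cloud service CIDR traffic and /32 routes bypass the firewall.
        if net.subnet_of(CLOUD_SERVICE_CIDR) or net.prefixlen == 32:
            not_redirected.append(str(net))
    return issues, not_redirected


if __name__ == "__main__":
    found, skipped = check_automatic_mode(SAMPLE_ROUTES)
    for line in found:
        print("BLOCKER:", line)
    for dest in skipped:
        print("NOT REDIRECTED:", dest)
```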
Create a VPC firewall and configure traffic redirection
Prerequisites
You have purchased Cloud Firewall Enterprise Edition, Ultimate Edition, or Pay-As-You-Go. For more information, see Purchase Cloud Firewall.
Note: Only Cloud Firewall Enterprise Edition, Ultimate Edition, and Pay-As-You-Go support configuring a vpc firewall for an Enterprise Edition transit router. Premium Edition does not support this feature.
You have authorized Cloud Firewall to access your cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.
You have purchased a CEN instance and used an Enterprise Edition transit router to establish network connections between VPCs or between on-premises and cloud networks. For more information, see Connect on-premises and cloud networks and Connect VPCs across accounts.
Note: If a VPC in your CEN instance belongs to a different Alibaba Cloud account and that account has not authorized Cloud Firewall, you cannot create the vpc firewall. To create the vpc firewall, log in to the Cloud Firewall console with the corresponding account to grant authorization. For more information, see Authorize Cloud Firewall to access other cloud resources.
Ensure that your network resources are in regions supported by the vpc firewall. Otherwise, you cannot enable the vpc firewall. For more information, see Supported regions.
Procedure
You cannot roll back or pause the process of enabling a VPC firewall. If an exception occurs, the system automatically rolls back the process.
Log in to the Cloud Firewall console. In the left-side navigation pane, click Firewall.
On the Firewall page, click VPC Firewall.
On the VPC Firewall tab, click CEN (Enterprise Edition).
Find the transit router under the target CEN instance, and click Create in the Actions column.
If the asset you want to protect is not in the asset list, click Synchronize Assets to sync assets from your Alibaba Cloud account and its member accounts.
Important: In automatic mode, if your Cloud Firewall is a Pay-As-You-Go instance or a subscription instance with elastic pay-as-you-go enabled, Cloud Firewall covers the network TR traffic fees for traffic returned to the Enterprise Edition transit router after it is processed by the vpc firewall. You are not charged these fees, and this process does not consume your VPC quota.
In manual mode, you are charged network TR traffic fees for traffic returned to the Enterprise Edition transit router after it is processed by the vpc firewall.
Automatic (recommended)
In automatic mode, you can create traffic redirection scenarios for your network instances based on your business requirements. The vpc firewall automatically configures routes on the Enterprise Edition transit router and creates an elastic network interface to redirect traffic to the vpc firewall.
In the Create VPC Firewall panel, configure the vpc firewall parameters as described in the following table. Then, click Check Now. After the check is complete, click Next.
Parameter
Description
Firewall Basic Information
Firewall Name: The name of the vpc firewall. The name identifies the vpc firewall instance. We recommend that you enter a meaningful name based on your business and make sure that the name is unique.
VPC Configurations of Firewall
VPC CIDR Block of Firewall: Assign a VPC CIDR block to Cloud Firewall. To ensure proper operation, assign a CIDR block with a subnet mask of at least /27 that does not conflict with your network plan.
Configure Zone:
Note: If you select Default (Auto-assigned) for both the primary and secondary zones, the active-active mode is enabled. This mode is easy to configure and ideal for scenarios with latency-insensitive service traffic.
If you specify a primary zone and a secondary zone, the active-passive mode is used. This mode is suitable for scenarios where service traffic is sensitive to latency and helps reduce traffic latency.
For more information about the active-active and active-passive modes and the migration steps, see Best practices for migrating VPC firewall zones.
Primary Zone: Set the primary zone. Cloud Firewall supports default allocation of vSwitch zones.
Important: If your services are latency-sensitive, we recommend that you set the Primary Zone to the zone where your services are deployed to reduce latency.
Secondary Zone: Set the secondary zone. By default, the vpc firewall forwards traffic through the elastic network interface (ENI) in the primary zone for efficiency. If the primary zone becomes unavailable, the system automatically switches to the ENI in the secondary zone to ensure business continuity.
IPS
Select the operating mode and intrusion prevention policy for the Intrusion Prevention System (IPS) module.
IPS Mode
Monitor Mode: Monitors and generates alerts for malicious traffic.
Block Mode: Intercepts malicious traffic to block intrusions.
IPS Capabilities
Basic Rules: Provides basic protection for your assets, including blocking brute-force attacks, command execution vulnerabilities, and connections to command and control (C&C) servers after an infection.
Virtual Patching: Provides real-time protection against popular high-risk application vulnerabilities.
Note: This setting applies to all network instances under the same CEN instance.
After the creation is complete, click Next. Configure the traffic redirection scenario as described in the following table.
You can also configure the traffic redirection scenario later based on your business needs. On the CEN (Enterprise Edition) tab, find the target transit router under the CEN instance, click Configure Now in the Firewall Status column. On the Traffic Redirection Scenario tab, click Immediately Create Traffic Redirection Scenario, and then click Create Redirection Scenario to configure it.
Parameter
Description
Basic Information
Template Name: The name of the traffic redirection template.
Select a scenario
Select the type of scenario to be controlled and protected by the vpc firewall.
Instance-Instance: Controls traffic between two network instances. Suitable for simple network topologies.
Instance to Instances: Controls traffic between one network instance and multiple network instances. Suitable for star network topologies. You can select ALL for sub-redirection instances to redirect all traffic to the primary redirection instance through Cloud Firewall. This is equivalent to the traffic redirection scenario of a vpc firewall for a Basic Edition transit router.
Important: The Instance to Instances scenario is not supported if the transit router route table contains a custom deny route policy. Use the Interconnected Instances scenario instead.
Interconnected Instances: Controls traffic among multiple network instances. Suitable for full-mesh network topologies.
Note: A network instance is a VPC instance, VBR instance, or TR instance connected through an Enterprise Edition transit router.
Redirection object
Configure the Instance Type and Instance ID for traffic redirection.
Important: In automatic mode, the number of protected VPCs is determined by the number of network instances (VPC, TR, and VBR) configured in the traffic redirection scenario.
Click OK.
The traffic redirection configuration process may take up to 30 minutes. After the process is complete, traffic between the network instances connected to the transit router will be protected.
After the vpc firewall is created, it is automatically enabled. Cloud Firewall automatically creates the following resources in your VPC:
A VPC resource named Cloud_Firewall_VPC. Important: Do not add other business resources to Cloud_Firewall_VPC. Otherwise, you cannot delete these resources when you delete the vpc firewall. Do not manually modify or delete network resources in this VPC.
A vSwitch resource named Cloud_Firewall_VSWITCH.
A custom route entry with the remark: Created by cloud firewall. Do not modify or delete it.
Note: After you enable the vpc firewall, if you add or delete VPC route table information, it takes 15 to 30 minutes for Cloud Firewall to learn the routes. We recommend that you wait for the route learning process to complete before you verify that the route table is effective. If you have any questions, submit a .
Manual
In manual mode, you must manually create an elastic network interface for the vpc firewall on the Enterprise Edition transit router and configure routes to redirect traffic to the ENI. For detailed instructions, see Protect all traffic between VPCs connected by a CEN transit router (manual traffic redirection), Protect some traffic between VPCs connected by a CEN transit router (manual traffic redirection), and Protect traffic between VPCs across regions in a CEN instance (manual traffic redirection).
Important: In manual mode, you must also select the VPC network and the vSwitch connected to the CEN instance. If you choose manual mode, you must renew your Cloud Firewall instance before it expires. Otherwise, if the Cloud Firewall service becomes unavailable, traffic redirection fails, causing a network outage.
In the Create VPC Firewall panel, configure the vpc firewall.
Parameter
Description
Firewall Basic Information
Firewall Name: Enter a unique and descriptive name for the vpc firewall instance.
VPC: Configure the VPC for the firewall.
Important: The configured VPC must belong to the same account as the CEN-TR. Otherwise, the vpc firewall cannot be created.
vSwitch: Configure the vSwitch for the firewall.
Intrusion prevention
Select the operating mode and intrusion prevention policy for the IPS module.
IPS Mode
Monitor Mode: Monitors and generates alerts for malicious traffic.
Block Mode: Intercepts malicious traffic to block intrusions.
IPS Capabilities
Basic Rules: Provides basic protection for your assets, including blocking brute-force attacks, command execution vulnerabilities, and connections to C&C servers.
Virtual Patching: Provides real-time protection against popular high-risk application vulnerabilities.
Note: This setting applies to all network instances under the same CEN instance.
Click Start Creation.
After you enable the vpc firewall, Cloud Firewall automatically adds a security group named Cloud_Firewall_Security_Group. This security group has a preconfigured allow policy (also known as an authorization policy) to permit traffic to the vpc firewall.
Important: Do not delete the Cloud_Firewall_Security_Group security group or its allow policy. Doing so will cause a traffic interruption.
Warning: After you create a vpc firewall, changing the vSwitch or route table in the firewall's VPC may cause a traffic interruption.
Disabling or deleting the vpc firewall for an Enterprise Edition transit router in manual mode may cause a traffic interruption.
Perform batch operations or frequently switch the vpc firewall on and off during off-peak hours to minimize the impact on your business.
Next steps
After you enable the vpc firewall, you can set up access control policies to control access between VPCs. For more information, see Configure an access control policy for a vpc firewall.
After you enable the vpc firewall, you can use the VPC Access feature to view traffic between your VPCs. For more information, see VPC Access.
After you enable the vpc firewall, you can use the VPC Protection feature to view information about anomalous events between VPCs that were intercepted by Cloud Firewall. For more information, see View VPC traffic blocking events.
More operations
Change the automatic redirection configuration
To modify or remove the automatic traffic redirection mode configuration, find the target transit router under the CEN instance, click Details in the Actions column, and then perform the following operations on the Traffic Redirection Scenario tab of the VPC Firewall Details panel.
Disable a traffic redirection scenario
Click the toggle for the enabled traffic redirection scenario.
In the Disable Traffic Redirection Scenario dialog box, you can disable the scenario by using either Roll Back Route or Withdraw Route.
Roll Back Route: This option is suitable if you have not modified the CEN/TR routes and want to quickly restore the routing configuration that existed before Cloud Firewall redirection. This rollback directly deletes the Cloud Firewall redirection route table and restores the original route table. This process takes about 1 minute.
Withdraw Route: This option is suitable if you have modified the CEN/TR routes and need to revoke the routing scenario created by Cloud Firewall. This action deletes only the Cloud Firewall route entries and does not delete the route table created by Cloud Firewall. The time required depends on the number of route entries.
Click OK.
Important: This action cannot be undone. Confirm your choice before proceeding. After you disable the scenario, check your business traffic status immediately.
Delete a traffic redirection scenario
Hover over the target traffic redirection scenario card and click Delete to remove it. Before you delete an automatic traffic redirection scenario, you must disable it.
Modify a traffic redirection scenario
Hover over the target traffic redirection scenario card and click Edit to modify it.
View route details
Hover over the target traffic redirection scenario card and click Route Details to view the traffic redirection routes for the vpc firewall.
Edit or delete a VPC firewall
To modify or delete a vpc firewall, go to the CEN (Enterprise Edition) tab under VPC Firewall. Find the target transit router under the CEN instance, and click Edit or Delete in the Actions column.
Manual mode: To avoid service disruptions, before you delete the firewall instance, first manually delete the routes that point to the vpc firewall, and then delete the vpc firewall.
Automatic mode: If the firewall is enabled, you must first delete all current traffic redirection scenarios before you delete the vpc firewall.
Modify IPS configuration
To change the IPS mode or capabilities, add IP addresses to a whitelist, or modify IPS rules, click Configure IPS in the Actions column for the firewall instance. Configure the settings on the VPC Border tab of the IPS Configuration page. For more information, see IPS Configuration.