This topic describes how to use Terraform to create a virtual private cloud (VPC) firewall for an Enterprise Edition transit router of a Cloud Enterprise Network (CEN) instance.
You can run the sample code in this topic directly in Terraform Explorer.
Prerequisites
Before you begin, make sure that you have:
A Resource Access Management (RAM) user with an AccessKey pair. For security, use a RAM user instead of your Alibaba Cloud account. For more information, see Create a RAM user and Create an AccessKey pair
The AliyunBSSFullAccess policy and a custom Cloud Firewall policy attached to the RAM user. For more information, see Grant permissions to RAM users.
A Terraform environment (version 0.12.28 or later). Run terraform --version to check your version.
Terraform environment options
Choose one of the following methods to set up your Terraform environment:
Terraform Explorer (recommended for quick testing): An online runtime environment provided by Alibaba Cloud. No local installation required. For more information, see Use Terraform in Terraform Explorer.
Cloud Shell: Terraform is preinstalled with identity credentials already configured. For more information, see Use Terraform in Cloud Shell.
Local installation: Install Terraform on your on-premises machine. For more information, see Install and configure Terraform in the local PC.
Required RAM policy
The following custom policy grants the minimum Cloud Firewall permissions. Attach this policy alongside AliyunBSSFullAccess to your RAM user. The AliyunBSSFullAccess policy grants full permissions on the Alibaba Cloud Transactions and Bills Management OpenAPI (BSS OpenAPI), which is far broader than the Cloud Firewall actions below; attach it to a RAM user dedicated to this deployment rather than to a shared automation identity, and detach it when the deployment is finished.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cloudfirewall:CreateVpcFirewallCenConfigure",
        "yundun-cloudfirewall:CreateVpcFirewallCenManualConfigure",
        "yundun-cloudfirewall:ModifyVpcFirewallCenConfigure",
        "yundun-cloudfirewall:ModifyVpcFirewallCenSwitchStatus",
        "yundun-cloudfirewall:DeleteVpcFirewallCenConfigure",
        "yundun-cloudfirewall:DescribeVpcFirewallCenDetail",
        "yundun-cloudfirewall:DescribeVpcFirewallCenList"
      ],
      "Resource": "*"
    }
  ]
}
```

Architecture overview
This configuration creates the following resources and connects them to form a VPC firewall that inspects traffic routed through a CEN transit router:
| Resource | Terraform type | Purpose |
|---|---|---|
| CEN instance | alicloud_cen_instance | Central hub for connecting networks across regions |
| Transit router | alicloud_cen_transit_router | Enterprise Edition router within the CEN instance |
| VPC | alicloud_vpc | Network (CIDR: 192.168.1.0/24) attached to the transit router |
| vSwitch x 2 | alicloud_vswitch | Subnets in two zones for the VPC-to-transit-router attachment |
| Route table | alicloud_route_table | Custom route table associated with the VPC |
| Transit router VPC attachment | alicloud_cen_transit_router_vpc_attachment | Connects the VPC to the transit router through the two vSwitches |
| Wait timer | time_sleep | 10-minute delay to allow the VPC attachment to fully initialize |
| VPC firewall | alicloud_cloud_firewall_vpc_cen_tr_firewall | Cloud Firewall instance that inspects traffic between VPCs connected through the transit router |
The deployment flow is:
Create the CEN instance and transit router.
Create a VPC with two vSwitches and a route table.
Attach the VPC to the transit router.
Wait 10 minutes for the attachment to initialize.
Create the VPC firewall on the transit router.
Terraform resource
alicloud_cloud_firewall_vpc_cen_tr_firewall: Creates a VPC firewall for an Enterprise Edition transit router of a CEN instance.
Create a VPC firewall
Variables reference
The following table lists the configurable variables used in the configuration. Adjust these values for your environment.
| Variable | Type | Default | Description |
|---|---|---|---|
| name | string | "terraform-example" | Name for most resources (CEN, transit router, VPC, vSwitches, route table) |
| description | string | "Created by Terraform" | General description |
| firewall_name | string | "tf-example" | Name for the VPC firewall |
| firewall_name_update | string | "tf-example-1" | Updated name for the VPC firewall (used when modifying) |
| region | string | "cn-hangzhou" | Region for the VPC firewall |
| firewall_vpc_cidr | string | "192.168.3.0/24" | CIDR block for the firewall VPC |
| firewall_subnet_cidr | string | "192.168.3.0/25" | Subnet CIDR block within the firewall VPC |
| tr_attachment_master_cidr | string | "192.168.3.192/26" | CIDR block for the transit router attachment in the primary zone |
| tr_attachment_slave_cidr | string | "192.168.3.128/26" | CIDR block for the transit router attachment in the secondary zone |
| zone1 | string | "cn-hangzhou-h" | Primary availability zone |
| zone2 | string | "cn-hangzhou-i" | Secondary availability zone |
Configuration
Create a working directory and add a file named main.tf with the following content:
```hcl
# -------------------------------------------
# Provider and version constraints
# -------------------------------------------
terraform {
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"
      version = "~> 1.238"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.12"
    }
  }
}

# -------------------------------------------
# Variables
# -------------------------------------------
variable "name" {
  type        = string
  default     = "terraform-example"
  description = "Name used for CEN, transit router, VPC, vSwitches, and route table"
}

variable "description" {
  type        = string
  default     = "Created by Terraform"
  description = "General description for resources"
}

variable "firewall_name" {
  type        = string
  default     = "tf-example"
  description = "Name for the VPC firewall"
}

variable "firewall_name_update" {
  type        = string
  default     = "tf-example-1"
  description = "Updated name for the VPC firewall (used when modifying)"
  # Not referenced by the resources below. To exercise an in-place update,
  # point firewall_name at this value and run terraform apply again.
}

variable "region" {
  type        = string
  default     = "cn-hangzhou"
  description = "Region for the VPC firewall"
}

variable "firewall_vpc_cidr" {
  type        = string
  default     = "192.168.3.0/24"
  description = "CIDR block for the firewall VPC"
}

variable "firewall_subnet_cidr" {
  type        = string
  default     = "192.168.3.0/25"
  description = "Subnet CIDR block within the firewall VPC"
}

variable "tr_attachment_master_cidr" {
  type        = string
  default     = "192.168.3.192/26"
  description = "CIDR block for the transit router attachment in the primary zone"
}

variable "tr_attachment_slave_cidr" {
  type        = string
  default     = "192.168.3.128/26"
  description = "CIDR block for the transit router attachment in the secondary zone"
}

variable "zone1" {
  type        = string
  default     = "cn-hangzhou-h"
  description = "Primary availability zone"
}

variable "zone2" {
  type        = string
  default     = "cn-hangzhou-i"
  description = "Secondary availability zone"
}

# -------------------------------------------
# Provider
# -------------------------------------------
# Credentials are read from the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY
# environment variables (already configured in Cloud Shell and Terraform
# Explorer). Do not hardcode the AccessKey pair in this file.
provider "alicloud" {
  region = var.region
}

# -------------------------------------------
# Data sources
# -------------------------------------------
# Zones in which the transit router can be attached; the vSwitches below
# are placed in the second and third master zones of the first result.
data "alicloud_cen_transit_router_available_resources" "default" {
}

# Not referenced by the resources below; kept from the original sample.
data "alicloud_zones" "default" {
  available_resource_creation = "VSwitch"
}

# -------------------------------------------
# CEN and transit router
# -------------------------------------------
resource "alicloud_cen_instance" "cen" {
  description       = "terraform example"
  cen_instance_name = var.name
}

resource "alicloud_cen_transit_router" "tr" {
  transit_router_name        = var.name
  transit_router_description = "tr-created-by-terraform"
  cen_id                     = alicloud_cen_instance.cen.id
}

# -------------------------------------------
# VPC, vSwitches, and route table
# -------------------------------------------
resource "alicloud_vpc" "vpc1" {
  description = "created by terraform"
  cidr_block  = "192.168.1.0/24"
  vpc_name    = var.name
}

resource "alicloud_vswitch" "vpc1vsw1" {
  cidr_block   = "192.168.1.0/25"
  vswitch_name = var.name
  vpc_id       = alicloud_vpc.vpc1.id
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
}

resource "alicloud_vswitch" "vpc1vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "192.168.1.128/26"
  vswitch_name = var.name
  zone_id      = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
}

resource "alicloud_route_table" "foo" {
  vpc_id           = alicloud_vpc.vpc1.id
  route_table_name = var.name
  description      = var.name
}

# -------------------------------------------
# Transit router VPC attachment
# -------------------------------------------
resource "alicloud_cen_transit_router_vpc_attachment" "tr-vpc1" {
  zone_mappings {
    vswitch_id = alicloud_vswitch.vpc1vsw1.id
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[1]
  }
  zone_mappings {
    zone_id    = data.alicloud_cen_transit_router_available_resources.default.resources[0].master_zones[2]
    vswitch_id = alicloud_vswitch.vpc1vsw2.id
  }
  vpc_id            = alicloud_vpc.vpc1.id
  cen_id            = alicloud_cen_instance.cen.id
  transit_router_id = alicloud_cen_transit_router.tr.transit_router_id
  depends_on        = [alicloud_route_table.foo]
}

# -------------------------------------------
# Wait for VPC attachment to initialize
# -------------------------------------------
# The transit router VPC attachment requires approximately 10 minutes
# to fully initialize before a VPC firewall can be created on it.
resource "time_sleep" "wait_10_minutes" {
  depends_on      = [alicloud_cen_transit_router_vpc_attachment.tr-vpc1]
  create_duration = "10m"
}

# -------------------------------------------
# VPC firewall
# -------------------------------------------
resource "alicloud_cloud_firewall_vpc_cen_tr_firewall" "default" {
  cen_id                    = alicloud_cen_transit_router_vpc_attachment.tr-vpc1.cen_id
  firewall_name             = var.firewall_name
  firewall_subnet_cidr      = var.firewall_subnet_cidr
  tr_attachment_slave_cidr  = var.tr_attachment_slave_cidr
  firewall_description      = "VpcCenTrFirewall created by terraform"
  region_no                 = var.region
  tr_attachment_master_cidr = var.tr_attachment_master_cidr
  firewall_vpc_cidr         = var.firewall_vpc_cidr
  transit_router_id         = alicloud_cen_transit_router.tr.transit_router_id
  route_mode                = "managed"
  depends_on                = [time_sleep.wait_10_minutes]
}

# -------------------------------------------
# Outputs
# -------------------------------------------
output "firewall_id" {
  description = "The ID of the VPC firewall"
  value       = alicloud_cloud_firewall_vpc_cen_tr_firewall.default.id
}

output "cen_id" {
  description = "The CEN instance ID"
  value       = alicloud_cen_instance.cen.id
}

output "transit_router_id" {
  description = "The transit router ID"
  value       = alicloud_cen_transit_router.tr.transit_router_id
}
```

Key firewall parameters
The alicloud_cloud_firewall_vpc_cen_tr_firewall resource accepts the following parameters:
| Parameter | Required | Description |
|---|---|---|
| cen_id | Yes | The ID of the CEN instance that contains the transit router |
| transit_router_id | Yes | The ID of the Enterprise Edition transit router |
| firewall_name | Yes | A display name for the VPC firewall |
| region_no | Yes | The region in which to create the firewall (for example, cn-hangzhou) |
| firewall_vpc_cidr | Yes | The CIDR block for the firewall VPC. Must not overlap with existing VPC CIDR blocks in the CEN instance |
| firewall_subnet_cidr | Yes | The CIDR block for the firewall subnet. Must be a subnet of firewall_vpc_cidr |
| tr_attachment_master_cidr | Yes | The CIDR block for the transit router attachment in the primary zone. Must be a subnet of firewall_vpc_cidr |
| tr_attachment_slave_cidr | Yes | The CIDR block for the transit router attachment in the secondary zone. Must be a subnet of firewall_vpc_cidr |
| route_mode | Yes | The route mode. Set to "managed" to let Cloud Firewall automatically manage routes |
| firewall_description | No | A description for the VPC firewall |
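The CIDR rules in the table are only enforced by the API at apply time, which in this configuration is after the 10-minute wait. The following Python script is an added example, not part of the page's Terraform configuration, that checks the same rules offline before you run terraform apply. It uses the default values from main.tf and the CIDR block of the VPC that main.tf attaches to the CEN (192.168.1.0/24) as constructed input. It also treats overlap among the three sub-blocks as an error; the defaults avoid that, but the page does not state that rule explicitly, so it is an assumption here.

```python
import ipaddress

# Default values from the main.tf on this page (constructed input for the check).
FIREWALL_VPC_CIDR = "192.168.3.0/24"
FIREWALL_SUBNET_CIDR = "192.168.3.0/25"
TR_ATTACHMENT_MASTER_CIDR = "192.168.3.192/26"
TR_ATTACHMENT_SLAVE_CIDR = "192.168.3.128/26"
# CIDR blocks of the VPCs already attached to the CEN: here only vpc1 from main.tf.
EXISTING_VPC_CIDRS = ["192.168.1.0/24"]


def check_cidr_plan(firewall_vpc_cidr, firewall_subnet_cidr,
                    tr_attachment_master_cidr, tr_attachment_slave_cidr,
                    existing_vpc_cidrs):
    """Validate the firewall CIDR plan before terraform apply.

    Returns a list of human-readable violations; an empty list means the
    plan satisfies every rule checked here.
    """
    try:
        # strict=True rejects blocks with host bits set, e.g. 192.168.3.1/24,
        # which the API would also refuse.
        vpc = ipaddress.ip_network(firewall_vpc_cidr, strict=True)
        subs = {
            "firewall_subnet_cidr": ipaddress.ip_network(firewall_subnet_cidr, strict=True),
            "tr_attachment_master_cidr": ipaddress.ip_network(tr_attachment_master_cidr, strict=True),
            "tr_attachment_slave_cidr": ipaddress.ip_network(tr_attachment_slave_cidr, strict=True),
        }
        existing = [ipaddress.ip_network(c, strict=True) for c in existing_vpc_cidrs]
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    problems = []

    # Rule 1 (from the parameter table): each sub-block lies inside firewall_vpc_cidr.
    for name, net in subs.items():
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not a subnet of firewall_vpc_cidr {vpc}")

    # Rule 2 (assumption, implied by the defaults): the three sub-blocks do not overlap.
    names = list(subs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subs[a].version == subs[b].version and subs[a].overlaps(subs[b]):
                problems.append(f"{a} {subs[a]} overlaps {b} {subs[b]}")

    # Rule 3 (from the parameter table): the firewall VPC must not overlap a VPC
    # that is already attached to the CEN instance.
    for net in existing:
        if net.version == vpc.version and vpc.overlaps(net):
            problems.append(f"firewall_vpc_cidr {vpc} overlaps existing VPC {net}")

    return problems


if __name__ == "__main__":
    issues = check_cidr_plan(FIREWALL_VPC_CIDR, FIREWALL_SUBNET_CIDR,
                             TR_ATTACHMENT_MASTER_CIDR, TR_ATTACHMENT_SLAVE_CIDR,
                             EXISTING_VPC_CIDRS)
    for issue in issues:
        print("FAIL:", issue)
    print("CIDR plan OK" if not issues else f"{len(issues)} problem(s) found")
```

Run it with the values you intend to pass as variables and with every VPC CIDR already attached to the CEN in EXISTING_VPC_CIDRS; a non-empty result means the apply would fail after the wait, or worse, create a firewall VPC whose routes collide with an existing network.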
Deploy
Supply the RAM user's AccessKey pair to the provider through the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables (Cloud Shell and Terraform Explorer have credentials configured already). Do not write the keys into main.tf or commit them alongside the configuration.

Initialize Terraform to download the required providers:

```shell
terraform init
```

If initialization succeeds, the output includes:

```
Terraform has been successfully initialized!
```

Preview the changes:

```shell
terraform plan
```

Apply the configuration. Enter yes when prompted:

```shell
terraform apply
```

The deployment includes a 10-minute wait after the transit router VPC attachment is created, plus several minutes for the VPC firewall itself. When the deployment succeeds, the output ends with:

```
Apply complete! Resources: 9 added, 0 changed, 0 destroyed.
```

Note: If no VPC firewall exists for the specified transit router, Terraform creates a new one. If a VPC firewall already exists, Terraform modifies its configuration. The resource counts in the plan and apply output vary based on existing resources in your account.
Verify the result
Run terraform show to view the details of the created VPC firewall:

```shell
terraform show
```

In the output, find the alicloud_cloud_firewall_vpc_cen_tr_firewall.default block and verify the key attributes:

```hcl
# alicloud_cloud_firewall_vpc_cen_tr_firewall.default:
resource "alicloud_cloud_firewall_vpc_cen_tr_firewall" "default" {
    cen_id                    = "cen-74686vyua3r13lv0nc"
    firewall_description      = "VpcCenTrFirewall created by terraform"
    firewall_name             = "tf-example"
    firewall_subnet_cidr      = "192.168.3.0/25"
    firewall_vpc_cidr         = "192.168.3.0/24"
    id                        = "vfw-tr-beec8a3d978e470a84cf"
    region_no                 = "cn-hangzhou"
    route_mode                = "managed"
    status                    = "Ready"
    tr_attachment_master_cidr = "192.168.3.192/26"
    tr_attachment_slave_cidr  = "192.168.3.128/26"
    transit_router_id         = "tr-bp1sxqrc3lh4lyd3ya6oh"
}
```

A status of "Ready" confirms the VPC firewall was created successfully. You can also verify the result in the Cloud Firewall console.
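Reading terraform show by eye does not scale to a pipeline. The following Python script is an added example, not part of the page, that performs the same verification against the machine-readable form, terraform show -json: it walks the state (including child modules), requires the firewall to be Ready and in managed route mode, checks that its transit_router_id matches a transit router in the same state, and re-checks that the three sub-CIDRs sit inside firewall_vpc_cidr. The embedded JSON is a constructed sample trimmed to the fields the check reads, with the values from the listing above.

```python
import ipaddress
import json

FIREWALL_TYPE = "alicloud_cloud_firewall_vpc_cen_tr_firewall"
TRANSIT_ROUTER_TYPE = "alicloud_cen_transit_router"

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check reads. The values mirror the terraform show listing above.
SAMPLE_SHOW_JSON = """
{
  "format_version": "1.0",
  "values": {
    "root_module": {
      "resources": [
        {
          "address": "alicloud_cen_transit_router.tr",
          "type": "alicloud_cen_transit_router",
          "values": {"transit_router_id": "tr-bp1sxqrc3lh4lyd3ya6oh"}
        },
        {
          "address": "alicloud_cloud_firewall_vpc_cen_tr_firewall.default",
          "type": "alicloud_cloud_firewall_vpc_cen_tr_firewall",
          "values": {
            "cen_id": "cen-74686vyua3r13lv0nc",
            "firewall_vpc_cidr": "192.168.3.0/24",
            "firewall_subnet_cidr": "192.168.3.0/25",
            "tr_attachment_master_cidr": "192.168.3.192/26",
            "tr_attachment_slave_cidr": "192.168.3.128/26",
            "region_no": "cn-hangzhou",
            "route_mode": "managed",
            "status": "Ready",
            "transit_router_id": "tr-bp1sxqrc3lh4lyd3ya6oh"
          }
        }
      ]
    }
  }
}
"""


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_firewall_state(show_json_text):
    """Return a list of findings for the VPC firewall(s) in terraform show -json output."""
    state = json.loads(show_json_text)
    resources = list(iter_resources(state.get("values", {}).get("root_module", {})))
    known_tr_ids = {r.get("values", {}).get("transit_router_id")
                    for r in resources if r.get("type") == TRANSIT_ROUTER_TYPE}
    firewalls = [r for r in resources if r.get("type") == FIREWALL_TYPE]
    if not firewalls:
        return [f"no {FIREWALL_TYPE} resource in state"]

    findings = []
    for fw in firewalls:
        addr, v = fw.get("address", FIREWALL_TYPE), fw.get("values", {})
        # The firewall only inspects traffic once it reaches the Ready state.
        if v.get("status") != "Ready":
            findings.append(f"{addr}: status is {v.get('status')!r}, expected 'Ready'")
        # Managed route mode is the setting this page relies on.
        if v.get("route_mode") != "managed":
            findings.append(f"{addr}: route_mode is {v.get('route_mode')!r}, expected 'managed'")
        # The firewall must belong to a transit router managed in this same state.
        if v.get("transit_router_id") not in known_tr_ids:
            findings.append(f"{addr}: transit_router_id {v.get('transit_router_id')!r} "
                            "does not match any transit router in this state")
        # Re-check the CIDR containment rules from the parameter table.
        try:
            vpc = ipaddress.ip_network(v.get("firewall_vpc_cidr"), strict=True)
            for key in ("firewall_subnet_cidr", "tr_attachment_master_cidr",
                        "tr_attachment_slave_cidr"):
                if not ipaddress.ip_network(v.get(key), strict=True).subnet_of(vpc):
                    findings.append(f"{addr}: {key} {v.get(key)} is outside firewall_vpc_cidr {vpc}")
        except (TypeError, ValueError) as exc:
            findings.append(f"{addr}: unparseable CIDR attribute ({exc})")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOW_JSON
    results = check_firewall_state(text)
    for finding in results:
        print("FAIL:", finding)
    print("firewall state OK" if not results else f"{len(results)} finding(s)")
    sys.exit(1 if results else 0)
```

Feed it real state with terraform show -json > state.json followed by python check_firewall_state.py state.json; the non-zero exit on any finding makes it usable as a gate after terraform apply.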
Clean up resources
To delete all resources created by this configuration, run:
```shell
terraform destroy
```

Enter yes when prompted. For more information about the terraform destroy command, see Common commands.
Usage notes
10-minute wait period: The time_sleep resource introduces a 10-minute delay between creating the transit router VPC attachment and creating the VPC firewall. The VPC attachment needs time to fully initialize. Do not remove this resource.
CIDR planning: The firewall VPC CIDR (firewall_vpc_cidr) must not overlap with any existing VPC CIDR blocks in the CEN instance. The firewall_subnet_cidr, tr_attachment_master_cidr, and tr_attachment_slave_cidr must all be subnets of firewall_vpc_cidr.
Managed route mode: Setting route_mode to "managed" allows Cloud Firewall to automatically manage the routing configuration. This is the recommended setting.
One firewall per transit router: Each Enterprise Edition transit router supports one VPC firewall. If a VPC firewall already exists for the transit router, terraform apply modifies the existing firewall instead of creating a new one. Consequently, an apply from a second configuration or state file that targets the same transit router reconfigures the firewall that already protects it; keep the firewall in a single state.
Provider version: Pin the alicloud provider version in your required_providers block to avoid unexpected changes from major version upgrades.
Zone selection: The vSwitch zones are dynamically resolved from alicloud_cen_transit_router_available_resources. The actual zones depend on your region's available resources.
Next steps
Configure access control policies for VPC firewalls to define traffic filtering rules.
Monitor Cloud Firewall traffic logs to inspect traffic between VPCs.
Run the complete sample code directly in Terraform Explorer.