Cloud Firewall:Protect traffic between VPCs connected by using a CEN transit router

Last Updated:Mar 31, 2026

When you use a Cloud Enterprise Network (CEN) transit router with multiple VPCs, you can choose to inspect traffic for selected VPCs while leaving others unaffected. This requires manual traffic redirection mode, where you configure the routing yourself. Use this mode when you want to protect some VPC traffic but not all — for example, protecting traffic from VPC1 and two data centers (IDC-1, IDC-2) while letting VPC2 and DMZ VPC communicate without inspection.

To protect all VPC traffic through the transit router without configuring routes manually, use automatic traffic redirection mode instead.

How it works

The setup inserts a dedicated firewall VPC (FW VPC) into the transit router's forwarding path. Two custom route tables on the transit router control which traffic gets inspected:

  • Cfw-Untrust-RouteTable — associated with the VPCs and virtual border routers (VBRs) whose traffic must pass through the firewall. In this example, it routes traffic from VPC1, IDC-1, and IDC-2 toward FW VPC for inspection.

  • Cfw-Trust-RouteTable — associated with FW VPC. It learns routes from all network instances so the firewall can forward inspected traffic to the correct destination.

VPCs that remain in the system route table (VPC2 and DMZ VPC in this example) bypass the firewall entirely.

  Network instance | Route table            | Passes through firewall?
  -----------------|------------------------|-------------------------
  VPC1             | Cfw-Untrust-RouteTable | Yes
  IDC-1 (VBR)      | Cfw-Untrust-RouteTable | Yes
  IDC-2 (VBR)      | Cfw-Untrust-RouteTable | Yes
  VPC2             | System route table     | No
  DMZ VPC          | System route table     | No

Cloud Firewall can protect traffic between network instances connected via CEN transit routers, including VPCs, VBRs, Cloud Connect Network (CCN) instances, and VPN gateways. This topic covers protecting traffic between VPCs in the same region. Traffic from any VPC or data center to 0.0.0.0/0 (the default route) is not protected by Cloud Firewall.

Prerequisites

Before you begin, ensure that you have:

  • A CEN instance with an Enterprise Edition transit router

  • Three VPCs: VPC1, VPC2, and DMZ VPC

  • Two VBRs: IDC-1 and IDC-2

  • Permissions to manage VPC, CEN, and Cloud Firewall resources

Steps overview

This topic walks you through the following steps:

  1. Create a VPC for the VPC firewall (FW VPC)

  2. Connect FW VPC to the transit router

  3. Connect your workload VPCs and VBRs to the transit router

  4. Create a VPC firewall in FW VPC

  5. Configure routes for FW VPC

  6. Configure routes for the transit router

  7. Verify the configuration

Step 1: Create a VPC for the VPC firewall

The VPC firewall requires its own dedicated VPC. Create a VPC with two vSwitches for the transit router connection and one vSwitch for the firewall.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where you want to enable the VPC firewall, then click Create VPC.

  3. On the Create VPC page, configure the following parameters and click OK.

    Parameter       | Description
    ----------------|------------
    Region          | Select the region where you want to enable the VPC firewall.
    Name            | Enter a name. This example uses FW VPC.
    IPv4 CIDR block | Specify a CIDR block with a subnet mask of at least /26. The block must not conflict with your existing workload CIDR blocks.
    vSwitch         | Create three vSwitches: TR-Vswitch-01 (primary, for the transit router), TR-vSwitch-02 (secondary, for the transit router), and Cfw-Vswitch (for the VPC firewall). TR-Vswitch-01 and TR-vSwitch-02 must be in different zones that support transit routers, and each must use a subnet mask of at least /28. Select zones where your workloads run to reduce latency.

  4. On the VPC page, click the ID of the VPC you created (FW VPC).

  5. On the Resource Management tab, hover over Route Table and click Add. Alternatively, go to the Route Tables page and click Create Route Table.

  6. On the Create Route Table page, configure the following parameters and click OK.

    Parameter                | Value
    -------------------------|----------------------
    VPC                      | FW VPC
    Associated resource type | vSwitch
    Name                     | VPC-CFW-RouteTable

Step 2: Connect FW VPC to the transit router

Connect FW VPC to the Enterprise Edition transit router so the transit router can forward traffic to the firewall.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance you want to use.

  3. On the Basic Information tab, find the transit router and click Create Connection in the Actions column, or click the icon next to VPC.

  4. On the Connection with peer network instance page, configure the following parameters. For all other parameters, see Use an Enterprise Edition transit router.

    Parameter        | Value
    -----------------|-------------------------------------------------
    Network type     | VPC
    Region           | Select the region where FW VPC was created
    Network instance | FW VPC
    vSwitch          | Primary: TR-Vswitch-01 / Secondary: TR-vSwitch-02

Step 3: Connect your workload VPCs and VBRs to the transit router

Connect each workload network instance — VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2 — to the transit router. For instructions, see Use an Enterprise Edition transit router.

Step 4: Create a VPC firewall

Create a VPC firewall for FW VPC using manual traffic redirection mode.

In the Cloud Firewall console, choose Firewall Settings > VPC Firewall > CEN (Enterprise Edition). Find the transit router and click Create in the Actions column. In the Create VPC Firewall dialog box, set the following:

  • Traffic redirection mode: Manual

  • VPC: FW VPC

  • vSwitch: Cfw-Vswitch

For full parameter details, see Configure a VPC firewall for an Enterprise Edition transit router.

Important
  • FW VPC and the CEN transit router must belong to the same account. Cross-account configurations are not supported.

  • After this step, Cloud Firewall creates an Elastic Network Interface (ENI) named cfw-bonding-eni in Cfw-Vswitch. You can view it in the ECS console under Network & Security > Elastic Network Interfaces. The firewall cluster runs in active-active mode across two automatically allocated availability zones for high availability.

Step 5: Configure routes for FW VPC

Add routes to FW VPC so that traffic arriving from the transit router is directed to the firewall, and inspected traffic is forwarded back to the transit router.

  1. Log on to the VPC console.

  2. On the Route Tables page, click the system route table for FW VPC.

  3. On the Route entry list tab, click Custom route.

  4. Click Add route entry and configure the following parameters. Delete any existing custom routes before adding this one. This routes all traffic arriving at FW VPC from the transit router to the VPC firewall.

    • Destination CIDR block: 0.0.0.0/0

    • Next hop type: ENI

    • ENI: cfw-bonding-eni (created in Step 4)

  5. On the Route Tables page, click VPC-CFW-RouteTable. On the Associated vSwitch tab, click Associate vSwitch, select Cfw-Vswitch, and click OK.

  6. On the Route entry list tab, click Custom route. Click Add route entry and configure the following parameters. Delete any existing custom routes before adding this one. This forwards inspected traffic from the firewall back to the transit router.

    • Destination CIDR block: 0.0.0.0/0

    • Next hop type: Transit Router

    • Transit Router: Select the transit router for this VPC firewall

Step 6: Configure routes for the transit router

Create two custom route tables on the transit router to control which traffic passes through the firewall. Then modify the system route table to redirect VPC1, IDC-1, and IDC-2 traffic through the firewall.

  1. Log on to the CEN console.

  2. Find and click the transit router. The Route table tab appears.

  3. Create two route tables: Cfw-Untrust-RouteTable and Cfw-Trust-RouteTable. On the Route table tab, click Create route table. In the dialog box, select the transit router and create each route table.

    - Cfw-Untrust-RouteTable directs traffic from VPC1, IDC-1, and IDC-2 toward FW VPC for inspection.

    - Cfw-Trust-RouteTable directs traffic from FW VPC to all destination network instances.

  4. Configure Cfw-Trust-RouteTable to learn routes from all network instances and associate it with FW VPC.

    1. Click Cfw-Trust-RouteTable, then click the Route propagation tab.

    2. Click Enable route propagation.

    3. In the dialog box, select VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2 for Attachment, then click OK. After route propagation is enabled, the route table automatically learns all destination routes. View the learned routes on the Route entry tab.

    4. In the system route table, click the Route table association tab, then select Cfw-Trust-RouteTable.

    5. On the Route table association tab, click Create association.

    6. In the dialog box, select FW VPC for Association, then click OK.

  5. Configure Cfw-Untrust-RouteTable with static routes pointing to FW VPC.

    1. Click Cfw-Untrust-RouteTable, then click the Route entry tab.

    2. Click Add route entry and add the following routes one by one. For each route, retain the default value No for Blackhole Route:

      Destination CIDR | Next hop
      -----------------|---------
      10.0.0.0/8       | FW VPC
      172.16.0.0/12    | FW VPC
      192.168.0.0/16   | FW VPC
      61.20.0.0/16     | FW VPC
      0.0.0.0/0        | DMZ VPC

  6. Redirect VPC1, IDC-1, and IDC-2 traffic through the firewall by modifying the system route table.

    Warning

    When you perform the following operations, traffic may be interrupted. We recommend that you perform these operations during off-peak hours or during a change window.

    Remove route propagation from the system route table:

    1. In the system route table, click the Route propagation tab.

    2. Delete the route propagation entries for VPC1, IDC-1, FW VPC, and IDC-2.

      After this, the system route table retains propagation only for VPC2 and DMZ VPC.

    3. On the Route entry tab, click Add route entry and add the following static routes:

      Destination CIDR | Network instance | Next hop
      -----------------|------------------|---------
      10.0.0.0/24      | VPC1             | FW VPC
      172.16.0.0/12    | IDC-1            | FW VPC
      61.20.0.0/16     | IDC-2            | FW VPC

    Reassign VPC1, IDC-1, and IDC-2 to Cfw-Untrust-RouteTable:

    1. On the Route table association tab of the system route table, delete the associations for VPC1, IDC-1, and IDC-2.

    2. On the Route table association tab of Cfw-Untrust-RouteTable, click Create association.

    3. In the dialog box, select VPC1, IDC-1, and IDC-2 for Association, then click OK.

  7. Log on to the CEN console.

After this step, all routing between the transit router and FW VPC is in place.

Step 7: Verify the configuration

Check that traffic is flowing through the firewall as expected.

In the Cloud Firewall console, go to the traffic logs for the CEN instance. Confirm the following:

  • VPC1 to VPC2: Communication succeeds and traffic logs appear.

  • VPC2 to DMZ VPC: Communication succeeds but no traffic logs appear (traffic bypasses the firewall).

Traffic logs for VPC1 to VPC2 confirm the routing configuration is correct. For details on reading traffic logs, see Log audit.
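To reason about which flows the transit router hands to the firewall before a change window, the following Python model (added here; it is not Alibaba Cloud code) reproduces the three transit-router route tables and associations from Step 6 and the FW VPC hairpin from Step 5, then traces a packet by longest-prefix match so the Step 7 expectations and the "How it works" table can be checked offline. VPC1, IDC-1 and IDC-2 use the prefixes the page lists; the VPC2 and DMZ VPC CIDRs, the sample addresses, and the shortened table names are assumptions.

```python
import ipaddress
# Constructed attachment CIDRs: VPC1, IDC-1 and IDC-2 use the prefixes from
# Step 6; the VPC2 and DMZ VPC prefixes are assumptions for this example.
ATTACHMENTS = {
    "VPC1": "10.0.0.0/24", "IDC-1": "172.16.0.0/12", "IDC-2": "61.20.0.0/16",
    "VPC2": "10.1.0.0/16", "DMZ VPC": "192.168.0.0/24",
}
# Route table each attachment's traffic is looked up in (Step 6 associations).
ASSOCIATION = {
    "VPC1": "Cfw-Untrust", "IDC-1": "Cfw-Untrust", "IDC-2": "Cfw-Untrust",
    "FW VPC": "Cfw-Trust", "VPC2": "System", "DMZ VPC": "System",
}

def propagated(*names):
    """Routes a table learns from the attachments it propagates from."""
    return [(ATTACHMENTS[n], n) for n in names]

ROUTE_TABLES = {
    # Step 6.5 static routes; note the default route bypasses FW VPC.
    "Cfw-Untrust": [("10.0.0.0/8", "FW VPC"), ("172.16.0.0/12", "FW VPC"),
                    ("192.168.0.0/16", "FW VPC"), ("61.20.0.0/16", "FW VPC"),
                    ("0.0.0.0/0", "DMZ VPC")],
    "Cfw-Trust": propagated("VPC1", "VPC2", "DMZ VPC", "IDC-1", "IDC-2"),
    # Step 6.6: propagation only from VPC2 and DMZ VPC, plus static routes.
    "System": propagated("VPC2", "DMZ VPC") + [("10.0.0.0/24", "FW VPC"),
              ("172.16.0.0/12", "FW VPC"), ("61.20.0.0/16", "FW VPC")],
}

def lookup(table, dst):
    """Longest-prefix match in `table`; returns the next hop or None."""
    addr, best = ipaddress.ip_address(dst), None
    for cidr, hop in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(src, dst):
    """(path, inspected) for a packet from attachment `src` to `dst`; a hop to
    FW VPC is inspected and re-looked-up in Cfw-Trust, as Step 5 returns it."""
    path, inspected, cur = [src], False, src
    for _ in range(4):  # bounded walk: guards against a routing loop
        hop = lookup(ASSOCIATION[cur], dst)
        if hop is None:
            return path + ["DROP"], inspected
        path.append(hop)
        if hop != "FW VPC":
            return path, inspected
        inspected, cur = True, hop
    return path + ["LOOP"], inspected
```

Tracing VPC1 to VPC2 yields the inspected path through FW VPC, VPC2 to DMZ VPC stays in the system table and is never inspected, and VPC1 to an Internet address follows the Untrust default route to DMZ VPC uninspected, matching the note that 0.0.0.0/0 traffic is not protected.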

Next steps

  • To create firewall access control policies for the protected VPCs, see the Cloud Firewall policy documentation.

  • To monitor traffic through the VPC firewall, use the Log audit feature in the Cloud Firewall console.