If you use a Cloud Enterprise Network (CEN) transit router, you must manually configure routing between the transit router and a virtual private cloud (VPC) firewall before you can use the VPC firewall to protect traffic between VPCs and virtual border routers (VBRs) that are connected by using the transit router. This topic describes how to configure routing between a CEN transit router (TR) and a VPC firewall.
Application scope
Cloud Firewall can protect the traffic between network instances that are connected by using CEN transit routers. The network instances are VPCs, VBRs, Cloud Connect Network (CCN) instances, and VPN gateways.
If you want to protect the traffic between VPCs in the same region by using a VPC firewall, you can follow the procedure in this topic.
Prerequisites
A CEN instance is created in the CEN console. Three VPCs are created. In this topic, VPC1, VPC2, and DMZ VPC are used. Two VBRs are created. In this topic, IDC-1 and IDC-2 are used. For more information, see CEN instances.
In this topic, the traffic between other VPCs and each of the following network instances is protected by Cloud Firewall: VPC1, IDC-1, and IDC-2. The traffic between VPC2 and DMZ VPC is not protected by Cloud Firewall. The traffic from any VPC or data center to 0.0.0.0/0 in the default route is not protected by Cloud Firewall.
Step 1: Create a VPC for a VPC firewall
A VPC firewall requires a VPC. Therefore, you must create a VPC for the VPC firewall.
Log on to the VPC console.
In the top navigation bar, select the region in which you want to create a VPC and click Create VPC.
On the Create VPC page, configure the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Region | Select the region in which you want to enable a VPC firewall. |
| Name | Enter a name for the VPC. In this example, enter FW VPC. |
| IPv4 CIDR Block | Specify a primary IPv4 CIDR block for the VPC. The subnet mask of the CIDR block must be at least 26 bits in length, and the CIDR block cannot conflict with the CIDR blocks that are used in your workloads. |
| vSwitch | Specify the vSwitches that you can connect to the transit router. The subnet mask of each CIDR block must be at least 28 bits in length. You need to specify two vSwitches to connect to the transit router and select two different zones that support transit routers. We recommend that you select the zones in which your workloads are deployed to reduce latency. You also need to specify a vSwitch for the VPC firewall, and you can select an arbitrary zone for this vSwitch. In this example, specify a primary vSwitch named TR-Vswitch-01 and a secondary vSwitch named TR-VSwitch-02 for the transit router, and a vSwitch named Cfw-Vswitch for the VPC firewall. |
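As an added check that is not part of the original procedure, the following Python script validates a FW VPC addressing plan against the constraints in the table above: the VPC prefix must be at least /26, each vSwitch prefix at least /28 and inside the VPC, the VPC must not overlap any workload CIDR, and the two transit-router vSwitches must sit in different zones. Every CIDR, zone name and workload range in the sample plan is a constructed value, and the role labels are this example's own convention.

```python
import ipaddress

# Constructed sample plan for FW VPC; every CIDR and zone below is an assumed value.
SAMPLE_PLAN = {
    "vpc_cidr": "10.0.255.0/26",
    "vswitches": [
        # (name, CIDR, zone, role) -- role is this example's own label
        ("TR-Vswitch-01", "10.0.255.0/28", "zone-a", "transit-router"),
        ("TR-VSwitch-02", "10.0.255.16/28", "zone-b", "transit-router"),
        ("Cfw-Vswitch", "10.0.255.32/28", "zone-a", "firewall"),
    ],
    # CIDRs already used by workloads reachable through the transit router
    # (VPC1, IDC-1, IDC-2 from this topic, plus an assumed VPC2 range)
    "workload_cidrs": ["10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/12", "61.20.0.0/16"],
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan satisfies the constraints."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])

    # The VPC's primary CIDR block needs a subnet mask of at least 26 bits.
    if vpc.prefixlen > 26:
        problems.append(f"VPC {vpc} is smaller than /26")

    # The VPC CIDR must not conflict with any CIDR used by workloads.
    for cidr in plan["workload_cidrs"]:
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps workload CIDR {cidr}")

    seen = []
    for name, cidr, zone, role in plan["vswitches"]:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen > 28:
            problems.append(f"vSwitch {name} ({net}) is smaller than /28")
        if not net.subnet_of(vpc):
            problems.append(f"vSwitch {name} ({net}) is not inside VPC {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"vSwitch {name} overlaps vSwitch {other_name}")
        seen.append((name, net))

    # Exactly two vSwitches connect to the transit router, in two different zones.
    tr = [(name, zone) for name, _, zone, role in plan["vswitches"] if role == "transit-router"]
    if len(tr) != 2:
        problems.append(f"expected 2 transit-router vSwitches, found {len(tr)}")
    elif tr[0][1] == tr[1][1]:
        problems.append(f"transit-router vSwitches {tr[0][0]} and {tr[1][0]} share zone {tr[0][1]}")

    # One vSwitch is reserved for the firewall; its zone is unconstrained.
    if sum(1 for *_, role in plan["vswitches"] if role == "firewall") != 1:
        problems.append("expected exactly one firewall vSwitch")
    return problems


if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
```

Run it against the CIDRs you intend to enter in the console before creating the VPC; a conflicting or undersized block surfaces here rather than as a failed attachment in Step 2.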
On the VPC page, find and click the ID of the created VPC named FW VPC.
On the page that appears, click the Resource Management tab, and move the pointer over Route Table and click Add below Route Table. Alternatively, you can go to the Route Tables page and click Create Route Table.
On the Create Route Table page, configure the following parameters to create a route table and click OK.
| Parameter | Description |
| --- | --- |
| VPC | Select the VPC that is created in the preceding step. In this example, select FW VPC. |
| Associated Resource Type | Select vSwitch as the resource type with which the route table can be associated. |
| Name | Enter a name for the route table. In this example, enter VPC-CFW-RouteTable. |
Step 2: Connect the created VPC to the transit router
This step establishes a connection between the created VPC named FW VPC and an Enterprise Edition transit router.
Log on to the CEN console.
On the Instances page, find the CEN instance whose traffic you want to redirect to a VPC firewall and click the ID of the instance.
On the Basic Information tab, find a CEN transit router and click Create Connection in the Actions column, or click the icon to the right of VPC in the upper part of the tab. On the Connection with Peer Network Instance page, configure the parameters.
The following table describes the important parameters.
| Parameter | Description |
| --- | --- |
| Network Type | The type of the network instance that you want to connect to the CEN instance. In this example, select VPC. |
| Region | The region in which the network instance resides. In this example, select the region that you specify when you create FW VPC. |
| Network Instance | The network instance that you want to connect to the CEN instance. In this example, select the ID of FW VPC. |
| VSwitch | The vSwitches that you can associate with the network instance. In this example, select TR-Vswitch-01 as the primary vSwitch and TR-VSwitch-02 as the secondary vSwitch. |
For more information about other parameters, see Use an Enterprise Edition transit router.
Step 3: Connect the VPCs and VBRs to the transit router
This step separately establishes a connection between the transit router and each of the following network instances: VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2. This way, the VPCs and VBRs are connected to the CEN instance.
For more information, see Use an Enterprise Edition transit router.
Step 4: Create a VPC firewall
This step creates a VPC firewall for FW VPC.
To create a VPC firewall, log on to the Cloud Firewall console. In the left-side navigation pane, choose . On the CEN (Enterprise Edition) tab, find the required transit router and click Create in the Actions column. In the Create VPC Firewall dialog box, select Manual for Traffic Redirection Mode, FW VPC for VPC, and Cfw-Vswitch for vSwitch. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.
The VPC for the firewall and the CEN-TR must belong to the same account. Otherwise, a VPC firewall cannot be created.
After this step, Cloud Firewall creates an Elastic Network Interface (ENI) in the Cfw-Vswitch to redirect traffic. You can view this ENI in the ECS console. Go to the page. By default, the network interface is named `cfw-bonding-eni`. The virtual ENI is used for traffic routing and redirection, while the firewall binds multiple virtual network interfaces across different availability zones to ensure high cluster availability. In manual traffic redirection mode, the firewall cluster uses an active-active pattern by default across two automatically allocated availability zones to provide high availability.
Step 5: Configure routes for FW VPC
This step creates routes to redirect traffic that is forwarded by the transit router to FW VPC to the VPC firewall and then redirect traffic that is processed by the VPC firewall to the transit router.
Log on to the VPC console.
On the Route Tables page, click the system route table that is created for FW VPC.
On the Route Entry List tab, click the Custom Route tab.
Click Add Route Entry and configure the parameters. If other custom routes exist, delete the custom routes.
Parameter description:
Destination CIDR Block: Specify 0.0.0.0/0.
Next Hop Type: Select ENI.
ENI: Select `cfw-bonding-eni`, the network interface that Cloud Firewall creates in Step 4.
After this step is complete, the traffic that is forwarded by the transit router to FW VPC is redirected to the VPC firewall.
On the Route Tables page, click the custom route table VPC-CFW-RouteTable that you create. On the page that appears, click the Associated vSwitch tab and click Associate vSwitch. In the Associate vSwitch dialog box, select Cfw-Vswitch for vSwitch. Then, click OK.
On the Route Entry List tab, click the Custom Route tab. Click Add Route Entry and configure the parameters. If other custom routes exist, delete the custom routes.
Parameter description:
Destination CIDR Block: Specify 0.0.0.0/0.
Next Hop Type: Select Transit Router.
Transit Router: Select the transit router for which the VPC firewall is created.
After this step is complete, the traffic that is processed by the VPC firewall is forwarded to the transit router.
Step 6: Configure routes for the transit router
This step creates route tables and routes on the transit router for VPC1, VPC2, and FW VPC so that traffic between VPC1 and VPC2 passes through the VPC firewall.
Log on to the CEN console, and find and click the transit router for which you want to enable a VPC firewall. The Route Table tab appears.
Create route tables named Cfw-Untrust-RouteTable and Cfw-Trust-RouteTable.
On the Route Table tab, click Create Route Table.
In the Create Route Table dialog box, configure the parameters for the Cfw-Untrust-RouteTable and Cfw-Trust-RouteTable route tables.
Transit Router: Select the transit router for which you want to enable the VPC firewall.
Note: The Cfw-Untrust-RouteTable route table is used to forward traffic from VPC1, IDC-1, and IDC-2 to FW VPC.
The Cfw-Trust-RouteTable route table is used to forward traffic from FW VPC to VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2.
Configure the Cfw-Trust-RouteTable route table.
After this operation is complete, the Cfw-Trust-RouteTable route table automatically learns routes from VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2, and the traffic from FW VPC is forwarded based on the Cfw-Trust-RouteTable route table.
Click the Cfw-Trust-RouteTable route table that you created. In the right-side section, click the Route Propagation tab.
On the Route Propagation tab, click Enable Route Propagation.
In the Enable Route Propagation dialog box, select VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2 for Attachment. Then, click OK.
After route learning is enabled, you can view the information about the routes that the system learns on the Route Entry tab.
On the Route Table tab, click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.
Then click the Cfw-Trust-RouteTable route table that you created, and on its Route Table Association tab, click Create Association.
In the Add Association dialog box, select FW VPC for Association. Then, click OK.
Configure the Cfw-Untrust-RouteTable route table.
After this operation is complete, traffic is forwarded to FW VPC based on the Cfw-Untrust-RouteTable route table.
Click the Cfw-Untrust-RouteTable route table that you created. In the right-side section, click the Route Entry tab.
On the Route Entry tab, click Add Route Entry.
In the Add Route Entry dialog box, configure the parameters.
Parameter description:
Destination CIDR: Retain the default value 10.0.0.0/8.
Blackhole Route: Retain the default value No.
Next Hop: Select FW VPC.
Repeat the preceding steps to add the following routes:
The route whose Destination CIDR is 172.16.0.0/12 and Next Hop is FW VPC.
The route whose Destination CIDR is 192.168.0.0/16 and Next Hop is FW VPC.
The route whose Destination CIDR is 61.20.0.0/16 and Next Hop is FW VPC.
The route whose Destination CIDR is 0.0.0.0/0 and Next Hop is DMZ VPC.
Configure the system route table to allow traffic that is destined for VPC1, IDC-1, and IDC-2 to pass through Cloud Firewall.
Warning: When you perform this operation, traffic may be interrupted. We recommend that you perform this operation during off-peak hours or during a change window.
On the Route Table tab, click the system route table in the left-side route table list. In the right-side section, click the Route Propagation tab.
On the Route Propagation tab, delete the route learning correlations that are created for VPC1, IDC-1, FW VPC, and IDC-2.
After this operation is complete, the system route table retains only the route learning correlations that are created for VPC2 and DMZ VPC. You can view the information about the routes that the system automatically learns on the Route Entry tab.
On the Route Entry tab, click Add Route Entry.
In the Add Route Entry dialog box, add the following routes:
The route whose Destination CIDR is 10.0.0.0/24 (VPC1) and Next Hop is FW VPC.
The route whose Destination CIDR is 172.16.0.0/12 (IDC-1) and Next Hop is FW VPC.
The route whose Destination CIDR is 61.20.0.0/16 (IDC-2) and Next Hop is FW VPC.
Modify the associated forwarding correlations to allow traffic from VPC1, IDC-1, and IDC-2 to other VPCs to pass through Cloud Firewall.
After this operation is complete, the traffic from VPC1, IDC-1, and IDC-2 is forwarded based on the Cfw-Untrust-RouteTable route table.
Warning: When you perform this operation, traffic may be interrupted. We recommend that you perform this operation during off-peak hours or during a change window.
On the Route Table Association tab of the system route table, delete the associated forwarding correlations that are created for VPC1, IDC-1, and IDC-2.
On the Route Table Association tab of the Cfw-Untrust-RouteTable route table, click Create Association.
In the Add Association dialog box, select VPC1, IDC-1, and IDC-2 for Association. Then, click OK.
After this step is complete, the routes between the CEN instance and FW VPC are created, and traffic can be forwarded to FW VPC.
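Because the associations and route entries in Steps 5 and 6 are changed during a window in which traffic may be interrupted, it helps to confirm the intended forwarding paths before touching the console. The following Python model is an added example, not Cloud Firewall or CEN code: it builds the transit router's system, Cfw-Untrust-RouteTable, and Cfw-Trust-RouteTable tables and the two FW VPC route tables exactly as this topic configures them, then traces a packet from a source attachment to its final next hop using longest-prefix match. The CIDRs for VPC1, IDC-1, and IDC-2 are the ones named in Step 6; the CIDRs for VPC2, DMZ VPC, and FW VPC are assumed sample values, and the trace also flags the loop that results if the firewall's output is ever routed back into FW VPC.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing for this example. VPC1, IDC-1 and IDC-2 use the CIDRs
# given in Step 6; VPC2, DMZ VPC and FW VPC are assumed values.
ATTACHMENT_CIDRS = {
    "VPC1": "10.0.0.0/24",
    "VPC2": "10.0.1.0/24",       # assumed
    "DMZ VPC": "10.0.2.0/24",    # assumed
    "IDC-1": "172.16.0.0/12",
    "IDC-2": "61.20.0.0/16",
    "FW VPC": "10.0.255.0/26",   # assumed
}


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)  # (ip_network, next hop)

    def add(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def propagate(self, attachments):
        """Model route propagation: learn each attachment's CIDR with the attachment as next hop."""
        for a in attachments:
            self.add(ATTACHMENT_CIDRS[a], a)

    def lookup(self, dst_ip):
        """Longest-prefix match; None when no route covers the destination."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, hop) for net, hop in self.routes if ip in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def build_transit_router():
    """Transit router tables as configured in Step 6; returns attachment -> associated table."""
    system = RouteTable("system")
    system.propagate(["VPC2", "DMZ VPC"])           # route learning kept only for VPC2 and DMZ VPC
    for cidr in ("10.0.0.0/24", "172.16.0.0/12", "61.20.0.0/16"):
        system.add(cidr, "FW VPC")                   # static routes toward VPC1, IDC-1, IDC-2

    untrust = RouteTable("Cfw-Untrust-RouteTable")
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "61.20.0.0/16"):
        untrust.add(cidr, "FW VPC")
    untrust.add("0.0.0.0/0", "DMZ VPC")              # default route bypasses the firewall

    trust = RouteTable("Cfw-Trust-RouteTable")
    trust.propagate(["VPC1", "VPC2", "DMZ VPC", "IDC-1", "IDC-2"])

    return {"VPC1": untrust, "IDC-1": untrust, "IDC-2": untrust,
            "VPC2": system, "DMZ VPC": system, "FW VPC": trust}


def fw_vpc_hops(dst_ip):
    """Step 5 inside FW VPC: the system table sends everything to the firewall ENI,
    and VPC-CFW-RouteTable on Cfw-Vswitch sends everything back to the transit router."""
    tr_side = RouteTable("FW VPC system")
    tr_side.add("0.0.0.0/0", "cfw-bonding-eni")
    fw_side = RouteTable("VPC-CFW-RouteTable")
    fw_side.add("0.0.0.0/0", "Transit Router")
    return [tr_side.lookup(dst_ip), fw_side.lookup(dst_ip)]


def trace(src_attachment, dst_ip, association=None):
    """Walk a packet from a source attachment to its final next hop and return the path."""
    association = association or build_transit_router()
    path, hop = [src_attachment], src_attachment
    for _ in range(4):  # bounded walk: a misrouted table must not loop forever
        table = association[hop]
        nxt = table.lookup(dst_ip)
        path.append(f"TR:{table.name}")
        if nxt is None:
            return path + ["no route"]
        path.append(nxt)
        if nxt != "FW VPC":
            return path
        if hop == "FW VPC":          # firewall output routed straight back into FW VPC
            return path + ["LOOP"]
        path.extend(fw_vpc_hops(dst_ip))
        hop = "FW VPC"
    return path + ["LOOP"]


def inspected(path):
    """True when the path crosses the firewall ENI, i.e. Cloud Firewall sees the traffic."""
    return "cfw-bonding-eni" in path


if __name__ == "__main__":
    for src, dst in [("VPC1", "10.0.1.10"), ("VPC2", "10.0.0.10"),
                     ("VPC2", "10.0.2.10"), ("IDC-1", "10.0.1.10"), ("VPC1", "8.8.8.8")]:
        p = trace(src, dst)
        print(f"{src} -> {dst}: {'inspected' if inspected(p) else 'bypass'} via {' > '.join(p)}")
```

The model reproduces the application scope stated at the top of this topic: traffic between VPC1 (or IDC-1, IDC-2) and any other VPC crosses the firewall ENI in both directions, traffic between VPC2 and DMZ VPC stays on the system route table, and traffic matching only the 0.0.0.0/0 entry goes to DMZ VPC without inspection. Substitute your real CIDRs in ATTACHMENT_CIDRS and re-run the trace whenever a route entry or association is about to change.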
Step 7: Check whether the forwarding configuration is successful
You can check whether the traffic logs of the CEN instance are displayed on the Traffic Logs tab. If the traffic logs are displayed, the forwarding configuration is successful. Examples:
VPC1 and VPC2 can communicate with each other, and traffic logs are displayed.
VPC2 and DMZ VPC can communicate with each other, but no traffic logs are displayed.
For more information, see Log audit.