If your network instances, such as Virtual Private Cloud (VPC), Virtual Border Router (VBR), or Cloud Connect Network (CCN), are connected through a Cloud Enterprise Network (CEN) instance that uses a Basic Edition transit router, you can use a VPC firewall to protect traffic between these instances and secure your assets. This topic describes how to configure a VPC firewall for a Basic Edition transit router.
Feature overview
How it works
After you enable a VPC firewall, Cloud Firewall intercepts and filters traffic between VPCs. It applies security measures such as deep packet inspection (DPI), intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies to determine whether to allow or block traffic. This blocks unauthorized access and secures traffic between your private network assets.
The following diagram shows an example of how a VPC firewall protects traffic in a Basic Edition transit router topology.
For more information about the protection scope, see What is Cloud Firewall?
Potential impacts
When you create a VPC firewall, you do not need to change your current network topology. You can create a VPC firewall and configure automatic traffic redirection to protect your assets without affecting your services. The creation process takes about 5 minutes. We recommend that you enable the VPC firewall during off-peak hours.
Enabling or disabling a VPC firewall takes 5 to 30 minutes, depending on the number of route entries. During this process, long-lived connections may experience transient interruptions of a few seconds. Short-lived connections are not affected.
Before you enable a VPC firewall, verify that your applications have an automatic TCP retransmission mechanism. Monitor the connection status of your applications during the operation to prevent interruptions caused by the lack of such a mechanism.
Limitations
Limit | Description | Solution |
VPC limits | When you enable a VPC firewall, a VPC instance named Cloud_Firewall_VPC is created. Make sure that your account has sufficient VPC quota. For more information about VPC quotas, see Limits and quotas. For example, the default quota for VPCs per region is 10. Because enabling a VPC firewall automatically creates one VPC, you can then create a maximum of 9 more VPCs. | If your quota is reached, increase your VPC quota. For more information, see Manage VPC quotas. |
VPC limits | Make sure that the number of network instances (VPCs, VBRs, and CCNs) attached to a Basic Edition transit router in each region does not exceed the quota. The VPC count includes the Cloud_Firewall_VPC that is automatically created when you enable the VPC firewall. For more information about the network instance limit of a Basic Edition transit router, see Limitations. For example, if each Basic Edition transit router supports 10 network instances by default, and enabling a VPC firewall automatically creates one VPC, you can attach a maximum of 9 additional network instances. | We recommend that you use an Enterprise Edition transit router. For assistance, . |
VPC limits | A CEN instance can protect a maximum of 31 VPCs in the same region. | None |
Routing limits | The CEN instance cannot have any routing policy whose Policy Behavior is set to Deny, except for the default deny routing policy with a priority of 5000 that CEN generates automatically. Otherwise, your services will be interrupted. | We recommend that you delete the relevant routing policies. For assistance, . |
Routing limits | After you enable a VPC firewall, Cloud Firewall automatically adds custom route entries to the VPC's route table. A single VPC route table supports a maximum of 200 custom route entries. If the number of custom route entries in the VPC's route table has reached this limit, you cannot enable the VPC firewall. | Increase the custom route entry quota for the VPC route tables in your account. For more information, see Manage quotas. |
Routing limits | Make sure that the number of route entries in the CEN instance does not exceed the quota. This number includes the route entries that are automatically added when you enable a VPC firewall. For more information about the number of route entries supported by a CEN instance, see Limitations. | We recommend that you limit the number of published route entries to 100. If needed, . |
Routing limits | You cannot enable a VPC firewall if a VPC has a custom route table that is bound to a vSwitch. | Delete the custom route table or unbind the vSwitch from the custom route table. |
Traffic type limits | | None |
Other limits | If you enabled a VPC firewall before May 1, 2021, and it uses a public CIDR block as a private one (any block other than 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) or redirects bidirectional traffic from a /32 IP address range, your services may be affected. Note: This limitation does not apply to users who enabled a VPC firewall on or after May 1, 2021. | We recommend that you plan your network according to standards and avoid using public CIDR blocks as private ones or redirecting traffic from /32 IP address ranges in your CEN instance. If you have special business requirements, . |
Other limits | When you enable or disable a VPC firewall, established long-lived connections to some cloud services, such as Server Load Balancer (SLB) and ApsaraDB for RDS, may be dropped. | |
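A pre-flight check against the limits in the table above, written as an added example (it is not part of Cloud Firewall's own diagnostics): given an inventory of your account and CEN instance, it reports each condition that would block enabling the firewall or interrupt traffic. The inventory is constructed sample data; in practice you would fill it from the VPC and CEN consoles or APIs.

```python
# Pre-flight check for enabling a VPC firewall on a CEN Basic Edition transit router.
# Thresholds are the ones stated in the Limitations table.
VPC_ROUTE_ENTRY_LIMIT = 200        # custom route entries per VPC route table
CEN_PROTECTED_VPC_LIMIT = 31       # VPCs one CEN instance can protect in a region
CEN_DEFAULT_DENY_PRIORITY = 5000   # the only Deny routing policy that may exist

def preflight(inv):
    """Return findings that block enabling the firewall or risk interruptions.

    An empty list means every limit in the table is satisfied.
    """
    findings = []
    # Enabling the firewall creates one extra VPC (Cloud_Firewall_VPC) ...
    if inv["vpc_count"] + 1 > inv["vpc_quota"]:
        findings.append("VPC quota: no room for Cloud_Firewall_VPC, request a quota increase")
    # ... and that VPC is attached to the transit router, so it also counts toward
    # the network instance quota.
    if inv["tr_attachments"] + 1 > inv["tr_attachment_quota"]:
        findings.append("transit router: network instance quota has no room for the firewall VPC")
    if inv["protected_vpcs"] > CEN_PROTECTED_VPC_LIMIT:
        findings.append(f"CEN: more than {CEN_PROTECTED_VPC_LIMIT} VPCs to protect in this region")
    # Any Deny routing policy other than the auto-generated priority-5000 one interrupts traffic.
    for pol in inv["routing_policies"]:
        if pol["behavior"] == "Deny" and pol["priority"] != CEN_DEFAULT_DENY_PRIORITY:
            findings.append(f"routing: custom Deny policy at priority {pol['priority']} must be removed")
    for vpc in inv["vpcs"]:
        # Cloud Firewall adds custom route entries, so a full table blocks enabling.
        if vpc["custom_route_entries"] >= VPC_ROUTE_ENTRY_LIMIT:
            findings.append(f"{vpc['id']}: custom route entry limit ({VPC_ROUTE_ENTRY_LIMIT}) reached")
        if vpc["custom_route_table_bound_to_vswitch"]:
            findings.append(f"{vpc['id']}: custom route table is bound to a vSwitch")
    return findings

# Constructed inventory mirroring the table's examples (VPC quota 10, 10 attachments per transit router).
SAMPLE_INVENTORY = {
    "vpc_count": 9, "vpc_quota": 10,                  # 9 + 1 firewall VPC still fits
    "tr_attachments": 10, "tr_attachment_quota": 10,  # already full: finding
    "protected_vpcs": 3,
    "routing_policies": [{"priority": 5000, "behavior": "Deny"},   # allowed default
                         {"priority": 10, "behavior": "Deny"}],    # finding
    "vpcs": [
        {"id": "vpc-prod", "custom_route_entries": 200, "custom_route_table_bound_to_vswitch": False},
        {"id": "vpc-dev", "custom_route_entries": 12, "custom_route_table_bound_to_vswitch": True},
    ],
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_INVENTORY):
        print("blocker:", finding)
```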
Create and enable a VPC firewall
Prerequisites
You have purchased the Enterprise Edition, Ultimate Edition, or Pay-as-you-go Edition of Cloud Firewall. For more information, see Purchase Cloud Firewall.
Note: Only the Enterprise, Ultimate, and Pay-as-you-go editions of Cloud Firewall support configuring a VPC firewall for a Basic Edition transit router. The Premium Edition does not support this feature.
You have authorized Cloud Firewall to access your cloud resources. For more information, see Authorize Cloud Firewall to access cloud resources.
You have purchased a CEN instance and used it to establish network connectivity between VPCs. For more information, see Connect VPCs in the same region (Basic Edition) and Connect VPCs across regions and accounts (Basic Edition).
Note: If a VPC in your CEN instance was created by a different Alibaba Cloud account and that account has not granted the required permissions to Cloud Firewall, you cannot create a VPC firewall. We recommend that you log on to the Cloud Firewall console with that account to grant the permissions, and then enable the VPC firewall. For more information, see Authorize Cloud Firewall to access cloud resources.
Make sure that the regions where your network resources are located are supported by the VPC firewall. For more information, see Supported regions.
Procedure
After you create a VPC firewall, modifying the vSwitch or route table in the created Cloud Firewall VPC may cause traffic interruptions.
If the CEN instance contains only a single VBR, creating or enabling the VPC firewall, or performing a network cutover, may cause traffic interruptions.
You cannot roll back or pause the process of enabling a VPC firewall. If an exception occurs, the system rolls back the process automatically.
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall.
On the Firewall page, click VPC Firewall.
On the VPC Firewall tab, click Cloud Enterprise Network (Basic Edition).
Locate the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.
If the asset you want to protect is not in the asset list, click Synchronize Assets to synchronize the asset information of the current Alibaba Cloud account and its member accounts.
In the Create Firewall panel, follow the configuration wizard to complete the VPC firewall configuration.
For a Basic Edition transit router, you can run a diagnostic check to verify whether the conditions for creating the firewall are met. You can view the results in the Enable Diagnosis wizard. If you are familiar with the firewall creation requirements, you can skip the diagnostic check and create the firewall directly.
The following table describes the VPC firewall configurations in a CEN-connected environment.
Parameter
Description
Basic Information
Name: Specify a unique name that identifies the VPC firewall instance. We recommend a meaningful name based on your business needs.
VPC Configurations of Firewall
Assign CIDR blocks to the automatically created Cloud Firewall VPC and vSwitch. These are used to create a dedicated firewall VPC (Cloud_Firewall_VPC) for traffic redirection. A subnet CIDR block for the Cloud Firewall VPC's vSwitch is allocated from the assigned VPC CIDR block. The subnet mask must be /29 or shorter, and the subnet must not conflict with your network plan.
Important: These settings depend on your service configuration and cannot be changed after creation. To change them, you must delete and recreate the firewall.
VPC of Firewall: The default value is 10.0.0.0/8. You can customize the CIDR block of the firewall VPC. Supported ranges are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and their subnets.
vSwitch CIDR Block: The default value is 10.219.219.216/29. If the default value conflicts with your network plan, you can customize this CIDR block.
Configure zone:
Note: If you select Default (Auto-assigned) for both the primary and secondary zones, the active-active mode is enabled. This mode is easy to configure and suits latency-insensitive service traffic. If you specify both a primary zone and a secondary zone, the active-passive mode is used. This mode suits latency-sensitive service traffic and helps reduce latency. For more information about the active-active and active-passive modes and the migration steps, see Best practices for migrating VPC firewall zones.
Primary Zone: Set the primary availability zone of the vSwitch. Cloud Firewall can also assign the vSwitch availability zone automatically.
Important: If your services are latency-sensitive, we recommend that you set the Primary Zone to the availability zone that hosts most of your services, and then specify the same availability zone for the service VPC's vSwitch to further reduce latency.
Secondary Zone: Set the secondary availability zone of the vSwitch. The VPC firewall preferentially forwards traffic through the primary zone for efficient transmission. When the primary zone is unavailable, the system automatically switches traffic to the secondary zone to ensure business continuity in disaster recovery scenarios.
Assign vSwitch for Firewall
Configure the vSwitch in the service VPC that requires traffic protection. This vSwitch hosts the elastic network interface (ENI) that Cloud Firewall uses for traffic redirection. Cloud Firewall can assign the vSwitch automatically. If your services are latency-sensitive, you can choose the service VPC's availability zone yourself to reduce network latency.
Important: This setting depends on your service configuration and cannot be changed after creation. To change it, you must delete and recreate the firewall.
Zone: Select the availability zone of the service VPC's vSwitch. To reduce latency, we recommend that you set it to the primary availability zone of the firewall VPC's vSwitch.
vSwitch: Select the vSwitch instance of the service VPC.
Redirection Configuration
Enable or disable the redirection switch and view the protected CIDR blocks.
IPS
Select the operating mode and policy of the intrusion prevention system (IPS) module.
IPS Mode
Monitor Mode: Monitors malicious traffic and generates alerts.
Block Mode: Blocks malicious traffic and intercepts intrusive activities.
IPS Capabilities
Basic Rules: Provides basic protection for your assets, including interception of brute-force attacks and exploits of command execution vulnerabilities, and control over post-infection connections to command and control (C&C) servers.
Virtual Patching: Provides real-time protection against popular high-risk application vulnerabilities.
Note: This setting applies to all network instances under the same CEN instance.
Click Start Creation to create the VPC firewall.
On the Cloud Enterprise Network (Basic Edition) tab, turn on the switch for the VPC firewall you created.
The VPC firewall must be enabled to protect your network resources. The VPC firewall is enabled when its Firewall Status changes to Enabled.
Note: After you enable a VPC firewall, Cloud Firewall requires 15 to 30 minutes to learn new routes whenever you add or delete VPC route entries. We recommend that you wait for route learning to complete and then verify that the route table is updated. If you have any questions, .
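A planning check for the VPC of Firewall and vSwitch CIDR Block parameters described in the configuration table, written as an added example (not Cloud Firewall's own code): it verifies that the firewall VPC CIDR lies within a supported private range, that the vSwitch subnet sits inside it with a mask of /29 or shorter, and that the subnet does not overlap the service VPC CIDRs you pass in. The service VPC CIDRs in SERVICE_PLAN are constructed sample values.

```python
import ipaddress

# Ranges the configuration table lists as supported for the firewall VPC CIDR.
SUPPORTED_PRIVATE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
MAX_VSWITCH_PREFIXLEN = 29  # the vSwitch subnet mask must be /29 or shorter

def validate_firewall_cidrs(fw_vpc_cidr, fw_vswitch_cidr, service_cidrs):
    """Return a list of problems with the planned Cloud_Firewall_VPC CIDRs.

    fw_vpc_cidr     -- value of "VPC of Firewall" (default 10.0.0.0/8)
    fw_vswitch_cidr -- value of "vSwitch CIDR Block" (default 10.219.219.216/29)
    service_cidrs   -- {name: cidr} of the VPCs already in your network plan
    An empty list means the plan passes these checks.
    """
    problems = []
    # strict=True rejects blocks with host bits set, e.g. 10.219.219.217/29.
    vpc = ipaddress.ip_network(fw_vpc_cidr, strict=True)
    vsw = ipaddress.ip_network(fw_vswitch_cidr, strict=True)
    if not any(vpc.subnet_of(r) for r in SUPPORTED_PRIVATE_RANGES):
        problems.append(f"firewall VPC {vpc} is not within 10/8, 172.16/12 or 192.168/16")
    if not vsw.subnet_of(vpc):
        problems.append(f"vSwitch {vsw} is not inside firewall VPC {vpc}")
    if vsw.prefixlen > MAX_VSWITCH_PREFIXLEN:
        problems.append(f"vSwitch mask /{vsw.prefixlen} is longer than /{MAX_VSWITCH_PREFIXLEN}")
    # Only the vSwitch subnet must be conflict-free: the firewall VPC CIDR
    # (10.0.0.0/8 by default) is expected to overlap your service VPCs.
    for name, cidr in service_cidrs.items():
        if vsw.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"vSwitch {vsw} overlaps {name} ({cidr})")
    return problems

# Constructed network plan: two service VPCs already attached to the CEN instance.
SERVICE_PLAN = {"vpc-prod": "10.1.0.0/16", "vpc-staging": "10.219.0.0/16"}

if __name__ == "__main__":
    # The default vSwitch block collides with vpc-staging in this plan.
    for problem in validate_firewall_cidrs("10.0.0.0/8", "10.219.219.216/29", SERVICE_PLAN):
        print("problem:", problem)
    print("fixed plan:", validate_firewall_cidrs("10.0.0.0/8", "10.250.0.0/29", SERVICE_PLAN))
```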
After the VPC firewall is created, Cloud Firewall automatically creates the following resources in your Virtual Private Cloud (VPC):
A VPC resource named Cloud_Firewall_VPC.
Important: Do not add other service resources to Cloud_Firewall_VPC. If you do, those resources are not deleted automatically when you delete the VPC firewall. Do not manually modify or delete network resources in this VPC.
A vSwitch resource named Cloud_Firewall_VSWITCH.
Custom route table entries with the remark "Created by cloud firewall. Do not modify or delete it."
After you enable the VPC firewall, a security group named Cloud_Firewall_Security_Group is automatically added to both Cloud_Firewall_VPC and the service VPC. An authorization policy is also configured for this security group to permit traffic to the VPC firewall.
Important: Do not delete the Cloud_Firewall_Security_Group security group or its authorization policy. Deleting either interrupts service traffic.
If you need to perform batch operations or frequently enable and disable the VPC firewall, we recommend that you do so during off-peak hours to avoid affecting your services.
Next steps
After you enable the VPC firewall, you can configure access control policies to control access between VPCs. For more information, see Access control policies for VPC firewalls.
After you enable the VPC firewall, you can use the VPC Access feature to view traffic between VPCs. For more information, see VPC Access.
After you enable the VPC firewall, you can use the VPC Protection feature to view anomalous events between VPCs that Cloud Firewall intercepted. For more information, see VPC Protection.
More operations
Edit a VPC firewall
To modify the configuration of a VPC firewall, on the VPC Firewall page, go to the Cloud Enterprise Network (Basic Edition) tab, locate the target CEN instance, and click Edit in the Actions column.
Disable a VPC firewall
Disabling a VPC firewall may cause transient traffic interruptions.
On the Firewall page, click VPC Firewall.
On the VPC Firewall page, go to the Cloud Enterprise Network (Basic Edition) tab, locate the target CEN instance, and turn off the Firewall switch.
After you turn off the switch, wait for the operation to complete. The VPC firewall is disabled when its Firewall Status changes to Disabled.
Delete a VPC firewall
If your services no longer require the VPC firewall, on the VPC Firewall page, go to the Cloud Enterprise Network (Basic Edition) tab, locate the target CEN instance, and click Delete in the Actions column.
Modify IPS configuration
To change the IPS protection mode or capabilities, add IP addresses to a whitelist, or modify IPS rules, click Configure IPS in the Actions column. Configure the settings on the VPC Border tab of the IPS Configuration page. For more information, see IPS Configuration.