Cloud Firewall: Overview of VPC firewalls

Last Updated:Nov 13, 2025

This topic describes the basic concepts and common scenarios of virtual private cloud (VPC) firewalls in Cloud Firewall.

What is a VPC firewall?

A VPC firewall detects and controls traffic between VPCs and between a VPC and a data center. If VPCs are attached to the same Cloud Enterprise Network (CEN) instance or are connected by an Express Connect circuit, you can create a VPC firewall to control the traffic between the VPCs and between a VPC and a data center.

VPC firewalls also support cross-account management. For example, if Account A creates a CEN instance and VPC_1, Account B creates VPC_2, and both VPCs are attached to the CEN instance of Account A, Account A can purchase Cloud Firewall Enterprise Edition or Ultimate Edition to protect the traffic between VPC_1 and VPC_2.

How it works

For diagrams that illustrate how VPC firewalls work, see the operation guides listed in the Protection scope section below.

Protection scope

Cloud Firewall provides three types of VPC firewalls. Select the type that matches your network architecture. For each type, the traffic that the VPC firewall can and cannot protect is listed below, followed by the operation guide for that type.

VPC firewall that is created for an Enterprise Edition transit router

Protected traffic:

  • Traffic between VPCs in the same region

  • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router

  • Traffic between a VPC and a virtual border router (VBR) or a data center

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

  • Traffic between VBRs

  • Traffic between a VBR and a CCN instance

  • Traffic between a VPC and a public VPN gateway

Not protected:

  • Traffic between CCN instances

Operation guide: Configure a VPC firewall for an Enterprise Edition transit router

VPC firewall that is created for a Basic Edition transit router

Protected traffic:

  • Traffic between VPCs in the same region

  • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router

  • Traffic between a VPC and a virtual border router (VBR) or a data center

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

Not protected:

  • Traffic between VBRs

  • Traffic between a VBR and a CCN instance

  • Traffic between CCN instances

Operation guide: Configure a VPC firewall for a Basic Edition transit router

VPC firewall that is created for an Express Connect circuit

Protected traffic:

  • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

  • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region, whether the VPCs belong to the same account or to different accounts

Not protected:

  • Traffic between VPCs that are connected by using an Express Connect circuit and reside in different regions or belong to different accounts

  • Traffic between a VPC and a VBR

Note

If you need to protect these types of traffic, we recommend that you replace Express Connect with Cloud Enterprise Network (CEN). For more information, submit a ticket.

Operation guide: Configure a VPC firewall for an Express Connect circuit

Note

VPC firewalls do not support the jumbo frame feature.

Specifications

The specifications of a VPC firewall include the number of VPC firewalls that can be created and the Protected VPC Traffic quota. The following list describes each specification and how it is provisioned under the subscription and pay-as-you-go billing methods.

Number of VPC Firewalls: The number of VPC firewalls that can be created.

Protected VPC Traffic: The peak total traffic between VPCs that can be protected.

Cloud Firewall Subscription (Enterprise and Ultimate Editions):

  • The quota varies based on the Cloud Firewall edition. For more information, see Subscription 2.0.

  • Whether the quota is sufficient depends on the number of VPC firewalls that you create and the Protected VPC Traffic that you purchase. If the quota is insufficient, upgrade the specifications. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

Note

If your service traffic exceeds the purchased traffic processing specifications of Cloud Firewall, the product Service-Level Agreement (SLA) cannot be guaranteed and service degradation rules may be triggered. These rules include but are not limited to: failure of security features such as access control, the intrusion prevention system (IPS), and log audit; shutdown of the firewall for the top assets that exceed the traffic limit; and packet loss due to throttling.

If your service traffic is at risk of exceeding the limit, see Pay-as-you-go for elastic traffic.

Cloud Firewall pay-as-you-go:

  • You are charged based on the number of protected instances and the total processed traffic. No quota limit applies. For more information about billing, see Pay-as-you-go 2.0.

View the protection status of assets and quota usage

You can view the protected assets in your account on the VPC Firewall page.

  1. Log on to the Cloud Firewall console. In the navigation pane on the left, click Firewall Settings.

  2. On the VPC Firewall tab, you can view the number of created and uncreated VPC firewalls, the number of available authorizations, the total number of network elements, and the number of protected and unprotected network elements in your account.

    If you exhaust the available authorizations for your edition, which correspond to the number of VPC firewall instances you can protect, you can click Upgrade Authorizations to purchase more. For more information about the number of VPC firewall instances that each edition supports, see Subscription 2.0.


  3. Click the View icon in the VPC Firewall section to view the number of created and uncreated VPC firewall instances for CEN (Enterprise Edition), CEN (Basic Edition), and Express Connect.

  4. Click the View icon in the Protected Network Elements section to view the total number of protected and unprotected VPCs, VBRs, transit routers (TRs), and VPN gateways.

The following describes the data:

  • CEN (Enterprise Edition)

    • Unprotected network elements: The number of network elements that are not protected by VPC firewalls. These include the VPCs, VBRs, transit routers, and VPN gateways that have not been added to a VPC firewall in manual mode.

    • Protected network elements: The number of network elements that are protected by VPC firewalls. These include the VPCs, VBRs, transit routers, and VPN gateways that have been added to a VPC firewall in manual mode.

    • Available quota: The number of VPC firewalls that you are authorized to enable. Each transit router corresponds to one VPC firewall.

  • CEN (Basic Edition)

    • Unprotected network elements: The number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: The number of VPCs that are protected by VPC firewalls.

    • Available quota: The number of VPC firewalls that you are authorized to enable. Each VPC corresponds to one VPC firewall.

  • Express Connect

    • Unprotected network elements: The number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: The number of VPCs that are protected by VPC firewalls.

    • Available quota: The number of VPC firewalls that you are authorized to enable. A local VPC and its peer VPC correspond to one VPC firewall.