
Cloud Firewall:VPC firewall

Last Updated:Apr 01, 2026

This topic describes the basic concepts and application scenarios of the VPC firewall feature in Cloud Firewall.

What is a VPC firewall

A VPC firewall helps you inspect and control traffic between Virtual Private Cloud (VPC) instances, and between VPCs and on-premises data centers. If your VPCs are attached to a Cloud Enterprise Network (CEN) instance or connected by using Express Connect, you can create a VPC firewall to control traffic across these connections.

VPC firewall also supports cross-account management. For example, consider a scenario where Account A owns a Cloud Enterprise Network (CEN) instance and VPC_1, while Account B owns VPC_2. If both VPCs are connected through the CEN instance of Account A, Account A can purchase the Enterprise or Ultimate edition of Cloud Firewall to protect the traffic between VPC_1 and VPC_2.

How it works

For architecture diagrams of VPC firewalls, see the following topics:

Protection scope

Cloud Firewall provides three types of VPC firewalls. You can select the appropriate VPC firewall based on your network topology.

VPC firewall for an Enterprise Edition transit router

Protects:

  • Traffic between multiple virtual private clouds (VPCs) in the same region

  • Traffic between multiple cross-region VPCs that are connected using an Enterprise Edition transit router (TR)

  • Traffic between a VPC and a virtual border router (VBR), which represents traffic between a VPC and a data center

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

  • Traffic between multiple VBRs

  • Traffic between a CCN instance and a VBR

  • Traffic between a VPC and a public VPN gateway

Does not protect:

  • Traffic between multiple CCN instances

Operation guide: Configure a VPC firewall for an Enterprise Edition transit router

VPC firewall for a Basic Edition transit router

Protects:

  • Traffic between multiple virtual private clouds (VPCs) in the same region

  • Traffic between multiple cross-region VPCs that are connected using a Basic Edition transit router (TR)

  • Traffic between a VPC and a virtual border router (VBR), which represents traffic between a VPC and a data center

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

Does not protect:

  • Traffic between multiple VBRs

  • Traffic between a CCN instance and a VBR

  • Traffic between multiple CCN instances

Operation guide: Configure a VPC firewall for a Basic Edition transit router

VPC firewall for an Express Connect circuit

Protects:

  • Traffic between multiple VPCs that are in the same region, belong to the same account, and are connected using an Express Connect circuit in virtual private cloud (VPC) mode

  • Traffic between multiple VPCs in the same region that are connected using a VPC peering connection. The VPCs can belong to the same account or different accounts.

Does not protect:

  • Traffic between multiple cross-account and cross-region VPCs that are connected using an Express Connect circuit in virtual private cloud (VPC) mode

  • Traffic between a VPC and a virtual border router (VBR)

Note

To protect traffic between cross-region or cross-account VPCs, or traffic between a VPC and a VBR, we recommend that you use a CEN network. For more information, submit a .

Operation guide: Configure the VPC firewall for a peering connection

Note

VPC firewall does not support the jumbo frame feature.

Specifications

VPC firewall specifications are based on two key metrics: the number of VPC firewall instances and the Protected VPC Traffic.

Number of VPC firewall instances

  Description: The number of VPC firewall instances that you can create.

  Subscription: Your available quota is determined by your purchased specifications. If the quota is insufficient, you can upgrade the specifications. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

  The quota varies by Cloud Firewall edition. For more information, see Subscription 2.0.

  Note

  If your traffic exceeds the purchased processing capacity, the Service Level Agreement (SLA) is not guaranteed. This can lead to service degradation, such as disabled security features (ACL, IPS, and log auditing), firewall shutdown for assets that exceed traffic limits, and packet loss due to throttling.

  If you anticipate traffic spikes, we recommend using Pay-as-you-go for elastic traffic.

  Pay-as-you-go: Billing is based on the actual number of protected instances and the total processed traffic. There are no quota limits. For more information about billing, see Pay-as-you-go 2.0.

Protected VPC Traffic

  Description: The peak total traffic between VPCs that the firewall can protect.

View protection status and quota usage

You can view the protection status of your assets on the VPC Firewall page.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall.

  2. On the VPC Firewall tab, you can view the number of created and uncreated VPC firewall instances for your account, and the counts of total, protected, and unprotected network elements.

    If you have used up the quota for your edition, click Increase Quota to purchase more. For more information about the number of supported VPC firewall instances for each edition, see Subscription 2.0.

  3. In the VPC Firewall section, click the View icon to view the number of uncreated and created firewall instances for CEN (Enterprise Edition), CEN (Basic Edition), and Express Connect.

  4. In the Protected Network Elements section, click the View icon to view the total, protected, and unprotected counts of network elements, including VPCs, VBRs, TRs, and VPN Gateways.

The following list describes how the statistics are calculated:

  • CEN (Enterprise Edition)

    • Unprotected network elements: The number of network elements, such as VPCs, VBRs, TRs, and VPN Gateways, that are not protected by a VPC firewall. This count excludes network elements in manual mode.

    • Protected network elements: The number of network elements, such as VPCs, VBRs, TRs, and VPN Gateways, that are protected by a VPC firewall. This count excludes network elements in manual mode.

    • Available quota: The number of created VPC firewall instances. Each Enterprise Edition transit router counts as one instance.

  • CEN (Basic Edition)

    • Unprotected network elements: The number of VPCs that are not protected by a VPC firewall.

    • Protected network elements: The number of VPCs that are protected by a VPC firewall.

    • Available quota: The number of created VPC firewall instances. Each VPC counts as one instance.

  • Express Connect

    • Unprotected network elements: The number of VPCs that are not protected by a VPC firewall.

    • Protected network elements: The number of VPCs that are protected by a VPC firewall.

    • Available quota: The number of created VPC firewall instances. Each pair of VPCs (a local VPC and a peer VPC) counts as one instance.
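The following Python example is added here and is not Alibaba Cloud's code. It encodes the protection scope table above and the counting rules in this list as a coverage-planning check: for a constructed topology with hypothetical resource names, it reports which traffic paths each VPC firewall type would leave uninspected and how many firewall instances of that type the topology would consume.

```python
from itertools import combinations

# Unordered element-type pairs that each VPC firewall type protects, taken from
# the protection scope table on this page. Pairs not listed there are treated
# as unprotected, which is the conservative reading for coverage planning.
SCOPE = {
    "enterprise_tr": {("VPC", "VPC"), ("VBR", "VPC"), ("CCN", "VPC"),
                      ("VBR", "VBR"), ("CCN", "VBR"), ("VPC", "VPN")},
    "basic_tr": {("VPC", "VPC"), ("VBR", "VPC"), ("CCN", "VPC")},
    "express_connect": {("VPC", "VPC")},
}

def protects(fw_type, a, b, link=None):
    """Return True if a firewall of fw_type inspects traffic between a and b.
    a, b are dicts with 'type', 'region' and 'account'; for Express Connect
    VPC pairs, link is 'vpc_mode' (a circuit in VPC mode) or 'peering'."""
    if tuple(sorted((a["type"], b["type"]))) not in SCOPE[fw_type]:
        return False
    if fw_type != "express_connect":
        return True  # TR firewalls: the table lists no region/account limit
    same_region = a["region"] == b["region"]
    same_account = a["account"] == b["account"]
    # Express Connect firewall: same region only; a circuit in VPC mode also
    # needs a single account, while a peering connection may span accounts.
    return same_region and (link == "peering" or same_account)

def instances_needed(fw_type, elements):
    """Quota consumed, using the counting rules under 'View protection status'."""
    vpcs = [e for e in elements if e["type"] == "VPC"]
    if fw_type == "enterprise_tr":   # one instance per Enterprise Edition TR
        return len({e.get("tr") for e in elements} - {None})
    if fw_type == "basic_tr":        # one instance per VPC
        return len(vpcs)
    # Assumes every VPC pair is connected: one instance per local/peer pair.
    return len(list(combinations(vpcs, 2)))

def uncovered_paths(fw_type, elements, link=None):
    """Element pairs in the topology that this firewall type would not inspect."""
    return [(a["name"], b["name"]) for a, b in combinations(elements, 2)
            if not protects(fw_type, a, b, link)]

# Constructed sample topology (hypothetical names, not real resources): two VPCs
# in different regions/accounts, a VBR to a data center and a CCN, on one TR.
TOPOLOGY = [
    {"name": "vpc-a", "type": "VPC", "region": "r1", "account": "acct-1", "tr": "tr-1"},
    {"name": "vpc-b", "type": "VPC", "region": "r2", "account": "acct-2", "tr": "tr-1"},
    {"name": "vbr-dc", "type": "VBR", "region": "r1", "account": "acct-1", "tr": "tr-1"},
    {"name": "ccn-1", "type": "CCN", "region": "r1", "account": "acct-1", "tr": "tr-1"},
]
```

Calling `uncovered_paths("basic_tr", TOPOLOGY)` returns the VBR-to-CCN path, which only the Enterprise Edition transit router firewall covers, and `instances_needed` shows the Enterprise Edition option consuming a single instance for the whole transit router.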