You can use virtual private cloud (VPC) firewalls to monitor and manage traffic between VPCs and traffic between a VPC and a data center. If two VPCs are connected by using an Express Connect circuit or if the VPCs are attached to the same Cloud Enterprise Network (CEN) instance, you can create a VPC firewall for the Express Connect circuit or the CEN instance to manage traffic between the VPCs. This topic describes how to configure a VPC firewall.
Usage notes
When you enable a VPC firewall, the following network resources are automatically created:
- A VPC named Cloud_Firewall_VPC. Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not manually modify or delete the network resources in Cloud_Firewall_VPC.
- A vSwitch named Cloud_Firewall_VSWITCH.
- A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.
If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.
- If you disable or delete a VPC firewall, transient connection interruptions may occur.
- If you change the vSwitch and route table after a VPC firewall is created, connections may be interrupted.
- If you disable or delete a VPC firewall that is created for an Enterprise Edition transit router of a CEN instance in manual traffic redirection mode, connections may be interrupted.
Configure a VPC firewall for an Enterprise Edition transit router of a CEN instance
Limits
Item | Solution |
---|---|
When you enable a VPC firewall for a Cloud Enterprise Network (CEN) instance, you can add up to 100 network instances such as VPCs, Virtual Border Routers (VBRs), and Cloud Connect Network (CCN) instances to the transit router in each region. Note: The VPCs that you can add to a transit router include the VPC that is automatically created when you enable the VPC firewall and is named Cloud_Firewall_VPC. For more information about how to view the information about the VPC, see View a VPC. | None. |
A transit router is subject to the following limits: | To add a VPC to the whitelist, contact the after-sales service in the specified DingTalk group. |
If you enabled a VPC firewall and a Basic Edition transit router is upgraded to an Enterprise Edition transit router, traffic over the CIDR blocks of the newly added routes is interrupted when the traffic passes through the firewall. | Before you upgrade a Basic Edition transit router to an Enterprise Edition transit router, you must delete the VPC firewall in the region where the Basic Edition transit router is deployed. After you delete the VPC firewall, upgrade the Basic Edition transit router to an Enterprise Edition transit router. Then, you must reconfigure a VPC firewall. |
VPC Firewall is supported only if a paid edition of Cloud Firewall is purchased within the Alibaba Cloud account to which the required CEN instance belongs. For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you can use Account A to purchase a paid edition of Cloud Firewall to protect traffic between VPC_1 and VPC_2. | None. |
VPC firewalls can protect traffic between VPCs in the same region, between cross-region VPCs that are connected by using CEN transit routers, between a VPC and a VBR, and between a VPC and a CCN instance. VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR. | None. |
The automatic traffic redirection mode is subject to the following limits: | None. |
Scenarios
- VPC firewalls can protect traffic in the following scenarios:
- Traffic between VPCs in the same region
- Traffic between cross-region VPCs that are connected by using a transit router
- Traffic between a VPC and a VBR or a data center
- Traffic between a VPC and a CCN instance
- In automatic traffic redirection mode, VPC firewalls cannot protect traffic in the following scenarios:
- A static route other than 100.64.0.0/10 exists in the route tables of an Enterprise Edition transit router for a CEN instance.
- A network element is specified in multiple types of traffic redirection scenarios. For example, Network Element A is specified in both an Instance-Instance scenario and an Instance to Instances scenario.
- A Basic Edition transit router of a CEN instance is specified in an automatic traffic redirection scenario.
- Network instances whose traffic you want a VPC firewall to redirect are transit routers that have route conflicts or VBRs that use equal-cost multi-path routing (ECMP).
Prerequisites
- Cloud Firewall Enterprise Edition or Ultimate Edition is purchased.
- A CEN instance is purchased. VPCs are connected by using an Enterprise Edition transit router, or on-premises resources are connected to Alibaba Cloud. For more information, see Use Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks and Use Enterprise Edition transit routers to connect VPCs across regions and accounts.
- Cloud Firewall is authorized to access other cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.
Create a VPC firewall
Manage an automatic traffic redirection scenario
Modify or delete a VPC firewall
If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the transit router of the CEN instance for which the VPC firewall is enabled, and then click Edit or Delete in the Actions column.
- Manual traffic redirection mode: If you want to delete a VPC firewall, you must manually delete the routes that are used to route traffic to the VPC firewall before you delete the VPC firewall. This helps ensure that your workloads are not affected.
- Automatic traffic redirection mode: If you want to delete a VPC firewall that is enabled, you must delete all traffic redirection scenarios that are created for the VPC firewall before you can delete the VPC firewall.
Configure a VPC firewall for a Basic Edition transit router of a CEN instance
Limits
Item | Solution |
---|---|
If multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must run Ultimate Edition and must be authorized to access all VPCs. Otherwise, VPC firewalls cannot be created. | |
VPC Firewall can be enabled for a CEN instance only if VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. | Make sure that VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. For more information, see Supported regions. |
If you enabled a VPC firewall before May 1, 2021 and you used a public IP address as a private IP address in your network topology, your access to Server Load Balancer (SLB) and ApsaraDB RDS is interrupted. Important: If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit. | We recommend that you develop a network plan based on the standards. We also recommend that you do not use a public IP address as a private IP address. |
You can advertise up to 100 routes in a CEN instance. | We recommend that you advertise no more than 100 routes. For more information, contact the after-sales service in the specified DingTalk group. |
| Increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account. For more information, see Manage resource quotas. |
If a VPC in a CEN instance has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall for the CEN instance. | Delete the custom route table or disassociate the custom route table from the vSwitch. |
Cloud Firewall does not protect the following traffic that does not pass through Cloud Firewall: | For more information, contact the after-sales service in the specified DingTalk group. |
When you enable or disable VPC Firewall for an SLB or ApsaraDB RDS instance, existing persistent connections may fail. | |
The total number of VPCs and regions for which VPC Firewall is enabled must be less than or equal to 32. | None. |
When you enable a VPC firewall for a CEN instance, you can add up to 15 network instances. | We recommend that you use a transit router. For more information, contact the after-sales service in the specified DingTalk group. |
If a CEN instance has routing policies whose Routing Policy Action is set to Deny, services are interrupted when you create a VPC firewall for the CEN instance. The routing policies exclude system routing policies whose priority is set to 5000 and Routing Policy Action is set to Deny. | We recommend that you delete the relevant routing policies or contact the after-sales service in the specified DingTalk group. |
If you create or delete routing policies for a CEN instance after you enable a VPC firewall for the instance, you must wait 15 to 30 minutes until Cloud Firewall learns routes. | After Cloud Firewall learns routes, we recommend that you check whether your routing policies take effect. You can check whether routing policies take effect in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group. |
If your CEN instance is connected by using a single leased line, traffic is interrupted when you enable a VPC firewall or start a network cutover. | Before you enable a VPC firewall or start a network cutover, we recommend that you contact the after-sales service in the specified DingTalk group. |
VPC Firewall is supported only if a paid edition of Cloud Firewall is purchased within the Alibaba Cloud account to which the required CEN instance belongs. For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you can use Account A to purchase a paid edition of Cloud Firewall to protect traffic between VPC_1 and VPC_2. | None. |
VPC firewalls can protect traffic between VPCs in the same region, between cross-region VPCs that are connected by using CEN transit routers, between a VPC and a VBR, and between a VPC and a CCN instance. VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR. | None. |
The automatic traffic redirection mode is subject to the following limits: | None. |
Prerequisites
- Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. Cloud Firewall Ultimate Edition is required if multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts.
- A CEN instance is purchased, and VPCs are attached to the CEN instance. For more information, see Use Basic Edition transit routers to connect VPCs in the same region and Use Basic Edition transit routers to connect VPCs across regions.
- Cloud Firewall is authorized to access other cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.
Create a VPC firewall
Enable or disable a VPC firewall
Modify or delete a VPC firewall
If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Basic) tab, find the VPC firewall, and then click Modify or Delete in the Actions column.
Configure a VPC firewall for VPCs connected by using an Express Connect circuit
Limits
Item | Solution |
---|---|
If you enable a VPC firewall for Express Connect, the firewall does not protect the traffic between VPCs that reside in different regions or belong to different Alibaba Cloud accounts. The firewall also does not protect the traffic between VPCs and VBRs. | If you want to protect the traffic in these scenarios, we recommend that you use CEN to replace Express Connect. For more information, contact the after-sales service in the specified DingTalk group. |
| Increase the maximum number of custom routes allowed for each VPC route table within your Alibaba Cloud account. For more information, see Manage resource quotas. |
You cannot advertise routes that use 32-bit subnet masks in Express Connect. If routes that use 32-bit subnet masks are advertised and a VPC firewall is enabled, connections to the networks that those routes cover are interrupted. | Before you enable a VPC firewall, we recommend that you use subnet masks that are less than or equal to 30 bits in length. Alternatively, contact the after-sales service in the specified DingTalk group. |
If you add or delete routes in your VPC route table for an Express Connect circuit after you enable a VPC firewall for the circuit, you must wait for 15 to 30 minutes until Cloud Firewall learns routes. | After Cloud Firewall learns routes, we recommend that you check whether your route table takes effect. You can check whether your route table takes effect in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group. |
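Several of the limits above can be checked against exported route data before you enable a VPC firewall. The following Python script is an added example, not Alibaba Cloud's own tooling: it encodes the static-route rule from the automatic traffic redirection scenarios (only 100.64.0.0/10 is allowed as a static route), the 100-route and Deny routing policy limits from the CEN (Basic Edition) table, and the 32-bit mask limit from the Express Connect table, and runs them over constructed sample data whose field names are placeholders rather than the fields of any Alibaba Cloud API response.

```python
import ipaddress

# Constructed sample data for this example; field names are placeholders, not API fields.
TR_ROUTES = [                                       # Enterprise Edition transit router route table
    {"cidr": "100.64.0.0/10", "type": "Static"},    # the one static route that is allowed
    {"cidr": "192.168.10.0/24", "type": "Propagated"},
    {"cidr": "10.0.0.0/8", "type": "Static"},       # rules out automatic traffic redirection
]
ADVERTISED_ROUTES = ["172.16.1.0/24", "172.16.2.0/24", "172.16.9.7/32"]  # /32 is not allowed
ROUTE_MAPS = [
    {"priority": 5000, "action": "Deny"},   # system routing policy, excluded by the limit
    {"priority": 10, "action": "Deny"},     # user routing policy, interrupts services
    {"priority": 20, "action": "Permit"},
]
MAX_CEN_ROUTES = 100
ALLOWED_STATIC = ipaddress.ip_network("100.64.0.0/10")
SYSTEM_DENY_PRIORITY = 5000

def blocking_static_routes(routes):
    """Static routes other than 100.64.0.0/10; any of these rules out automatic redirection."""
    return [r["cidr"] for r in routes
            if r["type"] == "Static" and ipaddress.ip_network(r["cidr"]) != ALLOWED_STATIC]

def host_routes(cidrs):
    """Routes with a 32-bit mask, which cannot be advertised over Express Connect."""
    return [c for c in cidrs if ipaddress.ip_network(c).prefixlen == 32]

def exceeds_cen_route_limit(cidrs, limit=MAX_CEN_ROUTES):
    return len(cidrs) > limit

def user_deny_policies(route_maps):
    """Deny routing policies other than the system policy at priority 5000."""
    return [m for m in route_maps
            if m["action"] == "Deny" and m["priority"] != SYSTEM_DENY_PRIORITY]

def precheck(tr_routes, advertised, route_maps):
    """Collect every limit from this page that the given data would hit; empty means clear."""
    findings = [f"static route {c} blocks automatic traffic redirection"
                for c in blocking_static_routes(tr_routes)]
    findings += [f"/32 route {c} cannot be advertised over Express Connect"
                 for c in host_routes(advertised)]
    if exceeds_cen_route_limit(advertised):
        findings.append(f"more than {MAX_CEN_ROUTES} routes advertised in the CEN instance")
    findings += [f"Deny routing policy at priority {m['priority']} interrupts services"
                 for m in user_deny_policies(route_maps)]
    return findings

if __name__ == "__main__":
    print(*precheck(TR_ROUTES, ADVERTISED_ROUTES, ROUTE_MAPS), sep="\n")
```

Run it against your own exported route tables and routing policies by replacing the constructed lists; an empty result means none of the encoded limits is hit.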
Prerequisites
- An Express Connect circuit is purchased, and VPCs are connected by using the Express Connect circuit. For more information, see Connect two VPCs under the same Alibaba Cloud account.
- Cloud Firewall Enterprise Edition or Ultimate Edition is purchased.
Create a VPC firewall
Enable or disable a VPC firewall
Modify or delete a VPC firewall
If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, you can go to the VPC Firewall tab, click the Express Connect tab, find the VPC firewall, and then click Modify or Delete in the Actions column.
Use a VPC firewall to protect traffic between a VPC and a data center
Prerequisites
Cloud Firewall Enterprise Edition or Ultimate Edition is purchased.
A VPC firewall can protect traffic between a VPC and a data center that are connected by a VBR. If a VPC and a data center are connected by using a CEN instance, traffic between the VPC and the data center is automatically protected after you enable the VPC firewall created for the CEN instance. You do not need to create or enable a VPC firewall for the VBR.
Log on to the Cloud Firewall console at https://yundun.console.aliyun.com/?p=cfwnext. On the Firewall Settings page, click the VPC Firewall tab. On the CEN (Basic) or CEN (Enterprise Edition) tab, you can view information about the VBR that is involved.
What to do next
- After a VPC firewall is created, you can configure access control policies for the VPC firewall to manage traffic between VPCs. For more information, see Create an access control policy for a VPC firewall.
- After the VPC firewall is enabled, you can go to the VPC Access page to view information about the traffic between VPCs.