You can use virtual private cloud (VPC) firewalls to monitor and manage traffic between VPCs and traffic between a VPC and a data center. If two VPCs are connected by using an Express Connect circuit or if the VPCs are attached to the same Cloud Enterprise Network (CEN) instance, you can create a VPC firewall for the Express Connect circuit or the CEN instance to manage traffic between the VPCs. This topic describes how to configure a VPC firewall.

Usage notes

After you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically creates the following resources:
  • A VPC named Cloud_Firewall_VPC.

    Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not manually modify or delete the network resources in Cloud_Firewall_VPC.

  • A vSwitch named Cloud_Firewall_VSWITCH.
  • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.
After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action parameter is set to Allow to the security group. The rule allows inbound traffic from the VPC firewall to ECS.
Note Do not delete the security group Cloud_Firewall_Security_Group and the security group rule whose Action parameter is set to Allow. Otherwise, the inbound traffic from the VPC firewall to ECS cannot be protected by the VPC firewall.

If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.

Warning
  • If you disable or delete a VPC firewall, connections may be briefly interrupted.
  • If you change the vSwitch and route table after a VPC firewall is created, connections may be interrupted.
  • If you disable or delete a VPC firewall that is created for an Enterprise Edition transit router of a CEN instance in manual traffic redirection mode, connections may be interrupted.

Configure a VPC firewall for an Enterprise Edition transit router of a CEN instance

Limits

Item: When you enable a VPC firewall for a Cloud Enterprise Network (CEN) instance, you can add up to 100 network instances, such as VPCs, Virtual Border Routers (VBRs), and Cloud Connect Network (CCN) instances, to the transit router in each region.
Note The 100 instances include the VPC named Cloud_Firewall_VPC that is automatically created when you enable the VPC firewall. For more information about how to view the information about the VPC, see View a VPC.
Solution: None.

Item: A transit router is subject to the following limits:
  • After you create a VPC firewall in automatic mode, you must contact the after-sales service to add the automatically created VPC named Cloud_Firewall_VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
  • After you create a VPC firewall in manual mode, you must contact the after-sales service to add the newly created VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
Solution: To add a VPC to the whitelist, contact the after-sales service in the specified DingTalk group.

Item: If a VPC firewall is enabled and a Basic Edition transit router is upgraded to an Enterprise Edition transit router, traffic over the CIDR blocks of the newly added routes is interrupted when it passes through the firewall.
Solution: Before you upgrade a Basic Edition transit router to an Enterprise Edition transit router, delete the VPC firewall in the region where the Basic Edition transit router is deployed. After you delete the VPC firewall, upgrade the transit router, and then reconfigure a VPC firewall.

Item: VPC Firewall is supported only if a paid edition of Cloud Firewall is purchased within the Alibaba Cloud account to which the CEN instance belongs.
For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you must use Account A to purchase a paid edition of Cloud Firewall to protect traffic between VPC_1 and VPC_2.
Solution: None.

Item: VPC firewalls can protect traffic between VPCs in the same region, between cross-region VPCs that are connected by using CEN transit routers, between a VPC and a VBR, and between a VPC and a CCN instance. VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR.
Solution: None.

Item: The automatic traffic redirection mode is subject to the following limits:
  • If a static route other than 100.64.0.0/10 exists in the route tables of an Enterprise Edition transit router for a CEN instance, you cannot configure a traffic redirection scenario.
  • A network element cannot be specified in multiple traffic redirection scenarios at the same time. You cannot specify a Basic Edition transit router of a CEN instance in a traffic redirection scenario. Transit routers that have route conflicts are not supported. Routes that are added to VBRs for equal-cost multi-path routing (ECMP) are not supported.
Solution: None.

Scenarios

  • VPC firewalls can protect traffic in the following scenarios:
    • Traffic between VPCs in the same region
    • Traffic between cross-region VPCs that are connected by using a transit router
    • Traffic between a VPC and a VBR or a data center
    • Traffic between a VPC and a CCN instance
  • In automatic traffic redirection mode, VPC firewalls cannot protect traffic in the following scenarios:
    • A static route other than 100.64.0.0/10 exists in the route tables of an Enterprise Edition transit router for a CEN instance.
    • A network element is specified in multiple types of traffic redirection scenarios. For example, Network Element A is specified in both an Instance-Instance scenario and an Instance to Instances scenario.
    • A Basic Edition transit router of a CEN instance is specified in an automatic traffic redirection scenario.
    • Network instances whose traffic you want a VPC firewall to redirect are transit routers that have route conflicts or VBRs that use equal-cost multi-path routing (ECMP).

Prerequisites

Create a VPC firewall

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
  2. On the Firewall Settings page, click the VPC Firewall tab.
  3. On the VPC Firewall tab, click the CEN (Enterprise Edition) tab.
  4. Find the transit router of the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.
    Cloud Firewall can manage traffic between network instances that are connected by using a CEN transit router. A network instance can be a VPC, a VBR, or a transit router.
    • Automatic (recommended)

      In automatic traffic redirection mode, you create traffic redirection scenarios for network instances based on your business requirements. VPC Firewall automatically configures routes on the CEN transit router based on the scenarios and creates elastic network interfaces (ENIs) for the VPC firewall to redirect traffic.

      1. In the Create VPC Firewall panel, configure the following parameters. Then, click OK.
        Parameter Description
        Firewall Basic Information Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
        Assign CIDR Block for Firewall Specify a CIDR block for the VPC firewall, and specify three CIDR blocks that are at least 28 bits in length and do not conflict with your network plan. The three CIDR blocks are assigned to the vSwitches that are required to create the VPC firewall.
        Intrusion Prevention Specify the working mode of the intrusion prevention system (IPS) and the intrusion prevention policies that you want to enable.
        • IPS Mode
          • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
          • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
        • IPS Capabilities
          • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.
          • Virtual Patches: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.
        Note This setting applies to all network instances that belong to the same CEN instance.
      2. On the CEN (Enterprise Edition) tab, find the transit router of the CEN instance and click Configure Now in the Firewall Status column.
      3. If no traffic redirection scenario is created, click Immediately Create Traffic Redirection Scenario on the Traffic Redirection Scenario tab.
      4. On the Traffic Redirection Scenario tab, click Create Traffic Redirection Scenario. In the Create Traffic Redirection Scenario panel, configure the following parameters.
        Parameter Description
        Basic Information Template Name: Specify a name for the traffic redirection template.
        Scenario Type Select the type of the scenario in which the VPC firewall manages and protects traffic.
        • Instance-Instance: If you select this option, Cloud Firewall manages traffic between two network elements. This option is suitable for simple network topologies.
        • Instance to Instances: If you select this option, Cloud Firewall manages traffic between one network element and multiple network elements. This option is suitable for star network topologies. If you select this option, you can set Instance Type to ALL for the secondary instance. This way, Cloud Firewall manages all traffic of the primary instance.
        • Interconnected Instances: If you select this option, Cloud Firewall manages traffic between multiple network elements. This option is suitable for full mesh network topologies.
        Note Network elements refer to VPCs, VBRs, and transit routers.
        Traffic Redirection Instance Configure Instance Type and Instance ID.
        Important In automatic traffic redirection mode, the number of VPCs that can be protected by Cloud Firewall is calculated based on the number of network elements configured for the traffic redirection scenario. The network elements include VPCs, transit routers, and VBRs.
      5. Click OK.

        The creation process requires approximately 30 minutes to complete. After the traffic redirection scenario is created, Cloud Firewall protects traffic between the network instances that are connected by using the transit router.

    • Manual

      In manual traffic redirection mode, you can create an ENI for the VPC firewall in the CEN transit router and create routes based on your business requirements to redirect traffic to the ENI.

      Important In manual traffic redirection mode, you must select the VPC that is attached to the CEN instance and an available vSwitch in that VPC. In addition, renew your Cloud Firewall before it expires. If your Cloud Firewall expires, the features of Cloud Firewall become unavailable and traffic can no longer be redirected to the VPC firewall that you created, which interrupts the network.
      1. In the Create VPC Firewall panel, configure the following parameters.
        Parameter Description
        Firewall Basic Information
        • Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
        • VPC: Select the VPC for which you want to create the VPC firewall.
        • vSwitch: Select a vSwitch for the VPC firewall.
        Intrusion Prevention Specify the working mode of the IPS and the intrusion prevention policies that you want to enable.
        • IPS Mode
          • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
          • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
        • IPS Capabilities
          • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a C&C server.
          • Virtual Patches: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.
        Note This setting applies to all network instances that belong to the same CEN instance.
      2. Click OK.

    The VPC firewall is automatically enabled after it is created. You can manually configure routes between the transit router and the VPC firewall to protect traffic between the network instances that are connected by using the transit router. For more information, see Protect traffic between VPCs connected by using a CEN transit router.

Manage an automatic traffic redirection scenario

  1. On the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find a transit router of the CEN instance, and then click Details in the Actions column.
  2. In the VPC Firewall Details panel, click the Traffic Redirection Scenario tab and perform the following operations based on your business requirements:
    • Disable a traffic redirection scenario
      1. Turn off the switch for an enabled traffic redirection scenario in the scenario card.
      2. In the Disable Traffic Redirection Scenario dialog box, disable the traffic redirection scenario by using the Withdraw Route or Roll Back Route method.
        • Withdraw Route (Recommended): If you select this option, the routes that were added when you created the traffic redirection scenario are withdrawn. Your workloads are not affected. The time that the process requires varies with the number of routes and is approximately 30 minutes. Wait until the scenario is disabled.
        • Roll Back Route: If you select this option, the route table that is configured before the traffic redirection scenario is created is restored. This option is suitable for the scenario in which you want to modify or disable a newly created traffic redirection scenario. Your workloads may be interrupted. After you select Roll Back Route, the details of the route table to restore are displayed in the Disable Traffic Redirection Scenario dialog box.
      3. Click OK.
        Important The disable operation cannot be cancelled. Before you disable a traffic redirection scenario, make sure that you no longer require the scenario. After the scenario is disabled, check whether your workloads are normal at the earliest opportunity.
    • Delete an automatic traffic redirection scenario

      Move the pointer over the card of the scenario that you want to delete and click Delete. Before you delete an automatic traffic redirection scenario, you must disable the scenario.

    • Modify an automatic traffic redirection scenario

      Move the pointer over the card of the scenario that you want to modify and click Edit.

    • View the details of routes

      Move the pointer over the card of the scenario whose route details you want to view and click Route Details. You can view the details of the routes that are configured for the VPC firewall.

Modify or delete a VPC firewall

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the transit router of the CEN instance for which the VPC firewall is enabled, and then click Edit or Delete in the Actions column.

Important
  • Manual: If you want to delete a VPC firewall, you must manually delete the routes that are used to route traffic to the VPC firewall before you delete the VPC firewall. This helps ensure that your workloads are not affected.
  • Automatic: If you want to delete a VPC firewall that is enabled, you must delete all traffic redirection scenarios that are created for the VPC firewall before you can delete the VPC firewall.

Configure a VPC firewall for a Basic Edition transit router of a CEN instance

Limits

Item: If multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must run Ultimate Edition and must be authorized to access all of the VPCs. Otherwise, VPC firewalls cannot be created.
Solution:
  • Before you enable a VPC firewall, use each Alibaba Cloud account to log on to the Cloud Firewall console and complete the authorization. For more information, see Authorize Cloud Firewall to access other cloud resources.
  • Upgrade your Cloud Firewall to Ultimate Edition. For more information, see Renewal.

Item: VPC Firewall can be enabled for a CEN instance only if VPC Firewall is supported in all regions where the VPCs in the CEN instance reside.
Solution: Make sure that VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. For more information, see Supported regions.

Item: If you enabled a VPC firewall before May 1, 2021 and you used a public IP address as a private IP address in your network topology, your access to Server Load Balancer (SLB) and ApsaraDB RDS is interrupted.
Important If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit.
Solution: Develop a network plan that follows the standards, and do not use a public IP address as a private IP address.

Item: A CEN instance supports up to 100 advertised routes.
Solution: Keep the number of routes advertised in the CEN instance at or below 100. For more information, contact the after-sales service in the specified DingTalk group.

Item: The number of custom routes in a VPC route table is limited:
  • After you enable a VPC firewall, Cloud Firewall automatically adds a custom route to your VPC route table.
  • If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls.
  • By default, up to 200 custom routes can be added to each VPC route table.
Solution: Increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account. For more information, see Manage resource quotas.

Item: If a VPC in a CEN instance has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall for the CEN instance.
Solution: Delete the custom route table or disassociate the custom route table from the vSwitch.

Item: Cloud Firewall does not protect the following traffic, because it does not pass through Cloud Firewall:
  • Traffic between VBRs
  • Traffic between CCN instances
  • Traffic between VBRs and CCN instances
Solution: For more information, contact the after-sales service in the specified DingTalk group.

Item: When you enable or disable VPC Firewall for an SLB or ApsaraDB RDS instance, existing persistent connections may fail.
Solution:
  • Before you enable or disable VPC Firewall, make sure that the SLB instance and its backend servers reside in the current VPC. This prevents network latency and jitter.
  • Configure keepalive and reconnection mechanisms on the client.

Item: The total number of VPCs and regions for which VPC Firewall is enabled must be less than or equal to 32.
Solution: None.

Item: When you enable a VPC firewall for a CEN instance, you can add up to 15 network instances.
Solution: We recommend that you use a transit router. For more information, contact the after-sales service in the specified DingTalk group.

Item: If a CEN instance has routing policies whose Routing Policy Action is set to Deny, services are interrupted when you create a VPC firewall for the CEN instance. System routing policies whose priority is 5000 and whose Routing Policy Action is set to Deny are excluded.
Solution: Delete the relevant routing policies or contact the after-sales service in the specified DingTalk group.

Item: If you create or delete routing policies for a CEN instance after you enable a VPC firewall for the instance, Cloud Firewall requires 15 to 30 minutes to learn the routes.
Solution: After Cloud Firewall learns the routes, check whether your routing policies take effect. You can check in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.

Item: If your CEN instance is connected by using a single leased line, traffic is interrupted when you enable a VPC firewall or start a network cutover.
Solution: Before you enable a VPC firewall or start a network cutover, contact the after-sales service in the specified DingTalk group.

Item: VPC Firewall is supported only if a paid edition of Cloud Firewall is purchased within the Alibaba Cloud account to which the CEN instance belongs.
For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you must use Account A to purchase a paid edition of Cloud Firewall to protect traffic between VPC_1 and VPC_2.
Solution: None.

Item: VPC firewalls can protect traffic between VPCs in the same region, between cross-region VPCs that are connected by using CEN transit routers, between a VPC and a VBR, and between a VPC and a CCN instance. VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR.
Solution: None.


Prerequisites

Create a VPC firewall

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
  2. On the Firewall Settings page, click the VPC Firewall tab.
  3. On the VPC Firewall tab, click the CEN (Basic) tab.
  4. Find the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.
    Cloud Firewall can manage traffic between two VPCs that are connected by using a transit router of the CEN instance.
  5. In the Create Firewall panel, configure the parameters by following the wizard.
    If the transit router of the CEN instance runs Basic Edition, you can click Start Check Now to check whether you can create a VPC firewall for the CEN instance. After the check is complete, you can view the check results in the Check Details section. If you understand the rules for creating a VPC firewall, you can skip one-click diagnostics and directly create a VPC firewall.

    The following table describes the parameters that are required to create a VPC firewall for CEN-connected VPCs.

    Parameter Description
    Instance Name Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
    Configure Traffic Redirection Turn on Enable Traffic Redirection and specify the CIDR block for protection.
    Intrusion Prevention Specify the working mode of the IPS and the intrusion prevention policies that you want to enable.
    • IPS Mode
      • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
      • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
    • IPS Capabilities
      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.
      • Virtual Patches: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.
    Note This setting applies to all network instances that belong to the same CEN instance.
  6. Click Start to create the VPC firewall.
  7. On the CEN (Basic) tab, enable the created VPC firewall.

Enable or disable a VPC firewall

  1. On the Firewall Settings page, click the VPC Firewall tab.
  2. On the CEN (Basic) tab, find the CEN instance of the VPC firewall, and turn on or turn off the switch in the Firewall Settings column.
    Wait until the VPC firewall is enabled or disabled. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is enabled. If the status in the Firewall Status column of the VPC firewall changes to Disabled, the VPC firewall is disabled.

Modify or delete a VPC firewall

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Basic) tab, find the VPC firewall, and then click Modify or Delete in the Actions column.

Configure a VPC firewall for VPCs connected by using an Express Connect circuit

Limits

Item: If you enable a VPC firewall for an Express Connect circuit, the firewall does not protect traffic between VPCs that reside in different regions or belong to different Alibaba Cloud accounts, or traffic between VPCs and VBRs.
Solution: If you want to protect traffic in these scenarios, we recommend that you use CEN instead of Express Connect. For more information, contact the after-sales service in the specified DingTalk group.

Item: The number of custom routes in a VPC route table is limited:
  • After you enable a VPC firewall, Cloud Firewall automatically adds a custom route to your VPC route table.
  • If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls.
  • By default, up to 200 custom routes can be added to each VPC route table.
Solution: Increase the maximum number of custom routes allowed for each VPC route table within your Alibaba Cloud account. For more information, see Manage resource quotas.

Item: Routes that use 32-bit subnet masks cannot be advertised over Express Connect. If such routes are advertised and a VPC firewall is enabled, connections to those destinations are interrupted.
Solution: Before you enable a VPC firewall, use subnet masks that are 30 bits or shorter. Alternatively, contact the after-sales service in the specified DingTalk group.

Item: If you add or delete routes in your VPC route table for an Express Connect circuit after you enable a VPC firewall for the circuit, Cloud Firewall requires 15 to 30 minutes to learn the routes.
Solution: After Cloud Firewall learns the routes, check whether your route table takes effect. You can check in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.
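Several of the planning rules in the limits tables above can be checked before you click Create: the three CIDR blocks assigned to Cloud_Firewall_VPC must not overlap your network plan, public addresses must not be used as private addresses, the VPC route table needs headroom under the default quota of 200 custom routes, Deny routing policies other than the system ones at priority 5000 interrupt service on a Basic Edition transit router, and /31 and /32 routes must not be advertised where an Express Connect VPC firewall is enabled. The following script is an added example, not Cloud Firewall code and not an Alibaba Cloud API call. It works on CIDR blocks and routing-policy entries that you export yourself, uses constructed sample data, reads the page's "at least 28 bits in length" as a prefix of /28 or longer (an assumption; adjust MIN_FIREWALL_PREFIX if the console enforces a different bound), and assumes a simple dict shape with Priority and Action keys for routing policies.

```python
"""Pre-flight checks for a Cloud Firewall VPC firewall network plan.

Added example; not Cloud Firewall code. Sample inputs below are constructed.
"""
from ipaddress import ip_network

# RFC 1918 ranges plus 100.64.0.0/10, which the page treats as internal space.
PRIVATE_SPACE = [ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
MIN_FIREWALL_PREFIX = 28        # assumption: "at least 28 bits" read as /28 or longer
MAX_EXPRESS_CONNECT_PREFIX = 30  # the page: use masks of 30 bits or shorter
DEFAULT_CUSTOM_ROUTE_QUOTA = 200 # default custom routes per VPC route table
SYSTEM_DENY_PRIORITY = 5000      # system Deny policies at this priority are exempt


def _nets(cidrs):
    # strict=True rejects CIDRs with host bits set, which is what a plan review wants.
    return [ip_network(c, strict=True) for c in cidrs]


def check_firewall_cidrs(firewall_cidrs, planned_cidrs):
    """Validate the three blocks for Cloud_Firewall_VPC's vSwitches against the
    CIDR blocks already in the network plan. Returns a list of finding strings."""
    findings = []
    fw = _nets(firewall_cidrs)
    planned = _nets(planned_cidrs)
    if len(fw) != 3:
        findings.append(f"expected 3 firewall CIDR blocks, got {len(fw)}")
    for net in fw:
        if net.prefixlen < MIN_FIREWALL_PREFIX:
            findings.append(f"{net}: prefix shorter than /{MIN_FIREWALL_PREFIX}")
        if not any(net.subnet_of(p) for p in PRIVATE_SPACE):
            findings.append(f"{net}: public address space used as private space")
        for other in planned:
            if net.overlaps(other):
                findings.append(f"{net} overlaps planned block {other}")
    # The three firewall blocks must also be disjoint from each other.
    for i, a in enumerate(fw):
        for b in fw[i + 1:]:
            if a.overlaps(b):
                findings.append(f"firewall blocks {a} and {b} overlap each other")
    return findings


def check_express_connect_routes(route_cidrs):
    """Routes with /31 or /32 masks lose connectivity once an Express Connect
    VPC firewall is enabled; list them so they can be summarised first."""
    return [f"{net}: mask longer than /{MAX_EXPRESS_CONNECT_PREFIX}"
            for net in _nets(route_cidrs)
            if net.prefixlen > MAX_EXPRESS_CONNECT_PREFIX]


def custom_route_headroom(custom_route_count, quota=DEFAULT_CUSTOM_ROUTE_QUOTA):
    """Each VPC firewall adds one custom route to the VPC route table. Return how
    many more firewalls the remaining quota allows (0 means enabling will fail)."""
    return max(0, quota - custom_route_count)


def blocking_deny_policies(route_maps):
    """Return CEN routing policies that interrupt service when a VPC firewall is
    created for a Basic Edition transit router: Action is Deny, excluding system
    policies at priority 5000. Entry shape (Priority, Action) is an assumption."""
    return [rm for rm in route_maps
            if rm["Action"] == "Deny" and rm["Priority"] != SYSTEM_DENY_PRIORITY]


if __name__ == "__main__":
    # Constructed plan: two existing VPCs and two candidate sets of firewall blocks.
    plan = ["10.0.0.0/16", "172.16.0.0/16"]
    good = ["10.255.0.0/28", "10.255.0.16/28", "10.255.0.32/28"]
    bad = ["10.0.1.0/28", "8.8.8.0/28", "10.255.0.0/24"]
    for name, cidrs in (("good", good), ("bad", bad)):
        print(name, check_firewall_cidrs(cidrs, plan) or "OK")
    print(check_express_connect_routes(["192.168.1.0/24", "192.168.2.5/32", "10.1.0.0/31"]))
    print("firewalls still creatable:", custom_route_headroom(199))
    print(blocking_deny_policies([{"Priority": 5000, "Action": "Deny"},
                                  {"Priority": 20, "Action": "Deny"},
                                  {"Priority": 10, "Action": "Permit"}]))
```

Run it with the CIDR blocks from your own VPC route tables and the routing policies exported from the CEN console substituted for the constructed values; an empty findings list and a non-zero headroom are the conditions under which the console operations above are expected to succeed without interrupting traffic.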

Prerequisites

Create a VPC firewall

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
  2. On the Firewall Settings page, click the VPC Firewall tab.
  3. On the VPC Firewall tab, click the Express Connect tab.
  4. Find the Express Connect circuit for which you want to create a VPC firewall and click Create in the Actions column.
    If a large number of Express Connect circuits exist, you can search for the circuit by region, VPC, or configuration status of Cloud Firewall. For example, you can select Unconfigured from the configuration status drop-down list and click Search to query all Express Connect circuits for which VPC firewalls are not configured.
  5. In the Create VPC Firewall dialog box, configure the following parameters. The following table describes the parameters.
    Parameter Description
    Instance Name Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
    Connection Type The type of the connection between VPCs or between a VPC and a data center. In this example, set the value to Express Connect.
    VPC The region and the name of the VPC. Confirm the information and configure Route Table and Destination CIDR Block.
    • Route tables

      When you create a VPC, the system automatically creates a default route table and adds system route entries to it. You can add custom route entries to the route table to manage VPC traffic. VPC allows you to create multiple route tables based on your business requirements. For more information, see Route table overview.

      When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect circuit, you can view multiple VPC route tables and select the route tables that you want to protect.

    • Destination CIDR block

      After you select a route table from the Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block section. If you want to protect traffic that is destined for other CIDR blocks, you can modify the destination CIDR block. You can add multiple CIDR blocks. Separate the CIDR blocks with commas (,).

    Peer VPC The region and the name of the peer VPC. Confirm the information and configure Peer Route Table and Peer Destination CIDR Blocks.
    Intrusion Prevention The intrusion prevention policies that you want to enable. Valid values:
    • IPS Mode
      • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
      • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
    • IPS Capabilities
      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.
      • Virtual Patches: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.
    Enable VPC Firewall If you turn on Enable VPC Firewall, a VPC firewall is automatically enabled after you create the firewall.
  6. Click Submit. In the message that appears, click Submit.

Enable or disable a VPC firewall

  1. On the Firewall Settings page, click the VPC Firewall tab.
  2. On the Express Connect tab, find the VPC firewall that you want to enable or disable, and turn on or turn off the switch in the Firewall Settings column.
    Wait until the VPC firewall is enabled or disabled. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is enabled. If the status in the Firewall Status column of the VPC firewall changes to Disabled, the VPC firewall is disabled.

Modify or delete a VPC firewall

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, you can go to the VPC Firewall tab, click the Express Connect tab, find the VPC firewall, and then click Modify or Delete in the Actions column.

Use a VPC firewall to protect traffic between a VPC and a data center

Prerequisites

Cloud Firewall Enterprise Edition or Ultimate Edition is purchased.

A VPC firewall can protect traffic between a VPC and a data center that are connected by a VBR. If a VPC and a data center are connected by using a CEN instance, traffic between the VPC and the data center is automatically protected after you enable the VPC firewall created for the CEN instance. You do not need to create or enable a VPC firewall for the VBR.

Log on to https://yundun.console.aliyun.com/?p=cfwnext. On the Firewall Settings page, click the VPC Firewall tab. On the CEN (Basic) or CEN (Enterprise Edition) tab, you can view the information about the VBR that is involved.

What to do next

  • After a VPC firewall is created, you can go to the Access Control > VPC Border page to configure access control policies for the VPC firewall to manage traffic between VPCs. For more information, see Create an access control policy for a VPC firewall.
  • After the VPC firewall is enabled, you can go to the VPC Access page to view information about the traffic between VPCs.