If you use Cloud Enterprise Network (CEN) transit routers to connect cross-region network instances, you must configure routing between the transit routers and virtual private cloud (VPC) firewalls before you can use the VPC firewalls to protect traffic between the network instances. This topic describes how to use VPC firewalls to protect traffic between cross-region network instances that are connected by using CEN transit routers.

Scenarios

Cloud Firewall can protect traffic between network instances that are connected to a transit router. The network instances include VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. In this topic, two cross-region VPCs that are connected by using transit routers are used.

Note If you want to protect traffic between cross-region VPCs by manually configuring routing, you can follow the steps that are described in this topic.

An enterprise deploys two VPCs named HZ-VPC-1 and HZ-VPC-2 in the China (Hangzhou) region, deploys two VPCs named BJ-VPC-1 and BJ-VPC-2 in the China (Beijing) region, and connects the cross-region VPCs by using transit routers. The enterprise also deploys a VBR named HZ-IDC-1 in the China (Hangzhou) region and a VBR named BJ-IDC-1 in the China (Beijing) region to enable access between on-cloud and on-premises resources.

To ensure the security of traffic between the VPCs, the enterprise wants to create VPC firewalls in Cloud Firewall to monitor and manage the communication traffic between two VPCs.

Prerequisites

  • A CEN instance is created. For more information, see Create a CEN instance.
  • VPCs and VBRs are created in the China (Hangzhou) and China (Beijing) regions. The VPCs and VBRs are connected to CEN transit routers. The CEN transit routers in the two regions are connected.
    • China (Hangzhou): Two VPCs named HZ-VPC-1 and HZ-VPC-2 are created, and a VBR named HZ-IDC-1 is created.
    • China (Beijing): Two VPCs named BJ-VPC-1 and BJ-VPC-2 are created, and a VBR named BJ-IDC-1 is created.
  • A VPC named Cfw-HZ-VPC is created in the China (Hangzhou) region, and a VPC named Cfw-BJ-VPC is created in the China (Beijing) region. VPC firewalls are created in the two VPCs. In this topic, the two VPCs are referred to as firewall VPCs. vSwitches and custom route tables are also created for the firewall VPCs. For more information, see Create a VPC connection, Create and manage a VPC, and Create and manage a route table.

    Region: China (Hangzhou)
    Firewall VPC: Cfw-HZ-VPC
    Custom route table of the firewall VPC: HZ-VPC-CFW-RouteTable
    vSwitches and zones:
      • HZ-TR-vSwitch-1: The vSwitch is used by the transit router HZ-TR to connect the network instance. The zone of the vSwitch is the same as the primary zone that you select when you connect the network instance to the transit router. In this example, Hangzhou Zone H is selected as the primary zone.
      • HZ-TR-vSwitch-2: The vSwitch is used by the transit router HZ-TR to connect the network instance. The zone of the vSwitch is the same as the secondary zone that you select when you connect the network instance to the transit router. In this example, Hangzhou Zone I is selected as the secondary zone.
      • HZ-Cfw-vSwitch: The vSwitch is used by the VPC firewall that is created for Cfw-HZ-VPC.

    Region: China (Beijing)
    Firewall VPC: Cfw-BJ-VPC
    Custom route table of the firewall VPC: BJ-VPC-CFW-RouteTable
    vSwitches and zones:
      • BJ-TR-vSwitch-1: The vSwitch is used by the transit router BJ-TR to connect the network instance. The zone of the vSwitch is the same as the primary zone that you select when you connect the network instance to the transit router. In this example, Beijing Zone H is selected as the primary zone.
      • BJ-TR-vSwitch-2: The vSwitch is used by the transit router BJ-TR to connect the network instance. The zone of the vSwitch is the same as the secondary zone that you select when you connect the network instance to the transit router. In this example, Beijing Zone G is selected as the secondary zone.
      • BJ-Cfw-vSwitch: The vSwitch is used by the VPC firewall that is created for Cfw-BJ-VPC.

  • The IDs of firewall VPCs Cfw-HZ-VPC and Cfw-BJ-VPC are added to the required whitelist. This allows you to create VPC firewalls for the firewall VPCs.

    Only after-sales support engineers can add the IDs of the firewall VPCs to the required whitelist.

    Notice If you want to use the feature, contact the after-sales support engineers to add the IDs of the firewall VPCs to the required whitelist. If the IDs are not added to the required whitelist, the Create button is dimmed on the VPC Firewall tab in the Cloud Firewall console. The system prompts you to add the IDs of firewall VPCs to the required whitelist.

Step 1: Connect firewall VPCs to CEN transit routers

This step establishes connections between HZ-TR and Cfw-HZ-VPC and between BJ-TR and Cfw-BJ-VPC.

  1. Log on to the CEN console.
  2. On the Instances page, click the CEN instance whose traffic you want to protect by using a VPC firewall.
  3. On the Transit Router tab of the Basic Settings tab, find HZ-TR and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, configure the following parameters and click OK.
    • Network Type: The type of the network instance that you want to connect to the transit router. Select VPC for both Cfw-HZ-VPC and Cfw-BJ-VPC.
    • Region: The region where the network instance resides. Select China (Hangzhou) for Cfw-HZ-VPC and China (Beijing) for Cfw-BJ-VPC.
    • Networks: The network instance. Select the ID of Cfw-HZ-VPC or the ID of Cfw-BJ-VPC.
    • VSwitch: The vSwitches that you can bind to the network instance.
      • For Cfw-HZ-VPC: Primary vSwitch HZ-TR-vSwitch-1, secondary vSwitch HZ-TR-vSwitch-2.
      • For Cfw-BJ-VPC: Primary vSwitch BJ-TR-vSwitch-1, secondary vSwitch BJ-TR-vSwitch-2.

    For more information about other parameters, see Use an Enterprise Edition transit router to create VPC connections.

Step 2: Create VPC firewalls

This step creates a VPC firewall for Cfw-HZ-VPC and Cfw-BJ-VPC.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  2. On the Firewall Settings page, click the VPC Firewall tab and the CEN tab, find Cfw-HZ-VPC and Cfw-BJ-VPC, and then click Create in the Actions column. Then, configure the following parameters.
    • Routing Mode: The routing mode of traffic that passes through the VPC firewall. Select Manual for both Cfw-HZ-VPC and Cfw-BJ-VPC.
    • VPC: The VPC for which the VPC firewall is created. Select Cfw-HZ-VPC or Cfw-BJ-VPC.
    • vSwitch: The vSwitch to which an elastic network interface (ENI) belongs. The ENI is used to establish a connection between the firewall VPC and the transit router. Select HZ-Cfw-vSwitch for Cfw-HZ-VPC and BJ-Cfw-vSwitch for Cfw-BJ-VPC.

    For more information about other parameters, see Create a VPC firewall for a CEN instance.

    After this step is complete, an ENI named cfw-bonding-eni is created for each of Cfw-HZ-VPC and Cfw-BJ-VPC.

    In the Cloud Firewall console, you can view the ID of each ENI on the details page of Cfw-HZ-VPC and Cfw-BJ-VPC.

Step 3: Configure route tables for Cfw-HZ-VPC

This step forwards the traffic of Cfw-HZ-VPC to the VPC firewall that is created for Cfw-HZ-VPC.

  1. Log on to the VPC console. In the top navigation bar, select the China (Hangzhou) region. In the left-side navigation pane, click Route Tables.
  2. On the Route Tables page, configure route tables for Cfw-HZ-VPC.
    1. On the Route Tables page, click Create Route Table to create a custom route table.
    2. Click the custom route table. On the page that appears, click the Associated vSwitch tab and click Associate vSwitch to associate vSwitches with the custom route table and the system route table.
    3. Click the Route Entry List tab. Then, click the Custom Route tab and click Add Route Entry to create routes for the custom route table and the system route table.
    For more information, see Create and manage a route table.
    The following describes the custom route table and the system route table.
    • Custom route table: HZ-VPC-CFW-RouteTable
      Purpose: Forward the outbound traffic of the VPC firewall to the transit router HZ-TR.
      Associated vSwitch: HZ-Cfw-vSwitch
      Route parameters:
      • Destination CIDR Block: Specify 0.0.0.0/0.
      • Next Hop Type: Specify Transit Router.
      • Transit Router: Retain the default value.
    • System route table
      Purpose: Forward the traffic of Cfw-HZ-VPC to the VPC firewall.
      Associated vSwitches: HZ-TR-vSwitch-1 and HZ-TR-vSwitch-2
      Route parameters (you must create this route on the Custom Route tab of the details page of the system route table):
      • Destination CIDR Block: Specify 0.0.0.0/0.
      • Next Hop Type: Select Secondary ENI.
      • Secondary ENI: Select cfw-bonding-eni.
  3. Find the system route table for Cfw-HZ-VPC in the route table list and go to the Custom Route tab. Then, click Delete in the Actions column to delete all custom route entries other than the route 0.0.0.0/0 that you created.

Step 4: Configure route tables for Cfw-BJ-VPC

This step forwards the traffic of Cfw-BJ-VPC to the VPC firewall that is created for Cfw-BJ-VPC.

  1. Log on to the VPC console. In the top navigation bar, select the China (Beijing) region. In the left-side navigation pane, click Route Tables.
  2. On the Route Tables page, configure route tables for Cfw-BJ-VPC.
    1. On the Route Tables page, click Create Route Table to create a custom route table.
    2. Click the custom route table. On the page that appears, click the Associated vSwitch tab and click Associate vSwitch to associate vSwitches with the custom route table and the system route table.
    3. Click the Route Entry List tab. Then, click the Custom Route tab and click Add Route Entry to create routes for the custom route table and the system route table.
    For more information, see Create and manage a route table.

    The following describes the custom route table and the system route table.

    • Custom route table: BJ-VPC-CFW-RouteTable
      Purpose: Forward the outbound traffic of the VPC firewall to the transit router BJ-TR.
      Associated vSwitch: BJ-Cfw-vSwitch
      Route parameters:
      • Destination CIDR Block: Specify 0.0.0.0/0.
      • Next Hop Type: Specify Transit Router.
      • Transit Router: Retain the default value.
    • System route table
      Purpose: Forward the traffic of Cfw-BJ-VPC to the VPC firewall.
      Associated vSwitches: BJ-TR-vSwitch-1 and BJ-TR-vSwitch-2
      Route parameters (you must create this route on the Custom Route tab of the details page of the system route table):
      • Destination CIDR Block: Specify 0.0.0.0/0.
      • Next Hop Type: Select Secondary ENI.
      • Secondary ENI: Select cfw-bonding-eni.
  3. Find the system route table for Cfw-BJ-VPC in the route table list and go to the Custom Route tab. Then, click Delete in the Actions column to delete all custom route entries other than the route 0.0.0.0/0 that you created.

Step 5: Configure a route table for the transit router in the China (Hangzhou) region

This step creates a custom route table named Cfw-HZ-TR-RouteTable, an associated forwarding correlation, and a route learning correlation for the transit router to which the network instances in the China (Hangzhou) region are connected. The network instances include HZ-VPC-1, HZ-VPC-2, and HZ-IDC-1. This way, the traffic of the network instances is forwarded to Cfw-HZ-VPC.

In the following steps, HZ-VPC-1 is used as an example to show the configuration. You must repeat the steps to configure HZ-VPC-2 and HZ-IDC-1 in a similar manner as HZ-VPC-1.

  1. Log on to the CEN console. In the left-side navigation pane, click Instances.
  2. On the Instances page, create a custom route table for HZ-VPC-1 and create a route for the custom route table.
    1. Click HZ-VPC-1. On the Basic Settings tab, click Create Transit Router to create a transit router.
    2. Click the transit router. On the page that appears, click the Route Table tab and click Create Route Table to create a custom route table for the transit router.
    3. Click the custom route table. On the Route Table Details page, click the Route Entry tab and click Add Route Entry to create a route for the custom route table.
    For more information, see Custom route tables and Manage custom routes of a transit router.

    The following describes the custom route table and its route.

    Route table: Cfw-HZ-TR-RouteTable
    Purpose: Forward the traffic of the network instances in the China (Hangzhou) region to Cfw-HZ-VPC.
    Route parameters:
    • Transit Router: Retain the default value.
    • Destination CIDR: Retain the default value 0.0.0.0/0.
    • Blackhole Route: Retain the default value No.
    • Next Hop: Select Cfw-HZ-VPC.
  3. Create an associated forwarding correlation for the custom route table Cfw-HZ-TR-RouteTable and a route learning correlation for the system route table.
    1. Create an associated forwarding correlation to forward the outbound traffic of Cfw-HZ-VPC to the system route table.
      1. On the Route Table tab, click the system route table.
      2. On the Route Table Details page, click the Route Table Association tab.
      3. On the Route Table Association tab, delete the associations that are created for HZ-VPC-1, HZ-VPC-2, HZ-IDC-1, and HZ-BJ.

        Check whether an associated forwarding correlation is created for Cfw-HZ-VPC. If the correlation is not created, you must create a correlation for Cfw-HZ-VPC.

      For more information, see Associated forwarding.

    2. Forward the cross-region traffic of HZ-VPC-1, HZ-VPC-2, and HZ-IDC-1 to the custom route table.
      1. On the Route Table tab, click the Cfw-HZ-TR-RouteTable route table in the route table list.
      2. On the Route Table Details page, click the Route Table Association tab and click Create Association.
      3. In the Add Association dialog box, select HZ-VPC-1, HZ-VPC-2, HZ-IDC-1, and HZ-BJ for Association.

      For more information, see Associated forwarding.

    3. Create a route learning correlation for the system route table.
      1. On the Route Table tab, click the system route table in the route table list.
      2. On the Route Table Details page, click the Route Propagation tab.
      3. On the Route Propagation tab, delete the correlations that are created for HZ-BJ and Cfw-HZ-VPC.

        Make sure that route learning correlations are created for HZ-VPC-1, HZ-VPC-2, and HZ-IDC-1.

      For more information, see Route learning.

  4. On the Route Entry tab, click Add Route Entry to create a static route for the system route table.
    Purpose: Forward traffic between the network instances in the China (Hangzhou) and China (Beijing) regions.
    Route parameters:
    • Destination CIDR: Specify 192.168.100.0/24, 192.168.200.0/24, or 192.168.10.0/24. 192.168.100.0/24 is the CIDR block of BJ-VPC-1, 192.168.200.0/24 is the CIDR block of BJ-VPC-2, and 192.168.10.0/24 is the CIDR block of BJ-IDC-1.
    • Blackhole Route: Retain the default value No.
    • Next Hop: Select HZ-BJ.

    For more information, see Manage custom routes of a transit router.

    Note To prevent the default route 0.0.0.0/0 from being advertised to data centers, you can create a custom route table and an associated forwarding correlation for HZ-IDC-1. When you create the custom route table, you must add a route whose next hop is Cfw-HZ-VPC.

Step 6: Configure a route table for the transit router in the China (Beijing) region

This step creates a custom route table named Cfw-BJ-TR-RouteTable, an associated forwarding correlation, and a route learning correlation for the transit router to which the network instances in the China (Beijing) region are connected. The network instances include BJ-VPC-1, BJ-VPC-2, and BJ-IDC-1. This way, the traffic of the network instances is forwarded to Cfw-BJ-VPC.

In the following steps, BJ-VPC-1 is used as an example to show the configuration. You must repeat the steps to configure BJ-VPC-2 and BJ-IDC-1 in a similar manner as BJ-VPC-1.

  1. Log on to the CEN console. In the left-side navigation pane, click Instances.
  2. On the Instances page, create a custom route table for BJ-VPC-1 and create a route for the custom route table.
    1. Click BJ-VPC-1. On the Basic Settings tab, click Create Transit Router to create a transit router.
    2. Click the transit router. On the page that appears, click the Route Table tab and click Create Route Table to create a custom route table for the transit router.
    3. Click the custom route table. On the Route Table Details page, click the Route Entry tab and click Add Route Entry to create a route for the custom route table.
    For more information, see Create and manage a route table.

    The following describes the custom route table and its route.

    Route table: Cfw-BJ-TR-RouteTable
    Purpose: Forward the traffic of the network instances in the China (Beijing) region to Cfw-BJ-VPC.
    Route parameters:
    • Transit Router: Retain the default value.
    • Destination CIDR: Retain the default value 0.0.0.0/0.
    • Blackhole Route: Retain the default value No.
    • Next Hop: Select Cfw-BJ-VPC.
  3. Create an associated forwarding correlation for the custom route table Cfw-BJ-TR-RouteTable and a route learning correlation for the system route table.
    1. Create an associated forwarding correlation to forward the outbound traffic of BJ-VPC-1 to the system route table.
      1. On the Route Table tab, click the system route table.
      2. On the Route Table Details page, click the Route Table Association tab.
      3. On the Route Table Association tab, delete the associations that are created for BJ-VPC-1, BJ-VPC-2, BJ-IDC-1, and HZ-BJ.

        Check whether an associated forwarding correlation is created for Cfw-BJ-VPC. If the correlation is not created, you must create a correlation for Cfw-BJ-VPC.

      For more information, see Associated forwarding.

    2. Forward the cross-region traffic of BJ-VPC-1, BJ-VPC-2, and BJ-IDC-1 to the custom route table.
      1. On the Route Table tab, click the Cfw-BJ-TR-RouteTable route table in the route table list.
      2. On the Route Table Details page, click the Route Table Association tab and click Create Association.
      3. In the Add Association dialog box, select BJ-VPC-1, BJ-VPC-2, BJ-IDC-1, and HZ-BJ for Association.

      For more information, see Associated forwarding.

    3. Create a route learning correlation for the system route table.
      1. On the Route Table tab, click the system route table in the route table list.
      2. On the Route Table Details page, click the Route Propagation tab.
      3. On the Route Propagation tab, delete the correlations that are created for HZ-BJ and Cfw-BJ-VPC.

        Make sure that route learning correlations are created for BJ-VPC-1, BJ-VPC-2, and BJ-IDC-1.

      For more information, see Route learning.

  4. On the Route Entry tab, click Add Route Entry to create a static route for the system route table.
    Purpose: Forward traffic between the network instances in the China (Beijing) and China (Hangzhou) regions.
    Route parameters:
    • Destination CIDR: Specify 172.16.100.0/24, 172.16.200.0/24, or 172.16.10.0/24. 172.16.100.0/24 is the CIDR block of HZ-VPC-1, 172.16.200.0/24 is the CIDR block of HZ-VPC-2, and 172.16.10.0/24 is the CIDR block of HZ-IDC-1.
    • Blackhole Route: Retain the default value No.
    • Next Hop: Select HZ-BJ.

    For more information, see Manage custom routes of a transit router.

    Note To prevent the default route 0.0.0.0/0 from being advertised to data centers, you can create a custom route table and an associated forwarding correlation for BJ-IDC-1. When you create the custom route table, you must add a route whose next hop is Cfw-BJ-VPC.

Step 7: Check whether the forwarding configuration is successful

If traffic is transmitted between the cross-region VPCs, you can view the traffic logs of the CEN instance by choosing Traffic Logs > VPC Firewall on the Log Audit page. If traffic logs are recorded, the forwarding configuration is successful.

For more information, see Traffic logs.
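Before relying on the traffic logs, it helps to check on paper that the route tables and associated forwarding correlations from Steps 3 to 6 actually hand every cross-region flow to both VPC firewalls. The following added example (not part of this topic or of Alibaba Cloud) models those tables offline and traces a packet from a source network instance to its destination; the CIDR blocks are the ones given in Steps 5 and 6, and the table and ENI names follow this topic.

```python
# Trace a packet through the route tables built in Steps 3 to 6 of this topic.
# Constructed offline model, not an Alibaba Cloud API; names follow the topic.
import ipaddress
TABLES = {  # route table name -> [(destination CIDR, next hop)]; longest prefix wins
    # HZ-TR (Step 5): custom table; system table = learned VPC routes + static routes to BJ
    "Cfw-HZ-TR-RouteTable": [("0.0.0.0/0", "Cfw-HZ-VPC")],
    "HZ-TR-system": [("172.16.100.0/24", "HZ-VPC-1"), ("172.16.200.0/24", "HZ-VPC-2"),
                     ("172.16.10.0/24", "HZ-IDC-1"), ("192.168.100.0/24", "HZ-BJ"),
                     ("192.168.200.0/24", "HZ-BJ"), ("192.168.10.0/24", "HZ-BJ")],
    # Cfw-HZ-VPC (Step 3): system table -> firewall ENI, custom table -> back to HZ-TR
    "Cfw-HZ-VPC-system": [("0.0.0.0/0", "cfw-bonding-eni")],
    "HZ-VPC-CFW-RouteTable": [("0.0.0.0/0", "HZ-TR")],
    # Beijing mirror image (Steps 4 and 6)
    "Cfw-BJ-TR-RouteTable": [("0.0.0.0/0", "Cfw-BJ-VPC")],
    "BJ-TR-system": [("192.168.100.0/24", "BJ-VPC-1"), ("192.168.200.0/24", "BJ-VPC-2"),
                     ("192.168.10.0/24", "BJ-IDC-1"), ("172.16.100.0/24", "HZ-BJ"),
                     ("172.16.200.0/24", "HZ-BJ"), ("172.16.10.0/24", "HZ-BJ")],
    "Cfw-BJ-VPC-system": [("0.0.0.0/0", "cfw-bonding-eni")],
    "BJ-VPC-CFW-RouteTable": [("0.0.0.0/0", "BJ-TR")],
}
# (table the packet leaves, next hop) -> table consulted next; the transit-router
# entries are the associated forwarding correlations.  No entry = delivered.
INGRESS = {
    ("Cfw-HZ-TR-RouteTable", "Cfw-HZ-VPC"): "Cfw-HZ-VPC-system",
    ("Cfw-HZ-VPC-system", "cfw-bonding-eni"): "HZ-VPC-CFW-RouteTable",
    ("HZ-VPC-CFW-RouteTable", "HZ-TR"): "HZ-TR-system",  # Cfw-HZ-VPC -> system table
    ("HZ-TR-system", "HZ-BJ"): "Cfw-BJ-TR-RouteTable",   # HZ-BJ -> custom table in BJ
    ("Cfw-BJ-TR-RouteTable", "Cfw-BJ-VPC"): "Cfw-BJ-VPC-system",
    ("Cfw-BJ-VPC-system", "cfw-bonding-eni"): "BJ-VPC-CFW-RouteTable",
    ("BJ-VPC-CFW-RouteTable", "BJ-TR"): "BJ-TR-system",  # Cfw-BJ-VPC -> system table
    ("BJ-TR-system", "HZ-BJ"): "Cfw-HZ-TR-RouteTable",   # HZ-BJ -> custom table in HZ
}
# First table hit by traffic a network instance sends into its transit router.
SOURCE_TABLE = {**dict.fromkeys(("HZ-VPC-1", "HZ-VPC-2", "HZ-IDC-1"), "Cfw-HZ-TR-RouteTable"),
                **dict.fromkeys(("BJ-VPC-1", "BJ-VPC-2", "BJ-IDC-1"), "Cfw-BJ-TR-RouteTable")}

def lookup(table, dst_ip):
    """Longest-prefix match; returns the next hop, or None when no route exists."""
    addr, best = ipaddress.ip_address(dst_ip), None
    for cidr, hop in TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(src_instance, dst_ip, max_hops=12):
    """Hops taken from the source instance; the last hop delivers the packet."""
    table, path = SOURCE_TABLE[src_instance], []
    for _ in range(max_hops):
        hop = lookup(table, dst_ip)
        if hop is None:
            raise LookupError(f"no route to {dst_ip} in {table} after {path}")
        path.append(hop)
        table = INGRESS.get((table, hop))
        if table is None:
            return path
    raise RuntimeError(f"routing loop: {path}")

def firewall_passes(src_instance, dst_ip):  # expect 2 for cross-region, 1 in-region
    return trace(src_instance, dst_ip).count("cfw-bonding-eni")
```

A destination outside the CIDR blocks in the static routes reaches the firewall and is then dropped at the transit router system table (LookupError), which is the expected behaviour for unknown prefixes.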