If you use a Cloud Enterprise Network (CEN) transit router, you must manually configure routing between the CEN transit router and a virtual private cloud (VPC) firewall before you can use the VPC firewall to protect traffic between VPCs and virtual border routers (VBRs) that are connected by using the CEN transit router. This topic describes how to configure routing between a CEN transit router and a VPC firewall.

Prerequisites

  1. A CEN instance is created in the CEN console. Three VPCs are created. In this topic, VPC1, VPC2, and DMZ VPC are used. Two VBRs are created. In this topic, IDC-1 and IDC-2 are used.

    For more information, see Create a CEN instance.

  2. A VPC is created in the VPC console for a VPC firewall. In this topic, FW VPC is used. In addition, three vSwitches are created in FW VPC. In this topic, TR-Vswitch-01, TR-VSwitch-02, and Cfw-Vswitch are used. TR-Vswitch-01 and TR-VSwitch-02 are the vSwitches through which the transit router connects to FW VPC. Cfw-Vswitch hosts the elastic network interface (ENI) of the VPC firewall and is selected when you create the VPC firewall.
  3. The ID of FW VPC is added to the required whitelist. You cannot create a VPC firewall for FW VPC until this is done. To add the ID of FW VPC to the whitelist, contact the after-sales support engineers in the DingTalk group of Cloud Firewall.
    Notice The feature that allows you to manually configure routing between a CEN transit router and a VPC firewall is in public preview. If the ID of FW VPC is not in the whitelist, the Create button is dimmed on the VPC Firewall tab of the Cloud Firewall console and the system prompts you to request that the ID be added to the whitelist.

In this topic, traffic between VPC1, IDC-1, or IDC-2 and any other network instance is protected by Cloud Firewall. Traffic between VPC2 and DMZ VPC is not protected. Traffic from any VPC, IDC-1, or IDC-2 that matches only the default route 0.0.0.0/0 is not protected either, because that route in the Cfw-Untrust-RouteTable route table points to DMZ VPC rather than to FW VPC.

Application scope

Cloud Firewall can protect the traffic between network instances that are connected by using CEN transit routers. The network instances include VPCs, VBRs, and Cloud Connect Network (CCN) instances.

If you want to protect the traffic between VPCs in the same region, you can follow the procedure in this topic.

Step 1: Connect FW VPC to a transit router

This step establishes a connection between FW VPC and the transit router.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to a VPC firewall and click the ID of the instance.
  3. On the Basic Settings tab, click Create Connection in the Actions column, or click the Add icon to the right of VPC in the upper part of the tab.
  4. On the Connection with Peer Network Instance page, configure the parameters.
    The following parameters are important:
    • Network Type: The type of the network instance that you want to connect to the CEN instance. Select VPC.
    • Region: The region in which the network instance resides. Select the region in which you created FW VPC.
    • Networks: The network instance that you want to connect to the CEN instance. Select the ID of FW VPC.
    • VSwitch: The vSwitches that the transit router uses to connect to FW VPC. Select TR-Vswitch-01 as the primary vSwitch and TR-VSwitch-02 as the secondary vSwitch.

    For more information about other parameters, see Use Enterprise Edition transit routers to create VPC connections.

Step 2: Connect the VPCs and VBRs to the transit router

You must separately establish a connection between the transit router and each of the following network instances: VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2. This way, the VPCs and VBRs are connected to the CEN instance.

For more information, see Use Enterprise Edition transit routers to create VPC connections.

Step 3: Create a VPC firewall

This step creates a VPC firewall for FW VPC.

To create a VPC firewall, log on to the Cloud Firewall console, go to the Firewall Settings page, and then click the VPC Firewall tab. On the VPC Firewall tab, click the CEN tab, find FW VPC, and then click Create in the Actions column. In the Create VPC Firewall dialog box, select Manual for Routing Mode, FW VPC for VPC, and Cfw-Vswitch for vSwitch.

For more information, see Create a VPC firewall for a CEN instance.

Note After this step is complete, an elastic network interface (ENI) named cfw-bonding-eni is created in Cfw-Vswitch. To view the ENI, log on to the ECS console and choose Network & Security > ENIs. Step 5 points the default route of the system route table of FW VPC to this ENI.

Step 4: Create routes for VPC1, VPC2, and DMZ VPC

This step creates the transit router route tables, routes, and associations that steer traffic from the protected network instances through FW VPC and back out to their destinations.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to the VPC firewall and click the ID of the instance.
  3. On the Transit Router tab, click the number in the Route Table column.
  4. Create two route tables named Cfw-Untrust-RouteTable and Cfw-Trust-RouteTable.
    1. On the Route Table tab, click Create Route Table.
    2. In the Create Route Table dialog box, create the Cfw-Untrust-RouteTable route table. Repeat the operation to create the Cfw-Trust-RouteTable route table.

      Transit Router: Retain the default value.

      Note
      • Cfw-Untrust-RouteTable is the table that the transit router consults for traffic entering from VPC1, IDC-1, and IDC-2. Its routes send that traffic to FW VPC.
      • Cfw-Trust-RouteTable is the table that the transit router consults for traffic entering from FW VPC, that is, traffic that has already passed the firewall. Its routes send that traffic on to VPC1, VPC2, DMZ VPC, IDC-1, or IDC-2.
  5. Configure the Cfw-Trust-RouteTable route table.
    After this configuration, the routes of VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2 are automatically propagated to the Cfw-Trust-RouteTable route table, and the transit router looks up traffic that arrives from FW VPC in this table.
    1. Click the Cfw-Trust-RouteTable route table that you created. In the right-side section, click the Route Propagation tab.
    2. On the Route Propagation tab, click Enable Route Propagation.
    3. In the Enable Route Propagation dialog box, select VPC1, VPC2, DMZ VPC, IDC-1, and IDC-2 for Attachment. Then, click OK.
      After route propagation is enabled, the automatically propagated routes are listed on the Route Entry tab.
    4. On the Route Table tab, click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.
    5. On the Route Table Association tab, delete the association that was created for FW VPC. An attachment can be associated with only one route table at a time, so the association with the system route table must be removed before FW VPC can be associated with Cfw-Trust-RouteTable.
    6. Click the Cfw-Trust-RouteTable route table that you created. On the Route Table Association tab, click Create Association.
    7. In the Add Association dialog box, select FW VPC for Association. Then, click OK.
  6. Add route entries to the Cfw-Untrust-RouteTable route table.
    After this configuration, traffic that is looked up in the Cfw-Untrust-RouteTable route table is forwarded to FW VPC, where the VPC firewall inspects it.
    1. Click the Cfw-Untrust-RouteTable route table that you created. In the right-side section, click the Route Entry tab.
    2. On the Route Entry tab, click Add Route Entry.
    3. In the Add Route Entry dialog box, configure the parameters.
      Parameter description:
      • Destination CIDR: Enter 10.0.0.0/8.
      • Blackhole Route: Retain the default value No.
      • Next Hop: Select FW VPC.
    4. Repeat the preceding steps to add the following routes:
      • Destination CIDR 172.16.0.0/12, Next Hop FW VPC.
      • Destination CIDR 192.168.0.0/16, Next Hop FW VPC.
      • Destination CIDR 61.20.0.0/16, Next Hop FW VPC.
      • Destination CIDR 0.0.0.0/0, Next Hop DMZ VPC.
      The transit router uses longest prefix matching. Destinations in the three private ranges and in 61.20.0.0/16 (IDC-2) are therefore sent to FW VPC, and only destinations outside these ranges match the default route and are sent to DMZ VPC without inspection. Do not enable route propagation on this table: a propagated route for VPC2 or DMZ VPC would be more specific than 10.0.0.0/8 and would let traffic from VPC1, IDC-1, and IDC-2 bypass the firewall.
  7. Configure the system route table.
    1. On the Route Table tab, click the system route table in the left-side route table list. In the right-side section, click the Route Propagation tab.
    2. On the Route Propagation tab, disable route propagation for VPC1, IDC-1, IDC-2, and FW VPC.
      After this operation is complete, only the routes of VPC2 and DMZ VPC are propagated to the system route table. You can view them on the Route Entry tab.
    3. On the Route Entry tab, click Add Route Entry.
    4. In the Add Route Entry dialog box, add the following routes:
      • Destination CIDR 10.0.0.0/24 (VPC1), Next Hop FW VPC.
      • Destination CIDR 172.16.0.0/12 (IDC-1), Next Hop FW VPC.
      • Destination CIDR 61.20.0.0/16 (IDC-2), Next Hop FW VPC.
      Use the actual CIDR blocks of VPC1, IDC-1, and IDC-2 in your environment. These routes send traffic from VPC2 and DMZ VPC to the protected instances through the firewall, so that both directions of a flow between, for example, VPC2 and VPC1 are inspected. The propagated routes of VPC2 and DMZ VPC remain, so traffic between VPC2 and DMZ VPC is forwarded directly.
    5. On the Route Table Association tab, delete the associations of the VPC1, IDC-1, and IDC-2 attachments.
      Note From this point until Step 8 is complete, VPC1, IDC-1, and IDC-2 are not associated with any route table, and traffic that enters the transit router from them is not forwarded. Perform Step 8 immediately afterwards, and schedule this change in a maintenance window.
  8. Associate VPC1, IDC-1, and IDC-2 with the Cfw-Untrust-RouteTable route table.
    After this configuration, traffic that enters the transit router from VPC1, IDC-1, and IDC-2 is looked up in the Cfw-Untrust-RouteTable route table.
    1. Click the Cfw-Untrust-RouteTable route table that you created. In the right-side section, click the Route Table Association tab.
    2. On the Route Table Association tab, click Create Association.
    3. In the Add Association dialog box, select VPC1, IDC-1, and IDC-2 for Association. Click OK.

After the step is complete, the routes between the CEN instance and the VPC firewall are created, and traffic can be forwarded to FW VPC.

Step 5: Configure route tables for the VPC firewall

This step configures the route tables inside FW VPC so that traffic delivered by the transit router is sent to the firewall ENI, and traffic leaving the firewall is returned to the transit router.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables. On the Route Tables page, click Create Route Table. On the Create Route Table page, select FW VPC for VPC and set the Name parameter to VPC-CFW-RouteTable.
  3. Click the name of the VPC-CFW-RouteTable route table. On the page that appears, click the Associated vSwitch tab, and then click Associate vSwitch. In the Associate vSwitch dialog box, select Cfw-Vswitch for vSwitch.
  4. On the Route Entry List tab, click the Custom Route tab.
  5. Click Add Route Entry. In the Add Route Entry panel, configure the parameters.
    Parameter description:
    • Destination CIDR Block: Enter 0.0.0.0/0.
    • Next Hop Type: Select Transit Router.
    • Transit Router: Retain the default value, which corresponds to the transit router that FW VPC is connected to.
    After this operation is complete, traffic that leaves the VPC firewall through its ENI in Cfw-Vswitch is sent back to the CEN transit router, which looks it up in the Cfw-Trust-RouteTable route table.
  6. On the Route Tables page, click the name of the system route table of FW VPC. This route table is used by TR-Vswitch-01 and TR-VSwitch-02, the vSwitches through which the transit router delivers traffic into FW VPC, because they are not associated with a custom route table.
  7. On the page that appears, click the Route Entry List tab and click the Custom Route tab.
  8. Click Add Route Entry. In the Add Route Entry panel, configure the parameters.
    Parameter description:
    • Destination CIDR Block: Enter 0.0.0.0/0.
    • Next Hop Type: Select Secondary ENI.
    • Secondary ENI: Select cfw-bonding-eni.
  9. On the Custom Route tab, delete all other custom routes so that 0.0.0.0/0 to cfw-bonding-eni is the only custom route. To delete a route, click Delete in the Actions column.
    After this step is complete, traffic that the transit router delivers to FW VPC is forwarded to the VPC firewall, and traffic from the firewall is returned to the transit router.

Step 6: Check whether the forwarding configuration is successful

Generate test traffic between the network instances and check whether Cloud Firewall records traffic logs for the VPC firewall. For more information, see Traffic logs. If traffic between protected instances is logged, the forwarding configuration is successful. Examples:
  • VPC1 and VPC2 can communicate with each other, and traffic logs are recorded for the traffic.
  • VPC2 and DMZ VPC can communicate with each other, but no traffic logs are recorded, because this traffic is not routed through FW VPC.
Test each pair in both directions. If connectivity works in one direction only, or the logs show only one direction of a flow, a route table is missing a route or an association and the firewall sees only half of the flow.
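The route table design of Steps 4 and 5 can be sanity-checked before anything is changed in the console. The following Python script is an added example and is not part of this topic or of Cloud Firewall: it models the three transit router route tables and their associations exactly as Step 4 configures them, applies longest prefix matching, and traces which attachments a packet visits. VPC1, IDC-1, and IDC-2 use the CIDR blocks given in Step 4; the CIDR blocks of VPC2 and DMZ VPC (10.0.1.0/24 and 10.0.2.0/24) and the probe addresses are assumptions made for the example.

```python
"""Offline model of the transit router route tables configured in Step 4.
Added example for this topic; not Alibaba Cloud product or documentation code."""
import ipaddress
from itertools import combinations, permutations

# CIDR blocks of the network instances. VPC1, IDC-1 and IDC-2 use the values
# from Step 4; VPC2 and DMZ VPC are assumptions made for this example.
PREFIXES = {
    "VPC1": "10.0.0.0/24",
    "VPC2": "10.0.1.0/24",     # assumed
    "DMZ VPC": "10.0.2.0/24",  # assumed
    "IDC-1": "172.16.0.0/12",
    "IDC-2": "61.20.0.0/16",
}


def propagated(*attachments):
    """Routes added by route propagation: each attachment's prefix points at itself."""
    return [(PREFIXES[a], a) for a in attachments]


# Transit router route tables as (destination CIDR, next-hop attachment).
TR_TABLES = {
    # Step 4.6: static entries only; propagation stays disabled on this table.
    "Cfw-Untrust-RouteTable": [
        ("10.0.0.0/8", "FW VPC"),
        ("172.16.0.0/12", "FW VPC"),
        ("192.168.0.0/16", "FW VPC"),
        ("61.20.0.0/16", "FW VPC"),
        ("0.0.0.0/0", "DMZ VPC"),
    ],
    # Step 4.5: propagation enabled for all five instances.
    "Cfw-Trust-RouteTable": propagated("VPC1", "VPC2", "DMZ VPC", "IDC-1", "IDC-2"),
    # Step 4.7: propagation from VPC2 and DMZ VPC only, plus three static routes.
    "System": propagated("VPC2", "DMZ VPC") + [
        ("10.0.0.0/24", "FW VPC"),
        ("172.16.0.0/12", "FW VPC"),
        ("61.20.0.0/16", "FW VPC"),
    ],
}

# Route table associations: the table consulted for traffic that enters the
# transit router from each attachment (Steps 4.5, 4.7 and 4.8).
ASSOCIATION = {
    "VPC1": "Cfw-Untrust-RouteTable",
    "IDC-1": "Cfw-Untrust-RouteTable",
    "IDC-2": "Cfw-Untrust-RouteTable",
    "FW VPC": "Cfw-Trust-RouteTable",
    "VPC2": "System",
    "DMZ VPC": "System",
}


def lookup(table, dst_ip):
    """Longest-prefix match in one table; None means no route (packet dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, next_hop in TR_TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(src_attachment, dst_ip):
    """Attachments a packet visits, starting at its source attachment.
    FW VPC hairpins the packet back to the transit router (Step 5), so after
    FW VPC the lookup continues in the table associated with FW VPC."""
    path = [src_attachment]
    current = src_attachment
    for _ in range(4):  # bounded so a misconfigured loop cannot spin forever
        next_hop = lookup(ASSOCIATION[current], dst_ip)
        path.append(next_hop)
        if next_hop != "FW VPC" or current == "FW VPC":
            break  # delivered, dropped (None), or looped straight back into FW VPC
        current = next_hop
    return path


def inspected(src_attachment, dst_ip):
    """True if the packet passes through FW VPC on its way."""
    return "FW VPC" in trace(src_attachment, dst_ip)


def probe(attachment):
    """A host address inside an instance's prefix, used to test a direction."""
    return str(ipaddress.ip_network(PREFIXES[attachment])[10])


def asymmetric_pairs():
    """Ordered pairs where only one direction is inspected. A stateful firewall
    would then see half a flow, so this must be empty for a correct design."""
    return [(a, b) for a, b in permutations(PREFIXES, 2)
            if inspected(a, probe(b)) != inspected(b, probe(a))]


def uninspected_pairs():
    """Unordered pairs whose traffic never touches the firewall in either direction."""
    return [(a, b) for a, b in combinations(sorted(PREFIXES), 2)
            if not inspected(a, probe(b)) and not inspected(b, probe(a))]


if __name__ == "__main__":
    for src, dst in permutations(PREFIXES, 2):
        print(f"{src:>8} -> {dst:<8} {trace(src, probe(dst))}")
    print("asymmetric:", asymmetric_pairs())
    print("uninspected:", uninspected_pairs())
    print("VPC1 -> 8.8.8.8:", trace("VPC1", "8.8.8.8"))
```

Run it as a script to print the full source-to-destination matrix. Substitute your own CIDR blocks and associations: a non-empty asymmetric_pairs() means a route in the system route table or in Cfw-Untrust-RouteTable is missing or too coarse, and uninspected_pairs() should list exactly the flows you intend to exempt (here only VPC2 to DMZ VPC). The trace for VPC1 to 8.8.8.8 shows the default route delivering to DMZ VPC without inspection, and the trace for VPC2 to 8.8.8.8 shows that the system route table, as configured on this page, has no default route at all.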