Cloud Firewall: Overview

Last Updated: Jul 12, 2023

This topic introduces the basic concept of a virtual private cloud (VPC) firewall and describes the scenarios of VPC firewalls.

What is a VPC firewall?

A VPC firewall monitors and manages traffic between VPCs and traffic between a VPC and a data center. If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or are connected by using an Express Connect circuit, you can create a VPC firewall to manage traffic between the VPCs and traffic between each VPC and a data center.

Centralized account management is supported when you use a VPC firewall. For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you can use Account A to purchase Cloud Firewall Enterprise Edition or Ultimate Edition to protect traffic between VPC_1 and VPC_2.

Diagram: vpc acl.png (VPC firewall topology diagram; image not reproduced here)

Scenarios

Cloud Firewall provides three types of VPC firewalls. You can select a type based on your networking architecture.

The following table lists each VPC firewall type, the traffic it can and cannot protect, and the topic that describes how to configure it.

VPC firewall type: VPC firewall that is created for an Enterprise Edition transit router
Scenario: This type of VPC firewall can protect the following types of traffic:
  • Traffic between VPCs in the same region
  • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router
  • Traffic between a VPC and a virtual border router (VBR) or a data center
  • Traffic between a VPC and a Cloud Connect Network (CCN) instance
  • Traffic between VBRs
  • Traffic between a VBR and a CCN instance
  • Traffic between a VPC and a public VPN gateway
  This type of VPC firewall cannot protect traffic between CCN instances.
Reference: Configure a VPC firewall for an Enterprise Edition transit router

VPC firewall type: VPC firewall that is created for a Basic Edition transit router
Scenario: This type of VPC firewall can protect the following types of traffic:
  • Traffic between VPCs in the same region
  • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router
  • Traffic between a VPC and a VBR or a data center
  • Traffic between a VPC and a CCN instance
  This type of VPC firewall cannot protect the following types of traffic:
  • Traffic between VBRs
  • Traffic between a VBR and a CCN instance
  • Traffic between CCN instances
Reference: Configure a VPC firewall for a Basic Edition transit router

VPC firewall type: VPC firewall that is created for an Express Connect circuit
Scenario: This type of VPC firewall can protect the following types of traffic:
  • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account
  • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region
  This type of VPC firewall cannot protect the following types of traffic:
  • Traffic between cross-region and cross-account VPCs that are connected by using an Express Connect circuit
  • Traffic between a VPC and a VBR
  Note: If you want to protect the preceding types of traffic, we recommend that you use Cloud Enterprise Network (CEN) instead of Express Connect. For more information, join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.
Reference: Configure a VPC firewall for VPCs connected by using an Express Connect circuit