This topic describes the limits of virtual private cloud (VPC) firewalls and the solutions that are provided.

General limits

Item: A VPC quota of 10 is allowed for each region. A VPC firewall that is created by Cloud Firewall consumes this quota. After you enable a VPC firewall, Cloud Firewall automatically creates a VPC named Cloud_Firewall_VPC in each region. For more information about how to view the VPC, see View a VPC. If the VPC quota in a region is insufficient, you cannot enable VPC firewalls for the region.
Solution: If the VPC quota is exhausted, you must increase the VPC quota. For more information, see Manage resource quotas.

Limits on the Basic Edition transit routers of CEN instances

Item: If multiple VPCs in a Cloud Enterprise Network (CEN) instance are created by different Alibaba Cloud accounts, Cloud Firewall must meet the following conditions:
  • Cloud Firewall runs Ultimate Edition.
  • Cloud Firewall is authorized to access all VPCs.
Otherwise, VPC firewalls cannot be created.
Solution: Make sure that Cloud Firewall runs Ultimate Edition and is authorized to access all VPCs.

Item: VPC Firewall can be enabled for a CEN instance only if VPC Firewall is supported in all regions where the VPCs in the CEN instance reside.
Solution: Make sure that VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. For more information, see Supported regions.

Item: If you enabled a VPC firewall before May 1, 2021 and you used a public IP address as a private IP address in your network topology, your access to Server Load Balancer (SLB) and ApsaraDB RDS is interrupted.
Notice: If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit.
Solution: We recommend that you develop a network plan based on the standards. We also recommend that you do not use a public IP address as a private IP address.

Item: You can advertise up to 100 routes in a CEN instance.
Solution: We recommend that you advertise no more than 100 routes. For more information, contact the after-sales service in the specified DingTalk group.

Item:
  • After you enable a VPC firewall, Cloud Firewall automatically adds a custom route to your VPC route table.
  • If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls.
  • By default, up to 200 custom routes can be added to a VPC route table.
Solution: Increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account. For more information, see Manage resource quotas.

Item: If a VPC in a CEN instance has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall for the CEN instance.
Solution: Delete the custom route table or disassociate the custom route table from the vSwitch.

Item: Cloud Firewall does not protect the following mutual access traffic, because it does not pass through Cloud Firewall:
  • Mutual access traffic between Virtual Border Routers (VBRs)
  • Mutual access traffic between Cloud Connect Network (CCN) instances
  • Mutual access traffic between VBRs and CCN instances
Solution: For more information, contact the after-sales service in the specified DingTalk group.

Item: When you enable or disable VPC Firewall for an SLB or ApsaraDB RDS instance, existing persistent connections may fail.
Solution:
  • Before you enable or disable VPC Firewall, make sure that the SLB instance and its backend server reside in the current VPC. This way, network latency and network jitter are prevented.
  • Configure the keep-connection-alive and reconnection mechanisms on the client.

Item: The total number of VPCs and regions for which VPC Firewall is enabled cannot exceed 32.
Solution: None.

Item: When you enable a VPC firewall for a CEN instance, you can add up to 15 network instances.
Solution: We recommend that you use a transit router. For more information, contact the after-sales service in the specified DingTalk group.

Item: If a CEN instance has routing policies whose Routing Policy Action is set to Deny, services are interrupted when you create a VPC firewall for the CEN instance. This excludes system routing policies whose priority is set to 5000 and whose Routing Policy Action is set to Deny.
Solution: We recommend that you delete the relevant routing policies or contact the after-sales service in the specified DingTalk group.

Item: If you create or delete routing policies for a CEN instance after you enable a VPC firewall for the instance, you must wait 15 to 30 minutes until Cloud Firewall learns the routes.
Solution: After Cloud Firewall learns the routes, we recommend that you check whether your routing policies take effect. You can check this in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.

Item: If your CEN is connected by using a single leased line, traffic is interrupted when you enable a VPC firewall or start a network cutover.
Solution: Before you enable a VPC firewall or start a network cutover, we recommend that you contact the after-sales service in the specified DingTalk group.

Limits on the Enterprise Edition transit routers of CEN instances

Item: When you enable a VPC firewall for a CEN instance, you can add up to 100 network instances such as VPCs, VBRs, and CCN instances to the transit router in each region.
Note: The VPCs that you can add to a transit router include the VPC named Cloud_Firewall_VPC that is automatically created when you enable the VPC firewall. For more information about how to view the VPC, see View a VPC.
Solution: None.

Item: A transit router is subject to the following limits:
  • After you create a VPC firewall in automatic mode, you must contact the after-sales service to add the automatically created VPC named Cloud_Firewall_VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
  • After you create a VPC firewall in manual mode, you must contact the after-sales service to add the newly created VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
Solution: To add a VPC to the whitelist, contact the after-sales service in the specified DingTalk group.

Item: If you enabled a VPC firewall and a Basic Edition transit router is upgraded to an Enterprise Edition transit router, traffic over the CIDR blocks of the newly added learned routes is interrupted when the traffic passes through the firewall.
Solution: Before you upgrade a Basic Edition transit router to an Enterprise Edition transit router, you must delete the VPC firewall in the region where the Basic Edition transit router is deployed. After you delete the VPC firewall, upgrade the Basic Edition transit router to an Enterprise Edition transit router. Then, reconfigure a VPC firewall.

Limits on Express Connect

Item: If you enable a VPC firewall for Express Connect, the firewall does not protect the mutual access traffic between VPCs that reside in different regions or belong to different Alibaba Cloud accounts. The firewall also does not protect the mutual access traffic between VPCs and VBRs.
Solution: If you want to protect the mutual access traffic in these scenarios, we recommend that you use CEN to replace Express Connect. For more information, contact the after-sales service in the specified DingTalk group.

Item:
  • After you enable a VPC firewall, Cloud Firewall automatically adds a custom route to your VPC route table.
  • If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls.
  • By default, up to 200 custom routes can be added to each VPC route table.
Solution: Increase the maximum number of custom routes allowed for each VPC route table within your Alibaba Cloud account. For more information, see Manage resource quotas.

Item: You cannot advertise routes that use 32-bit subnet masks in Express Connect. If routes that use 32-bit subnet masks are advertised and a VPC firewall is enabled, connections to the networks that those routes cover are interrupted.
Solution: Before you enable a VPC firewall, we recommend that you use subnet masks that are no longer than 30 bits. Alternatively, contact the after-sales service in the specified DingTalk group.

Item: If you add or delete routes in your VPC route table for an Express Connect circuit after you enable a VPC firewall for the circuit, you must wait 15 to 30 minutes until Cloud Firewall learns the routes.
Solution: After Cloud Firewall learns the routes, we recommend that you check whether your route table takes effect. You can check this in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.
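As an added pre-flight check (example code written for this page, not Alibaba Cloud's own tooling), the function below applies the limits from the tables above to a snapshot of your network: the custom-route quota that the firewall's own route must fit into, the 32-bit subnet masks that Express Connect cannot carry, public address space used as private address space, and the 100-route advertisement limit of a CEN instance. The record shape and the sample snapshot are constructed assumptions; in practice the values come from the VPC and CEN consoles or APIs.

```python
import ipaddress

# Limits quoted on this page. The route quota is a default and can be raised.
DEFAULT_CUSTOM_ROUTE_QUOTA = 200     # custom routes per VPC route table
CEN_ADVERTISED_ROUTE_LIMIT = 100     # routes advertised in one CEN instance
MAX_PREFIX_LEN_EXPRESS_CONNECT = 30  # /32 cannot be advertised; <= /30 recommended
ROUTES_ADDED_BY_FIREWALL = 1         # enabling a VPC firewall adds one custom route

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if an IPv4 network lies inside one of the RFC 1918 private blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def preflight(route_entries, vswitch_cidrs, cen_advertised_routes,
              custom_route_quota=DEFAULT_CUSTOM_ROUTE_QUOTA):
    """Return findings that would block, or be disrupted by, enabling a VPC firewall.

    route_entries: dicts with "cidr" and "type" ("System" or "Custom"), an assumed shape.
    """
    findings = []
    custom = [e for e in route_entries if e["type"] == "Custom"]
    if len(custom) + ROUTES_ADDED_BY_FIREWALL > custom_route_quota:
        findings.append(f"route table: {len(custom)} custom routes, firewall needs "
                        f"{ROUTES_ADDED_BY_FIREWALL} more, quota is {custom_route_quota}")
    for e in custom:
        net = ipaddress.ip_network(e["cidr"], strict=False)
        if net.prefixlen > MAX_PREFIX_LEN_EXPRESS_CONNECT:
            findings.append(f"route {e['cidr']}: mask longer than /{MAX_PREFIX_LEN_EXPRESS_CONNECT}, "
                            "connections would be interrupted once a VPC firewall is enabled")
    for cidr in vswitch_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and not is_rfc1918(net):
            findings.append(f"vSwitch {cidr}: public address space used as private address space")
    if len(cen_advertised_routes) > CEN_ADVERTISED_ROUTE_LIMIT:
        findings.append(f"CEN advertises {len(cen_advertised_routes)} routes, "
                        f"limit is {CEN_ADVERTISED_ROUTE_LIMIT}")
    return findings


# Constructed sample snapshot (not real resources): 200 custom routes, one of them /32,
# one vSwitch in documentation address space, and 199 routes advertised in the CEN.
SAMPLE_ROUTE_ENTRIES = (
    [{"cidr": "10.0.0.0/16", "type": "System"}, {"cidr": "203.0.113.7/32", "type": "Custom"}]
    + [{"cidr": f"10.{i}.0.0/24", "type": "Custom"} for i in range(1, 200)]
)
SAMPLE_VSWITCH_CIDRS = ["10.0.1.0/24", "198.51.100.0/24"]
SAMPLE_CEN_ROUTES = [f"10.{i}.0.0/24" for i in range(1, 200)]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ROUTE_ENTRIES, SAMPLE_VSWITCH_CIDRS, SAMPLE_CEN_ROUTES):
        print("BLOCKER:", finding)
```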