This topic describes the limits of virtual private cloud (VPC) firewalls and the solutions that are provided.

General limits

Item Solution
A VPC quota of 20 is allowed for each region. A VPC firewall that is created by Cloud Firewall consumes this quota. After you enable a VPC firewall, Cloud Firewall automatically creates a VPC named Cloud_Firewall_VPC for each region. This VPC is displayed on the VPCs page of the VPC console. If a region has 20 VPCs, you cannot enable VPC firewalls for this region. If the VPC quota is exhausted, log on to the VPC console and go to the Quota Management page to increase the VPC quota.
Notice If the VPC quota reaches the upper limit, contact the after-sales service in the specified DingTalk group.

Limits on Cloud Enterprise Network (CEN)

Item Solution
If multiple VPCs in a CEN instance are created by different Alibaba Cloud accounts, Cloud Firewall must be authorized to access all of these VPCs and must run the Ultimate Edition. Otherwise, VPC firewalls cannot be created.
VPC Firewall can be enabled for a CEN instance only if VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. Make sure that VPC Firewall is supported in all regions where the VPCs in the CEN instance reside. For more information, see Supported regions.
If you enabled a VPC firewall before May 1, 2021 and you used a public IP address as a private IP address in your network topology, your access to Server Load Balancer (SLB) and ApsaraDB RDS is interrupted.
Notice If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit.
We recommend that you develop a network plan based on the standards. We also recommend that you do not use a public IP address as a private IP address.
You can advertise up to 100 routes in a CEN instance. We recommend that you advertise no more than 100 routes. For more information, contact the after-sales service in the specified DingTalk group.
After you enable a VPC firewall, a custom route is added to your VPC route table. If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls. The maximum number of custom routes allowed for each VPC route table is 400. Increase the maximum number of custom routes allowed for each VPC route table.

Log on to the VPC console. Then, go to the Quota Management page and increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account.

If a VPC in a CEN instance has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall for the CEN instance. Delete the custom route table or disassociate the custom route table from the vSwitch.
Cloud Firewall does not protect the following types of mutual access traffic, because this traffic does not pass through Cloud Firewall:
  • Mutual access traffic between Virtual Border Routers (VBRs)
  • Mutual access traffic between Cloud Connect Networks (CCNs)
  • Mutual access traffic between VBRs and CCNs
For more information, contact the after-sales service in the specified DingTalk group.
When you enable or disable VPC Firewall for an SLB or ApsaraDB RDS instance, existing persistent connections may fail.
  • Before you enable or disable VPC Firewall, make sure that the SLB instance and its backend server reside in the current VPC. This way, network latency and network jitter are prevented.
  • Configure the keep-connection-alive and reconnection mechanisms on the client.
The total number of VPCs and regions for which VPC Firewall is enabled cannot exceed 32. None.
When you enable a VPC firewall for a CEN instance, you can add up to 15 network instances. We recommend that you use a CEN transit router. For more information, contact the after-sales service in the specified DingTalk group.
If a CEN instance has routing policies whose Routing Policy Action is set to Deny, services are interrupted if you create a VPC firewall for the CEN instance. The routing policies exclude system routing policies whose priority is set to 5000 and Routing Policy Action is set to Deny. We recommend that you delete the relevant routing policies or contact the after-sales service in the specified DingTalk group.
If you create or delete routing policies for a CEN instance after you enable a VPC firewall for the instance, you must wait for 15 to 30 minutes until Cloud Firewall learns the routes. After Cloud Firewall learns the routes, we recommend that you check whether your routing policies take effect. You can check whether the routing policies take effect in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.
If your CEN is connected by using a single leased line, traffic is interrupted when you enable a VPC firewall or start a network cutover. Before you enable a VPC firewall or start a network cutover, we recommend that you contact the after-sales service in the specified DingTalk group.

Limits on a CEN transit router

Item Solution
When you enable a VPC firewall for a CEN instance, you can add up to 100 network instances such as VPCs, VBRs, and CCNs to the transit router in each region.
Note The total number of VPCs that you can add to a transit router includes the VPC that is automatically created when you enable the VPC firewall. The created VPC is named Cloud_Firewall_VPC and is displayed on the VPCs page of the VPC console.
None.
A transit router is subject to the following limits:
  • After you create a VPC firewall in automatic mode, you must contact the after-sales service to add the automatically created VPC named Cloud_Firewall_VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
  • After you create a VPC firewall in manual mode, you must contact the after-sales service to add the newly created VPC to the required whitelist. After the VPC is added to the whitelist, you can enable the VPC firewall.
To add a VPC to the whitelist, contact the after-sales service in the specified DingTalk group.

Limits on Express Connect

Item Solution
If you enable a VPC firewall for Express Connect, the firewall does not protect the mutual access traffic between VPCs that reside in different regions or belong to different Alibaba Cloud accounts. The firewall also does not protect the mutual access traffic between VPCs and VBRs. If you want to protect the mutual access traffic in these scenarios, we recommend that you use CEN to replace Express Connect. For more information, contact the after-sales service in the specified DingTalk group.
After you enable a VPC firewall, a custom route is added to your VPC route table. If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls. The maximum number of custom routes allowed for each VPC route table is 400. Increase the maximum number of custom routes allowed for each route table.

Log on to the VPC console. Then, go to the Quota Management page and increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account.

You cannot advertise routes that use 32-bit subnet masks in Express Connect. If routes that use 32-bit subnet masks are advertised and a VPC firewall is enabled, connections to the networks that these routes cover are interrupted. Before you enable a VPC firewall, we recommend that you use subnet masks that are 30 bits or shorter. Alternatively, contact the after-sales service in the specified DingTalk group.
If you add or delete route entries in your VPC route table for an Express Connect circuit after you enable a VPC firewall for the circuit, you must wait for 15 to 30 minutes until Cloud Firewall learns routes. After Cloud Firewall learns routes, we recommend that you check whether your route table takes effect. You can check whether your route table takes effect in the Cloud Firewall console or by contacting the after-sales service in the specified DingTalk group.
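As an added example that is not part of the original page and not Alibaba Cloud's own tooling, the following Python script encodes the numeric limits from the three tables above (the 20-VPC regional quota, 400 custom routes per route table, 100 advertised CEN routes, 15 network instances per CEN instance, non-system Deny routing policies, Express Connect prefixes longer than /30, and the VPC-plus-region total of 32) as pre-flight checks to run before enabling a VPC firewall. It operates on a hand-built inventory dict whose field names are assumptions; in practice the values would be collected from the VPC and CEN consoles.

```python
import ipaddress

# Limits quoted from the tables above.
VPC_QUOTA_PER_REGION = 20
MAX_CUSTOM_ROUTES_PER_TABLE = 400
MAX_ADVERTISED_CEN_ROUTES = 100
MAX_CEN_NETWORK_INSTANCES = 15
MAX_VPCS_PLUS_REGIONS = 32
MAX_EXPRESS_CONNECT_PREFIX_LEN = 30
SYSTEM_DENY_POLICY_PRIORITY = 5000  # system Deny policy that is exempt


def check_vpc_quota(regions):
    """Enabling the firewall creates Cloud_Firewall_VPC, so a region that
    already holds 20 VPCs has no room for it."""
    return [f"{region}: {info['vpc_count']} VPCs in use, no room for Cloud_Firewall_VPC"
            for region, info in regions.items()
            if info["vpc_count"] >= VPC_QUOTA_PER_REGION]


def check_custom_routes(route_tables):
    """CEN and Express Connect both add one custom route per route table."""
    return [f"{table}: {info['custom_route_count']} custom routes, table is full"
            for table, info in route_tables.items()
            if info["custom_route_count"] >= MAX_CUSTOM_ROUTES_PER_TABLE]


def check_cen(cen):
    """CEN-specific limits: advertised routes, instance count, cross-account
    prerequisites, and Deny routing policies other than the system one."""
    findings = []
    if cen["advertised_routes"] > MAX_ADVERTISED_CEN_ROUTES:
        findings.append(f"CEN advertises {cen['advertised_routes']} routes "
                        f"(recommended maximum {MAX_ADVERTISED_CEN_ROUTES})")
    if len(cen["network_instances"]) > MAX_CEN_NETWORK_INSTANCES:
        findings.append(f"CEN has {len(cen['network_instances'])} network instances "
                        f"(maximum {MAX_CEN_NETWORK_INSTANCES}); use a transit router")
    cross_account = len(cen["member_accounts"]) > 1
    if cross_account and not (cen["cross_account_authorized"] and cen["edition"] == "Ultimate"):
        findings.append("cross-account VPCs require authorization for all VPCs and Ultimate Edition")
    for policy in cen["routing_policies"]:
        if policy["action"] == "Deny" and policy["priority"] != SYSTEM_DENY_POLICY_PRIORITY:
            findings.append(f"Deny routing policy at priority {policy['priority']} "
                            "will interrupt services once the firewall is created")
    return findings


def check_express_connect_prefixes(prefixes):
    """Routes with masks longer than /30 lose connectivity after enablement."""
    return [f"{prefix}: mask longer than /{MAX_EXPRESS_CONNECT_PREFIX_LEN}"
            for prefix in prefixes
            if ipaddress.ip_network(prefix, strict=False).prefixlen > MAX_EXPRESS_CONNECT_PREFIX_LEN]


def check_scale(enabled_vpcs, enabled_regions):
    """VPCs plus regions with VPC Firewall enabled may not exceed 32."""
    total = len(enabled_vpcs) + len(enabled_regions)
    if total > MAX_VPCS_PLUS_REGIONS:
        return [f"{total} VPCs+regions enabled (maximum {MAX_VPCS_PLUS_REGIONS})"]
    return []


def preflight(snapshot):
    """Run every check and return the list of blocking or risky findings."""
    return (check_vpc_quota(snapshot["regions"])
            + check_custom_routes(snapshot["route_tables"])
            + check_cen(snapshot["cen"])
            + check_express_connect_prefixes(snapshot["express_connect_prefixes"])
            + check_scale(snapshot["firewall_enabled_vpcs"], snapshot["firewall_enabled_regions"]))


# Constructed inventory for demonstration; field names and values are assumptions.
SNAPSHOT = {
    "regions": {"cn-hangzhou": {"vpc_count": 20}, "cn-shanghai": {"vpc_count": 3}},
    "route_tables": {"vtb-full": {"custom_route_count": 400}, "vtb-ok": {"custom_route_count": 12}},
    "cen": {
        "advertised_routes": 101,
        "network_instances": [f"vpc-{i:02d}" for i in range(16)],
        "member_accounts": {"acct-a", "acct-b"},
        "cross_account_authorized": True,
        "edition": "Premium",
        "routing_policies": [{"priority": 5000, "action": "Deny"},
                             {"priority": 10, "action": "Deny"},
                             {"priority": 20, "action": "Allow"}],
    },
    "express_connect_prefixes": ["10.0.0.0/24", "10.0.1.5/32", "192.168.0.0/30"],
    "firewall_enabled_vpcs": ["vpc-a", "vpc-b"],
    "firewall_enabled_regions": ["cn-hangzhou", "cn-shanghai"],
}

if __name__ == "__main__":
    for finding in preflight(SNAPSHOT):
        print("BLOCKER:", finding)
```

With the constructed inventory, the script reports seven findings: the full region, the full route table, four CEN problems (too many advertised routes, too many network instances, missing Ultimate Edition for cross-account VPCs, and a non-system Deny policy), and the /32 Express Connect route. The priority-5000 system Deny policy and the /30 prefix pass, matching the exemptions the tables state.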