
Cloud Firewall:Protect traffic between VPCs connected by using a CEN transit router

Last Updated:Aug 14, 2024

If you use a Cloud Enterprise Network (CEN) transit router, you must manually configure routing between the transit router and a virtual private cloud (VPC) firewall before you can use the VPC firewall to protect traffic between the VPCs that are connected by using the transit router. This topic describes how to configure routing between a transit router and a VPC firewall.

Application scope

Cloud Firewall can protect traffic between network instances that are connected by using CEN transit routers. The network instances include VPCs, virtual border routers (VBRs), Cloud Connect Network (CCN) instances, and VPN gateways.

If you want to protect the traffic between VPCs in the same region by using a VPC firewall, you can follow the procedure described in this topic.

Prerequisites

A CEN instance is created in the CEN console. Two VPCs are created. In this topic, VPC-01 and VPC-02 are used. For more information, see CEN instances.

Step 1: Create a VPC for a VPC firewall

A VPC firewall requires a VPC. Therefore, you must create a VPC for the VPC firewall.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region in which you want to create a VPC and click Create VPC.

  3. On the Create VPC page, configure the following parameters and click OK.

    Parameter description:

    • Region: Select the region in which you want to enable a VPC firewall.

    • Name: Enter a name for the VPC. In this example, enter Cfw-TR-manual-VPC.

    • IPv4 CIDR Block: Specify a primary IPv4 CIDR block for the VPC. The subnet mask of the CIDR block must be at least 26 bits in length, and the CIDR block cannot conflict with the CIDR blocks that are used in your workloads.

    • vSwitch: Specify the vSwitches that you can connect to the transit router. The subnet mask of each CIDR block must be at least 28 bits in length.

      You must specify two vSwitches to connect to the transit router and select two different zones that support transit routers. We recommend that you select the zones in which your workloads are deployed to reduce latency. You must also specify a vSwitch for the VPC firewall, and you can select an arbitrary zone for this vSwitch.

      In this example, specify a primary vSwitch named TR-Vswitch-01 and a secondary vSwitch named TR-VSwitch-02 for the transit router, and a vSwitch named Cfw-Vswitch for the VPC firewall.

  4. On the VPC page, find and click the ID of the created VPC named Cfw-TR-manual-VPC.

  5. On the page that appears, click the Resource Management tab, and move the pointer over Route Table and click Add below Route Table. Alternatively, you can go to the Route Tables page and click Create Route Table.

  6. On the Create Route Table page, configure the following parameters to create a route table and click OK.

    Parameter description:

    • VPC: Select the VPC that is created in the preceding step. In this example, select Cfw-TR-manual-VPC.

    • Associated Resource Type: Select vSwitch as the resource type with which the route table can be associated.

    • Name: Enter a name for the route table. In this example, enter VPC-CFW-RouteTable.

Step 2: Connect the created VPC to the transit router

This step establishes a connection between the created VPC named Cfw-TR-manual-VPC and an Enterprise Edition transit router.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to a VPC firewall and click the ID of the instance.

  3. On the Basic Information tab, find a CEN transit router and click Create Connection in the Actions column, or click the add icon to the right of VPC in the upper part of the tab.

  4. On the Connection with Peer Network Instance page, configure the parameters.

    The following list describes the key parameters.

    • Network Type: The type of the network instance that you want to connect to the CEN instance. In this example, select VPC.

    • Region: The region in which the network instance resides. In this example, select the region that you specified when you created Cfw-TR-manual-VPC.

    • Network Instance: The network instance that you want to connect to the CEN instance. In this example, select the ID of Cfw-TR-manual-VPC.

    • VSwitch: The vSwitches that you can associate with the network instance. In this example, select TR-Vswitch-01 as the primary vSwitch and TR-VSwitch-02 as the secondary vSwitch.

    For more information about other parameters, see Use an Enterprise Edition transit router to connect VPCs.

Step 3: Connect VPC-01 and VPC-02 to the transit router

This step establishes a connection between VPC-01 and the transit router and a connection between VPC-02 and the transit router. This way, both VPCs are connected to the transit router.

For more information, see Use an Enterprise Edition transit router to connect VPCs.

Step 4: Create a VPC firewall

This step creates a VPC firewall for Cfw-TR-manual-VPC.

To create a VPC firewall, log on to the Cloud Firewall console. In the left-side navigation pane, choose Firewall Settings > VPC Firewall > CEN (Enterprise Edition). On the CEN (Enterprise Edition) tab, find the required transit router and click Create in the Actions column. In the Create VPC Firewall dialog box, select Manual for Traffic Redirection Mode, Cfw-TR-manual-VPC for VPC, and Cfw-Vswitch for vSwitch. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

Note

After this step is complete, an elastic network interface (ENI) named cfw-bonding-eni is created in Cfw-Vswitch. To view the ENI, log on to the Elastic Compute Service (ECS) console and choose Network & Security > Elastic Network Interfaces in the left-side navigation pane.

Step 5: Configure routes for Cfw-TR-manual-VPC

This step creates routes that redirect the traffic forwarded by the transit router to Cfw-TR-manual-VPC to the VPC firewall, and then forward the traffic processed by the VPC firewall back to the transit router.

  1. Log on to the VPC console.

  2. On the Route Tables page, click the system route table that is created for Cfw-TR-manual-VPC.

  3. On the Route Entry List tab, click the Custom Route tab.

  4. Click Add Route Entry and configure the parameters. If other custom routes exist, delete the custom routes.

    Parameter description:

    • Destination CIDR Block: Specify 0.0.0.0/0.

    • Next Hop Type: Select ENI.

    • ENI: Select cfw-bonding-eni, which is created in Step 4.

    After this step is complete, the traffic that is forwarded by the transit router to Cfw-TR-manual-VPC is redirected to the VPC firewall.

  5. On the Route Tables page, click the custom route table VPC-CFW-RouteTable that you created. On the page that appears, click the Associated vSwitch tab and click Associate vSwitch. In the Associate vSwitch dialog box, select Cfw-Vswitch for vSwitch. Then, click OK.

  6. On the Route Entry List tab, click the Custom Route tab. Click Add Route Entry and configure the parameters. If other custom routes exist, delete the custom routes.

    Parameter description:

    • Destination CIDR Block: Specify 0.0.0.0/0.

    • Next Hop Type: Select Transit Router.

    • Transit Router: Select the transit router for which the VPC firewall is created.

    After this step is complete, the traffic that is processed by the VPC firewall is forwarded to the transit router.

Step 6: Configure routes for the transit router

This step creates routes for VPC-01, VPC-02, and Cfw-TR-manual-VPC to allow traffic between VPC-01 and VPC-02 to pass through the VPC firewall.

  1. Log on to the CEN console.
  2. Find and click the transit router for which you want to enable a VPC firewall. The Route Table tab appears.

  3. On the Route Table tab, click the system route table in the left-side route table list.

  4. In the Route Table Details section, click the Route Propagation tab.

  5. On the Route Propagation tab, create route learning correlations for VPC-01 and VPC-02. To create a route learning correlation for VPC-01, select VPC-01 for Attachment. To create a route learning correlation for VPC-02, select VPC-02 for Attachment.

    After route learning correlations are created, the system learns routes from VPC-01 and VPC-02.

    In addition, you can view information about the routes that the system learns on the Route Entry tab.

  6. Click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.

  7. On the Route Table Association tab, click Create Association.

  8. In the Add Association dialog box, select Cfw-TR-manual-VPC for Association.

    After this step is complete, Cfw-TR-manual-VPC can automatically forward traffic that is destined for VPC-01 and VPC-02 by using the transit router.

  9. Click Create Route Table on the left side of the Route Table tab. In the Create Route Table dialog box, configure the parameters.

    Set Transit Router to the transit router for which you want to enable the VPC firewall and specify a route table. Set the Route Table Name parameter to Cfw-TR-RouteTable.

    The Cfw-TR-RouteTable route table is used to forward traffic from VPC-01 and VPC-02 to Cfw-TR-manual-VPC.

  10. Click the Cfw-TR-RouteTable route table. Then, click Add Route Entry. In the Add Route Entry dialog box, configure the parameters.

    Parameter description:

    • Destination CIDR: Retain the default value 0.0.0.0/0.

    • Blackhole Route: Retain the default value No.

    • Next Hop: Select the transit router that is connected to Cfw-TR-manual-VPC.

  11. On the Route Table tab, click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.

    Warning

    When you perform operations 12 to 14, persistent TCP connections may be closed due to route switchover. We recommend that you perform the operations during off-peak hours or during a change window.

  12. On the Route Table Association tab, delete the associated forwarding correlations that are created for VPC-01 and VPC-02. On the Route Table tab, click the Cfw-TR-RouteTable route table in the left-side route table list.

  13. In the Route Table Details section, click the Route Table Association tab and click Create Association.

  14. In the Add Association dialog box, select VPC-01 and VPC-02 for Association and click OK.

    After this step is complete, the traffic of VPC-01 and VPC-02 is forwarded to Cfw-TR-RouteTable, and the traffic between VPC-01 and VPC-02 is forwarded to Cfw-TR-manual-VPC.
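The following Python model is an added check, not part of this topic or of Cloud Firewall itself: it encodes the route tables from Step 5 and Step 6 and traces a packet from VPC-01 to VPC-02 hop by hop, so you can confirm that the traffic crosses the VPC firewall ENI and does not loop or get dropped. It assumes sample workload CIDRs (10.1.0.0/16 and 10.2.0.0/16), that TR-Vswitch-01 and TR-Vswitch-02 use the system route table of Cfw-TR-manual-VPC, and that the firewall re-emits inspected traffic on Cfw-Vswitch.

```python
import ipaddress
# Constructed model of the page's topology after Steps 5 and 6; workload CIDRs are assumptions.
# TR tables: the system table learns VPC-01/VPC-02 via propagation; Cfw-TR-RouteTable -> firewall VPC.
TR_TABLES = {
    "system": [("10.1.0.0/16", "attach:VPC-01"), ("10.2.0.0/16", "attach:VPC-02")],
    "Cfw-TR-RouteTable": [("0.0.0.0/0", "attach:Cfw-TR-manual-VPC")],
}
# Attachment -> route table association after operations 12 to 14 of Step 6.
TR_ASSOC = {"VPC-01": "Cfw-TR-RouteTable", "VPC-02": "Cfw-TR-RouteTable", "Cfw-TR-manual-VPC": "system"}
# Route tables inside Cfw-TR-manual-VPC after Step 5.
FW_VPC_TABLES = {
    "system": [("0.0.0.0/0", "eni:cfw-bonding-eni")],  # TR-Vswitch-01/02 -> firewall ENI
    "VPC-CFW-RouteTable": [("0.0.0.0/0", "tr")],        # Cfw-Vswitch -> transit router
}

def lookup(table, dst):
    """Longest-prefix match over (cidr, next_hop) entries; None when nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, nh in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(src_vpc, dst, tr_assoc=TR_ASSOC, cfw_vsw_table="VPC-CFW-RouteTable", max_hops=8):
    """Hops a packet from src_vpc to dst takes; the path ends in a VPC name, DROP or LOOP."""
    hops, where, via = [src_vpc], "tr", src_vpc  # the packet enters the TR from src_vpc
    for _ in range(max_hops):
        if where == "tr":  # the TR uses the table associated with the ingress attachment
            table = tr_assoc[via]
            nh = lookup(TR_TABLES[table], dst)
            hops.append(f"TR/{table}")
            if nh != "attach:Cfw-TR-manual-VPC":  # reached a workload VPC, or no route at all
                return hops + [nh.split(":")[1] if nh else "DROP"]
            where, via = "fwvpc", "system"  # lands on TR-Vswitch-01/02, which use the system table
        else:  # inside Cfw-TR-manual-VPC; 'via' is the route table of the ingress vSwitch
            nh = lookup(FW_VPC_TABLES[via], dst)
            hops.append(f"Cfw-TR-manual-VPC/{via}")
            if nh == "eni:cfw-bonding-eni":  # inspected, then re-emitted on Cfw-Vswitch
                hops.append("cfw-bonding-eni")
                via = cfw_vsw_table
            elif nh == "tr":
                where, via = "tr", "Cfw-TR-manual-VPC"
            else:
                return hops + ["DROP"]
    return hops + ["LOOP"]

def inspected(src_vpc, dst, **kw):
    path = trace(src_vpc, dst, **kw)  # True only if the path reaches a VPC via the firewall ENI
    return path[-1] not in ("DROP", "LOOP") and "cfw-bonding-eni" in path
```

Passing a different tr_assoc (for example, VPC-01 still associated with the system table, as before operations 12 to 14) shows traffic bypassing the firewall, and passing cfw_vsw_table="system" (Cfw-Vswitch not associated with VPC-CFW-RouteTable) shows the forwarding loop that Step 5 avoids.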

Step 7: Check whether the forwarding configuration is successful

You can go to the Traffic Logs tab of the Log Audit page to check whether the traffic logs of the CEN instance are recorded. If the traffic logs are recorded, the forwarding configuration is successful. For more information, see Log audit.