
Cloud Firewall: Configure a VPC firewall for VPCs connected by using an Express Connect circuit

Last Updated: Dec 22, 2023

If your virtual private clouds (VPCs) are connected by using a VPC peering connection or an Express Connect circuit, you can use a VPC firewall to protect the traffic between the VPCs. This helps improve the security of your assets. This topic describes how to configure a VPC firewall for VPCs that are connected by using an Express Connect circuit.

Overview

Protection diagram (the diagram image is not reproduced here)

For more information about the protection scope of Cloud Firewall, see What is Cloud Firewall?

Limits

Item: VPC quota

When you create a VPC firewall, Cloud Firewall automatically creates a VPC named Cloud_Firewall_VPC in your account. Before you enable a VPC firewall, make sure that the VPC quota within your account is sufficient. For more information about the VPC quota, see Limits and quotas.

For example, if the VPC quota in a region is 10 and you enable a VPC firewall, you can create at most nine VPCs of your own, because one VPC is consumed by the VPC firewall.

Solution: If the VPC quota is exhausted, increase the VPC quota. For more information, see Manage VPC quotas.

Item: Routes with 32-bit subnet masks

Express Connect does not support advertising routes that use 32-bit subnet masks (/32). If such routes are advertised and a VPC firewall is enabled, connections to the /32 destinations are interrupted.

Solution: Before you enable the VPC firewall, change the subnet mask length of these routes to 30 bits or shorter. You can also join the DingTalk group 33081734 to obtain technical support for Cloud Firewall.
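The /32 limit above is easy to violate with a single host route, and the console only reports the problem as an outage after the firewall is enabled. The following pre-flight check is an added example and is not Cloud Firewall or Alibaba Cloud code: it walks the entries of the VPC route table you intend to select, flags /32 routes as errors and /31 routes as exceeding the recommended maximum, and parses the comma-separated Destination CIDR Blocks field used later in the Create VPC Firewall dialog box. The route entries are constructed sample data; their field names (DestinationCidrBlock, Type) are modelled on the VPC DescribeRouteEntryList response, but nothing here calls the API. The coverage check in uncovered_destinations is a sanity check of my own, not a rule the product documentation states.

```python
"""Pre-flight checks on a VPC route table before a VPC firewall is created for an Express Connect circuit.

Added example, not Cloud Firewall or Alibaba Cloud code. ROUTE_TABLE is a constructed
snapshot; the field names loosely follow the VPC DescribeRouteEntryList response.
"""
import ipaddress

# Constructed sample of the route table that would be selected from the Route Table
# drop-down list. Only the fields the checks need are present.
ROUTE_TABLE = [
    {"DestinationCidrBlock": "172.16.0.0/16", "Type": "System", "NextHopType": "local"},
    {"DestinationCidrBlock": "10.0.0.0/16", "Type": "Custom", "NextHopType": "RouterInterface"},
    {"DestinationCidrBlock": "10.1.5.0/31", "Type": "Custom", "NextHopType": "RouterInterface"},
    {"DestinationCidrBlock": "10.1.9.7/32", "Type": "Custom", "NextHopType": "RouterInterface"},
]

RECOMMENDED_MAX_PREFIXLEN = 30  # the page recommends subnet masks of 30 bits or shorter


def parse_destination_cidrs(field):
    """Parse the comma-separated Destination CIDR Blocks field into network objects.

    strict=True makes ipaddress reject entries with host bits set (for example
    10.0.0.1/16), which would otherwise slip through as a typo.
    """
    blocks = []
    for raw in field.split(","):
        raw = raw.strip()
        if raw:
            blocks.append(ipaddress.ip_network(raw, strict=True))
    return blocks


def find_long_prefixes(route_table, recommended_max=RECOMMENDED_MAX_PREFIXLEN):
    """Return (cidr, severity) pairs for custom routes longer than the recommended /30.

    A host route (/32 for IPv4) is unsupported over Express Connect and loses
    connectivity once the firewall is enabled, so it is an error; anything else
    longer than /30 only exceeds the recommendation and is a warning.
    """
    findings = []
    for entry in route_table:
        if entry.get("Type") != "Custom":
            continue  # system routes (the VPC's own CIDR) are not advertised over the circuit
        net = ipaddress.ip_network(entry["DestinationCidrBlock"])
        if net.prefixlen == net.max_prefixlen:
            findings.append((str(net), "error"))
        elif net.prefixlen > recommended_max:
            findings.append((str(net), "warning"))
    return findings


def uncovered_destinations(route_table, destinations):
    """Return destination CIDR blocks that no route entry in the table covers.

    Traffic to a destination with no matching route never reaches the Express Connect
    next hop, so the firewall would never see it. Sanity check, not a product rule.
    """
    nets = [ipaddress.ip_network(e["DestinationCidrBlock"]) for e in route_table]
    return [
        str(d) for d in destinations
        if not any(d.version == n.version and d.subnet_of(n) for n in nets)
    ]


def preflight(route_table, destination_field):
    """Combine the checks into the errors/warnings a reviewer would want before clicking Submit."""
    destinations = parse_destination_cidrs(destination_field)
    report = {"errors": [], "warnings": []}
    for cidr, severity in find_long_prefixes(route_table):
        report["errors" if severity == "error" else "warnings"].append(
            f"route {cidr}: prefix longer than /{RECOMMENDED_MAX_PREFIXLEN}"
        )
    for cidr in uncovered_destinations(route_table, destinations):
        report["warnings"].append(f"destination {cidr}: no route entry covers it")
    return report


if __name__ == "__main__":
    for level, items in preflight(ROUTE_TABLE, "10.0.3.0/24, 192.168.0.0/24").items():
        for item in items:
            print(f"[{level}] {item}")
```

Run it against an export of your own route table before you create the firewall; any entry in the errors list should be re-advertised with a shorter mask first, as the Limits section requires.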

Prerequisites

  • Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.

    Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to create VPC firewalls for VPCs that are connected by using an Express Connect circuit.

  • Cloud Firewall is authorized to access other cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.

  • An Express Connect circuit is purchased, and VPCs are connected by using the Express Connect circuit or a VPC peering connection. For more information, see Create and manage a VPC peering connection.

  • The VPC Firewall feature is supported in the regions in which your network resources reside. For more information, see Supported regions.

View statistical information

Cloud Firewall displays statistical information about VPC firewalls within the current account.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, view the following information: number of VPC firewalls in the Not Created state, number of VPC firewalls in the Created state, and available quota for VPC firewalls. You can also view the total number of network elements, number of protected network elements, and number of unprotected network elements.

    If the quota for VPC firewalls in your Cloud Firewall edition is exhausted, you can click Increase Quota to increase the quota based on your business requirements. For more information about the number of VPC firewalls that can be created in each edition, see Subscription.

  3. Click the View icon in the VPC Firewall section to view the numbers of VPC firewalls in the Not Created and Created states. The counts cover VPC firewalls for Enterprise Edition transit routers, Basic Edition transit routers, and VPCs connected by using Express Connect circuits.

  4. Click the View icon in the Protected Network Elements section to view the total number of network elements, the number of protected network elements, and the number of unprotected network elements. The network elements are VPCs, VBRs, transit routers, and VPN gateways.

The following list describes the statistical items:

  • CEN (Enterprise Edition)

    • Unprotected network elements: the number of network elements that are not protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Protected network elements: the number of network elements that are protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Available quota: the number of VPC firewalls that are enabled. Each transit router corresponds to a VPC firewall.

  • CEN (Basic Edition)

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. Each VPC corresponds to a VPC firewall.

  • Express Connect circuits

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. A local VPC and its peer VPC correspond to a VPC firewall.

Create a VPC firewall

Warning

If you change the vSwitch or the route table after you create a VPC firewall, your business may be interrupted.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, click the Express Connect tab.

  3. Click Synchronize Assets to synchronize the information about the assets of the current account and the member accounts.

    The process requires 1 minute to 2 minutes to complete.

  4. Find the Express Connect circuit for which you want to create a VPC firewall and click Create in the Actions column.

    If a large number of Express Connect circuits exist, you can search for the circuit by region, VPC, or Cloud Firewall configuration status. For example, you can select Unconfigured from the configuration status drop-down list and click Search to query all Express Connect circuits for which VPC firewalls are not configured.

  5. In the Create VPC Firewall dialog box, configure the following parameters.

    Instance Name: the name of the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall.

    Connection Type: the type of the connection between VPCs or between a VPC and a data center. In this example, the value is fixed to Express Connect.

    VPC: the information about the local VPC. Confirm the region and ID of the VPC and specify the route table and destination CIDR blocks.

    • Route table

      When you create a VPC, the system automatically creates a default route table and adds system route entries to the route table. You can create multiple route tables for a VPC based on your business requirements. For more information, see Route table overview.

      When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect circuit, you can view multiple VPC route tables and select the route tables that you want to use.

    • Destination CIDR block

      After you select a route table from the Route Table or Peer Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block or Peer Destination CIDR Blocks section. If you want to protect traffic that is destined for other CIDR blocks, you can change the destination CIDR block. You can add multiple CIDR blocks. Separate the CIDR blocks with commas (,).

    Peer VPC: the region and the name of the peer VPC. Confirm the information and configure the Peer Route Table and Peer Destination CIDR Block parameters.

    Intrusion Prevention: the intrusion prevention policies that you want to enable. Valid values:

    • IPS Mode

      • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.

      • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.

    • IPS Capabilities

      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.

      • Virtual Patches: You can use virtual patching to defend against the common high-risk application vulnerabilities in real time.

    Enable VPC Firewall: if you turn on Enable VPC Firewall, the VPC firewall is automatically enabled after it is created.

  6. Click Submit. In the message that appears, click Submit.

    Note

    If you add or delete routes in your VPC route table after you enable a VPC firewall, wait for 15 minutes to 30 minutes until Cloud Firewall learns the routes. After Cloud Firewall learns the routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support for Cloud Firewall.

    After you create the VPC firewall, Cloud Firewall automatically creates the following resources:

    • A VPC named Cloud_Firewall_VPC.

      Important

      Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not modify or delete the network resources in Cloud_Firewall_VPC.

    • A vSwitch named Cloud_Firewall_VSWITCH.

    • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.

    After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action parameter is set to Allow to the security group. The rule allows inbound traffic from the VPC firewall to ECS.

    Important

    Do not delete Cloud_Firewall_Security_Group or the security group rule. Otherwise, inbound traffic from the VPC firewall to ECS cannot be protected by the VPC firewall.

    If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform the operations during off-peak hours to prevent impacts on your business.
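The notes above name four resources that must survive untouched for the firewall to keep working: Cloud_Firewall_VPC (with nothing of yours inside it), Cloud_Firewall_VSWITCH, the custom route entry remarked "Created by cloud firewall. Do not modify or delete it.", and the Allow rule in Cloud_Firewall_Security_Group. The following audit is an added example and is not Cloud Firewall or Alibaba Cloud code: it checks a snapshot of one region's inventory for those four conditions and reports drift, such as an ECS instance that someone launched inside the firewall VPC or a security group rule that was deleted. INVENTORY is constructed sample data; its field names (VpcName, VSwitchName, SecurityGroupName, Permissions with Direction and Policy, Description on a route entry) are modelled on the VPC and ECS Describe* API responses, but nothing here calls the API.

```python
"""Audit the resources that Cloud Firewall creates for an Express Connect VPC firewall.

Added example, not Cloud Firewall or Alibaba Cloud code. INVENTORY is a constructed
snapshot whose field names are modelled on the VPC and ECS Describe* API responses.
"""

FIREWALL_VPC_NAME = "Cloud_Firewall_VPC"
FIREWALL_VSWITCH_NAME = "Cloud_Firewall_VSWITCH"
FIREWALL_SG_NAME = "Cloud_Firewall_Security_Group"
FIREWALL_ROUTE_REMARK = "Created by cloud firewall. Do not modify or delete it."

# Constructed inventory for one region as it might look after the firewall is created.
# The instance "i-stray" models a resource someone added to the firewall VPC by mistake.
INVENTORY = {
    "vpcs": [
        {"VpcId": "vpc-a", "VpcName": "prod-vpc"},
        {"VpcId": "vpc-fw", "VpcName": FIREWALL_VPC_NAME},
    ],
    "vswitches": [
        {"VSwitchId": "vsw-1", "VSwitchName": "prod-subnet", "VpcId": "vpc-a"},
        {"VSwitchId": "vsw-fw", "VSwitchName": FIREWALL_VSWITCH_NAME, "VpcId": "vpc-fw"},
    ],
    "instances": [
        {"InstanceId": "i-1", "VpcId": "vpc-a"},
        {"InstanceId": "i-stray", "VpcId": "vpc-fw"},
    ],
    "route_entries": [
        {"DestinationCidrBlock": "10.0.0.0/16", "Type": "Custom", "Description": FIREWALL_ROUTE_REMARK},
    ],
    "security_groups": [
        {
            "SecurityGroupName": FIREWALL_SG_NAME,
            "Permissions": [
                {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1"},
            ],
        },
    ],
}


def audit(inventory):
    """Return a list of findings; an empty list means the firewall plumbing is intact."""
    findings = []

    # 1. The firewall VPC and its vSwitch must exist.
    fw_vpc_ids = {v["VpcId"] for v in inventory["vpcs"] if v["VpcName"] == FIREWALL_VPC_NAME}
    if not fw_vpc_ids:
        findings.append(f"{FIREWALL_VPC_NAME} is missing")
    fw_vswitches = [s for s in inventory["vswitches"] if s["VpcId"] in fw_vpc_ids]
    if not any(s["VSwitchName"] == FIREWALL_VSWITCH_NAME for s in fw_vswitches):
        findings.append(f"{FIREWALL_VSWITCH_NAME} is missing from {FIREWALL_VPC_NAME}")

    # 2. Nothing of yours may live in the firewall VPC: it blocks deletion of the firewall later.
    for inst in inventory["instances"]:
        if inst["VpcId"] in fw_vpc_ids:
            findings.append(
                f"ECS instance {inst['InstanceId']} is in {FIREWALL_VPC_NAME}; "
                "it will prevent the VPC firewall from being deleted"
            )

    # 3. The route entry Cloud Firewall added must still be present.
    if not any(e.get("Description") == FIREWALL_ROUTE_REMARK for e in inventory["route_entries"]):
        findings.append("the route entry created by Cloud Firewall is missing")

    # 4. The security group and its inbound Allow rule must still be present.
    groups = [g for g in inventory["security_groups"] if g["SecurityGroupName"] == FIREWALL_SG_NAME]
    if not groups:
        findings.append(f"{FIREWALL_SG_NAME} is missing")
    elif not any(
        p["Direction"] == "ingress" and p["Policy"] == "Accept"
        for g in groups for p in g["Permissions"]
    ):
        findings.append(
            f"{FIREWALL_SG_NAME} has no ingress rule with Policy Accept; "
            "inbound traffic from the VPC firewall to ECS is not protected"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY) or ["no drift detected"]:
        print(finding)
```

Feed the function a real inventory pulled with the VPC and ECS Describe* operations and run it on a schedule; a non-empty result after a change window is the signal to restore the resource before traffic through the firewall is affected.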

Enable or disable a VPC firewall

Warning

When you disable a VPC firewall, existing connections may be briefly interrupted.

Cloud Firewall can protect your network resources only after you enable your VPC firewall.

  1. On the Firewall Settings page, click the VPC Firewall tab.

  2. On the Express Connect tab, find the VPC firewall that you want to manage and turn on or turn off the switch in the Firewall Settings column.

    Wait until the VPC firewall is enabled or disabled. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is enabled. If the status in the Firewall Status column of the VPC firewall changes to Disabled, the VPC firewall is disabled.

Modify or delete a VPC firewall

Warning

When you delete a VPC firewall, existing connections may be briefly interrupted.

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, you can go to the VPC Firewall tab, click the Express Connect tab, find the VPC firewall that you want to manage, and then click Modify or Delete in the Actions column.

What to do next

  • After you enable a VPC firewall, you can create an access control policy for the firewall to control traffic between VPCs. For more information, see Access control policies for VPC firewalls.

  • After you enable a VPC firewall, you can view the traffic between VPCs on the VPC Access page. For more information, see VPC Access.

  • After you enable a VPC firewall, you can view information about intrusion events that are detected in VPCs on the VPC Traffic Blocking tab of the Intrusion Prevention page. For more information, see View VPC traffic blocking events.