
Cloud Firewall: NAT Firewall

Last Updated: Jun 14, 2024

When resources such as Elastic Compute Service (ECS) instances and elastic container instances in virtual private clouds (VPCs) directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic. This topic describes how to configure a NAT firewall.


Feature description

Implementation

You can enable NAT firewalls and synchronize asset information with a few clicks, configure access control policies for NAT firewalls, view traffic analysis results, and audit logs.

After you enable a NAT firewall for a NAT gateway, the NAT firewall monitors all outbound traffic from internal-facing resources in VPCs to the NAT gateway, including resources in the same VPC and resources across VPCs. The NAT firewall matches information about the traffic against user-defined access control policies and the built-in threat intelligence library to determine whether to allow the traffic. The information includes the source address, destination address, port, protocol, application, and domain name. This way, unauthorized access to the Internet is blocked.

The following figure provides an example.


Impacts

When you enable or disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected. We recommend that you enable or disable a NAT firewall during off-peak hours.

  • When you create a NAT firewall, your workloads are not affected. However, if you turn on Status when you create a NAT firewall, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected.

    Note

    The period of time that is required to create a NAT firewall varies based on the number of elastic IP addresses (EIPs) associated with the NAT gateway. The period of time required increases by approximately 2 to 5 minutes for each additional EIP. During the period of time, your workloads are not affected.

  • If you delete a NAT firewall after it is disabled, your workloads are not affected.

Limits

  • After you enable a NAT firewall, we recommend that you do not modify the routes of the vSwitch of the NAT firewall or the routes whose next hop is the NAT firewall. Otherwise, service interruptions may occur.

  • If your Cloud Firewall expires and you do not renew Cloud Firewall, the NAT firewall that you create is automatically released and the traffic is switched back to the original route. Service interruptions may occur during the switch.

    We recommend that you enable auto-renewal or renew Cloud Firewall at the earliest opportunity to ensure that Cloud Firewall runs as expected. For more information, see Renewal.

  • If your NAT firewall is created before September 1, 2023, the maximum protection bandwidth of the NAT firewall for connections with the same destination IP address and destination port is 20 Mbit/s. Network jitter may occur if the bandwidth of connections with the same destination IP address and destination port exceeds 20 Mbit/s. If you want to increase the maximum protection bandwidth of your NAT firewall, we recommend that you delete the NAT firewall and create a new NAT firewall.

    If your NAT firewall is created on or after September 1, 2023, no limits are imposed on the protection bandwidth.

  • NAT firewalls cannot protect traffic of IPv6 addresses.

Procedure

The following flowchart shows how to use NAT firewalls.

Note

Cloud Firewall provides a default quota for NAT firewalls. If the default quota cannot meet your business requirements, you can purchase additional quotas. For more information, see Purchase Cloud Firewall.


Prerequisites

  • Cloud Firewall is activated, and a sufficient quota for NAT firewalls is purchased. For more information, see Purchase Cloud Firewall.

  • An Internet NAT gateway is created. For more information, see Create and manage a VPC.

    Important

    The NAT Firewall feature supports only Internet NAT gateways.

    The Internet NAT gateway must meet the following requirements:

    • The Internet NAT gateway resides in the region where the NAT Firewall feature is available. For more information about the regions where the NAT Firewall feature is available, see Supported regions.

    • At least one EIP is associated with the Internet NAT gateway, and the number of EIPs associated with the NAT gateway is no more than 10. For more information, see Create and manage an Internet NAT gateway.

    • An SNAT entry is created, and no DNAT entries exist on the Internet NAT gateway. For more information, see Create and manage SNAT entries.

      If a DNAT entry exists on the Internet NAT gateway, you must delete the DNAT entry before you can enable a NAT firewall. For more information, see Create and manage DNAT entries.

    • The VPC in which the Internet NAT gateway is deployed supports advanced VPC features. For more information, see Advanced VPC features.

    • A 0.0.0.0/0 route that points to the Internet NAT gateway is added for the VPC of the Internet NAT gateway. For more information, see Create and manage a route table.

    • The subnet mask of the CIDR block that is allocated to the VPC of the Internet NAT gateway is at least 28 bits in length.

Create and enable a NAT firewall

This section describes how to create a NAT firewall. You can create a NAT firewall for each NAT gateway.

Usage notes

  • The system requires approximately 1 minute to 5 minutes to synchronize information about new NAT gateways to the NAT Firewall feature.

  • The system requires approximately 1 minute to 2 minutes to synchronize the EIPs that are associated with the NAT gateway and the SNAT entries that are configured on the NAT gateway to the NAT Firewall feature. The EIPs and SNAT entries do not take effect until the synchronization is complete.

    You can also click Synchronize Assets on the Firewall Settings > Internet Firewall tab to manually synchronize the number of EIPs and the SNAT entries.

  • The system requires 30 minutes to synchronize the routes that point to the NAT gateway to the NAT Firewall feature.

    You can also click Synchronize Assets on the Firewall Settings > NAT Firewall tab to manually synchronize the routes.

  • When you create a NAT firewall, Cloud Firewall performs the following operations:

    • Adds the 0.0.0.0/0 route that points to the NAT gateway to the route table of the vSwitch created for the NAT firewall.

    • Modifies the 0.0.0.0/0 route in the system route table to point the next hop to the ENI of Cloud Firewall.
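
Protection depends on these two 0.0.0.0/0 routes staying as Cloud Firewall set them, so a periodic look at the route tables shows whether outbound traffic still passes through the NAT firewall. The following Python check is an added example, not Alibaba Cloud code; the route-table snapshot is constructed, and its IDs, field names, and "role" label are assumptions rather than the VPC or Cloud Firewall API schema.

```python
DEFAULT = "0.0.0.0/0"

# Constructed snapshot of one VPC's route tables after a NAT firewall was
# created. IDs, field names and the "role" label are assumptions for this
# example, not the VPC or Cloud Firewall API schema.
NAT_GW, FW_ENI = "ngw-example", "eni-cfw-example"
SAMPLE_TABLES = [
    {"id": "vtb-system", "role": "workload",
     "routes": [{"dest": DEFAULT, "next_hop": FW_ENI}]},
    {"id": "vtb-firewall", "role": "firewall",
     "routes": [{"dest": DEFAULT, "next_hop": NAT_GW}]},
    {"id": "vtb-custom", "role": "workload",  # edited by hand after enabling
     "routes": [{"dest": "10.8.0.0/16", "next_hop": "peer-example"},
                {"dest": DEFAULT, "next_hop": NAT_GW}]},
]


def default_next_hop(table):
    """Next hop of the table's 0.0.0.0/0 route, or None if it has none."""
    for route in table["routes"]:
        if route["dest"] == DEFAULT:
            return route["next_hop"]
    return None


def audit_redirection(tables, nat_gw=NAT_GW):
    """Return (table_id, finding) pairs for default routes that break redirection."""
    findings = []
    for table in tables:
        hop = default_next_hop(table)
        if table["role"] == "firewall":
            # The firewall vSwitch's table must hand inspected traffic to the NAT gateway.
            if hop != nat_gw:
                findings.append(
                    (table["id"], "firewall vSwitch table does not reach the NAT gateway"))
        elif hop == nat_gw:
            # Workload traffic reaches the NAT gateway without passing the firewall ENI.
            findings.append(
                (table["id"], "default route is not redirected through the NAT firewall"))
    return findings


if __name__ == "__main__":
    for table_id, finding in audit_redirection(SAMPLE_TABLES):
        print(f"{table_id}: {finding}")
```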

Procedure

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. Click the NAT Firewall tab. On the NAT Firewall tab, find the required NAT gateway and click Create in the Actions column.

  3. In the Create NAT Firewall panel, click Check Now. After the check is complete and all diagnostic items are passed, click Next.

    If you confirm that the NAT gateway meets all conditions required to create a NAT firewall, click Skip and Create.

  4. In the Create NAT Firewall panel, configure the following parameters.

    Basic Information

    Name: Enter a name for the NAT firewall.

    Traffic Redirection Configurations

    Select Route Table: Select the route table whose next hop is the NAT gateway and change the next hop to the route table created for Cloud Firewall. This way, the next hop of traffic destined for internal-facing assets points to the NAT firewall.

    vSwitch for Traffic Redirection and vSwitch CIDR Block: You can create a new vSwitch or select an existing vSwitch.

    • Usage notes for creating a CIDR block of the vSwitch:

      • You must allocate a CIDR block of the vSwitch to the NAT firewall for traffic redirection. The CIDR block must have a subnet mask of at least 28 bits in length and must not conflict with your network planning.

      • The CIDR block of the vSwitch must be within the CIDR block of the VPC and must not conflict with the current service CIDR block. After you allocate a CIDR block of the vSwitch, Cloud Firewall automatically associates the vSwitch with a custom route table.

    • Usage notes for selecting an existing vSwitch:

      • The NAT firewall must have a vSwitch that meets the following requirements. For more information, see Create and manage a VPC.

        • The vSwitch, NAT gateway, and NAT firewall must be deployed in the same VPC.

        • The vSwitch must reside in the same zone as the NAT gateway.

        • The subnet mask of the CIDR block of the vSwitch must be at least 28 bits in length, and the number of available IP addresses within the CIDR block must be greater than the number of EIPs that are specified in the SNAT entries of the NAT gateway.

        • No other cloud resource is connected to the vSwitch.

      • Create a route table and associate the route table with the vSwitch. For more information, see Create and manage a route table.

      • Optional. Add custom routes other than the 0.0.0.0/0 entry to the route table based on your business requirements. For more information, see Subnet routing.

        For example, if your workloads require communications between VPCs, you must manually add the backhaul route of the VPC to the route table.

      Note

      If no vSwitch is displayed in the drop-down list or the required vSwitch is dimmed, check whether the vSwitch is associated with other cloud resources and whether the vSwitch is associated with a custom route table. After you specify a vSwitch, you can click Synchronize Assets in the upper-right corner of the NAT Firewall tab.

    Engine Mode

    Engine Mode: Select the matching mode of the access control policy.

    • Loose Mode (default): Traffic whose application type or domain name is identified as Unknown is allowed to ensure normal access.

    • Strict Mode: Traffic whose application type or domain name is identified as Unknown is processed by all policies that you configure. If you configure a Deny policy, the traffic is denied.

  5. Select "I have read the preceding notes" and click Enable Firewall.

  6. After the NAT firewall is created, you must manually turn on Status.

    Traffic can be routed to the NAT firewall only after you enable the NAT firewall.
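
The prerequisites for the Internet NAT gateway and the requirements for reusing an existing vSwitch in step 4 can be evaluated before you open the Create NAT Firewall panel. The following Python check is an added example, not Alibaba Cloud code; it covers the EIP count, SNAT and DNAT entries, the 0.0.0.0/0 route, and the VPC, zone, available-address, and attached-resource conditions for the vSwitch. The inventory snapshot is constructed, and its field names and IDs are assumptions rather than the VPC API schema.

```python
import ipaddress

# Constructed inventory snapshot. Field names and IDs are assumptions made for
# this example; they are not the Alibaba Cloud VPC or Cloud Firewall API schema.
SAMPLE_GW = {
    "id": "ngw-example", "vpc_id": "vpc-example", "zone": "zone-a",
    "vpc_cidr": "10.0.0.0/16",
    "eips": ["203.0.113.10", "203.0.113.11"],
    "snat_entries": [{"source": "10.0.1.0/24",
                      "eips": ["203.0.113.10", "203.0.113.11"]}],
    "dnat_entries": [{"eip": "203.0.113.10", "port": 443}],
    "vpc_routes": [{"dest": "0.0.0.0/0", "next_hop": "ngw-example"}],
}
SAMPLE_VSW = {"vpc_id": "vpc-example", "zone": "zone-b", "cidr": "10.0.255.0/28",
              "available_ips": 12, "attached_resources": []}


def preflight(gw, vsw=None):
    """Return the unmet requirements as a list of strings (empty = ready)."""
    problems = []
    if not 1 <= len(gw["eips"]) <= 10:
        problems.append(f"EIP count {len(gw['eips'])} is outside 1..10")
    if not gw["snat_entries"]:
        problems.append("no SNAT entry on the NAT gateway")
    if gw["dnat_entries"]:
        problems.append("DNAT entries exist and must be deleted first")
    if not any(r["dest"] == "0.0.0.0/0" and r["next_hop"] == gw["id"]
               for r in gw["vpc_routes"]):
        problems.append("no 0.0.0.0/0 route points to the NAT gateway")
    if vsw is None:
        return problems
    # Requirements for reusing an existing vSwitch for traffic redirection.
    in_vpc = ipaddress.ip_network(vsw["cidr"]).subnet_of(
        ipaddress.ip_network(gw["vpc_cidr"]))
    if vsw["vpc_id"] != gw["vpc_id"] or not in_vpc:
        problems.append("vSwitch is not in the NAT gateway's VPC")
    if vsw["zone"] != gw["zone"]:
        problems.append("vSwitch is not in the NAT gateway's zone")
    # Available addresses must exceed the number of EIPs used by SNAT entries.
    snat_eips = {ip for entry in gw["snat_entries"] for ip in entry["eips"]}
    if vsw["available_ips"] <= len(snat_eips):
        problems.append("vSwitch has too few available IPs for the SNAT EIPs")
    if vsw["attached_resources"]:
        problems.append("other cloud resources are connected to the vSwitch")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_GW, SAMPLE_VSW):
        print("FAIL:", problem)
```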

What to do next

After you enable a NAT firewall, you can configure an access control policy for the NAT firewall and view audit logs to control traffic that originates from private assets and is destined for the Internet.

Configure access control policies

If you do not configure an access control policy, Cloud Firewall automatically allows all traffic. You can create access control policies for NAT firewalls to manage traffic from internal-facing assets to the Internet in a fine-grained manner.

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall for which you want to create an access control policy, click the icon in the Actions column, and then click Access Control.

On the page that appears, create an access control policy for the NAT firewall. For more information, see Create an access control policy for a NAT firewall.

View audit logs

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall whose audit logs you want to view, click the icon in the Actions column, and then click Log Audit.

On the page that appears, query the logs of traffic that originates from the private network and is destined for the Internet. For more information, see Log Audit.

View traffic analysis results

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall whose traffic analysis results you want to view, click the icon in the Actions column, and then click Traffic Analysis.

On the page that appears, view the analysis results of outbound connections that are initiated from the assets to the Internet by using the IP address of the NAT gateway. For more information, see Outbound Connection.

View statistics about protected traffic

In the left-side navigation pane, click Overview. In the upper-right corner of the Overview page, click More to view the peak traffic that can be protected by a NAT firewall, the recent peak traffic, and the quota used for NAT firewalls.


View the vSwitches for a NAT firewall

Go to the Firewall Settings > NAT Firewall tab and click Firewall vSwitch List in the upper-right corner of the NAT firewall list.

Disable and delete a NAT firewall

Warning

When you disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected. If you delete a NAT firewall after it is disabled, your workloads are not affected.

If you directly delete a NAT firewall when it is enabled, Cloud Firewall disables and deletes the NAT firewall at the same time. Persistent connections are temporarily closed for 1 to 2 seconds.

  • Disable a NAT firewall

    Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall that you want to disable, and then turn off the switch in the Switch column.

  • Delete a NAT firewall

    Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall that you want to delete, click the icon in the Actions column, and then click Delete.
