Cloud Firewall: Overview

Last Updated: Apr 30, 2024

This topic introduces the basic concept of a virtual private cloud (VPC) firewall and describes the scenarios of VPC firewalls.

What is a VPC firewall?

A VPC firewall monitors and manages traffic between VPCs and traffic between a VPC and a data center. If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or are connected by using an Express Connect circuit, you can create a VPC firewall to manage traffic between the VPCs and traffic between each VPC and a data center.

Centralized account management is supported when you use a VPC firewall. For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this example, you can use Account A to purchase Cloud Firewall Enterprise Edition or Ultimate Edition to protect traffic between VPC_1 and VPC_2.

Implementation

For more information about the protection diagrams of VPC firewalls, refer to the following topics:

Protection scope

Cloud Firewall provides three types of VPC firewalls. You can select a type based on your networking architecture.

VPC firewall type: VPC firewall that is created for an Enterprise Edition transit router

Scenario: This type of VPC firewall can protect the following types of traffic:

  • Traffic between VPCs in the same region

  • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router

  • Traffic between a VPC and a virtual border router (VBR) or a data center

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

  • Traffic between VBRs

  • Traffic between a VBR and a CCN instance

  • Traffic between a VPC and a public VPN gateway

This type of VPC firewall cannot protect traffic between CCN instances.

References: Configure a VPC firewall for an Enterprise Edition transit router

VPC firewall type: VPC firewall that is created for a Basic Edition transit router

Scenario: This type of VPC firewall can protect the following types of traffic:

  • Traffic between VPCs in the same region

  • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router

  • Traffic between a VPC and a VBR or a data center

  • Traffic between a VPC and a CCN instance

This type of VPC firewall cannot protect the following types of traffic:

  • Traffic between VBRs

  • Traffic between a VBR and a CCN instance

  • Traffic between CCN instances

References: Configure a VPC firewall for a Basic Edition transit router

VPC firewall type: VPC firewall that is created for an Express Connect circuit

Scenario: This type of VPC firewall can protect the following types of traffic:

  • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

  • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region, including VPCs that belong to the same account or different accounts

This type of VPC firewall cannot protect the following types of traffic:

  • Traffic between cross-region and cross-account VPCs that are connected by using an Express Connect circuit

  • Traffic between a VPC and a VBR

Note: If you want to protect the preceding types of traffic, we recommend that you use CEN to replace Express Connect. For more information, submit a ticket.

References: Configure a VPC firewall for VPCs connected by using an Express Connect circuit
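The protection scope above is easiest to reason about as a coverage check: given the links in a network, which ones does each VPC firewall type leave unprotected? The following Python script is an added example, not Alibaba Cloud code and not part of the original topic. It encodes the scope rules as stated above (element kinds VPC, VBR, CCN and VPN gateway; region, account and connection attributes) and reports the uncovered links for a constructed sample topology. The link names, the `Link` model, the `via` attribute and the firewall-type constants are assumptions made for the example; a data center reached through a VBR is modelled as a VBR, and VPC-to-VPN traffic, which the page lists only for the Enterprise Edition transit router, is treated as unprotected by the Basic Edition type.

```python
"""Coverage check for VPC firewall protection scope (added example, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Network element kinds named in the protection-scope table.
VPC, VBR, CCN, VPN = "VPC", "VBR", "CCN", "VPN"
# The three VPC firewall types (constants are assumptions for this example).
ENTERPRISE_TR, BASIC_TR, EXPRESS_CONNECT = "enterprise_tr", "basic_tr", "express_connect"


@dataclass(frozen=True)
class Link:
    """One traffic path between two network elements (constructed model)."""
    name: str
    a: str                      # kind of endpoint A (VPC, VBR, CCN, VPN)
    b: str                      # kind of endpoint B
    same_region: bool = True
    same_account: bool = True
    via: Optional[str] = None   # "circuit" or "peering"; only the Express Connect type looks at it


# Element pairs protected by a firewall for an Enterprise Edition transit router.
# A data center behind a VBR is modelled as VBR. CCN-CCN is absent on purpose: not protected.
_ENTERPRISE_TR_PAIRS = {
    frozenset([VPC]), frozenset([VPC, VBR]), frozenset([VPC, CCN]),
    frozenset([VBR]), frozenset([VBR, CCN]), frozenset([VPC, VPN]),
}
# Basic Edition transit router: VBR-VBR, VBR-CCN and CCN-CCN are excluded by the page;
# VPC-VPN is not listed as protected, so this model treats it as unprotected.
_BASIC_TR_PAIRS = {frozenset([VPC]), frozenset([VPC, VBR]), frozenset([VPC, CCN])}


def protectable(fw_type: str, link: Link) -> bool:
    """Return True if a VPC firewall of the given type can protect traffic on the link."""
    pair = frozenset([link.a, link.b])
    if fw_type == ENTERPRISE_TR:
        return pair in _ENTERPRISE_TR_PAIRS   # cross-region VPC-VPC is covered
    if fw_type == BASIC_TR:
        return pair in _BASIC_TR_PAIRS        # cross-region VPC-VPC is covered
    if fw_type == EXPRESS_CONNECT:
        # Only VPC-VPC traffic in one region is in scope; VPC-VBR is out of scope.
        if pair != frozenset([VPC]) or not link.same_region:
            return False
        if link.via == "circuit":
            return link.same_account          # circuit: same region and same account only
        return link.via == "peering"          # peering: same region, same or different account
    raise ValueError(f"unknown VPC firewall type: {fw_type}")


def coverage_report(fw_type: str, links: list[Link]) -> dict[str, list[str]]:
    """Split links into those the firewall type covers and those left unprotected."""
    report: dict[str, list[str]] = {"protected": [], "unprotected": []}
    for link in links:
        report["protected" if protectable(fw_type, link) else "unprotected"].append(link.name)
    return report


# Constructed sample topology; names and attributes are illustrative only.
SAMPLE_LINKS = [
    Link("vpc1-vpc2", VPC, VPC),
    Link("vpc1-vpc3-xregion", VPC, VPC, same_region=False),
    Link("vpc1-dc-vbr", VPC, VBR),
    Link("vbr1-vbr2", VBR, VBR),
    Link("ccn1-ccn2", CCN, CCN),
    Link("vpc1-vpn", VPC, VPN),
    Link("ec-circuit-same", VPC, VPC, via="circuit"),
    Link("ec-circuit-xaccount", VPC, VPC, same_account=False, via="circuit"),
    Link("peering-xaccount", VPC, VPC, same_account=False, via="peering"),
]

if __name__ == "__main__":
    for fw in (ENTERPRISE_TR, BASIC_TR, EXPRESS_CONNECT):
        rep = coverage_report(fw, SAMPLE_LINKS)
        print(f"{fw}: unprotected -> {rep['unprotected']}")
```

Running the script lists, per firewall type, the links that would carry traffic no VPC firewall inspects; those are the paths to cover with a different firewall type or, as the note above suggests for Express Connect, by moving the VPCs to CEN.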

Specifications

The specifications of VPC firewalls are the number of public IP addresses that can be protected and the peak Internet traffic that can be protected.

Specification: Number of supported VPC firewalls
Description: The number of VPC firewalls that can be created.

Specification: Protected VPC traffic
Description: The peak cross-VPC traffic that can be protected.

Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method: for both specifications, the value varies based on the number of VPC firewalls that you create and the cross-VPC traffic processing capability that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see Configure a VPC firewall for an Enterprise Edition transit router. The quotas vary based on the Cloud Firewall edition. For more information, see Subscription.

Cloud Firewall that uses the pay-as-you-go billing method: Not supported for either specification.

View the protection status of assets and quota usage

You can view the protected assets within the current account on the VPC Firewall tab.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, view the following information: number of VPC firewalls in the Not Created state, number of VPC firewalls in the Created state, and available quota for VPC firewalls. You can also view the total number of network elements, number of protected network elements, and number of unprotected network elements.

    If the quota for VPC firewalls in your Cloud Firewall edition is exhausted, you can click Increase Quota to increase the quota based on your business requirements. For more information about the number of VPC firewalls that can be created in each edition, see Subscription.

  3. Click the View icon in the VPC Firewall section to view the numbers of VPC firewalls in the Not Created and Created states. The VPC firewalls are configured for Enterprise Edition transit routers, Basic Edition transit routers, and VPCs connected by using Express Connect circuits.

  4. Click the View icon in the Protected Network Elements section to view the total number of network elements, number of protected network elements, and number of unprotected network elements. The network elements are VPCs, virtual border routers (VBRs), transit routers, and VPN gateways.

The following list describes the statistical items:

  • CEN (Enterprise Edition)

    • Unprotected network elements: the number of network elements that are not protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Protected network elements: the number of network elements that are protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Available quota: the number of VPC firewalls that are enabled. Each transit router corresponds to a VPC firewall.

  • CEN (Basic Edition)

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. Each VPC corresponds to a VPC firewall.

  • Express Connect circuits

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. A local VPC and its peer VPC correspond to a VPC firewall.