You can use a virtual private cloud (VPC) firewall to detect and manage traffic between two VPCs. If your VPCs are connected by using an Express Connect circuit or if the VPCs belong to the same Cloud Enterprise Network (CEN) instance, you can create a VPC firewall for the Express Connect circuit or the CEN instance. Cloud Firewall can be used to manage the traffic between two VPCs only after a VPC firewall is created and enabled.

Prerequisites

A CEN instance or an Express Connect circuit is created, and two VPCs are connected by using the instance or circuit. For more information, see Connect two VPCs under the same Alibaba Cloud account.

Background information

A VPC firewall can protect the traffic between two connected VPCs and the traffic between a VPC and a data center.
A VPC firewall is suitable for the following scenarios:

Editions that support VPC Firewall

Cloud Firewall Enterprise Edition and Ultimate Edition support VPC Firewall. Cloud Firewall Premium Edition does not support VPC Firewall. The VPC Firewall tab is not displayed in the console of Cloud Firewall Premium Edition.

Usage notes

After you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically creates the following resources:
  • A VPC named Cloud_Firewall_VPC.
  • A vSwitch named Cloud_Firewall_VSWITCH. The vSwitch uses the CIDR block 10.219.219.216/29.
  • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.
Take note of the following items:
  • Do not add other cloud resources to the created VPC.
  • Do not manually modify or delete the network resources in the created VPC.
  • Do not use the CIDR block 10.219.219.216/29 that the created vSwitch uses during network planning. This way, you can prevent CIDR block conflicts that cause communication failures between two VPCs.
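The CIDR check described in the usage notes, as an added example that is not part of the original page or of Cloud Firewall itself: it flags any planned VPC or vSwitch block that overlaps the reserved Cloud_Firewall_VSWITCH block 10.219.219.216/29, and also (going beyond the note) flags planned blocks that overlap each other, since either overlap breaks routing between the connected VPCs. The network plan is a constructed sample; the function and variable names are assumptions.

```python
import ipaddress

# The vSwitch CIDR block that Cloud Firewall reserves for Cloud_Firewall_VSWITCH (stated on the page).
CLOUD_FIREWALL_VSWITCH_CIDR = ipaddress.ip_network("10.219.219.216/29")


def find_cidr_conflicts(planned_cidrs):
    """Return a list of (name, cidr, reason) tuples for planned blocks that conflict.

    planned_cidrs maps a label (a VPC or vSwitch name) to its IPv4 CIDR string.
    A conflict is an overlap with the reserved Cloud Firewall vSwitch block, or an
    overlap with a block that appeared earlier in the plan (checked pairwise, so a
    block overlapping several earlier ones is reported once per overlap).
    """
    parsed = {}
    conflicts = []
    for name, cidr in planned_cidrs.items():
        net = ipaddress.ip_network(cidr)  # raises ValueError on a malformed block
        if net.overlaps(CLOUD_FIREWALL_VSWITCH_CIDR):
            conflicts.append((name, cidr, f"overlaps reserved {CLOUD_FIREWALL_VSWITCH_CIDR}"))
        for other_name, other_net in parsed.items():
            if net.overlaps(other_net):
                conflicts.append((name, cidr, f"overlaps {other_name} ({other_net})"))
        parsed[name] = net
    return conflicts


# Constructed sample plan (hypothetical names). The /24 silently swallows the reserved /29,
# which is exactly the planning mistake the usage note warns about.
SAMPLE_PLAN = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.1.0.0/16",
    "vsw-shared-services": "10.219.219.0/24",
}

if __name__ == "__main__":
    for name, cidr, reason in find_cidr_conflicts(SAMPLE_PLAN):
        print(f"{name} {cidr}: {reason}")
```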

Create a VPC firewall for a CEN instance

Cloud Firewall can protect cross-account VPCs that are connected by using a CEN instance. A cross-account VPC is a VPC that was created by an Alibaba Cloud account other than the account that owns the CEN instance in which the VPC exists. If a cross-account VPC exists in a CEN instance, you must authorize Cloud Firewall to access the cloud resources of the account that created the cross-account VPC. If you try to create a VPC firewall for the cross-account VPC without granting this authorization, a message is displayed indicating that unauthorized VPCs exist and that the VPC firewall cannot be created.

To authorize Cloud Firewall to access the cloud resources of an Alibaba Cloud account, perform the following steps:
  1. Log on to the Cloud Firewall console by using the Alibaba Cloud account.
  2. In the Service-Linked Role for Cloud Firewall dialog box, click OK.
Note If you want to create a VPC firewall for a CEN instance, take note of the following items:
  • The VPC firewall can protect cross-region VPCs and cross-account VPCs. VPC Firewall is supported only if the Alibaba Cloud account that created the CEN instance uses a paid edition of Cloud Firewall (Enterprise or Ultimate). If that account uses a paid edition, VPC Firewall is supported for a cross-account VPC in the CEN instance regardless of whether the account that owns the VPC uses a paid edition.
  • VPC Firewall can be enabled for a maximum of 10 VPCs in a region of a CEN instance. If you want to increase the quota, submit a ticket.
  • VPC firewalls can protect traffic between VPCs, between a VPC and a Virtual Border Router (VBR) or a data center, and between a VPC and a Cloud Connect Network (CCN) instance. However, VPC firewalls cannot protect traffic between VBRs, between CCN instances, or between a CCN instance and a VBR.
To create a VPC firewall for a CEN instance, perform the following steps:
Note When you create, enable, disable, or delete a Virtual Private Cloud (VPC) firewall, the system automatically modifies the custom routes in your VPC route table, which causes a short network interruption. If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.
  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  3. On the Firewall Settings page, click the VPC Firewall tab.
  4. On the VPC Firewall tab, click the CEN tab.
  5. Find the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.
    Cloud Firewall can manage traffic between two VPCs that are connected by using an Enterprise Edition transit router of the CEN instance.
    If a large number of CEN instances exist, you can search for CEN instances by region, CEN name, VPC name, or configuration status of Cloud Firewall. For example, you can select Unconfigured from the configuration status drop-down list and click Search to query all CEN instances for which Cloud Firewall is not configured.
  6. In the Create VPC Firewall dialog box, configure the parameters.

    The following parameters are required to create a VPC firewall for CEN-connected VPCs.

    Instance Name
      The name of the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
    Routing Mode
      The routing mode of the traffic that passes through Cloud Firewall. This parameter is required only when you use an Enterprise Edition transit router of the CEN instance. Valid values:
      • Automatic: If you select this option, Cloud Firewall automatically assigns a VPC and a CIDR block that the vSwitch uses for the VPC firewall.
      • Manual: You can select this option to manually assign a VPC and a CIDR block that the vSwitch uses for the VPC firewall without affecting the existing network architecture. This option applies if you deployed multiple VPCs and CIDR blocks in your network, used CEN transit routers to connect the VPCs, and planned CIDR blocks for Cloud Firewall.
        Notice If you select this option, you must select the VPC with which the CEN instance is associated and the vSwitch that the CEN instance uses. In manual mode, renew your Cloud Firewall before it expires. If your Cloud Firewall expires, its features become unavailable and traffic can no longer be directed to the VPC firewall that you created, which causes network interruptions.
    IPS Mode
      The working mode of the intrusion prevention system (IPS). Valid values:
      • Monitoring Mode: If you select this option, Cloud Firewall monitors traffic and sends alerts when malicious traffic is detected.
      • Traffic Control Mode: If you select this option, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.
      Note This setting applies to all VPCs that belong to the CEN instance.
    IPS Capabilities
      The intrusion prevention policies that you want to enable. Valid values:
      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.
      • Virtual Patches: Virtual patches can be used to defend against common high-risk application vulnerabilities in real time.
      Note This setting applies to all VPCs that belong to the CEN instance.
  7. Click Submit. In the message that appears, click Submit. The VPC firewall is created.
  8. Turn on Firewall switch in the Firewall Settings column.
    Wait until the VPC firewall takes effect. When the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is in effect.
Note After a Virtual Private Cloud (VPC) firewall is enabled, a security group named Cloud_Firewall_Security_Group is automatically created and an access control policy is created to allow traffic to the VPC firewall. Do not modify or delete this security group and the access control policy.

Create a VPC firewall for an Express Connect circuit

Note If your VPCs are connected by using an Express Connect circuit, you can create a VPC firewall to protect traffic between VPCs in the same region. However, the VPC firewall cannot protect traffic between a VPC and a VBR or between the VPCs that are deployed in different regions or created by using different Alibaba Cloud accounts.

To create a VPC firewall for an Express Connect circuit, perform the following steps:

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Firewall Settings > Firewall Settings.
  3. On the Firewall Settings page, click the VPC Firewall tab.
  4. On the VPC Firewall tab, click the Express Connect tab.
  5. Find the Express Connect circuit for which you want to create a VPC firewall and click Create in the Actions column.
    If a large number of Express Connect circuits exist, you can search for circuits by region, VPC, or configuration status of Cloud Firewall. For example, you can select Unconfigured from the configuration status drop-down list and click Search to query all Express Connect circuits for which Cloud Firewall is not configured.
  6. In the Create VPC Firewall dialog box, configure the parameters. The following parameters are available.

    Instance Name
      The name of the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.
    Connection Type
      The type of the connection between VPCs or between a VPC and a data center. In this scenario, the value is fixed to Express Connect.
    VPC
      The region and the name of the VPC. Confirm the information and configure Route Table and Destination CIDR Block.
      • Route table

        When you create a VPC, the system automatically creates a default route table. You can add system routes to the route table to manage VPC traffic. VPC allows you to create multiple route tables based on your business requirements. For more information, see Overview.

        When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect circuit, you can view multiple VPC route tables and select the route tables that you want to protect.

      • Destination CIDR block

        After you select a route table from the Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block section. If you need to protect traffic that is destined for other CIDR blocks, you can modify the destination CIDR block. You can add multiple CIDR blocks. Separate the CIDR blocks with commas (,).

    Peer VPC
      The region and the name of the peer VPC. Confirm the information and configure Peer Route Table and Peer Destination CIDR Blocks. For more information about route tables and destination CIDR blocks, see the VPC parameter description above.
    Intrusion Prevention
      The intrusion prevention policies that you want to enable. Valid values:
      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.
      • Virtual Patches: Virtual patches can be used to defend against common high-risk application vulnerabilities in real time.
    Enable VPC Firewall
      If you turn on Enable VPC Firewall, the VPC firewall is automatically enabled after it is created. If you do not want the VPC firewall to be enabled automatically after it is created, turn off Enable VPC Firewall.
  7. Click Submit. In the message that appears, click Submit.
    The VPC firewall is created. If you turned on Enable VPC Firewall when you configured the VPC firewall, wait until the VPC firewall is enabled. When the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is in effect.

Use a VPC firewall to protect traffic between a VPC and a data center

A VPC firewall can protect traffic between a VPC and a data center that are connected by a VBR. If a VPC and a data center are connected by the VBR of a CEN instance, traffic between the VPC and the data center is automatically protected after you enable the VPC firewall created for the CEN instance. You do not need to create or enable a VPC firewall for the VBR.

To view the protection details of the VBR, log on to the Cloud Firewall console, go to the Firewall Settings page, and then click the VPC Firewall tab. On the CEN tab, view the details about the VBR.

What to do next

After a VPC firewall is created, you can perform the following operations:
  • On the VPC Firewall tab, click Modify or Delete in the Actions column to modify or delete an existing VPC firewall.
  • On the VPC Firewall tab, enable or disable the VPC firewall. For more information, see Enable or disable VPC Firewall.
  • In the left-side navigation pane, choose Access Control > Access Control. On the Access Control page, click the VPC Firewall tab. On the VPC Firewall tab, configure VPC firewall policies to manage traffic between VPCs. For more information, see Create an access control policy for a VPC firewall.

After a VPC firewall is enabled, VPC access traffic is collected and analyzed. You can view the statistics and analysis results on the VPC Access page. To go to the VPC Access page, choose Traffic Analysis > VPC Access in the left-side navigation pane. For more information, see VPC access.