
Cloud Firewall:Configure a VPC firewall for an Enterprise Edition transit router

Last Updated:Feb 19, 2024

If your network instances are connected by using an Enterprise Edition transit router of a Cloud Enterprise Network (CEN) instance, you can use a virtual private cloud (VPC) firewall to protect traffic between the network instances. This helps improve the security of your assets. The network instances can be VPCs, virtual border routers (VBRs), Cloud Connect Network (CCN) instances, and VPN gateways. This topic describes how to create a VPC firewall for an Enterprise Edition transit router and manage the VPC firewall.

Overview

Protection diagram (image not reproduced here)

For more information about the protection scope, see What is Cloud Firewall?

Limits

  • Before you enable a VPC firewall, make sure that a VPC named Cloud_Firewall_VPC is created and the VPC quota within your account is sufficient. For more information about the VPC quota, see Limits and quotas.

  • The automatic traffic redirection mode is not supported in the following scenarios:

    • A static route other than 100.64.0.0/10 exists in the route tables of an Enterprise Edition transit router.

    • Multiple traffic redirection scenarios are configured for VPCs, VBRs, or transit routers.

    • Basic Edition transit routers are added to the automatic traffic redirection mode.

    • Transit routers have route conflicts.

    • The VPC prefix list feature is used.

  • VPN gateways that are directly associated with VPCs by using the IPSec-VPN or SSL VPN feature are not supported. However, VPN gateways that are added to transit routers by using an IPsec-VPN connection are supported. For more information, see Associate IPsec-VPN connections with transit routers.

Prerequisites

View statistical information

Cloud Firewall displays statistical information about VPC firewalls within the current account.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, view the following information: number of VPC firewalls in the Not Created state, number of VPC firewalls in the Created state, and available quota for VPC firewalls. You can also view the total number of network elements, number of protected network elements, and number of unprotected network elements.

    If the quota for VPC firewalls in your Cloud Firewall edition is exhausted, you can click Increase Quota to increase the quota based on your business requirements. For more information about the number of VPC firewalls that can be created in each edition, see Subscription.


  3. Click the View icon in the VPC Firewall section to view the numbers of VPC firewalls in the Not Created and Created states. The VPC firewalls are configured for Enterprise Edition transit routers, Basic Edition transit routers, and VPCs connected by using Express Connect circuits.

  4. Click the View icon in the Protected Network Elements section to view the total number of network elements, number of protected network elements, and number of unprotected network elements. The network elements are VPCs, VBRs, transit routers, and VPN gateways.

The following list describes the statistical items:

  • CEN (Enterprise Edition)

    • Unprotected network elements: the number of network elements that are not protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Protected network elements: the number of network elements that are protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.

    • Available quota: the number of VPC firewalls that are enabled. Each transit router corresponds to a VPC firewall.

  • CEN (Basic Edition)

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. Each VPC corresponds to a VPC firewall.

  • Express Connect circuits

    • Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.

    • Protected network elements: the number of VPCs that are protected by VPC firewalls.

    • Available quota: the number of VPC firewalls that are enabled. A local VPC and its peer VPC correspond to a VPC firewall.

Create a VPC firewall

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the Firewall Settings page, click the VPC Firewall tab.

  3. On the VPC Firewall tab, click the CEN (Enterprise Edition) tab.

  4. Find the transit router of the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.

    Automatic (Recommended)

    In automatic traffic redirection mode, you can create a traffic forwarding scenario for network instances based on your business requirements. The VPC Firewall feature automatically configures routing in the Enterprise Edition transit router based on the scenario and creates an elastic network interface (ENI) for the VPC firewall to redirect traffic.

    1. In the Create VPC Firewall panel, configure the following parameters. Then, click Start Creation.

      Parameter

      Description

      Firewall Basic Information

      Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.

      VPC Configurations of Firewall

      Allocate a CIDR block to the VPC that is automatically created for the VPC firewall and allocate three subnet CIDR blocks from the specified CIDR block to the vSwitches associated with the VPC. The mask of each subnet CIDR block must be less than or equal to 28 bits in length, and each subnet CIDR block cannot conflict with your network plan.

      If your service is latency-sensitive, we recommend that you use the same primary and secondary zones for the vSwitches of the VPC that is created for the VPC firewall and the VPC that is used in your workloads. This helps reduce latency. The first zone that you select for Available vSwitch Regions is the primary zone, and the second is the secondary zone. If you do not configure Available vSwitch Regions, Cloud Firewall automatically allocates zones.

      Intrusion Prevention

      Specify the working mode of the intrusion prevention system (IPS) and the intrusion prevention policies that you want to enable.

      • IPS Mode

        • Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.

        • Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.

      • IPS Capabilities

        • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.

        • Virtual Patching: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.

      Note

      This setting applies to all network instances that belong to the same CEN instance.

    2. After the VPC firewall is created, click Next. Configure a traffic redirection scenario based on the following table.

      You can also configure a traffic redirection scenario later. To configure a traffic redirection scenario, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the required transit router of your CEN instance, and then click Configure Now in the Firewall Status column. On the Traffic Redirection Scenario tab of the panel that appears, click Immediately Create Traffic Redirection Scenario. In the Create Traffic Redirection Scenario panel, configure the parameters.

      Parameter

      Description

      Basic Information

      Template Name: Specify a name for the traffic redirection template.

      Select a scenario

      Select the type of the scenario in which the VPC firewall manages and protects traffic.

      • Instance-Instance: If you select this option, Cloud Firewall manages traffic between two network elements. This option is suitable for simple network topologies.

      • Instance to Instances: If you select this option, Cloud Firewall manages traffic between one network element and multiple network elements. This option is suitable for star network topologies. If you select this option, you can set Instance Type to ALL for the secondary instance. This way, Cloud Firewall manages all traffic of the primary instance.

      • Interconnected Instances: If you select this option, Cloud Firewall manages traffic between multiple network elements. This option is suitable for full mesh network topologies.

      Note

      Network elements are network instances that are connected by using Enterprise Edition transit routers. The network elements can be VPCs, VBRs, or transit routers.

      Select Traffic Redirection Instance

      Configure Instance Type and Instance ID.

      Important

      In automatic traffic redirection mode, the number of VPCs that can be protected is calculated based on the number of network elements configured for the traffic redirection scenario. The network elements can be VPCs, transit routers, VBRs, or VPN gateways.

    3. Click OK.

      The creation process requires approximately 30 minutes to complete. After the traffic redirection scenario is created, Cloud Firewall protects traffic between the network instances that are connected by using the transit router.
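As an added pre-flight check (not part of the original page and not Cloud Firewall's own code), the following Python validates a planned firewall VPC CIDR block and its three subnet CIDR blocks against the rules stated in the VPC Configurations parameter above, and lists the transit router static routes that would rule out automatic traffic redirection mode under Limits. All CIDR values are constructed sample values.

```python
import ipaddress

# Constructed sample plan (not from the original page): the CIDR block allocated
# to the firewall VPC, the three subnet CIDR blocks for its vSwitches, and the
# CIDR blocks already used by workload VPCs in the network plan.
FIREWALL_VPC_CIDR = "10.200.0.0/24"
FIREWALL_SUBNETS = ["10.200.0.0/28", "10.200.0.16/28", "10.200.0.32/28"]
NETWORK_PLAN_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/24"]

MAX_SUBNET_PREFIX = 28                      # mask length must be <= 28 bits
TR_ALLOWED_STATIC = ipaddress.ip_network("100.64.0.0/10")  # only static route permitted


def check_firewall_vpc_plan(vpc_cidr, subnet_cidrs, plan_cidrs):
    """Return a list of problems with the plan; an empty list means it is valid.

    Rules from the VPC Configurations parameter: exactly three subnet blocks,
    each carved from the firewall VPC CIDR, each with a mask of at most 28 bits,
    none overlapping each other or a CIDR block already in the network plan.
    Malformed CIDR strings raise ValueError from ipaddress, which is intended.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    plan = [ipaddress.ip_network(p, strict=True) for p in plan_cidrs]

    if len(subnets) != 3:
        problems.append(f"expected 3 subnet CIDR blocks, got {len(subnets)}")
    for s in subnets:
        if s.prefixlen > MAX_SUBNET_PREFIX:
            problems.append(f"{s}: mask longer than /{MAX_SUBNET_PREFIX}")
        if not s.subnet_of(vpc):
            problems.append(f"{s}: not inside firewall VPC CIDR {vpc}")
        for p in plan:
            if s.overlaps(p):
                problems.append(f"{s}: conflicts with network plan CIDR {p}")
    # Subnets must also be disjoint from one another.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def routes_blocking_automatic_mode(static_routes):
    """Return the transit router static routes that rule out automatic mode.

    The Limits section allows exactly one static route, 100.64.0.0/10; any
    other static route in the transit router route tables disables the mode.
    """
    return [r for r in static_routes
            if ipaddress.ip_network(r, strict=True) != TR_ALLOWED_STATIC]
```

Run the checks before clicking Start Creation; a non-empty result from either function means the panel configuration or the transit router route tables need to be adjusted first.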

    Manual traffic redirection mode

    In manual traffic redirection mode, you can create an ENI for the VPC firewall in the Enterprise Edition transit router and configure routes to redirect traffic to the ENI.

    Important

    In manual traffic redirection mode, you must select a VPC that is attached to the CEN instance and a vSwitch that is available. In addition, you must renew your Cloud Firewall at the earliest opportunity before it expires. If your Cloud Firewall expires, the features of Cloud Firewall become unavailable, and traffic cannot be redirected to the VPC firewall that you created. As a result, network interruptions occur.

    1. In the Create VPC Firewall panel, configure the parameters.

      Parameter

      Description

      Firewall Basic Information

      • Firewall Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.

      • VPC: Select the VPC for which you want to create a VPC firewall.

      • vSwitch: Select a vSwitch for the VPC firewall.

      Intrusion Prevention

      Specify the working mode of the IPS and the intrusion prevention policies that you want to enable.

      • IPS Mode

        • Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.

        • Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.

      • IPS Capabilities

        • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a C&C server.

        • Virtual Patching: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.

      Note

      This setting applies to all network instances that belong to the same CEN instance.

    2. Click Start Creation.

    Note

    If you add or delete routes in your VPC route table after you enable a VPC firewall, wait for 15 to 30 minutes until Cloud Firewall learns routes. After Cloud Firewall learns routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

    After you create the VPC firewall, Cloud Firewall automatically creates the following resources:

    • A VPC named Cloud_Firewall_VPC.

      Important

      Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not manually modify or delete the network resources in Cloud_Firewall_VPC.

    • A vSwitch named Cloud_Firewall_VSWITCH.

    • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.

    After you enable the VPC firewall, ECS automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action is set to Allow to the security group to allow inbound traffic from the VPC firewall to ECS.

    Important

    Do not delete the security group Cloud_Firewall_Security_Group or the security group rule whose Action is set to Allow. Otherwise, the inbound traffic from the VPC firewall to ECS cannot be protected by the VPC firewall.

    Warning

    • If you change the vSwitch and route table after a VPC firewall is created, network interruptions may occur.

    • If you disable or delete a VPC firewall that is created for an Enterprise Edition transit router in manual traffic redirection mode, network interruptions may occur.

    If you want to perform batch operations on VPC firewalls or if you frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.

Manage the automatic traffic redirection mode

  1. On the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the transit router of the CEN instance, and then click Details in the Actions column.

  2. In the VPC Firewall Details panel, click the Traffic Redirection Scenario tab and perform the following operations based on your business requirements:

    • Disable a traffic redirection scenario

      1. Turn off the switch for an enabled traffic redirection scenario in the scenario card.

      2. In the Disable Traffic Redirection Scenario dialog box, disable the traffic redirection scenario by using the Withdraw Route or Roll Back Route method.

        • Withdraw Route (Recommended): If you select this option, the routes that are specified when you create the traffic redirection scenario are removed. The route tables that are created by the firewall are retained. The period of time that the process requires varies based on the number of routes. Wait until the scenario is disabled.

        • Roll Back Route: If you select this option, the route table that is configured before the traffic redirection scenario is created is restored. The route table that is created by the firewall is deleted. After you select Roll Back Route, the information about the route table that is configured before the traffic redirection scenario is created is automatically displayed. Make sure that the route table that is configured before the traffic redirection scenario is created is available.

      3. Click OK.

        Important

        The disable operation cannot be cancelled. Before you disable a traffic redirection scenario, make sure that you no longer require the scenario. After the scenario is disabled, check whether your workloads are normal at the earliest opportunity.

    • Delete an automatic traffic redirection scenario

      Move the pointer over the card of the scenario that you want to delete and click Delete. Before you delete an automatic traffic redirection scenario, you must disable the scenario.

    • Modify an automatic traffic redirection scenario

      Move the pointer over the card of the scenario that you want to modify and click Edit.

    • View the details of routes

      Move the pointer over the card of the scenario whose route details you want to view and click Route Details. You can view the details of the routes that are configured for the VPC firewall.

Modify or delete a VPC firewall

If you want to modify the configurations of a VPC firewall or you no longer require a VPC firewall, go to the VPC Firewall tab, click the CEN (Enterprise Edition) tab, find the transit router of the CEN instance for which the VPC firewall is created, and then click Edit or Delete in the Actions column.

Important

  • Manual: If you want to delete a VPC firewall, you must manually delete the routes that are used to route traffic to the VPC firewall before you delete the VPC firewall. This helps ensure that your workloads are not affected.

  • Automatic: If you want to delete a VPC firewall that is enabled, you must delete all traffic redirection scenarios that are created for the VPC firewall before you can delete the VPC firewall.

What to do next

  • After you enable a VPC firewall, you can create an access control policy for the VPC firewall to control traffic between VPCs. For more information, see Access control policies for VPC firewalls.

  • After you enable a VPC firewall, you can view the traffic between VPCs on the VPC Access page. For more information, see View VPC access data.

  • After you enable a VPC firewall, you can view the information about intrusion events that are detected in VPCs on the VPC Traffic Blocking tab of the Intrusion Prevention page. For more information, see VPC Traffic Blocking.