
Cloud Firewall: NAT Firewall

Last Updated: Apr 12, 2024

When resources such as Elastic Compute Service (ECS) instances and elastic container instances in virtual private clouds (VPCs) directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic. This topic describes how to configure a NAT firewall.

Feature description

Implementation

You can enable NAT firewalls and synchronize asset information with a few clicks, configure access control policies for NAT firewalls, view traffic analysis results, and audit logs.

After you enable a NAT firewall for a NAT gateway, the NAT firewall monitors all outbound traffic from internal-facing resources in VPCs to the NAT gateway, including resources in the same VPC and resources across VPCs. The NAT firewall matches information about the traffic against user-defined access control policies and the built-in threat intelligence library to determine whether to allow the traffic. The information includes the source address, destination address, port, protocol, application, and domain name. This way, unauthorized access to the Internet is blocked.

The following figure provides an example.

image

Impacts

  • When you enable or disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected. We recommend that you enable or disable a NAT firewall during off-peak hours.

    • When you create a NAT firewall, your workloads are not affected. However, if you turn on Status when you create a NAT firewall, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected.

      Note

      The period of time that is required to create a NAT firewall varies based on the number of elastic IP addresses (EIPs) associated with the NAT gateway. The period of time required increases by approximately 2 to 5 minutes for each additional EIP. During the period of time, your workloads are not affected.

    • If you delete a NAT firewall after it is disabled, your workloads are not affected.

  • After you enable a NAT firewall, we recommend that you do not modify the routes of the vSwitch of the NAT firewall or the routes whose next hop is the NAT firewall. Otherwise, service interruptions may occur.

  • If your Cloud Firewall expires and you do not renew Cloud Firewall, the NAT firewall that you create is automatically released and the traffic is switched back to the original route. Service interruptions may occur during the switch.

    We recommend that you enable auto-renewal or renew Cloud Firewall at the earliest opportunity to ensure that Cloud Firewall runs as expected. For more information, see Renewal.

  • If your NAT firewall is created before September 1, 2023, the maximum protection bandwidth of the NAT firewall for connections with the same destination IP address and destination port is 20 Mbit/s. Network jitters may occur if the bandwidth of connections with the same destination IP address and destination port exceeds 20 Mbit/s. If you want to increase the maximum protection bandwidth of your NAT firewall, we recommend that you delete the NAT firewall and create a new one.

    If your NAT firewall is created on or after September 1, 2023, no limits are imposed on the protection bandwidth.

Procedure

The following flowchart shows how to use NAT firewalls.

Note

Cloud Firewall provides a default quota for NAT firewalls. If the default quota cannot meet your business requirements, you can purchase additional quotas. For more information, see Purchase Cloud Firewall.

image

Prerequisites

  • Cloud Firewall is activated, and a sufficient quota for NAT firewalls is purchased. For more information, see Purchase Cloud Firewall.

  • An Internet NAT gateway is created, and the NAT gateway meets the following requirements:

    Important

    The NAT Firewall feature supports only Internet NAT gateways.

    • The NAT gateway resides in the region where the NAT Firewall feature is available. For information about the regions where NAT Firewall is available, see Supported regions.

    • At least one EIP is associated with the NAT gateway, and the number of EIPs associated with the NAT gateway is no more than 10. For more information, see Create and manage an Internet NAT gateway.

    • An SNAT entry is created, and no DNAT entries exist on the NAT gateway. For more information, see Create and manage SNAT entries.

      If a DNAT entry exists on the NAT gateway, you must delete the DNAT entry before you can enable a NAT firewall. For more information, see Create and manage DNAT entries.

    • The VPC in which the NAT gateway is deployed supports advanced VPC features. For more information, see Advanced VPC features.

    • A 0.0.0.0/0 route that points to the NAT gateway is added for the VPC of the NAT gateway. For more information, see Create and manage a route table.

    • The mask of the subnet CIDR block that is allocated to the VPC of the NAT gateway must be at least 28 bits in length.

Create a NAT firewall

This section describes how to create a NAT firewall. You can create a NAT firewall for each NAT gateway.

Usage notes

  • The system requires approximately 30 minutes to synchronize the information about new NAT gateways to Cloud Firewall.

    You can also perform the following operations to manually synchronize the information about new NAT gateways: In the left-side navigation pane, choose Firewall Settings > Internet Firewall and click Synchronize Assets.

  • After you enable a NAT firewall, the system requires approximately 30 minutes to synchronize the EIPs that are associated with the NAT gateway and the SNAT entries that are configured on the NAT gateway to the NAT firewall. The EIPs and SNAT entries do not take effect until the synchronization is complete.

    You can also perform the following operations to manually synchronize the routes associated with the NAT gateway: In the left-side navigation pane, choose Firewall Settings > VPC Firewall and click Synchronize Assets.

Procedure

You can create the NAT firewall in Automatic Mode or Manual Mode.

  • Automatic Mode: In this mode, Cloud Firewall automatically creates a vSwitch and advertises routes. You do not need to perform additional operations.

    When you create a NAT firewall, Cloud Firewall performs the following operations:

    • Creates a vSwitch and randomly assigns a CIDR block to the vSwitch.

    • Creates a custom route table named Cloud_Firewall_ROUTE_TABLE and adds a 0.0.0.0/0 route that points to the NAT gateway to the route table. Cloud Firewall also automatically learns other routes in the route tables of the VPC.

    • Modifies the 0.0.0.0/0 route in the system route table to set the next hop to the elastic network interface (ENI) of Cloud Firewall.

  • Manual Mode: If you want to specify a custom CIDR block of the NAT firewall, you can select Manual Mode. In this mode, if routes are not configured, service communications may fail.

    • Before you create a NAT firewall, you must complete the following operations:

      • Create a vSwitch and assign a CIDR block whose mask is at least 28 bits in length to the vSwitch.

      • Create a custom route table and associate it with the newly created vSwitch.

      • Add custom routes other than the 0.0.0.0/0 entry to the route table based on your business requirements. For example, you can add cross-VPC backhaul routes.

    • When you create a NAT firewall, Cloud Firewall performs the following operations:

      • Adds the 0.0.0.0/0 route that points to the NAT gateway to the custom route table that you created.

      • Modifies the 0.0.0.0/0 route in the system route table to set the next hop to the ENI of Cloud Firewall.

Automatic Mode (recommended)

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. Click the NAT Firewall tab. On the NAT Firewall tab, find the required NAT gateway and click Create in the Actions column.

  3. In the Create NAT Firewall panel, configure the following parameters and click OK.

    • Name: Enter a name for the NAT firewall.

    • New Next Hop: If you select the check box, the next hop of the traffic from the private IP addresses of the host is allowed to point to the NAT firewall.

    • vSwitch: Select Automatic Mode. Cloud Firewall automatically creates a vSwitch and associates the vSwitch with a custom route table.

    • Exposure Control Policy for NAT Gateway: This parameter is optional. You can click Edit Access Control Policy to modify the access control policy. For more information, see Create an access control policy for a NAT firewall.

    • Engine Mode: Select the prevention mode of the access control policy.

      • Loose Mode: Traffic whose application type or domain name is identified as Unknown is allowed to help ensure normal access.

      • Strict Mode: Traffic whose application type or domain name is identified as Unknown is processed by all policies that you configure. If you configure a Deny policy, the traffic is denied.

    • Status: Specify the status of the NAT firewall. Traffic can be routed to the NAT firewall only after you enable the NAT firewall.

Manual Mode

  1. Create a vSwitch for the NAT firewall. For more information, see Create and manage a VPC.

    Make sure that the vSwitch meets the following requirements:

    • The vSwitch, NAT gateway, and NAT firewall must be deployed in the same VPC.

    • The vSwitch must reside in the same zone as the NAT gateway.

    • The mask of the CIDR block of the vSwitch must be at least 28 bits in length, and the number of available IP addresses within the CIDR block of the vSwitch must be greater than the number of EIPs that are specified in the SNAT entries of the NAT gateway.

    • No other cloud resource is connected to the vSwitch.

  2. Create a route table and associate the route table with the vSwitch. For more information, see Create and manage a route table.

  3. Optional. Add custom routes other than the 0.0.0.0/0 entry to the route table based on your business requirements. For more information, see Subnet routing.

    For example, if your workloads require communications between VPCs, you must manually add the backhaul route of the VPC to the route table.

  4. Create a NAT firewall in manual mode.

    1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

    2. Click the NAT Firewall tab, find the required NAT gateway and click Create in the Actions column.

    3. In the Create NAT Firewall panel, configure the following parameters and click OK.

      • Name: Enter a name for the NAT firewall.

      • New Next Hop: If you select the check box, the next hop of the traffic from the private IP addresses of the host is allowed to point to the NAT firewall.

      • vSwitch: Select Manual Mode and select a vSwitch that you created from the drop-down list.

        Note

        If no vSwitch is displayed in the drop-down list or the required vSwitch is dimmed, check whether the vSwitch is associated with other cloud resources and whether the vSwitch is associated with a custom route table. After you specify a vSwitch, click Synchronize Assets in the upper-right corner of the NAT Firewall tab.

      • Exposure Control Policy for NAT Gateway: This parameter is optional. You can click Edit Access Control Policy to modify the access control policy. For more information, see Create an access control policy for a NAT firewall.

      • Engine Mode: Select the prevention mode of the access control policy.

        • Loose Mode: Traffic whose application type or domain name is identified as Unknown is allowed to help ensure normal access.

        • Strict Mode: Traffic whose application type or domain name is identified as Unknown is processed by all policies that you configure. If you configure a Deny policy, the traffic is denied.

      • Status: Specify the status of the NAT firewall. Traffic can be routed to the NAT firewall only after you turn on Status.
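
The NAT gateway prerequisites and the Manual Mode vSwitch requirements listed in this topic can be checked together before you open the Create NAT Firewall panel. The following Python code is an added example, not Alibaba Cloud code: the NatGateway and VSwitch records, their field names, and the sample values are assumptions that you fill in by hand from the VPC console, and no Cloud Firewall API is called.

```python
from dataclasses import dataclass

# Region availability, advanced VPC features and the mask-length rule are not modeled here.

@dataclass
class NatGateway:          # hypothetical record; fields are assumptions, not an API type
    vpc_id: str
    zone: str
    internet_facing: bool  # the NAT Firewall feature supports only Internet NAT gateways
    eips: list             # EIPs associated with the NAT gateway
    snat_eips: list        # EIPs specified in the SNAT entries
    dnat_entries: int      # number of DNAT entries on the NAT gateway
    default_route_to_nat: bool  # VPC has a 0.0.0.0/0 route that points to the gateway

@dataclass
class VSwitch:             # hypothetical record for the Manual Mode vSwitch
    vpc_id: str
    zone: str
    available_ips: int     # available IP addresses in the vSwitch CIDR block
    attached_resources: int
    has_custom_route_table: bool

def gateway_findings(gw):
    """Return the NAT gateway prerequisites from this topic that gw does not meet."""
    checks = [
        (gw.internet_facing, "not an Internet NAT gateway"),
        (1 <= len(gw.eips) <= 10, "EIP count must be between 1 and 10"),
        (len(gw.snat_eips) > 0, "no SNAT entry"),
        (gw.dnat_entries == 0, "DNAT entries must be deleted first"),
        (gw.default_route_to_nat, "no 0.0.0.0/0 route to the NAT gateway"),
    ]
    return [msg for ok, msg in checks if not ok]

def vswitch_findings(gw, vsw):
    """Return the Manual Mode vSwitch requirements from this topic that vsw does not meet."""
    checks = [
        (vsw.vpc_id == gw.vpc_id, "vSwitch is in a different VPC"),
        (vsw.zone == gw.zone, "vSwitch is in a different zone"),
        (vsw.available_ips > len(set(gw.snat_eips)), "too few available IP addresses"),
        (vsw.attached_resources == 0, "other cloud resources use the vSwitch"),
        (vsw.has_custom_route_table, "no custom route table associated"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample data (documentation-range addresses, made-up IDs).
GW = NatGateway("vpc-a", "zone-1", True, ["203.0.113.10", "203.0.113.11"],
                ["203.0.113.10", "203.0.113.11"], 1, True)
VSW = VSwitch("vpc-a", "zone-2", 2, 0, True)

if __name__ == "__main__":
    for finding in gateway_findings(GW) + vswitch_findings(GW, VSW):
        print("FAIL:", finding)
```

An empty result from both functions means that none of the modeled requirements blocks creation; the sample gateway fails because it still has a DNAT entry, and the sample vSwitch fails on zone and address count.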

What to do next

After you enable a NAT firewall, you can configure an access control policy for the NAT firewall and view audit logs to control traffic that originates from private assets and is destined for the Internet.

Configure access control policies

If you do not configure an access control policy, Cloud Firewall automatically allows all traffic. You can create access control policies for NAT firewalls to manage traffic from internal-facing assets to the Internet in a fine-grained manner.

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall for which you want to create an access control policy, click the icon in the Actions column, and then click Access Control.

On the page that appears, create an access control policy for the NAT firewall. For more information, see Create an access control policy for a NAT firewall.

View audit logs

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall whose audit logs you want to view, click the icon in the Actions column, and then click Log Audit.

On the page that appears, query the logs of traffic that originates from the private network and is destined for the Internet. For more information, see Log Audit.

View traffic analysis results

Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall whose traffic analysis results you want to view, click the icon in the Actions column, and then click Traffic Analysis.

On the page that appears, view the analysis results of outbound connections that are initiated from the assets to the Internet by using the IP address of the NAT gateway. For more information, see Outbound Connection.

View statistics about protected traffic

In the left-side navigation pane, click Overview. In the upper-right corner of the Overview page, click More to view the peak traffic that can be protected by a NAT firewall, recent peak traffic, and used quota for NAT firewalls.


View the vSwitches for a NAT firewall

Go to the Firewall Settings > NAT Firewall tab, and click Firewall vSwitch List in the upper-right corner of the NAT firewall list.

Disable and delete a NAT firewall

Warning

When you disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 to 2 seconds but short-lived connections are not affected. If you delete a NAT firewall after it is disabled, your workloads are not affected.

If you directly delete a NAT firewall when it is enabled, Cloud Firewall disables and deletes the NAT firewall at the same time. Persistent connections are temporarily closed for 1 to 2 seconds.

  • Disable a NAT firewall

    Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall that you want to disable, and then turn off the switch in the Switch column.

  • Delete a NAT firewall

    Go to the Firewall Settings > NAT Firewall tab, find the NAT firewall that you want to delete, click the icon in the Actions column, and then click Delete.
