If you use a Cloud Enterprise Network (CEN) transit router, you must configure routing between the CEN transit router and a virtual private cloud (VPC) firewall before you can use the VPC firewall to protect the traffic between two VPCs that are connected by using the CEN transit router. In this topic, a transit router of the Enterprise Edition is used. This topic describes how to configure routing between a CEN transit router and a VPC firewall.

Prerequisites

Note If the prerequisites are met, three VPCs and three vSwitches are created.
  1. A CEN instance is created in the CEN console. Two VPCs are created. In this topic, VPC-01 and VPC-02 are used.

    For more information, see Create a CEN instance.

  2. A VPC is created in the VPC console. In the following procedure, a VPC firewall is created for the VPC. In this topic, Cfw-TR-manual-VPC is used. In addition, three vSwitches are created for the VPC. In this topic, TR-Vswitch-01, TR-VSwitch-02, and Cfw-Vswitch are used. TR-Vswitch-01 and TR-VSwitch-02 are used by a transit router to connect network instances. Cfw-Vswitch is used when you create a VPC firewall.
  3. The ID of Cfw-TR-manual-VPC is added to the required whitelist. This is required before you can create a VPC firewall for Cfw-TR-manual-VPC. To add the ID of Cfw-TR-manual-VPC to the required whitelist, contact after-sales support engineers in the DingTalk group.

Usage notes

Cloud Firewall can protect the traffic between network instances that are connected by using CEN transit routers. The network instances refer to VPCs, virtual border routers (VBRs), and Cloud Connect Networks (CCNs).

If you want to protect the traffic between VPCs in the same region, you can follow the procedure in this topic.

Notice The feature that is provided by Cloud Firewall to manually configure routing between a CEN transit router and a VPC firewall is in public preview. If you want to use the feature, contact after-sales support engineers in the DingTalk group to add the ID of Cfw-TR-manual-VPC to the whitelist. If the ID of Cfw-TR-manual-VPC is not added to the whitelist, the Create button is dimmed on the VPC Firewall tab. The system prompts you to add the ID of Cfw-TR-manual-VPC to the whitelist.

Step 1: Connect Cfw-TR-manual-VPC to a transit router

This step establishes a connection between Cfw-TR-manual-VPC and the transit router.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to a VPC firewall and click the ID of the instance.
  3. On the Basic Settings tab, click Create Connection in the Actions column or click the Add icon to the right of VPC in the upper part of the tab.
  4. On the Connection with Peer Network Instance page, configure the parameters.
    Parameter description:
    • Network Type: The type of the network instance that you want to connect to the CEN instance. Select VPC.
    • Region: The region where the network instance resides. Set this parameter to the region that you specify when you create Cfw-TR-manual-VPC.
    • Networks: The network instance that you want to connect to the CEN instance. Select the ID of Cfw-TR-manual-VPC.
    • VSwitch: The vSwitches that can be bound to the network instance. Select TR-Vswitch-01 for Primary Zone and TR-VSwitch-02 for Secondary Zone.

    For more information about other parameters, see Use Enterprise Edition transit routers to create VPC connections.

Step 2: Connect VPC-01 and VPC-02 to the transit router

You must establish a connection between VPC-01 and the transit router and a connection between VPC-02 and the transit router. This way, both VPCs are connected to the CEN instance.

For more information, see Use Enterprise Edition transit routers to create VPC connections.

Step 3: Create a VPC firewall

This step creates a VPC firewall for Cfw-TR-manual-VPC.

To create a VPC firewall, log on to the Cloud Firewall console, choose Firewall Settings > Firewall Settings, and then click VPC Firewall. On the VPC Firewall tab, click the CEN tab, find Cfw-TR-manual-VPC, and then click Create in the Actions column. In the Create VPC Firewall dialog box, select Manual for Routing Mode, Cfw-TR-manual-VPC for VPC, and Cfw-Vswitch for vSwitch. For more information, see Create a VPC firewall for a CEN instance.

Note After the step is complete, an elastic network interface (ENI) is created. To view the ENI, log on to the ECS console and choose Network & Security > ENIs. By default, the cfw-bonding-eni ENI is created.

Step 4: Create routes for VPC-01 and VPC-02

This step creates routes between the CEN instance and the VPC firewall.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance whose traffic you want to redirect to the VPC firewall and click the ID of the instance.
  3. On the Transit Router tab, click the number in the Route Table column. The Route Table tab appears.
  4. On the Route Table tab, click Create Route Table at the top of the left-side route table list.
  5. In the Create Route Table dialog box, configure the parameters.

    Set the Name parameter to Cfw-TR-RouteTable.

    You can add routes to the Cfw-TR-RouteTable route table to forward the traffic from VPC-01 or VPC-02 to Cfw-TR-manual-VPC.

  6. Click the Cfw-TR-RouteTable route table. Then, click Add Route Entry.
  7. In the Add Route Entry dialog box, configure the parameters.
    Parameter description:
    • Destination CIDR: Retain the default value 0.0.0.0/0.
    • Blackhole Route: Retain the default value No.
    • Next Hop: Select Cfw-TR-manual-VPC.
    After you add the route, traffic is forwarded to the VPC firewall based on the Cfw-TR-RouteTable route table.
  8. On the Route Table tab, click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.
  9. On the Route Table Association tab, delete the association created for VPC-01 and VPC-02.
  10. On the Route Table tab, click the Cfw-TR-RouteTable route table in the left-side route table list.
  11. In the Route Table Details section, click the Route Table Association tab and click Create Association.
  12. In the Add Association dialog box, select VPC-01 and VPC-02 for Association and click OK.
    After the association is created, the traffic between the two VPCs is forwarded to the Cfw-TR-RouteTable route table.
  13. On the Route Table tab, click the system route table in the left-side route table list.
  14. In the Route Table Details section, click the Route Propagation tab.
  15. On the Route Propagation tab, enable route propagation for VPC-01 and VPC-02. To enable route propagation for VPC-01, select VPC-01 for Association. To enable route propagation for VPC-02, select VPC-02 for Association.

    After route propagation is enabled, the routes created for VPC-01 and VPC-02 are automatically propagated to the system route table.

    After route propagation is enabled, you can view the information about the automatically propagated routes on the Route Entry tab.

  16. Click the system route table in the left-side route table list. In the Route Table Details section, click the Route Table Association tab.
  17. On the Route Table Association tab, click Create Association.
  18. In the Add Association dialog box, select Cfw-TR-manual-VPC for Association.

After the step is complete, the routes between the CEN instance and the VPC firewall are created, and traffic can be forwarded to Cfw-TR-manual-VPC.

Step 5: Configure route tables for the VPC firewall

This step redirects the traffic from Cfw-TR-manual-VPC to the VPC firewall.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables. On the Route Tables page, click Create Route Table. On the Create Route Table page, select Cfw-TR-manual-VPC for VPC and set the Name parameter to VPC-CFW-RouteTable.
  3. Click the name of the VPC-CFW-RouteTable route table. On the page that appears, click the Associated vSwitch tab.
  4. Click Associate vSwitch. In the Associate vSwitch dialog box, select Cfw-Vswitch for vSwitch.
  5. On the Route Entry List tab, click the Custom tab.
  6. Click Add Route Entry. In the Add Route Entry panel, configure the parameters.
    Parameter description:
    • Destination CIDR Block: Specify 0.0.0.0/0.
    • Next Hop Type: Select Forwarding Router.
    • Forwarding Router: Retain the default value Cfw-TR-manual-VPC.
    After this operation is complete, the outbound traffic of the VPC firewall is forwarded to the CEN transit router.
  7. On the Route Tables page, click the name of the system route table that is created for Cfw-TR-manual-VPC.
  8. On the page that appears, click the Route Entry List tab and then click the Custom tab.
  9. Click Add Route Entry. In the Add Route Entry panel, configure the parameters.
    Parameter description:
    • Destination CIDR Block: Specify 0.0.0.0/0.
    • Next Hop Type: Select Secondary ENI.
    • Secondary ENI: Select cfw-bonding-eni.
  10. On the Custom tab, delete other route entries. To delete a route entry, click Delete in the Actions column.
    After the step is complete, the traffic from Cfw-TR-manual-VPC is redirected to the VPC firewall.
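The following Python model is added here and is not part of this topic or of Alibaba Cloud's tooling. It encodes the route tables and associations that Step 4 and Step 5 build and traces the hops of a packet from VPC-01 to VPC-02, so you can confirm that the path passes through the firewall ENI; it also shows the bypass that results if VPC-01 is left associated with the system route table (Step 4, substeps 9 to 12 skipped). The CIDR blocks of VPC-01 and VPC-02 are assumed placeholder values.

```python
import ipaddress

# Constructed model of the routing from Step 4 and Step 5, not Alibaba Cloud's own API.
# The VPC CIDR blocks below are assumed placeholders.
VPC_CIDRS = {"VPC-01": "10.1.0.0/16", "VPC-02": "10.2.0.0/16"}

# Transit router route tables: name -> list of (destination CIDR, next hop).
TR_TABLES = {
    # Propagated routes to VPC-01 and VPC-02 (Step 4, substep 15).
    "system": [(cidr, vpc) for vpc, cidr in VPC_CIDRS.items()],
    # Default route that sends everything to the firewall VPC (Step 4, substep 7).
    "Cfw-TR-RouteTable": [("0.0.0.0/0", "Cfw-TR-manual-VPC")],
}
# Transit router table associated with each attachment (Step 4, substeps 9-12 and 16-18).
TR_ASSOCIATION = {
    "VPC-01": "Cfw-TR-RouteTable",
    "VPC-02": "Cfw-TR-RouteTable",
    "Cfw-TR-manual-VPC": "system",
}
# Route tables inside Cfw-TR-manual-VPC (Step 5): the system table sends traffic to the
# firewall ENI; VPC-CFW-RouteTable, bound to Cfw-Vswitch, returns it to the transit router.
FW_VPC_TABLES = {
    "system": [("0.0.0.0/0", "cfw-bonding-eni")],
    "VPC-CFW-RouteTable": [("0.0.0.0/0", "transit-router")],
}


def lookup(table, dst_ip):
    """Resolve dst_ip in a route table using longest-prefix match."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), nh) for c, nh in table if ip in ipaddress.ip_network(c)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(src_vpc, dst_ip, association=TR_ASSOCIATION):
    """Return the ordered hops a packet from src_vpc to dst_ip traverses."""
    hops = [src_vpc]
    # The packet enters the transit router through the source VPC's attachment.
    nh = lookup(TR_TABLES[association[src_vpc]], dst_ip)
    hops.append(nh)
    if nh == "Cfw-TR-manual-VPC":
        hops.append(lookup(FW_VPC_TABLES["system"], dst_ip))             # to the firewall ENI
        hops.append(lookup(FW_VPC_TABLES["VPC-CFW-RouteTable"], dst_ip))  # back to the TR
        hops.append(lookup(TR_TABLES[association["Cfw-TR-manual-VPC"]], dst_ip))  # to VPC-02
    return hops


def inspected(hops):
    """True if the path traverses the VPC firewall ENI."""
    return "cfw-bonding-eni" in hops
```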

Step 6: Check whether the forwarding configuration is successful

Check whether the traffic logs of the CEN instance are recorded. For more information, see Traffic logs. If the traffic logs are recorded, the forwarding configuration is successful.