This topic describes how to create a virtual private cloud (VPC) firewall to protect traffic between two VPCs that are connected by using an Express Connect circuit.
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.
Before you begin
An Alibaba Cloud account has all permissions on resources within the account. If an Alibaba Cloud account is leaked, the resources are exposed to major risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.
Grant the RAM user the permissions that are required to manage the VPC, Cloud Firewall, and related resources. The following policy is an example. For more information, see Grant permissions to RAM users.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "yundun-cloudfirewall:*",
        "yundun-ndr:*",
        "vpc:CreateVpc",
        "vpc:DeleteVpc",
        "vpc:DescribeVpcs",
        "vpc:CreateVSwitch",
        "vpc:DeleteVSwitch",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:DescribeRouteEntries",
        "vpc:CreateVpcPeerConnection",
        "vpc:DeleteVpcPeerConnection",
        "vpc:DescribeVpcPeerConnections",
        "cloudfirewall:CreateVpcFirewall",
        "cloudfirewall:DeleteVpcFirewall",
        "cloudfirewall:DescribeVpcFirewalls"
      ],
      "Resource": "*"
    }
  ]
}

Prepare the Terraform environment. You can use one of the following methods to use Terraform:
Use Terraform in Terraform Explorer: Alibaba Cloud provides Terraform Explorer, an online runtime environment for Terraform. You can use Terraform after you log on to Terraform Explorer without the need to install Terraform. For more information, see Explorer. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at no additional cost.
Use Terraform in Cloud Shell: Terraform is preinstalled in Cloud Shell and identity credentials are configured. You can directly run Terraform commands in Cloud Shell. For more information, see Use Terraform in Cloud Shell. This method is suitable for scenarios in which you want to use and debug Terraform in a fast and convenient manner at low cost.
Install and configure Terraform on your on-premises machine: This method is suitable for scenarios in which network conditions are poor or a custom development environment is used. For more information, see Install and configure Terraform in the local PC.
Important: You must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.
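The RAM policy above grants two service-wide wildcards (yundun-cloudfirewall:* and yundun-ndr:*) and applies to every resource ("Resource": "*"). The following linter is an added example written for this topic, not code from the page or from Alibaba Cloud: it parses a RAM policy document, reports each Allow statement that relies on a wildcard action or wildcard resource, and lets you check whether a given action is still covered after you tighten the policy. The sample policy is a constructed copy of the one above; Deny statements and Condition blocks are ignored, and "yundun-cloudfirewall:SomeAction" in the usage is a hypothetical action name used only to show wildcard matching.

```python
import fnmatch
import json

# Constructed sample input: a copy of the RAM policy shown in this topic.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "yundun-cloudfirewall:*", "yundun-ndr:*",
            "vpc:CreateVpc", "vpc:DeleteVpc", "vpc:DescribeVpcs",
            "vpc:CreateVSwitch", "vpc:DeleteVSwitch", "vpc:DescribeVSwitches",
            "vpc:CreateRouteEntry", "vpc:DeleteRouteEntry", "vpc:DescribeRouteEntries",
            "vpc:CreateVpcPeerConnection", "vpc:DeleteVpcPeerConnection",
            "vpc:DescribeVpcPeerConnections",
            "cloudfirewall:CreateVpcFirewall", "cloudfirewall:DeleteVpcFirewall",
            "cloudfirewall:DescribeVpcFirewalls",
        ],
        "Resource": "*",
    }],
})


def _as_list(value):
    """RAM policies allow either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return one finding per over-broad grant in the policy's Allow statements.

    A finding is a dict with the statement index, the kind of grant that matched
    ("action" or "resource") and the offending value. Deny statements are skipped
    because they narrow rather than widen access.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # "service:*" grants every API of that service, not only the
            # VPC firewall operations this topic needs.
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": idx, "kind": "action", "value": action})
        for resource in _as_list(stmt.get("Resource", [])):
            # "*" applies the grant to every resource in the account.
            if resource == "*":
                findings.append({"statement": idx, "kind": "resource", "value": resource})
    return findings


def covers(policy_json, action):
    """True if some Allow statement grants `action`, exactly or via a wildcard.

    Wildcards are matched with fnmatch, so "*", "vpc:*" and "vpc:Describe*"
    all behave as RAM evaluates them. Condition blocks are not evaluated.
    """
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for granted in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action, granted):
                return True
    return False


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(f"statement {finding['statement']}: wildcard {finding['kind']} {finding['value']!r}")
    # Hypothetical action name: only demonstrates that the service wildcard matches it.
    print("yundun-cloudfirewall:SomeAction covered:",
          covers(SAMPLE_POLICY, "yundun-cloudfirewall:SomeAction"))
    print("vpc:ModifyVpcAttribute covered:", covers(SAMPLE_POLICY, "vpc:ModifyVpcAttribute"))
```

Run the linter against the policy you attach to the RAM user; each finding is a grant worth replacing with the explicit actions the deployment actually calls, and `covers` confirms that the narrowed policy still permits every action in the explicit list.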
Resource
alicloud_cloud_firewall_vpc_firewall: creates a VPC firewall.
Procedure
This section describes how to create a VPC firewall.
Create a working directory and a configuration file named main.tf in the directory. main.tf is the main file of Terraform and defines the resources that you want to deploy.

variable "region" {
  default = "cn-heyuan"
}

provider "alicloud" {
  region = var.region
}

# Obtain the ID of the current Alibaba Cloud account.
data "alicloud_account" "current" {
}

# Create VPC 1.
resource "alicloud_vpc" "vpc" {
  vpc_name   = "dd-tf-vpc-01"
  cidr_block = "192.168.0.0/16"
}

# Create VPC 2.
resource "alicloud_vpc" "vpc1" {
  vpc_name   = "dd-tf-vpc-02"
  cidr_block = "172.16.0.0/12"
}

# Create a vSwitch in VPC 1 and allocate the CIDR block 192.168.10.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-01-example-1"
}

# Create a vSwitch in VPC 1 and allocate the CIDR block 192.168.20.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw1" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-01-example-2"
}

# Create a vSwitch in VPC 2 and allocate the CIDR block 172.16.10.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-02-example-11"
}

# Create a vSwitch in VPC 2 and allocate the CIDR block 172.16.20.0/24 to the vSwitch.
resource "alicloud_vswitch" "vsw3" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-02-example-22"
}

# Create a VPC peering connection.
resource "alicloud_vpc_peer_connection" "default" {
  # The name of the VPC peering connection.
  peer_connection_name = "terraform-example-vpc-peer-connection"
  # The ID of the initiator VPC.
  vpc_id = alicloud_vpc.vpc.id
  # The Alibaba Cloud account ID of the acceptor VPC.
  accepting_ali_uid = data.alicloud_account.current.id
  # The region ID of the acceptor VPC. If the two VPCs are in the same region, enter the region ID of the initiator VPC.
  # If the VPCs are in different regions, enter the region ID of the acceptor VPC.
  accepting_region_id = "cn-heyuan"
  # The ID of the acceptor VPC.
  accepting_vpc_id = alicloud_vpc.vpc1.id
  # The description.
  description = "terraform-example"
  # Specifies whether to forcibly delete the VPC peering connection.
  force_delete = true
}

# Accept the VPC peering connection on the acceptor side.
resource "alicloud_vpc_peer_connection_accepter" "default" {
  instance_id = alicloud_vpc_peer_connection.default.id
}

# Configure a route in VPC 1 (vpc-A) that points to the peering connection.
resource "alicloud_route_entry" "foo" {
  # The ID of the route table of VPC 1.
  route_table_id = alicloud_vpc.vpc.route_table_id
  # The custom destination CIDR block.
  destination_cidrblock = "1.2.3.4/32"
  # The type of the next hop.
  nexthop_type = "VpcPeer"
  # The ID of the next hop.
  nexthop_id = alicloud_vpc_peer_connection.default.id
}

# Configure a route in VPC 2 (vpc-B) that points to the peering connection.
resource "alicloud_route_entry" "foo1" {
  # The ID of the route table of VPC 2.
  route_table_id = alicloud_vpc.vpc1.route_table_id
  # The custom destination CIDR block.
  destination_cidrblock = "4.3.2.1/32"
  # The type of the next hop.
  nexthop_type = "VpcPeer"
  # The ID of the next hop.
  nexthop_id = alicloud_vpc_peer_connection.default.id
}

# Wait until the VPC peering connection and the route entries are ready before the VPC firewall is created.
resource "time_sleep" "wait_before_firewall" {
  depends_on = [
    alicloud_route_entry.foo,
    alicloud_route_entry.foo1
  ]
  create_duration = "720s" # Specify a value based on your business requirements.
}

# A marker resource that completes only after the wait above has elapsed.
resource "null_resource" "wait_for_firewall" {
  provisioner "local-exec" {
    command = "echo waiting for firewall to be ready"
  }
  depends_on = [time_sleep.wait_before_firewall]
}

# Create the VPC firewall for the VPC peering connection.
resource "alicloud_cloud_firewall_vpc_firewall" "default" {
  # The required dependencies.
  depends_on = [
    null_resource.wait_for_firewall
  ]
  timeouts {
    create = "30m" # The timeout period of the creation operation.
  }
  # The name of the instance.
  vpc_firewall_name = "tf-test"
  # The ID of the user.
  member_uid = data.alicloud_account.current.id
  local_vpc {
    # The ID of the initiator VPC.
    vpc_id = alicloud_vpc.vpc.id
    # The region.
    region_no = "cn-heyuan"
    # The route.
    local_vpc_cidr_table_list {
      # The ID of the route table.
      local_route_table_id = alicloud_vpc.vpc.route_table_id
      local_route_entry_list {
        # The next hop.
        local_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
        # The destination CIDR block.
        local_destination_cidr = alicloud_route_entry.foo.destination_cidrblock
      }
    }
  }
  peer_vpc {
    # The ID of the acceptor VPC.
    vpc_id = alicloud_vpc.vpc1.id
    # The region.
    region_no = "cn-heyuan"
    # The route.
    peer_vpc_cidr_table_list {
      # The ID of the route table.
      peer_route_table_id = alicloud_vpc.vpc1.route_table_id
      peer_route_entry_list {
        # The destination CIDR block.
        peer_destination_cidr = alicloud_route_entry.foo1.destination_cidrblock
        # The next hop.
        peer_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
      }
    }
  }
  # The status of the VPC firewall. Valid values:
  # open: The VPC firewall is automatically enabled after it is created.
  # close: The VPC firewall is not automatically enabled after it is created.
  status = "open"
}

output "vpc_id" {
  value = alicloud_vpc.vpc.id
}

output "vpc1_id" {
  value = alicloud_vpc.vpc1.id
}

output "route_table_id_vpc" {
  value = alicloud_vpc.vpc.route_table_id
}

output "route_table_id_vpc1" {
  value = alicloud_vpc.vpc1.route_table_id
}

output "foo_nexthop_id" {
  value = alicloud_vpc_peer_connection.default.id
}

output "foo1_nexthop_id" {
  value = alicloud_vpc_peer_connection.default.id
}

output "cidrblock" {
  value = alicloud_route_entry.foo.destination_cidrblock
}

output "cidrblock1" {
  value = alicloud_route_entry.foo1.destination_cidrblock
}

Run the following command to initialize Terraform:

terraform init

If the following information is returned, Terraform is initialized:
Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.203.0...

Warning: registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Create an execution plan and preview the changes.

terraform plan

Run the following command to create the VPC firewall:
terraform apply

During the execution, enter yes as prompted and press the Enter key. Wait until the command is successfully executed. If the following information appears, the operation is successful:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

alicloud_vpc.vpc: Creating...
alicloud_vpc.vpc1: Creating...
alicloud_vpc.vpc1: Creation complete after 6s [id=vpc-f8z3bgpc9436064a***]
alicloud_vswitch.vsw2: Creating...
alicloud_vswitch.vsw3: Creating...
alicloud_vpc.vpc: Creation complete after 6s [id=vpc-f8zbmuyrti2q3t3exi***]
alicloud_vpc_peer_connection.default: Creating...
alicloud_vswitch.vsw1: Creating...
alicloud_vswitch.vsw: Creating...
alicloud_vswitch.vsw3: Creation complete after 4s [id=vsw-f8zxfkuawt6h3zorst***]
alicloud_vswitch.vsw: Creation complete after 4s [id=vsw-f8zbfkhc4odb6fv3y4***]
alicloud_vpc_peer_connection.default: Creation complete after 6s [id=pcc-rwz8io7yddag5y***]
alicloud_vpc_peer_connection_accepter.default: Creating...
alicloud_vswitch.vsw1: Creation complete after 7s [id=vsw-f8z88qcqyfbb5x2nj9***]
alicloud_vswitch.vsw2: Creation complete after 7s [id=vsw-f8zqv2i961em95c7bv***]
alicloud_vpc_peer_connection_accepter.default: Creation complete after 6s [id=pcc-rwz8io7yddag5ya***]
alicloud_route_entry.foo: Creating...
alicloud_route_entry.foo1: Creating...
alicloud_route_entry.foo1: Creation complete after 6s [id=vtb-f8zbaphqlvdnb7njt1***:vrt-f8ze0dot16bcip5o8d***:4.3.2.1/32:VpcPeer:pcc-rwz8io7yddag5y***]
alicloud_route_entry.foo: Creation complete after 6s [id=vtb-f8zukaban4cfna8f8k***:vrt-f8z23psp6f1ecy44z7***:1.2.3.4/32:VpcPeer:pcc-rwz8io7yddag5ya***]
time_sleep.wait_before_firewall: Creating...
time_sleep.wait_before_firewall: Still creating... [10s elapsed]
time_sleep.wait_before_firewall: Still creating... [20s elapsed]
time_sleep.wait_before_firewall: Still creating... [30s elapsed]
time_sleep.wait_before_firewall: Still creating... [40s elapsed]
time_sleep.wait_before_firewall: Still creating... [50s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m40s elapsed]
time_sleep.wait_before_firewall: Creation complete after 12m0s [id=2024-11-05T01:44:57Z]
null_resource.wait_for_firewall: Creating...
null_resource.wait_for_firewall: Provisioning with 'local-exec'...
null_resource.wait_for_firewall (local-exec): Executing: ["/bin/sh" "-c" "echo waiting for firewall to be ready"]
null_resource.wait_for_firewall (local-exec): waiting for firewall to be ready
null_resource.wait_for_firewall: Creation complete after 0s [id=5344790266853010843]
alicloud_cloud_firewall_vpc_firewall.default: Creating...
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [12m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Creation complete after 12m1s [id=vfw-782be77253a0462e8***]

Apply complete! Resources: 13 added, 0 changed, 0 destroyed.

Verify the result.
Run the terraform show command
You can run the following command to view the details of the created VPC firewall:
terraform show
Log on to the Cloud Firewall console
Log on to the Cloud Firewall console, go to the Firewall Settings page, and then click the VPC Firewall tab. Then, search for the VPC firewall by using the firewall ID to view the details of the VPC firewall.
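The VPC firewall only inspects traffic for the destination CIDR blocks that the route entries steer to the peering connection, so the values in main.tf are worth cross-checking before you apply them and again against what terraform show reports afterwards. The following checker is an added example written for this topic, not code from the page or from Alibaba Cloud. It takes the VPC, vSwitch and route values from main.tf above (constructed sample input, keyed by the resource names used in that file), and verifies that the two VPC CIDR blocks do not overlap, that every vSwitch lies inside its VPC, that no peer route covers the local VPC's own addresses, and that each peer route actually lands inside the other VPC. With the page's placeholder destinations (1.2.3.4/32 and 4.3.2.1/32) it reports no errors but two warnings, because neither prefix belongs to the peer VPC; the same check generalises to any number of VPCs and routes.

```python
import ipaddress

# Constructed sample input taken from the values in main.tf above; resource
# names (vpc, vpc1, vsw..vsw3, foo, foo1) are the ones used in that file.
VPCS = {"vpc": "192.168.0.0/16", "vpc1": "172.16.0.0/12"}
VSWITCHES = {
    "vsw":  ("vpc",  "192.168.10.0/24"),
    "vsw1": ("vpc",  "192.168.20.0/24"),
    "vsw2": ("vpc1", "172.16.10.0/24"),
    "vsw3": ("vpc1", "172.16.20.0/24"),
}
# Route entries: resource name -> (VPC that owns the route table, destination CIDR).
# Both entries use the VpcPeer next hop, so the other VPC is the expected peer.
ROUTES = {
    "foo":  ("vpc",  "1.2.3.4/32"),
    "foo1": ("vpc1", "4.3.2.1/32"),
}


def check_topology(vpcs, vswitches, routes):
    """Return (errors, warnings) for a VPC-firewall topology.

    errors   - configurations that cannot work or are unsafe to apply
    warnings - configurations that apply cleanly but are probably not intended
    """
    errors, warnings = [], []
    nets = {}
    for name, cidr in vpcs.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"VPC {name}: invalid CIDR {cidr!r} ({exc})")
    if errors:
        return errors, warnings

    # 1. VPC CIDR blocks must not overlap; overlapping peers make the routes
    #    steered through the firewall ambiguous.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"VPC {a} ({nets[a]}) overlaps VPC {b} ({nets[b]})")

    # 2. Every vSwitch must lie inside the CIDR block of its own VPC.
    for vsw, (vpc, cidr) in vswitches.items():
        if not ipaddress.ip_network(cidr).subnet_of(nets[vpc]):
            errors.append(f"vSwitch {vsw} ({cidr}) is not inside VPC {vpc} ({nets[vpc]})")

    # 3. A route whose next hop is the peering connection must not cover the
    #    local VPC (it would pull local traffic across the peer link), and it
    #    should normally cover addresses inside the peer VPC; only the prefix
    #    listed here is inspected by the VPC firewall.
    for route, (local_vpc, dest_cidr) in routes.items():
        dest = ipaddress.ip_network(dest_cidr)
        peers = [n for n in names if n != local_vpc]
        if dest.overlaps(nets[local_vpc]):
            errors.append(f"route {route} ({dest}) overlaps its own VPC {local_vpc}")
        elif not any(dest.subnet_of(nets[p]) for p in peers):
            warnings.append(f"route {route} ({dest}) is not inside the peer VPC; "
                            "only that prefix will be steered through the firewall")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_topology(VPCS, VSWITCHES, ROUTES)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

When you replace the placeholder destinations with the real CIDR blocks you want inspected (for example a vSwitch CIDR of the other VPC), the warnings disappear; a destination that overlaps the local VPC is reported as an error and should be fixed before terraform apply.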
Resource release
If you no longer require the preceding resources that are created or managed by using Terraform, run the following command to release the resources. For more information about the terraform destroy command, see Common commands.
terraform destroy

Complete sample code
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.