Help Center/ Virtual Private Cloud/ Best Practices/ VPC Security/ Using a Third-Party Firewall to Scrub Traffic for VPCs Connected by VPC Peering Connections
Updated on 2024-08-07 GMT+08:00

Using a Third-Party Firewall to Scrub Traffic for VPCs Connected by VPC Peering Connections

Application Scenario

VPC allows you to configure and manage virtual networks. You can use security groups and network ACLs to control network access. You can also use third-party firewalls to ensure the security of cloud services.

This section describes how to use a firewall to scrub traffic across VPCs that are connected using VPC peering connections.

Architecture

In this example, services are deployed in VPC-A, VPC-B, and VPC-C, and the firewall is deployed in VPC-X. These VPCs communicate with each other through VPC peering connections. The traffic across VPC-A, VPC-B, and VPC-C must flow through the firewall in VPC-X. The default route table of VPC-X directs all inbound traffic to the firewall. After being scrubbed by the firewall, the traffic is sent to a service VPC based on the custom route table.

Figure 1 shows how ecs-A01 accesses ecs-C01. You can view the request and response traffic paths.

Figure 1 Networking planning when a third-party firewall is used for scrubbing traffic across VPCs

Resource Planning

In this example, you need to create VPCs, ECSs, and VPC peering connections. For details about required resources, see Table 1.

The following resource planning details are only examples for your reference. You need to plan resources based on actual service requirements.

Table 1 Required resources

Resource

Description

VPC

Table 2 shows details about the required VPCs.

In this example, there are four VPCs, including three VPCs where services are deployed and one VPC where the firewall is deployed. These VPCs are from the same region, and their subnet CIDR blocks do not overlap.

  • Services are deployed in VPC-A, VPC-B, and VPC-C, and the firewall is deployed in VPC-X. These VPCs communicate with each other through VPC peering connections.
  • VPC-A, VPC-B, VPC-C and VPC-X each have a subnet.
  • The subnets of VPC-A, VPC-B, VPC-C are associated with their default route table.
  • VPC X has a default route table and a custom route table. The subnet of VPC X is associated with the custom route table.

    The default route table controls the inbound traffic to VPC-X, and the custom route table controls the outbound traffic from VPC-X.

NOTICE:

The subnet CIDR blocks of the VPCs that need to communicate with each other through a VPC peering connection cannot overlap. Otherwise, the VPC peering connection does not take effect. For details, see Unsupported VPC Peering Configurations.

ECS

Table 3 shows details about the required ECSs.

The four ECSs are in different VPCs. If the ECSs are in different security groups, add rules to the security groups to allow access to each other.

VPC peering connection

Table 4 shows details about the required VPC peering connections.

There are three VPC peering connections.
  • peer-AX: connects VPC-A and VPC-X
  • peer-BX: connects VPC-B and VPC-X
  • peer-CX: connects VPC-C and VPC-X

VPC peering connections are transitive. After routes are configured, VPC-A, VPC-B, and VPC-C can communicate with each other through VPC-X.

Table 2 VPC details

VPC Name

VPC CIDR Block

Subnet Name

Subnet CIDR Block

Route Table

Subnet Is Used to Deploy

VPC-A

10.1.0.0/16

subnet-A01

10.1.0.0/24

Default route table

Services

VPC-B

10.2.0.0/16

subnet-B01

10.2.0.0/24

Default route table

Services

VPC-C

10.3.0.0/16

subnet-C01

10.3.0.0/24

Default route table

Services

VPC-X

192.168.0.0/16

subnet-X01

192.168.0.0/24

Custom route table

Firewall

Table 3 ECS details

ECS Name

VPC Name

Subnet Name

Private IP Address

Image

Security Group

ECS Is Used to Deploy

ecs-A01

VPC-A

subnet-A01

10.1.0.139

Public image:

CentOS 8.2 64bit

sg-demo:

General-purpose web server

Services

ecs-B01

VPC-B

subnet-B01

10.2.0.93

Services

ecs-C01

VPC-C

subnet-C01

10.3.0.220

Services

ecs-X01

VPC-X

subnet-X01

192.168.0.5

Firewall

Table 4 VPC peering connection details

Connection Name

Local VPC

Peer VPC

peer-AX

VPC-A

VPC-X

peer-BX

VPC-B

VPC-X

peer-CX

VPC-C

VPC-X

Route Configuration

You need to add routes to VPC route tables to allow communication between VPCs and scrub traffic through the firewall. For details, see Table 5.

The following routes are only examples for your reference. You need to plan routes based on actual service requirements.

Table 5 Required route tables

Route Table

Description

Route tables of service VPCs

Table 6 shows details about route tables of service VPCs.

The default route tables of VPC-A, VPC-B, and VPC-C have routes with destinations set to other VPC subnets and with next hop set to VPC peering connection.

Route tables of firewall VPC

Table 7 shows details about route tables of the firewall VPC-X.

  1. In the default route table of VPC-X:
    • If the firewall is deployed on an ECS, add a route with destination set to 0.0.0.0/0 and next hop set to ecs-X01 to direct traffic to the ECS with the firewall deployed.
    • If the firewall is deployed on two ECSs and the ECSs communicate with external systems through a virtual IP address, the virtual IP address is dynamically switched to the standby ECS to continue providing services when the active ECS is faulty and cannot provide services. In this scenario, add a route with destination set to 0.0.0.0/0 and next hop set to the virtual IP address to direct traffic to the ECS with the firewall deployed.

    In this example, the firewall is deployed on an ECS. The traffic across VPC-A, VPC-B, and VPC-C needs to pass through VPC-X and be directed to the firewall for scrubbing.

  2. In the custom route table of VPC-X, add routes with destination set to subnet CIDR blocks of service VPCs (VPC-A, VPC-B, and VPC-C) and next hop set to VPC peering connection.
Table 6 Details about route tables of service VPCs

VPC Name

Route Table

Destination

Next Hop Type

Next Hop

Route Type

Route Function

VPC-A

Default route table: rtb-vpc-A

10.2.0.0/24

VPC peering connection

peer-AX

Custom

  • Destination: subnet-B01 in VPC-B
  • Connects subnet-A01 to subnet-B01

10.3.0.0/24

VPC peering connection

peer-AX

Custom

  • Destination: subnet-C01 in VPC-C
  • Connects subnet-A01 to subnet-C01

192.168.0.0/24

VPC peering connection

peer-AX

Custom

  • Destination: subnet-X01 in VPC-X
  • Connects subnet-A01 to subnet-X01

VPC-B

Default route table: rtb-vpc-B

10.1.0.0/24

VPC peering connection

peer-BX

Custom

  • Destination: subnet-A01 in VPC-A
  • Connects subnet-A01 to subnet-B01

10.3.0.0/24

VPC peering connection

peer-BX

Custom

  • Destination: subnet-C01 in VPC-C
  • Connects subnet-B01 to subnet-C01

192.168.0.0/24

VPC peering connection

peer-BX

Custom

  • Destination: subnet-X01 in VPC-X
  • Connects subnet-B01 to subnet-X01

VPC-C

Default route table: rtb-vpc-C

10.1.0.0/24

VPC peering connection

peer-CX

Custom

  • Destination: subnet-A01 in VPC-A
  • Connects subnet-A01 to subnet-C01

10.2.0.0/24

VPC peering connection

peer-CX

Custom

  • Destination: subnet-B01 in VPC-B
  • Connects subnet-B01 to subnet-C01

192.168.0.0/24

VPC peering connection

peer-CX

Custom

  • Destination: subnet-X01 in VPC-X
  • Connects subnet-C01 to subnet-X01
Table 7 Details about route tables of firewall VPC

VPC Name

Route Table

Destination

Next Hop Type

Next Hop

Route Type

Route Function

VPC-X

Default route table: rtb-vpc-X

0.0.0.0/0

Server

ECS-X

Custom

  • Destination: ecs-X with firewall deployed
  • Direct inbound traffic of VPC-X to the firewall.

If your firewall is deployed on multiple ECSs and these ECSs communicate with external networks through a virtual IP address, set the next hop of the route to the virtual IP address.

Custom route table: rtb-vpc-custom-X

10.1.0.0/24

VPC peering connection

peer-AX

Custom

  • Destination: subnet-A01 in VPC-A
  • Connects subnet-A01 to subnet-X01

10.2.0.0/24

VPC peering connection

peer-BX

Custom

  • Destination: subnet-B01 in VPC-B
  • Connects subnet-B01 to subnet-X01

10.3.0.0/24

VPC peering connection

peer-CX

Custom

  • Destination: subnet-C01 in VPC-C
  • Connects subnet-C01 to subnet-X01

Notes and Constraints

  • A VPC peering connection can only enable communication between VPCs in the same region.
  • The subnet CIDR blocks of the VPCs that need to communicate with each other through a VPC peering connection cannot overlap.
  • The subnet where the ECS deployed with a third-party firewall resides needs to be associated with a custom route table. Ensure that the region where your resources are located supports custom route tables.

    If Route Tables is displayed in the left pane of the network console, custom route tables are supported.

Procedure

  1. Create four VPCs and their subnets in region A.

    For details, see Creating a VPC.

    For details about VPCs and their subnets, see Table 2.

  2. Create a custom route table in VPC-X and associate subnet-X01 with the custom route table.

    1. Create a custom route table in VPC-X.

      For details, see Creating a Custom Route Table.

    2. Associate subnet-X01 with the custom route table created in 2.a.

      After subnet-X01 is created, it is automatically associated with the default route table of VPC-X. You need to associate the custom route table created in 2.a to subnet-X01.

      For details, see Changing the Route Table Associated with a Subnet.

  3. Create an ECS in each VPC.

    For details, see Creating an ECS.

  4. Configure the NIC of ecs-X and install the third-party firewall on ecs-X.

    1. Disable source/destination check for the NIC of ecs-X.
      1. In the ECS list, click the name of the target ECS.

        The ECS details page is displayed.

      2. On the Network Interfaces tab, click to expand the details area and check whether Source/Destination Check is disabled.
        Figure 2 Disabling Source/Destination Check
    2. Install a third-party firewall on ecs-X.

  5. (Optional) Configure a virtual IP address for ECSs.

    You can create two ECSs in VPC-X and bind them to the same virtual IP address so that they can work in the active and standby mode. If the active ECS is faulty and cannot provide services, the virtual IP address will be dynamically switched to the standby ECS to continue providing services. Skip this step if the ECS where the firewall is deployed does not need to work in the active/standby mode.
    1. Assign a virtual IP address in the VPC-X subnet.

      For details, see Assigning a Virtual IP Address.

    2. Bind the virtual IP address to the active and standby ECSs where the firewall is deployed.

      For details, see Binding a Virtual IP Address to an EIP or ECS.

  6. Create three VPC peering connections and configure routes.

    1. Create three VPC peering connections.

      For details about VPC peering connections, see Table 4.

    2. In the default route tables of the three service VPCs, add routes with destination set to the other three VPCs and with next hop set to the VPC peering connection.

      For details, see Adding a Custom Route.

      In this example, add the routes planned in Table 6 to the route tables of VPC-A, VPC-B, and VPC-C.

    3. Add routes to the default and custom route tables of the firewall VPC.

      For details, see Adding a Custom Route.

      In this example, add the routes planned in Table 7 to the default and custom route tables of VPC-X.

  7. Log in to the ECS and check whether the firewall takes effect.

    Multiple methods are available for logging in to an ECS. For details, see Logging In to an ECS.

    In this example, use VNC provided on the management console to log in to an ECS.

    1. Log in to ecs-A01 and verify the network connectivity between VPC-A and VPC-B.

      ping Private IP address of ecs-B01

      Example command:

      ping 10.2.0.93

      If information similar to the following is displayed, the two VPCs can communicate with each other.

      [root@ecs-A01 ~]# ping 10.2.0.93
      PING 10.2.0.93 (10.2.0.93) 56(84) bytes of data.
      64 bytes from 10.2.0.93: icmp_seq=1 ttl=64 time=0.849 ms
      64 bytes from 10.2.0.93: icmp_seq=2 ttl=64 time=0.455 ms
      64 bytes from 10.2.0.93: icmp_seq=3 ttl=64 time=0.385 ms
      64 bytes from 10.2.0.93: icmp_seq=4 ttl=64 time=0.372 ms
      ...
      --- 10.2.0.93 ping statistics ---
    2. Keep the network connectivity between VPC-A and VPC-B in 7.a and log in to ecs-X01 to verify whether the traffic from VPC-A to VPC-B flows through ecs-X01.
    3. On ecs-X01, check the traffic change on eth0.

      Run the following command at least twice consecutively to check whether the values of RX packets and TX packets change:

      ifconfig eth0

      If the packets change, the traffic flows through ecs-X01 and is scrubbed by the firewall.
      [root@ecs-X01 ~]# ifconfig eth0
      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
              inet 192.168.0.5  netmask 255.255.255.0  broadcast 192.168.0.255
              inet6 fe80::f816:3eff:feb6:a632  prefixlen 64  scopeid 0x20<link>
              ether fa:16:3e:b6:a6:32  txqueuelen 1000  (Ethernet)
              RX packets 726222  bytes 252738526 (241.0 MiB)
              RX errors 0  dropped 0  overruns 0  frame 0
              TX packets 672597  bytes 305616882 (291.4 MiB)
              TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
      
      [root@ecs-X01 ~]# ifconfig eth0
      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
              inet 192.168.0.5  netmask 255.255.255.0  broadcast 192.168.0.255
              inet6 fe80::f816:3eff:feb6:a632  prefixlen 64  scopeid 0x20<link>
              ether fa:16:3e:b6:a6:32  txqueuelen 1000  (Ethernet)
              RX packets 726260  bytes 252748508 (241.0 MiB)
              RX errors 0  dropped 0  overruns 0  frame 0
              TX packets 672633  bytes 305631756 (291.4 MiB)
              TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    4. Repeat 7.a to 7.c to check the communication between other VPCs.