Updated on 2025-07-23 GMT+08:00

VPC Border Firewall Overview

CFW can protect VPC traffic. After protection is enabled, your service traffic will pass through CFW. All traffic will be allowed by default.

For more information, see Adding a Protection Rule. For details about IPS, see Configuring an IPS Policy.

This section describes the basic concept of a VPC border firewall and related CFW configuration.

What Is VPC Border Traffic?

VPC border traffic, a type of east-west traffic, is exchanged between a VPC and an integrated data center (IDC), or between two VPCs. You can configure a VPC border firewall on CFW to visualize and protect internal service access.

Constraints

  • Only the professional edition supports VPC border firewalls.
  • The number of VPCs that can be protected by a single firewall instance by default is as follows:
    • Professional edition (yearly/monthly): 2

      You can purchase expansion packages to increase the number to a maximum of 500. For details, see Changing the Number of Extended CFW Packages.

    • Professional edition (pay-per-use): 20. It cannot be increased.
  • By default, CFW treats only 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 (the segment reserved for carrier-grade NAT) as private network CIDR blocks. To use any other CIDR block as a private network CIDR block, modify the private network CIDR blocks or submit a service ticket to have them expanded. If the private network CIDR blocks are insufficient, CFW may fail to forward traffic between your VPCs.
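A pre-flight check for the constraint above, added here as an example and not taken from the CFW documentation: it classifies each VPC CIDR block against the default private ranges listed on this page, so blocks that need the private network CIDR blocks expanded are found before protection is enabled. The sample VPC CIDR blocks are constructed.

```python
import ipaddress

# Ranges that CFW treats as private network CIDR blocks by default (from the page):
# the three RFC 1918 blocks plus 100.64.0.0/10 (reserved for carrier-grade NAT).
DEFAULT_PRIVATE_CIDRS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def classify_cidr(cidr):
    """Return 'private', 'public' or 'mixed' for one IPv4 VPC CIDR block.

    'mixed' means the block spans a default private range and addresses outside
    it (e.g. 10.0.0.0/7 covers more than 10.0.0.0/8); such a block also needs
    the private network CIDR blocks adjusted before protection is enabled.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 CIDR blocks are covered by the default ranges")
    if any(net.subnet_of(p) for p in DEFAULT_PRIVATE_CIDRS):
        return "private"
    if any(net.overlaps(p) for p in DEFAULT_PRIVATE_CIDRS):
        return "mixed"
    return "public"


def cidrs_needing_expansion(vpc_cidrs):
    """Return the VPC CIDR blocks not fully covered by the default private
    ranges, i.e. the ones to add by modifying the private network CIDR blocks
    or via a service ticket before enabling VPC border protection."""
    return [c for c in vpc_cidrs if classify_cidr(c) != "private"]


if __name__ == "__main__":
    # Constructed sample VPC CIDR blocks (not from the page).
    sample = ["10.10.0.0/16", "172.20.0.0/14", "100.100.0.0/16",
              "203.0.113.0/24", "10.0.0.0/7", "172.32.0.0/16"]
    for c in sample:
        print(f"{c:>16} -> {classify_cidr(c)}")
    print("needs expansion:", cidrs_needing_expansion(sample))
```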

Impacts on Services

Before enabling VPC protection, check whether there is any protection rule or blacklist that blocks all traffic.

  • If protection is enabled for a VPC, such a protection rule or blacklist takes effect and blocks all traffic of the VPC, which may interrupt services. Before enabling protection, check for persistent connections and for services that do not support session reestablishment. If there are any, handle them first.

    For details about how to edit a protection rule, see Managing Protection Rules. For details about how to edit a blacklist, see Managing the Blacklist and the Whitelist.

  • If there is no protection rule or blacklist that blocks all traffic, enabling or disabling VPC protection will not interrupt services.

Configuration Process

The following figure shows the configuration process in VPC mode.
Figure 1 Configuration process in VPC mode