Updated on 2025-09-24 GMT+08:00

How Do I Configure the CIDR Block of an Inspection VPC When Creating an Inter-VPC Firewall?

When you create an inter-VPC firewall, CFW creates an inspection VPC by default to inspect traffic. The inspection VPC diverts inter-VPC traffic to CFW for checking and protection, and automatically allocates a dedicated subnet associated with CFW to carry and forward east-west traffic (traffic exchanged between VPCs).

Pay attention to the following principles when you configure the CIDR block of an inspection VPC:

  • Resource ownership and CIDR block planning: The inspection VPC does not belong to your account (it is not displayed in your account's resource list), but you must specify its CIDR block. The more address space the CIDR block leaves unused, the more room there is to expand CFW capacity later, for example by adding protected nodes or increasing traffic processing capacity.
  • CIDR block conflict prevention: The planned CIDR block of the inspection VPC must not overlap with the CIDR blocks of the services that are already protected or scheduled for protection. Otherwise, traffic routing will be abnormal.
  • CIDR block cannot be modified after saving: In the east-west traffic diversion scenario, the CIDR block of the inspection VPC cannot be modified once saved. You are strongly advised to fully evaluate the subsequent service expansion requirements and reserve sufficient CIDR blocks before the configuration. To ensure your CIDR block can support long-term use, refer to the following table when configuring the CIDR block mask of the inspection VPC.

    CIDR block mask    Max. protected traffic
    /24                20 Gbps
    /23                45 Gbps
    /22                95 Gbps
    /21                195 Gbps
    /20                395 Gbps

  • Restriction on CIDR block masks: CFW needs to reserve some addresses for critical operations including O&M management and system update. Therefore, the inspection VPC must be at least a /24 block (256 addresses): the prefix length cannot be longer than /24, that is, the subnet mask cannot be longer than 255.255.255.0 (a /25 block with mask 255.255.255.128, for example, is too small). Otherwise, CFW cannot run properly.
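The planning rules above (prefix length no longer than /24, no overlap with protected CIDR blocks, and the capacity table) can be checked before the block is saved and becomes unmodifiable. The following script is an added example, not CFW's own tooling; it assumes IPv4 CIDR blocks and uses only the values from the table on this page.

```python
import ipaddress

# Capacity table from this page: inspection VPC prefix length -> max protected traffic (Gbps).
MAX_TRAFFIC_GBPS = {24: 20, 23: 45, 22: 95, 21: 195, 20: 395}

# CFW requires at least a /24 (subnet mask no longer than 255.255.255.0).
MAX_PREFIXLEN = 24


def check_inspection_cidr(candidate, protected_cidrs):
    """Validate a proposed inspection VPC CIDR block against the CFW planning rules.

    candidate:       the inspection VPC block to test, e.g. "10.255.0.0/22"
    protected_cidrs: CIDR blocks of VPCs already protected or scheduled for protection
    Returns {'ok': bool, 'problems': [str], 'max_gbps': int or None}.
    """
    try:
        # strict=True rejects a block with host bits set (e.g. 10.0.1.5/24),
        # which would be a planning mistake rather than a usable VPC block.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return {"ok": False, "problems": [f"invalid CIDR {candidate!r}: {exc}"], "max_gbps": None}

    problems = []
    if net.prefixlen > MAX_PREFIXLEN:
        problems.append(f"{net} is smaller than a /{MAX_PREFIXLEN}; CFW cannot reserve its O&M addresses")

    # Any overlap with a protected block breaks traffic routing once the block is saved.
    for cidr in protected_cidrs:
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps protected CIDR {other}; routing would be abnormal")

    return {"ok": not problems, "problems": problems, "max_gbps": MAX_TRAFFIC_GBPS.get(net.prefixlen)}


def smallest_block_for(required_gbps):
    """Return the longest prefix (smallest block) in the table that still covers required_gbps."""
    fits = [p for p, gbps in MAX_TRAFFIC_GBPS.items() if gbps >= required_gbps]
    return max(fits) if fits else None


if __name__ == "__main__":
    # Constructed sample: two protected VPCs and a candidate inspection block.
    print(check_inspection_cidr("10.255.0.0/22", ["10.0.0.0/16", "192.168.0.0/24"]))
    print(check_inspection_cidr("10.0.8.0/24", ["10.0.0.0/16"]))
    print("prefix for 50 Gbps:", smallest_block_for(50))
```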