Configuring the VPC Border Firewall
Application Scenarios
A VPC border firewall can collect statistics on communication traffic between VPCs, helping you detect abnormal traffic.
Constraints
- Only the professional edition supports VPC border firewalls.
- Traffic diversion depends on the enterprise router.
- Only VPCs in the enterprise project to which the current account belongs can be protected.
- If you use public network CIDR blocks (that is, blocks other than 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10) as private network CIDR blocks, submit a service ticket first; otherwise, CFW may fail to forward traffic between your VPCs.
Applicable Version
New VPC border firewall version.
You can check the GUI to determine your version.
How to Configure
The process is as follows:
- Create a firewall (for example, vpc-cfw-er) and associate it with subnets. For details, see Creating a Firewall.
- If you have just created a new enterprise router, configure it.
- Configure all VPCs (including the firewall VPC and the VPC to be connected) to let them route traffic to the enterprise router. For details, see step 3.
- Create attachments for all VPCs (including the firewall VPC and the VPC to be connected). For details, see step 5.
- Create two route tables (er-RT1 and er-RT2, for example). For details, see step 6.
- Configure the association route table er-RT1 to transmit traffic from the VPC to the CFW. For details, see step 7.
- Configure the propagation route table er-RT2 to transmit traffic from the CFW to the VPC. For details, see step 8.
- Verify that the communication is normal when the traffic passes only through the enterprise router. For details, see Verifying Configurations.
- If your enterprise router has generated traffic, perform the following operations. For details, see Configuring a Used Enterprise Router.
- Create a connection named vpc-cfw-er to the firewall VPC. For details, see step 4.
- Delete the associations and propagations of the automatically generated firewall VPC (vpc-cfw-er) from the default route table (er-RT1). For details, see step 5.
- Create a route table (er-RT2) and configure the associations and propagations. For details, see step 6 and step 7.
- Configure static routes in the default route table (er-RT1) and delete all propagations in the table. For details, see step 8.
- (Optional) Set the propagation route table. After setting the propagation route table to er-RT2, if you add new VPCs, you only need to configure attachments. For more information, see step 9.
Creating a Firewall
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
- Click Create Firewall, select an enterprise router, and configure a CIDR block.
- An enterprise router is used for traffic diversion. It must meet the following requirements:
- Not associated with other firewall instances.
- Belongs to the current account and is not shared with other users.
- Default Route Table Association, Default Route Table Propagation, and Auto Accept Shared Attachments must be disabled.
- After a CIDR block is configured, an inspection VPC is created by default to forward traffic to CFW. A CFW-associated subnet is automatically allocated to forward traffic to an enterprise router. Pay attention to the following restrictions:
- After a firewall is created, its CIDR block cannot be modified.
- The CIDR block must meet the following requirements:
- Only private network address segments (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are supported. Otherwise, route conflicts may occur in public network access scenarios, such as SNAT.
- The CIDR block 10.6.0.0/16-10.7.0.0/16 is reserved for CFW and cannot be used.
- This CIDR block cannot overlap with the private CIDR block to be protected, or routing conflicts and protection failures may occur.
- Click OK. The firewall will be created in 3 to 5 minutes.
Configuring a New Enterprise Router
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Configure the route tables of VPCs (VPC1, VPC2, and vpc-cfw-er) to divert traffic to the enterprise router.
In the service list, choose Networking > Virtual Private Cloud. In the navigation pane, choose Route Tables. In the Name/ID column, click the route table name of the VPC to be protected.
Click Add Route. The following table describes the parameters.
Table 1 Route parameters

| Parameter | Description | Example Value |
|---|---|---|
| Destination | Destination CIDR block. NOTICE: The value cannot conflict with existing routes or subnet CIDR blocks in the VPC. | xx.xx.xx.0/16 |
| Next Hop Type | Select Enterprise Router from the drop-down list. | Enterprise Router |
| Next Hop | Select a resource for the next hop. The enterprise routers you created are displayed in the drop-down list. | cfw-er |
| Description | (Optional) Supplementary information about the route. NOTE: Enter up to 255 characters. Angle brackets (< or >) are not allowed. | - |
- In the service list, choose Networking > Enterprise Router.
Add a VPC connection to the enterprise router. For details, see Adding VPC Attachments to an Enterprise Router.
- Add at least three VPC attachments (for CFW and the two protected VPCs). An attachment is required for each protected VPC you add.
For example, the firewall attachment (automatically generated after the firewall is created) is named cfw-er-auto, the VPC1 attachment is named vpc-1, the VPC2 attachment is named vpc-2, and the VPC3 attachment is named vpc-3.
- To use the enterprise router of account A to protect VPCs under account B, share the router with account B. For details, see Creating a Sharing.
- Create two route tables er-RT1 and er-RT2 for connecting to the VPC and the firewall, respectively.
Click the enterprise router name and click the Route Table tab. Click Create Route Table.
For details about the parameters, see Table 2.
Table 2 Route table parameters

| Parameter | Description | Example Value |
|---|---|---|
| Name | Route table name. The name must contain 1 to 64 characters and can contain letters, digits, underscores (_), hyphens (-), and periods (.). | er-RT1/er-RT2 |
| Description | Route table description | - |
| Tag | During route table creation, you can tag the route table resources. Tags identify cloud resources for easy categorization and quick search. For details about tags, see Tag Overview. | Tag key: test; Tag value: 01 |
- Configure the association route table er-RT1. Set the associations and routing.
- Select the route table (er-RT1) to be connected to the VPC. On the Route Tables tab, click the Associations tab and click Create Association.
For more information, see Association parameters.
Figure 4 Creating an association
Table 4 VPC2 association parameters

| Parameter | Description | Example Value |
|---|---|---|
| Attachment Type | Select VPC. | VPC |
| Attachment | Select an item from the Attachment drop-down list. | vpc-2 |
- Create the routing of the route table (er-RT1). Click the Routes tab and click Create Route. You can create one or more routes as needed.
For more information, see Route parameters.
Figure 5 Creating a route
Table 5 Route parameters

| Parameter | Description |
|---|---|
| Destination | Set it to 0.0.0.0/0. |
| Blackhole Route | You are advised to disable this function. If it is enabled, packets whose destination matches the blackhole route are discarded. |
| Attachment Type | Set Attachment Type to CFW instance. |
| Next Hop | Select the automatically generated firewall attachment cfw-er-auto-attach. |
- Configure the propagation route table er-RT2. Set the associations and routing.
- Select the route table (er-RT2) to be connected to the firewall. Click the Associations tab and click Create Association.
For more information, see Association parameters.
Figure 6 Creating an association
- Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation.
For more information, see Propagation parameters.
Figure 7 Creating a propagation
Table 7 Propagation parameters

| Parameter | Description | Example Value |
|---|---|---|
| Attachment Type | Select VPC. | VPC |
| Attachment | Select an item from the Attachment drop-down list. | vpc-1 |

Table 8 Propagation parameters

| Parameter | Description | Example Value |
|---|---|---|
| Attachment Type | Select VPC. | VPC |
| Attachment | Select an item from the Attachment drop-down list. | vpc-2 |
- Add at least two propagations. A propagation is required for each protected VPC you add.
For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.
- After a propagation is created, its route information will be extracted to the route table of the enterprise router, and a propagation route will be generated. In the same route table, the destinations of different propagation routes may be the same, and cannot be modified or deleted.
- You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and can be modified or deleted.
- If a static route and a propagation route in the same route table happen to use the same destination, the static route takes effect first.
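The two-table design configured above (er-RT1 as the association table that sends every VPC packet to the CFW attachment, er-RT2 as the propagation table that returns inspected traffic to the right VPC, with a static route taking effect over a propagated route on the same destination) can be checked with a small model. This is an added example, not Huawei Cloud code or tooling: the table and attachment names follow this page, the VPC CIDRs 10.1.0.0/16 and 10.2.0.0/16 are constructed, and the `cfw_in_rt1` switch shows why the firewall VPC must not remain associated with er-RT1, which the used-router procedure later on this page has you remove.

```python
"""Model of the two-route-table hairpin described on this page. Added example,
not Huawei Cloud code: table and attachment names follow the page, the VPC
CIDRs are constructed sample values."""
import ipaddress

CFW = "cfw-er-auto"  # attachment of the firewall VPC


class RouteTable:
    def __init__(self, name):
        self.name, self.routes = name, []  # routes: (network, next hop, kind)

    def add(self, dest, next_hop, kind="static"):
        net = ipaddress.ip_network(dest)
        # static destinations in one table must be unique; propagated ones may repeat
        if kind == "static" and any(k == "static" and n == net for n, _, k in self.routes):
            raise ValueError(f"{self.name}: static destination {dest} already exists")
        self.routes.append((net, next_hop, kind))

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        # longest prefix wins; on an equal destination a static route beats a propagated one
        hits = [(n.prefixlen, k == "static", hop) for n, hop, k in self.routes if ip in n]
        return max(hits)[2] if hits else None


def build_er(cfw_in_rt1=False):
    """Return the association map {attachment: route table} of the enterprise router.
    cfw_in_rt1=True models the firewall VPC still associated with er-RT1, the state
    the used-router procedure tells you to remove."""
    vpcs = {"vpc-1": "10.1.0.0/16", "vpc-2": "10.2.0.0/16"}  # constructed CIDRs
    rt1, rt2 = RouteTable("er-RT1"), RouteTable("er-RT2")
    rt1.add("0.0.0.0/0", CFW)                  # association table: VPC -> CFW
    for att, cidr in vpcs.items():
        rt2.add(cidr, att, kind="propagated")  # propagation table: CFW -> VPC
    assoc = {att: rt1 for att in vpcs}
    assoc[CFW] = rt1 if cfw_in_rt1 else rt2
    return assoc


def trace(assoc, src, dst_ip, max_hops=4):
    """Follow a packet entering from attachment src; return the attachment path."""
    path, hop = [src], src
    for _ in range(max_hops):
        hop = assoc[hop].lookup(dst_ip)
        if hop is None:
            return path + ["drop"]
        path.append(hop)
        if hop != CFW:
            return path  # delivered to a protected VPC
    return path + ["LOOP"]  # CFW egress re-entered er-RT1 and was sent back to CFW
```

With the correct layout `trace(build_er(), "vpc-1", "10.2.0.5")` yields vpc-1, cfw-er-auto, vpc-2; with the firewall VPC left in er-RT1 the packet bounces between er-RT1 and the CFW attachment until the hop limit.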
Verifying Configurations
Prerequisites
- You have completed configuration.
- Each of the two VPCs has an ECS.
Method
Ping the ECSs in the two VPCs from each other to check whether they can communicate properly when no traffic passes through the firewall.
Troubleshooting
Configuring a Used Enterprise Router
Applicable Scenario
An enterprise router (for example, vpc-cfw-er) has been deployed and generated traffic, and the associations and propagations of its default route table (er-RT1) have been enabled.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the service list, choose Networking > Enterprise Router.
- Add a firewall attachment.
Click Manage Attachment to go to the Attachments tab. Click Create Attachment and configure parameters. The following table describes the parameters. After the attachment is created, the associations and propagations of the firewall VPC will be generated too.
Table 9 Attachment parameters

| Parameter | Description | Example Value |
|---|---|---|
| Name | Attachment name. The name must contain 1 to 64 characters and can contain letters, digits, underscores (_), hyphens (-), and periods (.). | cfw-er-auto |
| Attachment Type | Attachment Type: VPC. VPC: select a firewall from the drop-down list. Subnet: select the subnet associated with CFW. | Attachment Type: VPC; VPC: vpc-cfw-er; Subnet: cfw-er-1 (xx.xx.1.0/24) |
| Auto Add Routes | Enable this option to automatically add routes (with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations) to all route tables of the selected VPC. Do not enable it if an existing route in the VPC route tables already has 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 as its destination, because the routes would fail to be added; in that case, manually add routes to the VPC route tables after the attachment is created. | Enable |
| Description | Route table description | - |
| Tag | During route table creation, you can tag the route table resources. Tags identify cloud resources for easy categorization and quick search. For details about tags, see Tag Overview. | Tag key: test; Tag value: 01 |
- Delete the associations and propagations of the firewall VPC (vpc-cfw-er) from the default route table er-RT1.
Click the route table and click the Associations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.
Click the Propagations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.
- Create route table er-RT2.
Click Create Route Table.
For more information, see Route table parameters.
Table 10 Route table parameters

| Parameter | Description | Example Value |
|---|---|---|
| Name | Route table name. The name must contain 1 to 64 characters and can contain letters, digits, underscores (_), hyphens (-), and periods (.). | er-RT2 |
| Description | Route table description | - |
| Tag | During route table creation, you can tag the route table resources. Tags identify cloud resources for easy categorization and quick search. For details about tags, see Tag Overview. | Tag key: test; Tag value: 01 |
- Configure the route table er-RT2. Set the associations and propagations.
- Select the route table er-RT2, click the Associations tab, and click Create Association.
For more information, see Association parameters.
Figure 8 Creating an association
- Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation.
For more information, see Propagation parameters.
Figure 9 Creating a propagation
Table 12 Propagation parameters

| Parameter | Description | Example Value |
|---|---|---|
| Attachment Type | Select VPC. | VPC |
| Attachment | Select an item from the Attachment drop-down list. | vpc-1 |

Table 13 Propagation parameters

| Parameter | Description | Example Value |
|---|---|---|
| Attachment Type | Select VPC. | VPC |
| Attachment | Select an item from the Attachment drop-down list. | vpc-2 |
- Add at least two propagations. A propagation is required for each protected VPC you add.
For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.
- After a propagation is created, its route information will be extracted to the route table of the enterprise router, and a propagation route will be generated. In the same route table, the destinations of different propagation routes may be the same, and cannot be modified or deleted.
- You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and can be modified or deleted.
- If a static route and a propagation route in the same route table happen to use the same destination, the static route takes effect first.
- Configure the default route table er-RT1.
- Add a static route. Select the route table er-RT1, click the Routes tab, click Create Route, and configure the following parameters:
- Destination: 0.0.0.0/0
- Attachment Type: CFW instance.
- Next Hop: cfw-er-auto (attachment of the firewall VPC)
Figure 10 Adding a static route
- Delete the propagation in the route table er-RT1.
Click the Propagations tab. In the Operation column, click Delete. In the confirmation dialog box, click Yes.
Delete all the propagations in the route table er-RT1.
- (Optional) You are advised to change the propagation route table of the enterprise router to the new route table (er-RT2), so that you simply need to configure an attachment when adding a VPC.
Go to the Enterprise Router page, choose More > Modify Settings, and set the propagation route table to er-RT2.
Figure 11 Modifying configurations
To use the enterprise router of account A to protect VPCs under account B, share the router with account B, and add an attachment in account B. For details, see Creating a Sharing.