Updated on 2024-05-14 GMT+08:00

Configuring the VPC Border Firewall

Application Scenarios

A VPC border firewall can collect statistics on communication traffic between VPCs, helping you detect abnormal traffic.

Constraints

  • Only the professional edition supports VPC border firewalls.
  • Traffic diversion depends on the enterprise router.
  • Only VPCs in the enterprise project to which the current account belongs can be protected.
  • If your VPCs use address space outside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 as private network CIDR blocks, submit a service ticket before deployment; otherwise, CFW may fail to forward traffic between your VPCs.

Applicable Version

This procedure applies to the new VPC border firewall version.

Check the console GUI to determine your version: the page for creating a VPC border firewall differs between versions, as shown in Figure 1 (new version) and Figure 2 (old version).
Figure 1 VPC border firewall (new version)
Figure 2 Creating a VPC border firewall (old version)

How to Configure

The process is as follows:

  1. Create a firewall and bind it to an enterprise router. A firewall VPC (for example, vpc-cfw-er) and its CFW-associated subnet are created automatically. For details, see Creating a Firewall.
  2. If the enterprise router is newly created and carries no traffic yet, configure it as described in Configuring a New Enterprise Router:
    1. Configure the route tables of all VPCs (including the firewall VPC and the VPCs to be protected) to route traffic to the enterprise router. For details, see step 3.
    2. Create attachments for all VPCs (including the firewall VPC and the VPCs to be protected). For details, see step 4.
    3. Create two route tables (for example, er-RT1 and er-RT2). For details, see step 5.
    4. Configure the association route table er-RT1 to send traffic from the protected VPCs to CFW (see step 6), and the propagation route table er-RT2 to send traffic from CFW back to the VPCs (see step 7).
    5. Verify that the two VPCs communicate normally. For details, see Verifying Configurations.
  3. If the enterprise router is already in use and carrying traffic, perform the following operations instead. For details, see Configuring a Used Enterprise Router.
    1. Create an attachment (for example, cfw-er-auto) to the firewall VPC vpc-cfw-er. For details, see step 4.
    2. Delete the automatically generated association and propagation of the firewall VPC (vpc-cfw-er) from the default route table (er-RT1). For details, see step 5.
    3. Create a route table (er-RT2) and configure its association and propagations. For details, see step 6 and step 7.
    4. Add a static route to the default route table (er-RT1) and delete all propagations from it. For details, see step 8.
    5. (Optional) Set er-RT2 as the propagation route table of the enterprise router. After that, adding a new VPC only requires creating an attachment. For details, see step 9.
Figure 3 Traffic flow

Creating a Firewall

  1. Log in to the management console.
  2. In the upper left corner of the management console, select a region or project.
  3. In the navigation pane on the left, choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed.
  4. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
  5. Click Create Firewall, select an enterprise router, and configure a CIDR block.

    • An enterprise router is used for traffic diversion. It must meet the following requirements:
      • Not associated with other firewall instances.
      • Belongs to the current account and is not shared with other users.
      • Default Route Table Association, Default Route Table Propagation, and Auto Accept Shared Attachments must be disabled.
    • After a CIDR block is configured, an inspection VPC is created by default to forward traffic to CFW. A CFW-associated subnet is automatically allocated to forward traffic to an enterprise router. Pay attention to the following restrictions:
      • After a firewall is created, its CIDR block cannot be modified.
      • The CIDR block must meet the following requirements:
        • Only private network address segments (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are supported. Otherwise, route conflicts may occur in public network access scenarios such as SNAT.
        • The range 10.6.0.0/16 to 10.7.0.0/16 is reserved for CFW and cannot be used.
        • The CIDR block must not overlap with the CIDR blocks of the VPCs to be protected; otherwise, routing conflicts and protection failures may occur.

  6. Click OK. The firewall will be created in 3 to 5 minutes.
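The CIDR rules above can be checked before you click Create Firewall, since the block cannot be changed afterwards. The following Python script is an added example, not code from the Huawei Cloud documentation or from the CFW service: it encodes the three rules stated on this page (private ranges only, the reserved range 10.6.0.0/16 to 10.7.0.0/16, and no overlap with any protected VPC) and lists every violation for a candidate inspection-VPC CIDR. The protected VPC CIDRs 10.1.0.0/16 and 10.2.0.0/16 and the candidate blocks are constructed sample values.

```python
"""Pre-flight check for the CFW inspection-VPC CIDR block.

Added example, not part of the Huawei Cloud documentation or of CFW itself.
Encodes the three rules this page states for the firewall CIDR block:
  1. only the private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16;
  2. 10.6.0.0/16 to 10.7.0.0/16 (together 10.6.0.0/15) is reserved for CFW;
  3. no overlap with any protected VPC CIDR.
"""
import ipaddress

PRIVATE_RANGES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# 10.6.0.0/16 and 10.7.0.0/16 are adjacent, so a single /15 covers both.
RESERVED_FOR_CFW = ipaddress.ip_network("10.6.0.0/15")


def check_firewall_cidr(cidr, protected_cidrs):
    """Return the list of rule violations for a candidate firewall CIDR.

    An empty list means the block satisfies every rule on this page.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr!r} is not a valid CIDR block: {exc}"]
    if net.version != 4:
        return [f"{net} is not an IPv4 block"]

    problems = []
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        problems.append(
            f"{net} is not inside a private range; routes may conflict with "
            "public network access such as SNAT"
        )
    if net.overlaps(RESERVED_FOR_CFW):
        problems.append(f"{net} overlaps the CFW-reserved range 10.6.0.0/16-10.7.0.0/16")
    for p in protected_cidrs:
        pn = ipaddress.ip_network(p, strict=False)
        if net.overlaps(pn):
            problems.append(f"{net} overlaps protected VPC CIDR {pn}; protection would fail")
    return problems


if __name__ == "__main__":
    # Constructed sample values: two protected VPCs and four candidate blocks.
    protected = ["10.1.0.0/16", "10.2.0.0/16"]
    for candidate in ("10.200.0.0/16", "10.6.1.0/24", "10.1.128.0/24", "203.0.113.0/24"):
        result = check_firewall_cidr(candidate, protected)
        print(candidate, "OK" if not result else "; ".join(result))
```

Run the script as-is to see one accepted block and three rejected ones; in practice, feed it the CIDRs of every VPC you intend to attach, including VPCs you may add later, because an overlap discovered after creation means deleting and recreating the firewall.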

Configuring a New Enterprise Router

  1. Log in to the management console.
  2. In the upper left corner of the management console, select a region or project.
  3. Configure the route tables of VPCs (VPC1, VPC2, and vpc-cfw-er) to divert traffic to the enterprise router.

    In the service list, choose Networking > Virtual Private Cloud. In the navigation pane, choose Route Tables. In the Name/ID column, click the route table name of the VPC to be protected.

    Click Add Route. The following table describes the parameters.

    Table 1 Route parameters
    • Destination: Destination CIDR block. NOTICE: The value cannot conflict with existing routes or subnet CIDR blocks in the VPC. Example: xx.xx.xx.0/16
    • Next Hop Type: Select Enterprise Router from the drop-down list. Example: Enterprise Router
    • Next Hop: Select the next-hop resource. The enterprise routers you have created are displayed in the drop-down list. Example: cfw-er
    • Description: (Optional) Supplementary information about the route. Enter up to 255 characters; angle brackets (< or >) are not allowed. Example: -

  4. In the service list, choose Networking > Enterprise Router.

    Add VPC attachments to the enterprise router. For details, see Adding VPC Attachments to an Enterprise Router.

    • Add at least three VPC attachments: one for the firewall VPC and one for each of the two protected VPCs. Every additional protected VPC needs its own attachment.

      In this section, the firewall attachment (created automatically with the firewall) is named cfw-er-auto, the VPC1 attachment is named vpc-1, and the VPC2 attachment is named vpc-2; a third protected VPC would get an attachment such as vpc-3.

    • To use the enterprise router of account A to protect VPCs under account B, share the router with account B. For details, see Creating a Sharing.

  5. Create two route tables er-RT1 and er-RT2 for connecting to the VPC and the firewall, respectively.

    Click the enterprise router name and click the Route Table tab. Click Create Route Table.

    For details about the parameters, see Table 2.

    Table 2 Route table parameters
    • Name: Route table name. Must contain 1 to 64 characters; can contain letters, digits, underscores (_), hyphens (-), and periods (.). Example: er-RT1/er-RT2
    • Description: Route table description. Example: -
    • Tag: You can tag the route table when creating it. Tags identify cloud resources for easy categorization and quick search. For details, see Tag Overview. Example: Tag key: test; Tag value: 01

  6. Configure the association route table er-RT1: set its associations and its route.

    1. Select the route table (er-RT1) to be associated with the protected VPCs. On the Route Tables tab, click the Associations tab and click Create Association.
      For more information, see Association parameters.
      Figure 4 Creating an association
      Table 3 VPC1 association parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-1

      Table 4 VPC2 association parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-2

    2. Create the route for the route table (er-RT1). Click the Routes tab and click Create Route. You can create more routes later if needed.

      For more information, see Route parameters.

      Figure 5 Creating a route
      Table 5 Route parameters
      • Destination: Set it to 0.0.0.0/0, so that all traffic arriving from a protected VPC is sent to CFW.
      • Blackhole Route: Keep it disabled. If it is enabled, packets matching the destination of the blackhole route are discarded.
      • Attachment Type: Set it to CFW instance.
      • Next Hop: Select the automatically generated firewall attachment cfw-er-auto.

      Do not create propagations in er-RT1. A propagated VPC route is more specific than 0.0.0.0/0 and would let traffic between the protected VPCs bypass the firewall.

  7. Configure the propagation route table er-RT2: set its association and propagations.

    1. Select the route table (er-RT2) to be associated with the firewall. Click the Associations tab and click Create Association.

      For more information, see Association parameters.

      Figure 6 Creating an association
      Table 6 Association parameters
      • Attachment Type: Set it to CFW instance.
      • Attachment: Select the automatically generated firewall attachment cfw-er-auto.

    2. Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation.

      For more information, see Propagation parameters.

      Figure 7 Creating a propagation
      Table 7 VPC1 propagation parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-1

      Table 8 VPC2 propagation parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-2

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, its route information will be extracted to the route table of the enterprise router, and a propagation route will be generated. In the same route table, the destinations of different propagation routes may be the same, and cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and can be modified or deleted.
      • If a static route and a propagation route in the same route table happen to use the same destination, the static route takes effect first.
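The two route tables built in steps 6 and 7 (and, for a router already in use, the identical end state reached in Configuring a Used Enterprise Router) can be checked offline against the lookup rules this page states: a static route beats a propagated route with the same destination, and otherwise the most specific prefix wins. The following Python model is an added example, not Huawei Cloud code and not an API of the Enterprise Router service. Attachment and table names (cfw-er-auto, vpc-1, vpc-2, er-RT1, er-RT2) are the page's own examples; the VPC CIDRs 10.1.0.0/16 and 10.2.0.0/16 are constructed sample values. It traces a packet between the two protected VPCs in both directions and then shows how a propagation left in er-RT1 lets the same packet bypass CFW.

```python
"""Offline model of the enterprise-router route tables built in this section.

Added example, not Huawei Cloud code. It reproduces the lookup behaviour the
page describes (a static route beats a propagated route with the same
destination; otherwise the most specific prefix wins) and traces a packet
between two protected VPCs to confirm it is handed to the CFW attachment in
both directions. Attachment and table names are the page's examples; the VPC
CIDRs 10.1.0.0/16 and 10.2.0.0/16 are constructed sample values.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    next_hop: str            # attachment name
    static: bool             # False for a propagated route
    blackhole: bool = False


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)

    def add_static(self, destination, next_hop, blackhole=False):
        self.routes.append(Route(ipaddress.ip_network(destination), next_hop, True, blackhole))

    def propagate(self, attachment, cidrs):
        # A propagation pulls the attachment's VPC CIDRs in as propagated routes.
        for cidr in cidrs:
            self.routes.append(Route(ipaddress.ip_network(cidr), attachment, False))

    def lookup(self, dst_ip):
        matches = [r for r in self.routes if dst_ip in r.destination]
        if not matches:
            return None
        # Most specific prefix first; on a tie the static route takes effect first.
        return max(matches, key=lambda r: (r.destination.prefixlen, r.static))


@dataclass
class EnterpriseRouter:
    attachments: dict                                 # attachment name -> "VPC" or "CFW"
    tables: dict = field(default_factory=dict)        # table name -> RouteTable
    associations: dict = field(default_factory=dict)  # attachment -> table name

    def trace(self, src_attachment, dst_ip, max_hops=8):
        """Return the attachments a packet from src_attachment is forwarded to."""
        dst = ipaddress.ip_address(dst_ip)
        path, current = [], src_attachment
        for _ in range(max_hops):
            # Each attachment is looked up in the table it is associated with.
            route = self.tables[self.associations[current]].lookup(dst)
            if route is None or route.blackhole:
                return path + ["DROP"]
            path.append(route.next_hop)
            if self.attachments[route.next_hop] == "VPC":
                return path           # delivered to the protected VPC
            # CFW inspects the packet and returns it to the router, which looks
            # it up again in the table associated with the CFW attachment.
            current = route.next_hop
        return path + ["LOOP"]


VPC_CIDRS = {"vpc-1": ["10.1.0.0/16"], "vpc-2": ["10.2.0.0/16"]}  # constructed values


def build_protected_router():
    """Build the er-RT1/er-RT2 layout from steps 6 and 7 above."""
    er = EnterpriseRouter({"cfw-er-auto": "CFW", "vpc-1": "VPC", "vpc-2": "VPC"})
    rt1, rt2 = RouteTable("er-RT1"), RouteTable("er-RT2")
    er.tables = {"er-RT1": rt1, "er-RT2": rt2}
    # Step 6: protected VPCs associate with er-RT1, whose only route is 0.0.0.0/0 -> CFW.
    er.associations.update({"vpc-1": "er-RT1", "vpc-2": "er-RT1"})
    rt1.add_static("0.0.0.0/0", "cfw-er-auto")
    # Step 7: the CFW attachment associates with er-RT2, which learns the VPC
    # routes through one propagation per protected VPC.
    er.associations["cfw-er-auto"] = "er-RT2"
    for name, cidrs in VPC_CIDRS.items():
        rt2.propagate(name, cidrs)
    return er


def inspected(er, src_attachment, dst_ip):
    """True if the traced path passes through the CFW attachment."""
    return "cfw-er-auto" in er.trace(src_attachment, dst_ip)


if __name__ == "__main__":
    er = build_protected_router()
    print(er.trace("vpc-1", "10.2.0.10"))   # ['cfw-er-auto', 'vpc-2']
    print(er.trace("vpc-2", "10.1.0.10"))   # ['cfw-er-auto', 'vpc-1']
    # A leftover propagation in er-RT1 (what step 8.2 of the used-router
    # procedure removes) is more specific than 0.0.0.0/0, so CFW is bypassed.
    er.tables["er-RT1"].propagate("vpc-2", VPC_CIDRS["vpc-2"])
    print(er.trace("vpc-1", "10.2.0.10"))   # ['vpc-2']
```

The bypass case is the one to remember: er-RT1 must contain nothing but the 0.0.0.0/0 route to the firewall, because any propagated VPC route in that table is preferred over the default route and silently takes the traffic around CFW. A destination that no propagation in er-RT2 covers is dropped after inspection, which is the expected result for a VPC you have not yet attached.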

Verifying Configurations

Prerequisites

  • You have completed the configuration.
  • Each of the two VPCs has an ECS.

Method

From the ECS in one VPC, ping the ECS in the other VPC, and then repeat in the opposite direction, to check that the two VPCs communicate normally. Also confirm in the CFW console that the ping traffic appears in the inter-VPC traffic statistics: a ping that succeeds while CFW records nothing means the traffic is bypassing the firewall, for example because a propagation to the destination VPC still exists in er-RT1.

Troubleshooting

  1. Check whether the two route tables of the enterprise router are correctly configured. For details, see step 6 and step 7.
  2. Check whether the route tables of VPC1 and VPC2 direct traffic to the enterprise router. For details, see step 3.

Configuring a Used Enterprise Router

Applicable Scenario

An enterprise router (for example, cfw-er) has already been deployed and is carrying traffic, and the associations and propagations of its default route table (er-RT1) are enabled.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the management console, select a region or project.
  3. In the service list, choose Networking > Enterprise Router.
  4. Add a firewall attachment.

    Click Manage Attachment to go to the Attachments tab. Click Create Attachment and configure the parameters described in the following table. Because association and propagation with the default route table are enabled on this router, an association and a propagation for the firewall VPC are generated in er-RT1 as soon as the attachment is created; you remove them in the next step.

    Table 9 Attachment parameters
    • Name: Attachment name. Must contain 1 to 64 characters; can contain letters, digits, underscores (_), hyphens (-), and periods (.). Example: cfw-er-auto
    • Attachment Type: Set it to VPC. Example: VPC
    • VPC: Select the firewall VPC from the drop-down list. Example: vpc-cfw-er
    • Subnet: Select the subnet associated with CFW. Example: cfw-er-1 (xx.xx.1.0/24)
    • Auto Add Routes: Enable this option to automatically add routes with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations to all route tables of the selected VPC. Do not enable it if a route table of the VPC already has a route to 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, because the routes would fail to be added; in that case, add the routes to the VPC route tables manually after the attachment is created. Example: Enable
    • Description: Attachment description. Example: -
    • Tag: You can tag the attachment when creating it. Tags identify cloud resources for easy categorization and quick search. For details, see Tag Overview. Example: Tag key: test; Tag value: 01

  5. Delete the associations and propagations of the firewall VPC (vpc-cfw-er) from the default route table er-RT1.

    Click the route table and click the Associations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

    Click the Propagations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

  6. Create route table er-RT2.

    Click Create Route Table.

    For more information, see Route table parameters.

    Table 10 Route table parameters
    • Name: Route table name. Must contain 1 to 64 characters; can contain letters, digits, underscores (_), hyphens (-), and periods (.). Example: er-RT2
    • Description: Route table description. Example: -
    • Tag: You can tag the route table when creating it. Tags identify cloud resources for easy categorization and quick search. For details, see Tag Overview. Example: Tag key: test; Tag value: 01

  7. Configure the route table er-RT2: set its association and propagations.

    1. Select the route table er-RT2, click the Associations tab, and click Create Association.

      For more information, see Association parameters.

      Figure 8 Creating an association
      Table 11 Association parameters
      • Attachment Type: Set it to CFW instance. Example: CFW instance
      • Attachment: Select an item from the Attachment drop-down list. Example: cfw-er-auto

    2. Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation.

      For more information, see Propagation parameters.

      Figure 9 Creating a propagation
      Table 12 VPC1 propagation parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-1

      Table 13 VPC2 propagation parameters
      • Attachment Type: Select VPC. Example: VPC
      • Attachment: Select an item from the Attachment drop-down list. Example: vpc-2

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, its route information will be extracted to the route table of the enterprise router, and a propagation route will be generated. In the same route table, the destinations of different propagation routes may be the same, and cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and can be modified or deleted.
      • If a static route and a propagation route in the same route table happen to use the same destination, the static route takes effect first.

  8. Configure the default route table er-RT1.

    1. Add a static route. Select the route table er-RT1, click the Routes tab, click Create Route, and configure the following parameters:
      • Destination: 0.0.0.0/0
      • Attachment Type: CFW instance
      • Next Hop: cfw-er-auto (attachment of the firewall VPC)
        Figure 10 Adding a static route
    2. Delete all propagations from the route table er-RT1.

      Click the Propagations tab. In the Operation column of each propagation, click Delete, and click Yes in the confirmation dialog box. Repeat until no propagation remains: a propagated route left in er-RT1 is more specific than 0.0.0.0/0 and lets traffic to that VPC bypass the firewall.

  9. (Optional) You are advised to change the propagation route table of the enterprise router to the new route table (er-RT2), so that you simply need to configure an attachment when adding a VPC.

    Go to the Enterprise Router page, choose More > Modify Settings, and set the propagation route table to er-RT2.
    Figure 11 Modifying configurations

    To use the enterprise router of account A to protect VPCs under account B, share the router with account B, and add an attachment in account B. For details, see Creating a Sharing.