- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Creating a User Group and Granting Permissions
- Checking the Dashboard
- Purchasing and Changing the Specifications of CFW
- Enabling Internet Border Traffic Protection
- Enabling VPC Border Traffic Protection
- Enabling NAT Gateway Traffic Protection
-
Configuring Access Control Policies to Control Traffic
- Access Control Policy Overview
- Configuring Protection Rules to Block or Allow Traffic
- Adding Blacklist or Whitelist Items to Block or Allow Traffic
- Viewing Protection Information Using the Policy Assistant
- Managing Access Control Policies
- Managing IP Address Groups
- Domain Name Management
- Service Group Management
- Attack Defense
- Viewing Traffic Statistics
- Viewing CFW Protection Logs
- System Management
- Permissions Management
- Using Cloud Eye to Monitor CFW
- CTS Auditing
-
Best Practices
- CFW Best Practice Summary
- Purchasing and Querying CFW via API
- Migrating Security Policies to CFW in Batches
- Configuration Suggestions for Using CFW with WAF, Advanced Anti-DDoS, and CDN
- Allowing Internet Traffic Only to a Specified Port
- Allowing Outbound Traffic from Cloud Resources Only to a Specified Domain Name
- Using CFW to Defend Against Network Attacks
- Configuring a Protection Rule to Protect Traffic Between Two VPCs
- Configuring a Protection Rule to Protect SNAT Traffic
- Using CFW to Protect Enterprise Resources
- Using CFW to Protect EIPs Across Accounts
- Using CFW to Protect VPCs Across Accounts
-
API Reference
- Before You Start
- API Overview
- API Calling
-
API
-
Firewall Management
- Creating a Firewall
- Obtaining the Status of a CFW Task
- Deleting a Firewall
- Querying the Firewall List
- Changing the East-West Firewall Protection Status
- Querying Firewall Details
- Obtaining East-West Firewall Information
- Creating an East-West Firewall
- Querying the Number of Protected VPCs
- Creating a Tag
- Deleting a Tag
- EIP Management
-
ACL Rule Management
- Creating an ACL Rule
- Deleting an ACL Rule
- Deleting ACL Rules in Batches
- Deleting the Number of Rule Hits
- Updating an ACL Rule
- Updating Rule Actions in Batches
- Setting the Priority of an ACL Protection Rule
- Querying a Protection Rule
- Querying Rule Tags
- Obtaining the Number of Rule Hits
- Viewing the Region List
- Checking the ACL Import Status
- Blacklist/Whitelist Management
- Address Group Management
- Service Group Management
-
Domain Name Resolution and Domain Name Group Management
- Adding a Domain Name Group
- Deleting a Domain Name Group
- Updating a Domain Name Group
- Updating the DNS Server List
- Querying the Domain Name Group List
- Querying the DNS Server List
- Querying an IP Address for Domain Name Resolution
- Obtain the list of domain names in a domain name group
- Adding a Domain Name List
- Deleting a Domain Name List
- Viewing Domain Group Details
- Obtaining the DNS Resolution Result of a Domain Name
- Deleting Domain Groups in Batches
- IPS management
- Log Management
- Packet Capture Management
- Antivirus Management
- Alarm Configuration Management
- Tag Management
- IPS Management
-
Firewall Management
- Appendix
- SDK Reference
-
FAQs
-
About the Product
- Does CFW Support Off-Cloud Servers?
- What Are the QPS, New Connections, and Concurrent Connections Supported by CFW?
- Can CFW Be Shared Across Accounts?
- What Are the Differences Between CFW and WAF?
- What Are the Differences Between CFW, Security Groups, and Network ACLs?
- How Does CFW Control Access?
- What Are the Priorities of the Protection Settings in CFW?
- Can WAF, Advanced Anti-DDoS, and CFW Be Deployed Together?
- Can CFW Protect Resources Across Enterprise Projects?
- How Long Are CFW Logs Stored by Default?
- Regions and AZs
-
Troubleshooting
- What Do I Do If Service Traffic is Abnormal?
- Why Are Traffic and Attack Logs Incomplete?
- Why Does a Protection Rule Not Take Effect?
- What Do I Do If IPS Blocks Normal Services?
- Why Is No Data Displayed on the Access Control Logs Page?
- Why Is the IP Address Translated Using NAT64 Blocked?
- Why Some Permissions Become Invalid After a System Policy Is Granted to an Enterprise Project?
- What Do I Do If a Message Indicating Insufficient Permissions Is Displayed When I Configure LTS Logs?
-
Network Traffic
- How Do I Calculate the Number of Protected VPCs and the Peak Protection Traffic at the VPC Border?
- How Does CFW Collect Traffic Statistics?
- What Is the Protection Bandwidth Provided by CFW?
- What Do I Do If My Service Traffic Exceeds the Protection Bandwidth?
- What Are the Differences Between the Data Displayed in Traffic Trend Module and the Traffic Analysis Page?
- How Do I Verify the Validity of an Outbound HTTP/HTTPS Domain Protection Rule?
- How Do I Obtain the Real IP Address of an Attacker?
- What Do I Do If a High Traffic Warning Is Received?
-
About the Product
- Videos
-
More Documents
-
User Guide (Ankara Region)
- Product Overview
- Checking the Dashboard
- Creating Cloud Firewall
- Enabling Internet Border Traffic Protection
- Enabling VPC Border Traffic Protection
-
Configuring Access Control Policies to Control Traffic
- Access Control Policy Overview
- Configuring Protection Rules to Block or Allow Traffic
- Adding Blacklist or Whitelist Items to Block or Allow Traffic
- Viewing Protection Information Using the Policy Assistant
- Managing Access Control Policies
- Managing IP Address Groups
- Domain Name Management
- Service Group Management
- Attack Defense
- Viewing Traffic Statistics
- Viewing CFW Protection Logs
- System Management
-
FAQs
-
About the Product
- Does CFW Support Off-Cloud Servers?
- What Are the QPS, New Connections, and Concurrent Connections Supported by CFW?
- Can CFW Be Shared Across Accounts?
- What Are the Differences Between CFW and WAF?
- What Are the Differences Between CFW, Security Groups, and Network ACLs?
- How Does CFW Control Access?
- What Are the Priorities of the Protection Settings in CFW?
- Can WAF and CFW Be Deployed Together?
- Troubleshooting
- Network Traffic
-
About the Product
- Change History
- API Reference (Ankara Region)
-
User Guide (Ankara Region)
- General Reference
Copied.
SNAT Protection Overview
Context
The CFW standard edition protects traffic between EIPs, for example, traffic generated when the Network Address Translation (NAT) gateway is used for multiple VPCs or subnets to use EIPs to initiate external access. The CFW professional edition provides more fine-grained access control, for example, on the traffic generated when private IP addresses are used to initiate access to the public network.
This section describes how to configure the CFW professional edition to protect access from private IP addresses to the public network in the SNAT scenario.
Prerequisites
- An enterprise router has been configured. For more information, see What's an Enterprise Router?
- A firewall has been created. For more information, see Creating a Firewall.
Constraints
- Only the professional edition supports access control over private IP addresses.
- By default, CFW supports standard private network CIDR blocks. To enable non-standard CIDR block communication, submit a service ticket.
Networking for SNAT Protection
The request traffic and response traffic are transmitted along the same path.
Suggestion
- You are advised to create an independent VPC for the NAT gateway. To avoid affecting access control, do not use the VPC in the network configurations of Elastic Cloud Servers (ECSs) or other instances.
- If the existing network is complex or improperly configured (for example, VPC CIDR blocks overlap, the NAT gateway has complex configurations, or east-west communication has been configured using VPC Peering), fully evaluate risks in network interconnections, route loops, and route conflicts.
- Test firewall configurations before applying them to a network. You can create a test server, configure the destination address route in the VPC route table, use and the test server in the VPC to check whether the entire service flow runs properly and whether the configured rules are effective. Switch the service flow over to the live network after the configurations pass the test.
- Do not configure interception rules immediately after CFW is enabled. Check whether workloads are normal after traffic passes through the firewall. Gradually add rules and verify them in a timely manner. Once a problem is detected, disable protection in a timely manner to avoid affecting workloads.
- SNAT EIPs do not allow inbound access from the external network. Their outbound access control rules use the Internet border protection capabilities. You are not advised to enable protection for EIPs bound to SNAT on the EIPs page, because doing to may interrupt rule implementation and logging.
Configuration Process
- Connecting VPC1 and VPC-NAT to an Enterprise Router
- Configuring a NAT Gateway
- Configuring a Route Table for VPC1
- (Optional) Test network connectivity. Use the test server in the service VPC to access the external network. If the access is successful, the NAT configuration is proper.
- Enable firewall protection between VPCs. For details, see Enabling a VPC Border Firewall.
- (Optional) Use the test server in the service VPC to test the network connectivity again. If the firewall traffic log contains response records, traffic has been successfully diverted to the firewall. For details about how to query traffic logs, see Traffic Logs.
- Perform the operations described in Configuring a NAT Protection Rule on the firewall.
- (Optional) Use the test server to access the IP address or domain name and check whether the access control log contains a log that matches the rule. If it does, the protection rule has taken effect. For more information, see Access Control Logs.
- After the configurations pass the verification, gradually switch workloads from the production-like or live network environment to CFW.
Figure 1 SNAT protection configuration process
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot