Using CFW to Protect VPCs Across Accounts

Application Scenarios

Protect resources across accounts. For example, different departments in an enterprise use different accounts but need to share CFW protection policies.

This section describes how to use CFW to protect the VPC of account A and add the VPC of another account to CFW.

Solution Overview

VPC border protection has been enabled for account A for a period of time, and you need to add the VPCs of accounts B and C for protection. The solution is as follows:

Account A shares an enterprise router with accounts B and C. Accounts B and C add attachments to the enterprise router. Account A accepts the attachments in the enterprise router and adds associations and propagations. Accounts B and C add routes to their VPCs to configure access for protection. In this way, CFW protection policies will protect the VPC resources of accounts B and C as well.

Figure 1 Cross-account protection solution

Figure 2 Procedure

Resource and Cost Planning

Adding VPCs of Another Account to CFW

VPC border protection has been enabled for account A (for details, see Configuring a Protection Rule to Protect Traffic Between Two VPCs) and has been running for a period of time. To add the VPCs of accounts B and C to protection, perform the following steps:

1. Use account A to share the enterprise router with accounts B and C. For details, see Creating a Sharing.
2. Use accounts B and C to add attachments to the enterprise router. For details, see Creating a VPC Attachment.
   • One attachment needs to be added for each VPC.
   • In the following example, account B has a VPC named VPC1 and an attachment named VPC_B. Account C has a VPC named VPC2 and an attachment named VPC_C.

3. Use account A to configure the route table.
   1. Accept the attachment requests from accounts B and C. For details, see Accepting an Attachment Request.
   2. Add associations.

      Click an enterprise router and click the Route Tables tab. On the page that is displayed, select the association route table (er-RT1), click the Associations tab, and click Create Association.

      How to identify the association route table: The association route table is used to transmit traffic from VPC to CFW. The current configurations are as follows:

      • Associations tab (having multiple attachments):
        • Attachment Type: VPC
        • Attachment: connections to multiple VPCs under account A
      • Key parameters on the Routes tab:
        • Attachment Type: CFW instance
        • Next Hop: firewall connection (cfw-er-auto-attach)

      This section uses account B as an example to describe how to add VPCs. If you need to add multiple (for example, three) VPCs, you need to add the corresponding number (for example, three) of associations.

      • Attachment Type: VPC
      • Attachment: Select the VPC attachment of account B, that is, VPC_B.
      

      In this case, the configurations of the association route table are as follows:

      • Associations tab (having multiple attachments + VPC_B):
        • Attachment Type: VPC
        • Attachment: attachments of VPCs of accounts A and B
      • Key parameters on the Routes tab:
        • Attachment Type: CFW instance
        • Next Hop: firewall connection (cfw-er-auto-attach)
   3. Add propagations.

      Select the propagation route table (er-RT2), click the Propagations tab, and click Create Propagation.

      How to identify the propagation route table: The propagation route table is used to transmit traffic from CFW to VPC. The current configurations are as follows:

      • Key parameters on the Associations tab:
        • Attachment Type: CFW instance
        • Attachment: firewall connection (cfw-er-auto-attach)
      • Propagations tab (having multiple propagations):
        • Attachment Type: VPC
        • Attachment: connections to multiple VPCs under account A

      This section uses account B as an example to describe how to add VPCs. If you need to add multiple (for example, three) VPCs, you need to add the corresponding number (for example, three) of propagations.

      • Attachment Type: VPC
      • Attachment: Select the VPC attachment of account B, that is, VPC_B.
      

      In this case, the configurations of the propagation route table are as follows:

      • Key parameters on the Associations tab:
        • Attachment Type: CFW instance
        • Attachment: firewall connection (cfw-er-auto-attach)
      • Propagations tab (having multiple propagations + VPC_B):
        • Attachment Type: VPC
        • Attachment: attachments of VPCs of accounts A and B

4. Use accounts B and C to configure VPC route tables.
   For example, to protect traffic between VPC1 and VPC2, configure the route of VPC1 to point to VPC2 and the route of VPC2 to point to VPC1.

   1. Return to the Enterprise Router page. In the navigation pane on the left, choose Network > Virtual Private Cloud > Route Tables.
   2. In the Name/ID column, click the route table name of a VPC. The Summary page is displayed.
   3. Click Add Route and configure parameters as follows:
      • Add a route to VPC1 of account B:
        • Destination Type: Select IP address.
        • Destination: Enter the CIDR block of VPC2.
        • Next Hop Type: Enterprise Router
      • Add a route to VPC2 of account C:
        • Destination Type: Select IP address.
        • Destination: Enter the CIDR block of VPC1.
        • Next Hop Type: Enterprise Router

5. Configure a protection policy.

   By default, VPC resources connected to the same enterprise router use the protection policies of the CFW instance bound to the enterprise router.

   • Configure protection rules, blacklists, and whitelists to control traffic. For details, see Access Control Policy Overview .
   • Configure attack defense to detect and protect traffic. For details, see Attack Defense Overview .

6. View log information. For details, see Protection Log Overview.

References

To protect EIP resources across accounts, see Using CFW to Protect EIPs Across Accounts.