Updated on 2024-10-22 GMT+08:00

Creating a VPC Border Firewall

A VPC border firewall can collect statistics on the traffic between VPCs, helping you detect abnormal traffic. Before enabling a VPC border firewall, create it and associate it with an enterprise router first.

Prerequisites

The current account must have an available enterprise router. (See Enterprise router constraints.)
  • For details about Enterprise Router pricing, see Pricing.
  • For details about how to create an enterprise router, see Creating an Enterprise Router.

    You are advised to deselect Default Route Table Association and Default Route Table Propagation while creating a route.

Constraints

When creating a firewall, select an enterprise router and configure an IPv4 CIDR block for traffic diversion.
  • An enterprise router is used for traffic diversion. It must meet the following requirements:
    • Not associated with other firewall instances.
    • Belongs to the current account and is not shared with other users.
    • Default Route Table Association, Default Route Table Propagation, and Auto Accept Shared Attachments must be disabled.
  • A CIDR block is used to forward traffic to CFW. It must comply with the following restrictions:
    • This CIDR block cannot overlap with the private network segment to be protected, or routing conflicts may occur.
    • The CIDR block 10.6.0.0/16-10.7.0.0/16 is reserved for CFW and cannot be specified.

Creating a VPC Border Firewall

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
  6. Click Create Firewall, select an enterprise router, and configure a CIDR block.

    Figure 1 Creating a VPC Border Firewall
    • An enterprise router is used for traffic diversion. It must meet the following requirements:
      • Not associated with other firewall instances.
      • Belongs to the current account and is not shared with other users.
      • Default Route Table Association, Default Route Table Propagation, and Auto Accept Shared Attachments must be disabled.
    • After a CIDR block is configured, an inspection VPC is created by default to forward traffic to CFW. A CFW-associated subnet is automatically allocated to forward traffic to an enterprise router. Pay attention to the following restrictions:
      • After a firewall is created, its CIDR block cannot be modified.
      • The CIDR block must meet the following requirements:
        • Only private network address segments (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) are supported. Otherwise, route conflicts may occur in public network access scenarios, such as SNAT.
        • The CIDR block 10.6.0.0/16-10.7.0.0/16 is reserved for CFW and cannot be used.
        • This CIDR block cannot overlap with the private CIDR block to be protected, or routing conflicts and protection failures may occur.
    • If the page shown in Figure 2 is displayed, you are using the old CFW version. For details about how to configure the VPC border firewall, see Enterprise Router Mode (Old).
      Figure 2 Creating a VPC border firewall (old version)

  7. Click OK. The firewall will be created in 3 to 5 minutes.

    During the creation, you can only check the Dashboard page. The firewall status will change to Upgrading.

Related Operations

Disabling a firewall: After a firewall is created, it cannot be deleted or unsubscribed from. You can disable firewall protection. For details, see Disabling VPC Border Protection. If VPC border protection is no longer required, after you disable protection, you still need to manually restore the configuration of the enterprise router.