VPC Border Firewall Overview
CFW can protect VPC traffic. After protection is enabled, your service traffic will pass through CFW. All traffic will be allowed by default.
After protection is enabled, you can configure an access control policy or IPS mode. CFW will block or allow traffic based on the configuration. For details about how to configure access control, see Configuring Protection Rules. For details about IPS, see Configuring Intrusion Prevention.
This section describes the basic concepts of VPC border traffic and the related CFW configuration.
What Is VPC Border Traffic?
VPC border traffic, a type of east-west traffic, is exchanged between a VPC and an integrated data center (IDC), or between two VPCs. You can configure a VPC border firewall on CFW and use Enterprise Router to visualize and protect internal service access.
A VPC border firewall supports cross-account protection. For example, if account A has VPC_A and account B has VPC_B, you only need to configure an enterprise router and a firewall under account A, share the enterprise router with account B, and add an attachment to VPC_B. In this way, the VPCs of accounts A and B can both be protected.


Introduction to VPC Border Traffic Protection
Supported Protected Objects
- VPC
- Virtual gateway (VGW) attachment
- VPN
- Global DC gateway (DGW)
Protection Specifications
The protection specifications of a VPC border firewall include the number of protected VPCs and the VPC border protection bandwidth.
Specifications | Description | Yearly/Monthly Billing | Pay-per-Use Billing |
---|---|---|---|
Protected VPCs | Total number of VPCs that can be protected by the current firewall instance. | It depends on the number of protected VPCs. By default, two VPCs and 200 Mbit/s VPC border traffic can be protected. If the quota is insufficient, you can purchase expansion packages. For details, see Modifying an Extension Package. | Up to 20 VPCs, and up to 1 Gbit/s traffic protection for Internet and VPC borders are available. The capacities cannot be expanded. |
VPC Border Protection Bandwidth | Maximum VPC border traffic that can be protected by the current firewall instance. | Same as above. | Same as above. |
Constraints
- Only the professional edition supports VPC border firewalls.
- The number of VPCs that can be protected by a single firewall instance by default is as follows:
  - Professional edition (yearly/monthly): 2. You can purchase expansion packages to increase the number to a maximum of 1,000. For details, see Changing the Number of CFW Expansion Packages.
  - Professional edition (pay-per-use): 20. It cannot be increased.
- Traffic diversion depends on the enterprise router.
- By default, CFW forwards traffic between VPCs only for private network CIDR blocks within 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 100.64.0.0/10 (the segment reserved for carrier-grade NAT). To use other public network CIDR blocks as private network CIDR blocks, modify the private network CIDR blocks or submit a service ticket to expand your private IP CIDR blocks; otherwise, CFW may fail to forward traffic between your VPCs.
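The following script is an added example, not part of the CFW documentation or of the CFW product itself. It checks a planned set of VPC CIDR blocks against the four private ranges listed above, reports blocks that would need a modified CIDR or a service ticket before CFW can forward traffic for them, and (as an added sanity check that the documentation does not state, but that any routed VPC topology requires) flags planned blocks that overlap each other. The sample plan at the bottom is constructed; the function names and result keys are this example's own.

```python
# Added example (not from the CFW documentation): validate planned private
# CIDR blocks against the ranges CFW forwards between VPCs by default.
import ipaddress

# The four ranges the documentation lists as usable private CIDR blocks
# without modifying blocks or submitting a service ticket.
DEFAULT_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),  # reserved for carrier-grade NAT
]


def check_cidr(cidr: str) -> dict:
    """Classify one planned CIDR block.

    Returns the normalized block, whether a default private range fully
    covers it, the covering (or partially overlapping) range, and the
    action the documentation prescribes when it is not covered.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    result = {"cidr": str(net), "covered": False, "range": None,
              "action": "modify the private CIDR block or submit a service ticket"}
    if net.version != 4:
        return result  # the listed default ranges are IPv4 only
    for rng in DEFAULT_PRIVATE_RANGES:
        if net.subnet_of(rng):
            result.update(covered=True, range=str(rng), action="ok")
            return result
    # Not fully covered: record a partial overlap if there is one, because a
    # block that straddles a private range boundary is a planning error too.
    partial = [str(r) for r in DEFAULT_PRIVATE_RANGES if net.overlaps(r)]
    if partial:
        result["range"] = partial[0]
    return result


def check_plan(cidrs):
    """Check every block of a plan.

    Besides the per-block check, flags blocks that overlap each other. That
    is a general routing requirement for VPCs attached to the same router
    (an added sanity check, not a statement from the documentation).
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    results = []
    for i, net in enumerate(nets):
        item = check_cidr(str(net))
        item["overlaps_with"] = [str(o) for j, o in enumerate(nets)
                                 if j != i and net.overlaps(o)]
        results.append(item)
    return results


if __name__ == "__main__":
    # Constructed sample plan: two valid blocks, one outside every default
    # range, one straddling a range boundary, and two that overlap each other.
    plan = ["10.1.0.0/16", "100.64.8.0/22", "203.0.113.0/24",
            "10.0.0.0/7", "192.168.10.0/24", "192.168.10.128/25"]
    for item in check_plan(plan):
        print(item)
```

Run it against the CIDR list from your own traffic diversion plan before creating the enterprise router attachments; every item whose action is not "ok" needs a changed block or a service ticket, and any non-empty overlaps_with list needs re-planning regardless of CFW.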
Impacts on Services
- If there is no protection rule or blacklist that blocks all traffic, enabling or disabling VPC protection will not interrupt services.
- If a protection rule or blacklist is configured to block all traffic, enabling VPC protection may interrupt services. Before enabling protection, check for persistent connections and services that do not support session reestablishment.
- For details about how to edit a protection rule, see Managing Protection Rules.
- For details about how to edit a blacklist, see Managing the Blacklist and the Whitelist.
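The check below is an added example, not code from the CFW documentation or product. It automates the pre-enablement review described above: it scans a rule set and a blacklist for an item that blocks all traffic, and only if one is found lists the sessions that deserve attention (persistent connections and services that do not support session re-establishment). The dictionary shapes for rules, blacklist items and sessions are assumed for this example and are not the CFW API schema; the sample data at the bottom is constructed.

```python
# Added example (not from the CFW documentation): pre-enablement check for a
# protection rule or blacklist item that blocks all traffic, the condition
# under which enabling VPC protection may interrupt services.
# The rule, blacklist and session dictionaries are an assumed, simplified
# shape for this example, not the CFW API schema.

ANY_VALUES = {"any", "all", "*", "0.0.0.0/0"}


def matches_any(value) -> bool:
    """True if a rule field matches every address, protocol or port."""
    if value is None:
        return True  # an unset field is treated as unrestricted
    if isinstance(value, (list, tuple, set)):
        return any(matches_any(v) for v in value)
    return str(value).strip().lower() in ANY_VALUES


def blocks_all_traffic(rule: dict) -> bool:
    """A rule blocks all traffic when it is a block rule whose source,
    destination, protocol and port are all unrestricted."""
    if str(rule.get("action", "")).lower() != "block":
        return False
    return all(matches_any(rule.get(f))
               for f in ("source", "destination", "protocol", "port"))


def blacklist_blocks_all(item: dict) -> bool:
    """A blacklist item blocks all traffic when its address covers every
    host for every protocol (assumed shape: {"address": ..., "protocol": ...});
    a blacklist item needs no action field because it always blocks."""
    return matches_any(item.get("address")) and matches_any(item.get("protocol"))


def preflight(rules, blacklist, sessions) -> dict:
    """Return the blocking items found and, only when there are any, the
    sessions to review before enabling protection: persistent connections and
    services that cannot re-establish sessions."""
    blocking = ([("rule", r.get("name", "?")) for r in rules if blocks_all_traffic(r)]
                + [("blacklist", str(b.get("address"))) for b in blacklist
                   if blacklist_blocks_all(b)])
    at_risk = []
    if blocking:
        at_risk = [s["name"] for s in sessions
                   if s.get("persistent") or not s.get("supports_reestablishment", True)]
    return {"safe_to_enable": not blocking,
            "blocking_items": blocking,
            "sessions_to_review": at_risk}


if __name__ == "__main__":
    # Constructed sample data: one scoped allow rule, one catch-all block rule,
    # a single-host blacklist entry, and three services with different behaviour.
    rules = [
        {"name": "allow-web", "action": "allow", "source": "10.1.0.0/16",
         "destination": "10.2.0.0/16", "protocol": "tcp", "port": "443"},
        {"name": "deny-all", "action": "block", "source": "0.0.0.0/0",
         "destination": "any", "protocol": "any", "port": "any"},
    ]
    blacklist = [{"address": "203.0.113.7", "protocol": "any"}]
    sessions = [
        {"name": "db-replication", "persistent": True},
        {"name": "api", "persistent": False},
        {"name": "legacy-scada", "persistent": False, "supports_reestablishment": False},
    ]
    print(preflight(rules, blacklist, sessions))
```

The check is deliberately conservative: it flags a block-all rule wherever it sits in the rule set, since the documentation does not describe rule ordering, so treat a hit as a prompt to review the rule set and the listed sessions rather than as proof of an outage.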
Configuration and Usage Process
Because of dependency issues, the new and old versions of the VPC border firewall in enterprise router mode are used in different projects. You can check which version you are using on the firewall configuration page.
Figure 3 shows the configuration page. Table 2 shows the configuration process. For details about the configuration document, see Enterprise Router Mode (New).
Procedure | Description |
---|---|
Plan CIDR blocks for traffic diversion on the VPC border firewall. | NOTE: The traffic diversion VPC does not occupy the VPC protection quotas under your account. |
Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall | Use an enterprise router to transmit traffic among VPCs and CFW. |
Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW | Enable VPC border traffic protection and check whether the traffic passes through CFW. |
Allow or block traffic based on protection rules. (Allowed traffic will be checked by IPS and antivirus functions.) | |
Adding Blacklist or Whitelist Items to Block or Allow Traffic | Allow or block traffic based on the blacklist and whitelist. (Traffic allowed or blocked in this way will not be checked by other functions.) |
Check whether protection policies take effect. | |
Add a VPC to be protected. | |
Figure 4 shows the configuration page. Figure 5 shows the configuration process. For details about the configuration document, see Enterprise Router Mode (Old).