Updated on 2025-06-27 GMT+08:00

VPC Border Firewall Overview

CFW can protect VPC traffic. After protection is enabled, your service traffic will pass through CFW. All traffic will be allowed by default.

After protection is enabled, you can configure an access control policy or IPS mode. CFW will block or allow traffic based on the configuration. For details about how to configure access control, see Configuring Protection Rules. For details about IPS, see Configuring Intrusion Prevention.

This section describes the basic concept of VPC border and related CFW configuration.

What Is VPC Border Traffic?

VPC border traffic, a type of east-west traffic, is exchanged between a VPC and an integrated data center (IDC), or between two VPCs. You can configure a VPC border firewall on CFW and use Enterprise Router to visualize and protect internal service access.

A VPC border firewall supports cross-account protection. For example, if account A has VPC_A and account B has VPC_B, you only need to configure an enterprise router and a firewall under account A, share the enterprise router with account B, and add an attachment to VPC_B. In this way, the VPCs of accounts A and B can both be protected.

Figure 1 Traffic between a VPC and an IDC
Figure 2 Traffic between VPCs

Introduction to VPC Border Traffic Protection

Supported Protected Objects

  • VPC
  • Virtual gateway (VGW) attachment
  • VPN
  • Global DC gateway (DGW)

Protection Specifications

The protection specifications of a VPC border firewall include the number of protected VPCs and the VPC border protection bandwidth.

Table 1 VPC border firewall protection specifications

| Specifications | Description | Yearly/Monthly Billing | Pay-per-Use Billing |
|---|---|---|---|
| Protected VPCs | Total number of VPCs that can be protected by the current firewall instance. | Depends on the number of protected VPCs. By default, two VPCs and 200 Mbit/s of VPC border traffic can be protected. If the quota is insufficient, you can purchase expansion packages. For details, see Modifying an Extension Package. | Up to 20 VPCs and up to 1 Gbit/s of traffic protection for Internet and VPC borders are available. The capacities cannot be expanded. |
| VPC Border Protection Bandwidth | Maximum VPC border traffic that can be protected by the current firewall instance. | Same as above. | Same as above. |

Constraints

  • Only the professional edition supports VPC border firewalls.
  • The number of VPCs that can be protected by a single firewall instance by default is as follows:
    • Professional edition (yearly/monthly): 2

      You can purchase expansion packages to increase the number to a maximum of 1,000. For details, see Changing the Number of CFW Expansion Packages.

    • Professional edition (pay-per-use): 20. It cannot be increased.
  • Traffic diversion depends on the enterprise router.
  • If your VPCs use CIDR blocks outside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and the 100.64.0.0/10 segment reserved for carrier-level NAT, CFW may fail to forward traffic between them. To use such public network CIDR blocks as private network CIDR blocks, modify the private network CIDR blocks or submit a service ticket to expand your private IP CIDR blocks.
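A pre-flight check for the CIDR constraint above, added here as an example (not CFW's own code): it classifies each VPC CIDR against the four ranges the firewall forwards by default, flagging blocks that lie fully outside them or straddle a range boundary. The VPC list is constructed sample input.

```python
import ipaddress

# Ranges that the VPC border firewall treats as private by default
# (the four listed in the Constraints section).
DEFAULT_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-level NAT segment
]


def classify_vpc_cidr(cidr):
    """Classify one VPC CIDR block.

    'private': fully inside a default range, CFW forwards it as-is
    'partial': straddles a range boundary, part of the block is not covered
    'public' : entirely outside the default ranges
    'invalid': not a valid network (e.g. host bits set)
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "invalid"
    if any(net.subnet_of(rng) for rng in DEFAULT_PRIVATE_RANGES):
        return "private"
    if any(net.overlaps(rng) for rng in DEFAULT_PRIVATE_RANGES):
        return "partial"
    return "public"


def check_vpc_cidrs(cidrs):
    """Return (cidr, status) for every block that needs attention before
    enabling protection; fully private blocks are omitted."""
    return [(c, s) for c in cidrs if (s := classify_vpc_cidr(c)) != "private"]


if __name__ == "__main__":
    # Constructed sample: two compliant VPCs, one public, one straddling
    sample_vpcs = ["10.1.0.0/16", "192.168.0.0/20", "203.0.113.0/24", "100.0.0.0/8"]
    for cidr, status in check_vpc_cidrs(sample_vpcs):
        print(f"{cidr}: {status} -> modify private CIDR blocks or open a service ticket")
```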

Impacts on Services

  • If there is no protection rule or blacklist that blocks all traffic, enabling or disabling VPC protection will not interrupt services.
  • If a protection rule or blacklist is configured to block all traffic, enabling VPC protection may interrupt services. Before enabling protection, check for persistent connections and services that do not support session reestablishment.

Configuration and Usage Process

Because of dependency issues, the new and old versions of the VPC border firewall in enterprise router mode are used in different projects. You can check which version you are using on the firewall configuration page.

Figure 3 shows the configuration page and Table 2 shows the configuration process. For the detailed configuration procedure, see Enterprise Router Mode (New).

Figure 3 VPC border firewall (new version)
Table 2 Configuration and usage process in enterprise router mode (new)

  • Creating a VPC Border Firewall: Plan CIDR blocks for traffic diversion on the VPC border firewall.

    NOTE: The traffic diversion VPC does not occupy the VPC protection quotas under your account.

  • Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall: Use an enterprise router to transmit traffic among the VPCs and CFW.
    • Add attachments between the protected VPCs and the enterprise router.
    • In the enterprise router, create an association route table and a propagation route table to transmit traffic between the VPCs and the firewall.
    • Add a route pointing to the enterprise router for each VPC.
  • Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW: Enable VPC border traffic protection and check whether the traffic passes through CFW.
  • Adding a VPC Border Protection Rule: Allow or block traffic based on protection rules. (Allowed traffic will still be checked by the IPS and antivirus functions.)
  • Adding Blacklist or Whitelist Items to Block or Allow Traffic: Allow or block traffic based on the blacklist and whitelist. (Traffic allowed or blocked in this way will not be checked by other functions.)
  • Access Control Logs: Check whether the protection policies take effect.
  • Adding a Protected VPC: Add a VPC to be protected.

Figure 4 shows the configuration page and Figure 5 shows the configuration process. For the detailed configuration procedure, see Enterprise Router Mode (Old).

Figure 4 Creating a VPC border firewall (old version)
Figure 5 Configuration process in enterprise router mode