VPC Border Firewall Overview

CFW can protect VPC traffic. After protection is enabled, your service traffic will pass through CFW. All traffic will be allowed by default.

After protection is enabled, you can configure an access control policy or IPS mode. CFW will block or allow traffic based on the configuration. For details about how to configure access control, see Configuring Protection Rules. For details about IPS, see Configuring Intrusion Prevention.

This section describes the basic concept of VPC border and related CFW configuration.

What Is VPC Border Traffic?

VPC border traffic, a type of east-west traffic, is exchanged between a VPC and an integrated data center (IDC), or between two VPCs. You can configure a VPC border firewall on CFW and use Enterprise Router to visualize and protect internal service access.

A VPC border firewall supports cross-account protection. For example, if account A has VPC_A and account B has VPC_B, you only need to configure an enterprise router and a firewall under account A, share the enterprise router with account B, and add an attachment to VPC_B. In this way, the VPCs of accounts A and B can both be protected.

Figure 1 Traffic between a VPC and an IDC
Click to enlarge

Figure 2 Traffic between VPCs
Click to enlarge

Introduction to VPC Border Traffic Protection

Supported Protected Objects

VPC
Virtual gateway (VGW) attachment
VPN
Global DC gateway (DGW)

Protection Specifications

The protection specifications of a VPC border firewall include the number of protected VPCs and the VPC border protection bandwidth.

**Table 1** VPC border firewall protection specifications
Specifications	Description	Yearly/Monthly Billing	Pay-per-Use Billing
Protected VPCs	Total number of VPCs that can be protected by the current firewall instance.	It depends on the number of protected VPCs. By default, two VPCs and 200 Mbit/s VPC border traffic can be protected. If the quota is insufficient, you can purchase expansion packages. For details, see Modifying an Extension Package.	Up to 20 VPCs, and up to 1 Gbit/s traffic protection for Internet and VPC borders are available. The capacities cannot be expanded.
VPC Border Protection Bandwidth	Maximum VPC border traffic that can be protected by the current firewall instance.

Constraints

Only the professional edition supports VPC border firewalls.
The number of VPCs that can be protected by a single firewall instance by default is as follows:
- Professional edition (yearly/monthly): 2
  You can purchase expansion packages to increase the number to a maximum of 1,000. For details, see Changing the Number of CFW Expansion Packages.
- Professional edition (pay-per-use): 20. It cannot be increased.
Traffic diversion depends on the enterprise router.
To use public network CIDR blocks other than 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or the 100.64.0.0/10 segment reserved for carrier-level NAT as private network CIDR blocks, modify private network CIDR blocks or submit a service ticket to expand your private IP CIDR blocks, or CFW may fail to forward traffic between your VPCs.

Impacts on Services

If there is no protection rule or blacklist that blocks all traffic, enabling or disabling VPC protection will not interrupt services.
If a protection rule or blacklist is configured to block all traffic, enabling VPC protection may interrupt services. Before enabling protection, check for persistent connections and services that do not support session reestablishment.
- For details about how to edit a protection rule, see Managing Protection Rules.
- For details about how to edit a blacklist, see Managing the Blacklist and the Whitelist.

Configuration and Usage Process

Because of dependency issues, the new and old versions of the VPC border firewall in enterprise router mode are used in different projects. You can check which version you are using on the firewall configuration page.

Figure 3 shows the configuration page. Table 2 shows the configuration process. For details about the configuration document, see Enterprise Router Mode (New).

Figure 3 VPC border firewall (new version)
Click to enlarge

**Table 2** Configuration and usage process in enterprise router mode (new)
Procedure	Description
Creating a VPC Border Firewall	Plan CIDR blocks for traffic diversion on the VPC border firewall. NOTE: The traffic diversion VPC does not occupy the VPC protection quotas under your account.
Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall	Use an enterprise router to transmit traffic among VPCs and CFW. Add connections between protected VPCs and an enterprise router. In the enterprise router, create an association route table and a propagation route table to transmit traffic between VPCs and firewall. Add a route pointing to the enterprise router for each VPC.
Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW	Enable VPC border traffic protection and check whether the traffic passes through CFW.
Adding a VPC Border Protection Rule	Allow or block traffic based on protection rules. (Allowed traffic will be checked by IPS and antivirus functions.)
Adding Blacklist or Whitelist Items to Block or Allow Traffic	Allow or block traffic based on the blacklist and whitelist. (Traffic allowed or blocked in this way will not be checked by other functions.)
Access Control Logs	Check whether protection policies take effect.
Adding a Protected VPC	Add a VPC to be protected.

Figure 4 shows the configuration page. Figure 5 shows the configuration process. For details about the configuration document, see Enterprise Router Mode (Old).

Figure 4 Creating a VPC border firewall (old version)
Click to enlarge