Updated on 2025-06-27 GMT+08:00

Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall

This document describes how to use an enterprise router to divert traffic to CFW and verify network connectivity.

Prerequisites

Ensure the communication is normal when the traffic does not pass through the firewall. For details about traffic verification, see Verifying Network Connectivity.

Configuration Principle and Process

Figure 1 shows the traffic flow when an enterprise router is configured. Figure 2 shows the process for configuring an enterprise router.

Figure 1 Traffic flow
Figure 2 Operation process

Diverting Traffic to the CFW

Two procedures follow. Select the one that matches whether an enterprise router has already been configured for the current service.

  1. A VPC border firewall has been created. For details, see Creating a VPC Border Firewall.
  2. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  3. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  4. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
  5. Add VPC attachments.

    Click Edit Protected VPC next to Firewall Status. The enterprise router page is displayed. Add attachments to an enterprise router. For details about the attachment types that can be added, see Attachment Overview.

For example, to protect two VPCs, at least two VPC attachments are required to connect the two VPCs to the enterprise router. For details, see Adding a VPC Attachment to an Enterprise Router.

    Figure 3 Adding VPC attachments
    • After a firewall is created, a firewall attachment (named cfw-er-auto-attach and connected to the CFW instance) is automatically generated. You need to manually add an attachment for each protected VPC.

      For example, the VPC1 attachment is named vpc-1, the VPC2 attachment is named vpc-2, and the VPC3 attachment is named vpc-3.

    • To use the enterprise router of account A to protect VPCs under account B, share the router with account B. For details, see Creating a Sharing. After the sharing is successful, add the attachments in account B. All subsequent configuration is still performed in account A.

  6. Create an association route table (used by the protected VPC attachments) and a propagation route table (used by the firewall attachment).

    Click the Route Tables tab. Click Create Route Table. For more information, see Table 1.

    Table 1 Route table parameters

    Name: Route table name. It must meet the following requirements:
    • Must contain 1 to 64 characters.
    • Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).

    Description: Route table description.

    Tag: During route table creation, you can tag the route table resources. Tags identify cloud resources for easy categorization and quick search. For details about tags, see Tag Overview.

  7. Configure the association route table.

    1. Configure associations. On the route table configuration page, select the association table, click the Associations tab, and click Create Association. For more information, see Table 2.

      Add at least two associations. An association is required for each protected VPC you add.

      For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add an association and select attachment vpc-3.

      Figure 4 Creating an association
      Table 2 Association parameters

      Attachment Type: Select VPC.
      Attachment: Select an item from the Attachment drop-down list.

    2. Configure routes. Click the Routes tab and click Create Route. Create routes as needed. For more information, see Table 3.
      Figure 5 Creating a route
      Table 3 Route parameters

      Destination: Set the destination address.
      • If 0.0.0.0/0 is configured, all IPv4 traffic of the VPC is protected by CFW.
      • If a CIDR block is configured, the traffic of that CIDR block is protected by CFW.
      Blackhole Route: You are advised to disable this function. If it is enabled, packets whose destination matches the blackhole route are discarded.
      Attachment Type: Set Attachment Type to CFW instance.
      Next Hop: Select the automatically generated firewall attachment cfw-er-auto-attach.
      Description: (Optional) Description of the route.

  8. Configure the propagation route table.

    1. Configure associations. On the route table configuration page, select the propagation table, click the Associations tab, and click Create Association. For more information, see Table 4.
      Figure 6 Creating an association
      Table 4 Association parameters

      Attachment Type: Set Attachment Type to CFW instance.
      Attachment: Select the automatically generated firewall attachment cfw-er-auto-attach.

    2. Set the propagation function. Click the Propagations tab and click Create Propagation. For more information, see Table 5.
      Figure 7 Creating a propagation
      Table 5 Propagation parameters

      Attachment Type: Select VPC.
      Attachment: Select an item from the Attachment drop-down list.

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, the routes of the attachment are propagated into the route table of the enterprise router as propagation routes. In the same route table, different propagation routes may have the same destination, and propagation routes cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and static routes can be modified or deleted.
      • If a static route and a propagation route in the same route table have the same destination, the static route takes precedence.

  9. Modify the VPC route table.

    1. In the service list, click Virtual Private Cloud under Networking. In the navigation pane, choose Route Tables.
    2. In the Name/ID column, click the route table name of a VPC. The Summary page is displayed.
    3. Click Add Route. For details, see Table 6.

      You need to add routes for at least two VPCs. Each time a protected VPC is added, you need to add a route for that VPC.

      Table 6 Route parameters

      Destination Address Type: Select IP address.
      Destination: Destination CIDR block. It cannot conflict with existing routes or subnet CIDR blocks in the VPCs. For example, to protect traffic between two VPCs, set the destination of the route in VPC1 to the CIDR block of VPC2.
      Next Hop Type: Select Enterprise Router from the drop-down list.
      Next Hop: Select a resource for the next hop. The enterprise routers you created are displayed in the drop-down list.
      Description: (Optional) Description of the route. Enter up to 255 characters. Angle brackets (< or >) are not allowed.

  1. A VPC border firewall has been created. For details, see Creating a VPC Border Firewall.
  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane, click in the upper left corner and choose Networking > Enterprise Router.
  5. Delete the associations and propagations of the firewall VPC (vpc-cfw-er) from the default route table er-RT1.

    Click the route table and click the Associations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

    Click the Propagations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

  6. Create route table er-RT2.

    Click Create Route Table. For details, see Table 7.

    Table 7 Route table parameters

    Name (example value: er-RT2): Route table name. The name:
    • Must contain 1 to 64 characters.
    • Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).
    Tags (example value: tag key test, tag value 01): During route table creation, you can add tags to the route table resources for easy categorization and quick search. For details about tags, see Tag Overview.
    Description (example value: none): Route table description.

  7. Configure the route table er-RT2. Set the associations and propagations.

    1. Select the route table er-RT2, click the Associations tab, and click Create Association, as shown in Figure 8. For more information, see Table 8.
      Figure 8 Creating an association
      Table 8 Association parameters

      Attachment Type (example value: CFW instance): Set Attachment Type to CFW instance.
      Attachment (example value: cfw-er-auto): Select an item from the Attachment drop-down list.

    2. Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation. For details, see Table 9.
      Figure 9 Creating a propagation
      Table 9 Propagation parameters

      Attachment Type (example value: VPC): Select VPC.
      Attachment (example value: vpc-1): Select an item from the Attachment drop-down list.

      Table 10 Propagation parameters

      Attachment Type (example value: VPC): Select VPC.
      Attachment (example value: vpc-2): Select an item from the Attachment drop-down list.

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, the routes of the attachment are propagated into the route table of the enterprise router as propagation routes. In the same route table, different propagation routes may have the same destination, and propagation routes cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and static routes can be modified or deleted.
      • If a static route and a propagation route in the same route table have the same destination, the static route takes precedence.

  8. Configure the default route table er-RT1.

    1. Add a static route. Select the route table er-RT1, click the Routes tab, click Create Route, and configure the following parameters:
      • Destination: 0.0.0.0/0
      • Attachment Type: CFW instance
      • Next Hop: cfw-er-auto (attachment of the firewall VPC)
      Figure 10 Adding a static route
    2. Delete all the propagations in the route table er-RT1.

      Click the Propagations tab. In the Operation column, click Delete. In the confirmation dialog box, click Yes.

  9. (Optional) You are advised to change the propagation route table of the enterprise router to the new route table (er-RT2), so that adding a VPC later only requires creating an attachment.

    Go to the Enterprise Router page, choose More > Modify Settings, and set the propagation route table to er-RT2, as shown in Figure 11.
    Figure 11 Modifying configurations

    To use the enterprise router of account A to protect VPCs under account B, share the router with account B. For details, see Creating a Sharing. After the sharing is successful, add the attachments in account B.
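The following Python model is an added example, not code from this page or from the Enterprise Router service. It reproduces the forwarding logic that both procedures above set up (a table used by the VPC attachments with a static 0.0.0.0/0 route to the firewall attachment, and a table used by the firewall attachment that holds propagation routes from the protected VPCs), applies the stated rule that a static route takes precedence over a propagation route with the same destination, and shows why the firewall attachment must not stay associated with the table that sends everything to the firewall. The VPC CIDR blocks are constructed values, the table names follow the second procedure, and longest-prefix matching is an assumption.

```python
import ipaddress

# Constructed example values (assumptions, not from the page): attachment -> VPC CIDR.
VPC_CIDRS = {"vpc-1": "10.0.0.0/16", "vpc-2": "10.1.0.0/16"}
CFW = "cfw-er-auto-attach"   # firewall attachment name used on the page

class RouteTable:
    def __init__(self, name):
        self.name, self.static, self.propagated = name, {}, []

    def add_static(self, dest, next_hop):
        if dest in self.static:   # page rule: static destinations must be unique
            raise ValueError(f"{self.name}: duplicate static route {dest}")
        self.static[dest] = next_hop

    def add_propagation(self, attachment):
        # A propagation pulls the attachment's CIDR in as a propagation route;
        # duplicate destinations are allowed here (page rule), so a list, not a dict.
        self.propagated.append((VPC_CIDRS[attachment], attachment))

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        # Candidates are (prefix length, is_static, next hop). Longest prefix wins
        # (assumed); on an equal destination the static route beats the propagation route.
        cands = [(ipaddress.ip_network(d).prefixlen, 1, nh)
                 for d, nh in self.static.items() if ip in ipaddress.ip_network(d)]
        cands += [(ipaddress.ip_network(d).prefixlen, 0, nh)
                  for d, nh in self.propagated if ip in ipaddress.ip_network(d)]
        return max(cands)[2] if cands else None

def build_router(firewall_still_in_rt1=False):
    """Return the association map {ingress attachment: route table it uses}."""
    rt1, rt2 = RouteTable("er-RT1"), RouteTable("er-RT2")
    rt1.add_static("0.0.0.0/0", CFW)          # static route: all traffic to CFW
    for att in VPC_CIDRS:
        rt2.add_propagation(att)              # one propagation per protected VPC
    assoc = {att: rt1 for att in VPC_CIDRS}   # VPC attachments associated with er-RT1
    assoc[CFW] = rt1 if firewall_still_in_rt1 else rt2   # firewall should use er-RT2
    return assoc

def trace(assoc, ingress, dst_ip, max_hops=4):
    """Follow a packet entering the router from `ingress`; return the attachment path."""
    path, hop = [ingress], ingress
    for _ in range(max_hops):
        hop = assoc[hop].lookup(dst_ip)
        path.append(hop)
        if hop != CFW:            # delivered to a VPC attachment (or no route: None)
            return path
    return path + ["LOOP"]        # traffic keeps bouncing back into the firewall
```

`trace(build_router(), "vpc-1", "10.1.0.5")` yields vpc-1, the firewall attachment, then vpc-2; with the firewall attachment left associated with er-RT1 the same packet never leaves the firewall hop.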

Follow-up Operations

After the configuration, enable VPC border protection. For details, see Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW.