Updated on 2024-07-31 GMT+08:00

Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall

This document describes how to use an enterprise router to divert traffic to CFW and verify network connectivity.

Prerequisites

Configuration Principle and Process

Figure 1 shows the traffic flow when an enterprise router is configured. Figure 2 shows the process for configuring an enterprise router.

Figure 1 Traffic flow
Figure 2 Operation process

Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall

  1. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  2. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  3. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
  4. Add VPC connections.

    Click Edit Protected VPCs next to the firewall status. Add attachments on the enterprise router page that is displayed. For details about the supported attachment types, see Attachment Overview.

    Assume you want to protect two VPCs. (At least two VPC attachments are required to connect the two VPCs to the enterprise router.) For details, see Adding VPC Attachments to an Enterprise Router.

    Figure 3 Adding VPC connections
    • After a firewall is created, a firewall connection (named cfw-er-auto-attach and connected to the CFW instance) is automatically generated. You need to manually add a connection for each protected VPC.

      For example, the VPC1 connection is named vpc-1, the VPC2 connection is named vpc-2, and the VPC3 connection is named vpc-3.

    • To use the enterprise router of account A to protect VPCs under account B, share the router with account B. For details, see Creating a Sharing.

  5. Create an association route table and a propagation route table, used for connecting to the protected VPCs and to the firewall, respectively.

    Click the Route Tables tab. Click Create Route Table. For more information, see Table 1.

    Table 1 Route table parameters

    Name: Route table name. It must meet the following requirements:
      • Must contain 1 to 64 characters.
      • Can contain letters, digits, underscores (_), hyphens (-), and periods (.).
    Description: Route table description.
    Tag: During the route table creation, you can tag the route table resources. Tags identify cloud resources for purposes of easy categorization and quick search. For details about tags, see Tag Overview.

  6. Configure the association route table.

    1. Configure associations. On the route table configuration page, select the association table, click the Associations tab, and click Create Association. For more information, see Table 2.
      Figure 4 Creating an association
      Table 2 Association parameters

      Attachment Type: Select VPC.
      Attachment: Select an item from the Attachment drop-down list.

      Add at least two associations. An association is required for each protected VPC you add.

      For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add an association and select attachment vpc-3.

    2. Configure routes. Click the Routes tab and click Create Route. Create routes as needed. For more information, see Table 3.
      Figure 5 Creating a route
      Table 3 Route parameters

      Destination: Set the destination address.
        • If 0.0.0.0/0 is configured, all the traffic of the VPC is protected by CFW.
        • If a CIDR block is configured, the traffic of that CIDR block is protected by CFW.
      Blackhole Route: You are advised to disable this function. If it is enabled, packets whose destination matches the blackhole route are discarded.
      Attachment Type: Set Attachment Type to CFW instance.
      Next Hop: Select the automatically generated firewall attachment cfw-er-auto-attach.
      Description: (Optional) Description of a route.

  7. Configure the propagation route table.

    1. Configure associations. On the route table configuration page, select the propagation table, click the Associations tab, and click Create Association. For more information, see Table 4.
      Figure 6 Creating an association
      Table 4 Association parameters

      Attachment Type: Set Attachment Type to CFW instance.
      Attachment: Select the automatically generated firewall attachment cfw-er-auto-attach.

    2. Configure propagations. Click the Propagations tab, and click Create Propagation. For more information, see Table 5.
      Figure 7 Creating a propagation
      Table 5 Propagation parameters

      Attachment Type: Select VPC.
      Attachment: Select an item from the Attachment drop-down list.

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, its route information is extracted into the route table of the enterprise router, and a propagation route is generated. In the same route table, different propagation routes may have the same destination, and they cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and they can be modified or deleted.
      • If a static route and a propagation route in the same route table use the same destination, the static route takes effect first.

  8. Modify the VPC route table.

    1. In the service list, click Virtual Private Cloud under Networking. In the navigation pane, choose Route Tables.
    2. In the Name/ID column, click the route table name of a VPC. The Summary page is displayed.
    3. Click Add Route. For more information, see Table 6.
      Table 6 Route parameters

      Destination Type: Select IP address.
      Destination: The CIDR block that the traffic reaches. For example, to protect traffic between two VPCs, set the destination address of the route of VPC1 to the CIDR block of VPC2.
        NOTE: The value cannot conflict with existing routes or subnet CIDR blocks in the VPC.
      Next Hop Type: Select Enterprise Router from the drop-down list.
      Next Hop: Select a resource for the next hop. The enterprise routers you created are displayed in the drop-down list.
      Description: (Optional) Description of a route.
        NOTE: Enter up to 255 characters. Angle brackets (< or >) are not allowed.

      You need to add routes for at least two VPCs. Each time a protected VPC is added, you need to add a route for that VPC.

Modifying an Enterprise Router to Direct Traffic to Cloud Firewall

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click in the upper left corner and choose Networking > Enterprise Router.
  4. Delete the associations and propagations of the firewall VPC (vpc-cfw-er) from the default route table er-RT1.

    Click the route table and click the Associations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

    Click the Propagations tab. In the Operation column of the firewall VPC, click Delete. In the confirmation dialog box, click Yes.

  5. Create route table er-RT2.

    Click Create Route Table. For more information, see Table 7.

    Table 7 Route table parameters

    Name: Route table name. The name:
      • Must contain 1 to 64 characters.
      • Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).
      Example value: er-RT2
    Description: Route table description. Example value: -
    Tags: During the route table creation, you can add tags to enterprise routers to quickly identify and search for your enterprise router. For details about tags, see Tag Overview. Example value: Tag key: test, Tag value: 01

  6. Configure the route table er-RT2. Set the associations and propagations.

    1. Select the route table er-RT2, click the Associations tab, and click Create Association. See Figure 8. For more information, see Table 8.
      Figure 8 Creating an association
      Table 8 Association parameters

      Attachment Type: Set Attachment Type to CFW instance. Example value: CFW instance
      Attachment: Select an item from the Attachment drop-down list. Example value: cfw-er-auto

    2. Create propagations for the route table (er-RT2). Click the Propagations tab and click Create Propagation. For more information, see Table 9.
      Figure 9 Creating a propagation
      Table 9 Propagation parameters

      Attachment Type: Select VPC. Example value: VPC
      Attachment: Select an item from the Attachment drop-down list. Example value: vpc-1

      Table 10 Propagation parameters

      Attachment Type: Select VPC. Example value: VPC
      Attachment: Select an item from the Attachment drop-down list. Example value: vpc-2

      • Add at least two propagations. A propagation is required for each protected VPC you add.

        For example, select attachment vpc-1 for VPC1 and vpc-2 for VPC2. To add VPC3 for protection, add a propagation and select attachment vpc-3.

      • After a propagation is created, its route information is extracted into the route table of the enterprise router, and a propagation route is generated. In the same route table, different propagation routes may have the same destination, and they cannot be modified or deleted.
      • You can add static routes for the attachments in a route table. The destinations of static routes in a table must be unique, and they can be modified or deleted.
      • If a static route and a propagation route in the same route table use the same destination, the static route takes effect first.

  7. Configure the default route table er-RT1.

    1. Add a static route. Select the route table er-RT1, click the Routes tab, click Create Route, and configure the following parameters:
      • Destination: 0.0.0.0/0
      • Attachment Type: CFW instance
      • Next Hop: cfw-er-auto (attachment of the firewall VPC)
      Figure 10 Adding a static route
    2. Delete the propagation in the route table er-RT1.

      Click the Propagations tab. In the Operation column, click Delete. In the confirmation dialog box, click Yes.

      Delete all the propagations in the route table er-RT1.

  8. (Optional) You are advised to change the propagation route table of the enterprise router to the new route table (er-RT2), so that you simply need to configure an attachment when adding a VPC.

    Go to the Enterprise Router page, choose More > Modify Settings, and set the propagation route table to er-RT2, as shown in Figure 11.
    Figure 11 Modifying configurations

    To use the enterprise router of account A to protect VPCs under account B, share the router with account B, and add an attachment in account B. For details, see Creating a Sharing.
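As an added example (not code from this page or from Huawei Cloud), a small Python model of the two-table design used in both procedures above: the table the VPC attachments are associated with sends everything to the firewall through its 0.0.0.0/0 static route, the table the firewall attachment is associated with holds the propagation routes back to the VPCs, a static route beats a propagation route with the same destination, and a blackhole route drops. trace() lets you check that VPC1 to VPC2 traffic really transits CFW, and exposes the bypass that results if the VPC attachments are associated with the propagation table instead. Attachment names follow the page; the VPC CIDR blocks and the misconfiguration flag are assumptions.

```python
import ipaddress
# Constructed model of the ER setup this page describes: added example code, not Huawei
# Cloud's implementation. Attachment names follow the page; VPC CIDRs are assumed samples.
CFW = "cfw-er-auto-attach"
VPC_CIDRS = {"vpc-1": "10.1.0.0/16", "vpc-2": "10.2.0.0/16"}

def build_tables(vpcs_in_propagation_table=False):
    """Association table: VPC attachments associated, one static 0.0.0.0/0 route to CFW.
    Propagation table: CFW attachment associated, one propagation route per VPC CIDR.
    The flag reproduces the mistake of associating the VPCs with the propagation table."""
    assoc = {"associated": set(VPC_CIDRS), "static": {"0.0.0.0/0": CFW},
             "propagated": {}, "blackhole": set()}
    prop = {"associated": {CFW}, "static": {}, "blackhole": set(),
            "propagated": {cidr: att for att, cidr in VPC_CIDRS.items()}}
    if vpcs_in_propagation_table:
        prop["associated"] |= set(VPC_CIDRS)
        assoc["associated"].clear()
    return [assoc, prop]

def lookup(table, dst_ip):
    """Longest-prefix match. Static routes are scanned first and a propagation route only
    replaces the best match on a strictly longer prefix, so with the same destination the
    static route takes effect (the page's rule). None means blackholed or no match."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for routes in (table["static"], table["propagated"]):
        for cidr, next_hop in routes.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, cidr, next_hop)
    return None if best is None or best[1] in table["blackhole"] else best[2]

def trace(tables, src_attachment, dst_ip, max_hops=4):
    """Follow a packet entering the ER from src_attachment, using the table that attachment
    is associated with; a CFW next hop means the firewall inspects the packet and returns
    it to the ER through its own attachment, where the lookup repeats."""
    path, hop = [src_attachment], src_attachment
    for _ in range(max_hops):
        table = next((t for t in tables if hop in t["associated"]), None)
        hop = lookup(table, dst_ip) if table else None
        if hop is None:
            return path + ["dropped"]
        path.append(hop)
        if hop in VPC_CIDRS:  # delivered into the destination VPC
            return path
    return path + ["loop"]

def is_inspected(tables, src_attachment, dst_ip):
    """True only if the packet reached a VPC and transited the firewall on the way."""
    path = trace(tables, src_attachment, dst_ip)
    return CFW in path and path[-1] in VPC_CIDRS
```

Run trace() for both directions between every pair of protected VPCs after a change; any path without the firewall attachment in it is a VPC that the firewall never sees.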

Follow-up Operations

After the configuration, enable VPC border protection. For details, see Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW.