Updated on 2025-11-06 GMT+08:00

Using CFW and Enterprise Router to Protect VPN Traffic

Application Scenarios

In the digital transformation of enterprises, many companies use virtual private networks (VPNs) to establish encrypted public communication tunnels between remote users and virtual private clouds (VPCs). Although VPNs provide encryption and tunnel-based transmission, they still face challenges such as abuse, malicious traffic propagation, and compliance auditing. Companies need to find a way to ensure VPN traffic security and compliance.

CFW provides a comprehensive solution to protect VPN traffic. It has the following capabilities:

  1. VPN abuse prevention: CFW provides fine-grained access control policies to protect sensitive areas on the cloud and on-premises, restricting access to highly sensitive services. It also prevents users from accessing intranet resources beyond their service or permission scope, or accessing Internet resources irrelevant to their services.
  2. Suspicious traffic blocking: If a VPN user's device is compromised, security risks may spread to other assets via the VPN. CFW provides powerful intrusion prevention and can detect and block attacks carried in VPN traffic. When CFW detects abnormal traffic or known malicious activities, it immediately takes action to contain the risk and protect corporate assets.
  3. Compliance audit: CFW can record detailed logs on VPN traffic, including the access source, destination, and application type, to meet compliance audit requirements.

Solution Overview

When creating a VPN, you need to bind an EIP to connect the VPN gateway to the peer gateway. In this way, you can view the EIP information of the VPN gateway in the CFW protection list. (CFW automatically synchronizes the EIPs from the region of the login account.) However, if you enable CFW protection for the EIP of the VPN, CFW only sees the encrypted tunnel packets and cannot inspect the traffic encapsulated inside the tunnel. The details are as follows:

To perform access control or security checks on VPN traffic, the VPC border firewall of CFW needs to work with an enterprise router. The networking is as follows.

  1. For details about how to associate a VPN gateway with an enterprise router, see Adding a VPN Attachment to an Enterprise Router.
  2. For details about how to associate a CFW with an enterprise router, see Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall.
  3. After you configure the routes, you can apply CFW access control policies to control VPN traffic and isolate specified traffic, implementing multi-dimensional protection.

Prerequisites

Constraints

Only the CFW professional edition supports VPC border firewalls.

Example of Using CFW and Enterprise Router to Protect VPN Traffic

The context of this example is as follows:

An enterprise has enabled the enterprise edition VPN gateway on the cloud. A subnet of its on-premises data center is 172.16.0.0/16. The subnet needs to communicate with the VPC whose CIDR block is 192.168.0.0/24. Enterprise Router and CFW are used to control VPN traffic.

Step 1: Add a VPC Attachment

Create a VPC attachment to connect the VPN gateway to the enterprise router. For details, see Adding VPC Attachments to an Enterprise Router.

Step 2: Create a VPC Border Firewall

For details, see Creating a Firewall.

After the firewall is created, an attachment is automatically generated (named cfw-er-auto-attach and connected to the CFW instance).

Step 3: Configure the Enterprise Router to Direct Traffic to the Cloud Firewall

  1. Create and configure an association route table and a propagation route table, used for connecting to a protected VPC and a firewall, respectively.

    1. Go to the enterprise router page.
      1. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
      2. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
      3. On the VPC border firewall management page, click Edit Protected VPC to the right of Firewall Status. The enterprise router page is displayed.
    2. Create and configure an association route table.
      1. Create a route table.
        1. Click the Route Tables tab. Click Create Route Table.
        2. Enter the association route table name (for example, RouteTable1) and click OK.
      2. Create an association.
        1. Select the association route table, click the Associations tab, and click Create Association.
        2. Configure association parameters.
          Figure 1 Creating an association
          Table 1 Association parameters
          Attachment Type: Select VPC.
          Attachment: Select the attachment of the VPC to be protected.

        3. Click OK.
      3. Configure routes.
        1. Click the Routes tab. Click Create Route Table.
        2. Configure route parameters.
          Figure 2 Creating a route
          Table 2 Route parameters
          Destination: Set the destination address. In this example, enter 0.0.0.0/0, indicating that all IPv4 traffic of the VPC is protected by the CFW.
          Blackhole Route: You are advised to disable it.
          Attachment Type: Set Attachment Type to CFW instance.
          Next Hop: Select the automatically generated firewall attachment cfw-er-auto-attach.
          Description: (Optional) Description of the route.

        3. Click OK.
    3. Create and configure a propagation route table.
      1. Create a route table.
        1. Click the Route Tables tab. Click Create Route Table.
        2. Enter the association route table name (for example, RouteTable2) and click OK.
      2. Create an association.
        1. Select the association route table, click the Associations tab, and click Create Association.
        2. Configure association parameters.
          Figure 3 Creating an association
          Table 3 Association parameters
          Attachment Type: Set Attachment Type to CFW instance.
          Attachment: Select the automatically generated firewall attachment cfw-er-auto-attach.

        3. Click OK.
      3. Configure propagation.
        1. Click the Propagations tab, click Create Propagation, and configure propagation parameters.
          Figure 4 Creating a propagation
          Table 4 Propagation parameters
          Attachment Type: Select VPC.
          Attachment: Select the attachment of the VPC to be protected.

        2. Click OK.

  2. Modify the VPC route table.

    1. In the service list, click Virtual Private Cloud under Networking. In the navigation pane, choose Route Tables.
    2. In the Name/ID column, click the route table name of a VPC. The Summary page is displayed.
    3. Click Add Route and configure route parameters.
      Table 5 Route parameters
      Destination Type: Select IP address.
      Destination: Enter the CIDR block that the traffic is sent to. In this example, enter 172.16.0.0/16 (data center IP address).
      Next Hop Type: Select Enterprise Router from the drop-down list.
      Next Hop: Select a resource for the next hop. The enterprise routers you created are displayed in the drop-down list.
      Description: (Optional) Description of the route. Enter up to 255 characters. Angle brackets (< or >) are not allowed.

    4. Click OK.

Step 4: Enable the VPC Border Firewall and Configure Protection Rules

After the configuration is complete, the firewall is in Disabled state. Traffic only passes through the enterprise router and is not forwarded to the firewall. You need to manually enable the VPC border firewall and configure protection rules.

In this section, we will configure a rule to prohibit SSH access to the sensitive asset at 192.168.0.19.

  1. Enable the VPC border firewall.

    1. Log in to the CFW console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
    4. In the navigation pane, choose Assets > Inter-VPC Border Firewalls.
    5. Click Enable Protection to the right of Firewall Status.
    6. Click OK.

  2. Verify that traffic passes through CFW.

    1. Generate traffic. For details, see Verifying Network Connectivity.
    2. View logs. In the navigation pane, choose Log Audit > Log Query. Click the Traffic Logs tab and click VPC Border Firewall.

  3. Configure protection rules.


    1. In the navigation pane on the left of the CFW console, choose Access Control > VPC Border Protection Rules.
    2. On the Protection Rules tab, click Add Rule. Configure protection information.
      Table 6 Adding a protection rule (parameter, description, and example value)
      Name: Rule name. Example value: --
      Source: Set the party that originates a session. Example value: IP Address, 172.16.0.0/16 (data center)
      Destination: Set the recipient of a session. Example value: IP Address, 192.168.0.19 (sensitive asset)
      Service: Set the transport layer protocol type, and specify the protocol type or port number of the traffic. Example value: Service, Protocol: TCP, Source Port: 1-65535, Destination Port: 1-65535
      Application: Configure protection policies for application-layer protocols. Example value: Application: SSH
      Protection Action: Set the action to be taken when traffic passes through the firewall. Example value: Block
      • Allow: Traffic is forwarded.
      • Block: Traffic is not forwarded.
      Status: Whether the policy is enabled. Example value: Enabled
      • Enabled: The policy takes effect immediately after being configured.
      • Disabled: The policy does not take effect.
      Priority: Priority of the rule. Example value: Pin on top
      • Pin on top: The policy is given the highest priority.
      • Lower than the selected rule: The policy priority is lower than that of a specified rule.
      Schedule Management: (Optional) Click Schedule Management and configure when the rule takes effect. Example value: --
      Allow Long Connection: If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second). Example value: --
      Long Connection Duration: If Allow Long Connection is set to Yes, set the persistent connection duration in hours, minutes, and seconds. Example value: --
      Tags: (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. Example value: --
      Description: (Optional) Usage and application scenario. Example value: --

    3. Click OK.

Checking Protection Outcomes

  1. In the data center (172.16.0.0/16), use a server (172.16.0.32) to try accessing the sensitive asset (192.168.0.19) via SSH.
  2. View CFW access control logs.
    • In the navigation pane of the CFW console, choose Access Control > VPC Border Protection Rules. On the Protection Rules tab page, check the number of times a rule is matched in the Hits column.
    • In the navigation pane, choose Log Audit > Log Query. On the Attack Event Logs tab page, check the CFW access control logs for the blocking record.
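The rule from Step 4 and the outcome check above, modeled as an added example (not code from this page or from CFW): constructed traffic records standing in for VPC border firewall traffic logs are evaluated top-down against an ordered rule list, and the match counter mirrors the Hits column. The pre-existing allow rule and the default action when nothing matches (assumed Allow) are assumptions of the example; they show why the SSH block only works when it is pinned on top.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str        # IP address or CIDR block
    dst: str
    protocol: str   # "TCP", "UDP" or "ANY"
    app: str        # application-layer protocol, "ANY" if not set
    action: str     # "Allow" or "Block"
    enabled: bool = True
    ports: tuple = (1, 65535)   # destination port range

    def matches(self, rec):
        lo, hi = self.ports
        return (self.enabled
                and ipaddress.ip_address(rec["src_ip"]) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(rec["dst_ip"]) in ipaddress.ip_network(self.dst, strict=False)
                and self.protocol in ("ANY", rec["protocol"])
                and self.app in ("ANY", rec["app"])
                and lo <= rec["dst_port"] <= hi)


def evaluate(rules, records, default="Allow"):
    """First matching rule wins; returns (verdicts, hits). Default action is an assumption."""
    hits = {r.name: 0 for r in rules}
    verdicts = []
    for rec in records:
        for rule in rules:
            if rule.matches(rec):
                hits[rule.name] += 1
                verdicts.append((rec["src_ip"], rec["app"], rule.action))
                break
        else:
            verdicts.append((rec["src_ip"], rec["app"], default))
    return verdicts, hits


# Rule from the example: block SSH from the data center to the sensitive asset.
SSH_BLOCK = Rule("block-ssh-to-sensitive", "172.16.0.0/16", "192.168.0.19", "TCP", "SSH", "Block")
# Assumed pre-existing rule that permits all data center traffic into the VPC.
ALLOW_DC = Rule("allow-dc-to-vpc", "172.16.0.0/16", "192.168.0.0/24", "ANY", "ANY", "Allow")
# Constructed records (not real CFW log output): the SSH attempt from 172.16.0.32, plus controls.
RECORDS = [
    {"src_ip": "172.16.0.32", "dst_ip": "192.168.0.19", "protocol": "TCP", "dst_port": 22, "app": "SSH"},
    {"src_ip": "172.16.0.32", "dst_ip": "192.168.0.19", "protocol": "TCP", "dst_port": 443, "app": "HTTPS"},
    {"src_ip": "172.16.0.32", "dst_ip": "192.168.0.20", "protocol": "TCP", "dst_port": 22, "app": "SSH"},
    {"src_ip": "10.0.0.5", "dst_ip": "192.168.0.19", "protocol": "TCP", "dst_port": 22, "app": "SSH"},
]


def run_pinned():      # Priority "Pin on top": the block rule is evaluated first.
    return evaluate([SSH_BLOCK, ALLOW_DC], RECORDS)


def run_appended():    # Block rule placed below the allow rule: it is shadowed and never hits.
    return evaluate([ALLOW_DC, SSH_BLOCK], RECORDS)
```

Running `run_pinned()` blocks only the SSH record and counts one hit for the block rule; `run_appended()` shows the same record allowed and zero hits, which is the symptom to look for if the Hits column stays at 0 after the test in step 1.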