Updated on 2024-10-09 GMT+08:00

VPC Border Firewall Overview

The VPC border firewall supports access control for communication traffic between VPCs, visualizing and protecting internal service access.

Supported Protected Objects

  • VPC
  • Virtual gateway (VGW) attachment
  • VPN gateway
  • Enterprise Connect Network (ECN)
  • Global DC gateways (DGW)

Constraints

  • Only the professional edition supports VPC border firewalls.
  • Traffic diversion depends on the enterprise router.
  • Only VPCs in the enterprise project to which the current account belongs can be protected.
  • CIDR blocks outside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 (that is, public network address blocks) can be used as private network CIDR blocks only after you submit a service ticket; otherwise CFW may fail to forward traffic between your VPCs.

Configuration and Usage Process

Because the two versions depend on different underlying components, the new and old versions of the VPC border firewall in enterprise router mode are available in different regions.
  • New version of VPC border firewall: For details about the configuration process, see Table 1. For details about the configuration document, see Enterprise Router Mode (New).
    Figure 1 VPC border firewall (new version)
  • Old version of VPC border firewall: For details about the configuration process, see Figure 3. For details about the configuration document, see Enterprise Router Mode (Old).
    Figure 2 Creating a VPC border firewall (old version)
Table 1 Configuration and usage process in enterprise router mode (new)

Procedure: Creating a VPC Border Firewall
Description: Plan CIDR blocks for traffic diversion on the VPC border firewall.
NOTE: The traffic diversion VPC does not occupy the VPC protection quotas under your account.

Procedure: Configuring the Enterprise Router to Direct Traffic to the Cloud Firewall
Description: Use an enterprise router to transmit traffic among VPCs and CFW.
  • Add connections between protected VPCs and an enterprise router.
  • In the enterprise router, create an association route table and a propagation route table to transmit traffic between the VPCs and the firewall.
  • Add a route pointing to the enterprise router for each VPC.

Procedure: Enabling the VPC Border Firewall and Ensuring the Traffic Passes Through CFW
Description: Enable VPC border traffic protection and check whether the traffic passes through CFW.

Procedure: Adding a VPC Border Protection Rule
Description: Allow or block traffic based on protection rules. (Allowed traffic is still checked by the IPS and antivirus functions.)

Procedure: Adding Blacklist or Whitelist Items to Block or Allow Traffic
Description: Allow or block traffic based on the blacklist and whitelist. (Traffic allowed or blocked in this way is not checked by other functions.)

Procedure: Access Control Logs
Description: Check whether protection policies take effect.

Procedure: Adding a Protected VPC
Description: Add a VPC to be protected.
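The CIDR planning step above and the private-address constraint in the Constraints section can be checked before anything is attached to the enterprise router. The following script is an added example, not part of the Huawei Cloud documentation or product: it flags VPC blocks that fall outside the four listed private ranges (and so need a service ticket) and, as an additional assumed planning check, reports VPC pairs whose blocks overlap, since the enterprise router cannot route overlapping address space apart. The VPC names and CIDR blocks in the sample plan are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# The four private ranges the Constraints section lists as usable
# without a service ticket.
SUPPORTED_PRIVATE_RANGES = [
    ipaddress.ip_network(r)
    for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


def needs_service_ticket(cidr: str) -> bool:
    """True when a block lies outside every supported private range.

    Only IPv4 ranges appear on the page, so a non-IPv4 block is reported
    as needing a ticket rather than being silently accepted.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return True
    return not any(net.subnet_of(rng) for rng in SUPPORTED_PRIVATE_RANGES)


def review_cidr_plan(vpcs: Dict[str, str]) -> Dict[str, list]:
    """Review a planned set of VPC blocks (name -> CIDR), including the
    traffic diversion VPC, before attaching them to the enterprise router.

    Returns the VPCs whose block needs a service ticket and the pairs of
    VPCs whose blocks overlap (overlap detection is an assumed planning
    check, not a constraint stated on the page).
    """
    nets = {name: ipaddress.ip_network(c, strict=False) for name, c in vpcs.items()}
    needs_ticket = sorted(n for n, c in vpcs.items() if needs_service_ticket(c))
    names = sorted(nets)
    overlaps: List[Tuple[str, str]] = [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]
    return {"needs_ticket": needs_ticket, "overlaps": overlaps}


if __name__ == "__main__":
    # Constructed sample plan: three protected VPCs plus the diversion VPC.
    plan = {
        "vpc-app": "10.1.0.0/16",
        "vpc-db": "10.2.0.0/16",
        "vpc-legacy": "203.0.113.0/24",  # outside the four private ranges
        "vpc-divert": "10.1.128.0/20",   # collides with vpc-app
    }
    print(review_cidr_plan(plan))
```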

The following figure shows the configuration process in enterprise router mode (old).
Figure 3 Configuration process of the enterprise router mode