
Cloud Firewall: Configure a VPC firewall for a Basic Edition transit router

Last Updated: Sep 05, 2024

If your network instances are connected by using a Basic Edition transit router, you can use a virtual private cloud (VPC) firewall to protect the traffic between the network instances. The network instances can be VPCs, virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. This helps improve the security of your assets. This topic describes how to configure a VPC firewall for a Basic Edition transit router.

Feature description

Implementation

After you enable a VPC firewall, Cloud Firewall filters traffic between VPCs based on deep packet inspection (DPI)-based traffic analysis policies, intrusion prevention policies, threat intelligence rules, virtual patching policies, and access control policies. Then, Cloud Firewall checks whether the traffic matches the specified conditions, and blocks unauthorized traffic. This ensures the security of the traffic between internal-facing assets.

The following figure provides an example of a VPC firewall created for a Basic Edition transit router.

[Figure: VPC firewall created for a Basic Edition transit router]

For more information about the protection scope, see What is Cloud Firewall?

Impacts

You can create a VPC firewall with a few clicks and configure the traffic redirection mode without the need to change the current network topology. You can set the traffic redirection mode to the automatic or manual mode. Your workloads are not affected during the creation. The creation duration is approximately 5 minutes. We recommend that you enable a VPC firewall during off-peak hours.

The system requires approximately 5 minutes to 30 minutes to enable or disable a VPC firewall. The creation duration varies based on the number of routes. Persistent TCP connections may be interrupted for several seconds. Short-lived connections are not affected.

Note

Before you enable a VPC firewall, we recommend that you check whether your application is configured to automatically reconnect over TCP, and that you pay close attention to the connection status of your application. This helps avoid connection interruptions.

Limits

Item: VPC quota

  • Description: Before you enable a VPC firewall, make sure that a VPC named Cloud_Firewall_VPC is created and the VPC quota within your account is sufficient. For more information about the VPC quota, see Limits and quotas.

    For example, the VPC quota in a region is 10. If you enable a VPC firewall, you can create up to nine VPCs because a VPC is automatically created for the VPC firewall.

    Solution: If the VPC quota is exhausted, you must increase the VPC quota. For more information, see Manage VPC quotas.

  • Description: You must make sure that the number of network instances that are connected to a Basic Edition transit router in each region does not exceed the upper limit. The network instances can be VPCs, VBRs, and CCN instances. The VPCs that you can connect to a Basic Edition transit router include the VPC that is automatically created when you enable the VPC firewall and is named Cloud_Firewall_VPC. For more information about the maximum number of network instances that you can connect to a Basic Edition transit router, see Limits.

    For example, the default maximum number of network instances that you can connect to a Basic Edition transit router is 10. If you enable a VPC firewall, you can create up to 9 VPCs because a VPC is automatically created for the VPC firewall.

    Solution: We recommend that you use an Enterprise Edition transit router. For more information, join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

  • Description: The maximum number of VPCs that can be attached to a Cloud Enterprise Network (CEN) instance in a region is 31.

    Solution: None.

Item: Route quota

  • Description: CEN instances cannot have routing policies whose Routing Policy Action is set to Deny. Otherwise, services are interrupted. The routing policies exclude a CEN-generated policy whose priority is set to 5000 and Routing Policy Action is set to Deny.

    Solution: We recommend that you delete the Deny routing policies. You can join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

  • Description: After you enable a VPC firewall, Cloud Firewall automatically adds a custom route to your VPC route table. By default, up to 200 custom routes can be added to each VPC route table. If the number of custom routes in your VPC route table reaches the upper limit, you can no longer enable VPC firewalls.

    Solution: Increase the maximum number of custom routes allowed for each VPC route table within your Alibaba Cloud account. For more information, see Manage resource quotas.

  • Description: You must make sure that the number of routes that are advertised to a CEN instance does not exceed the upper limit. In this case, the advertised routes include the route that is automatically added when you enable the VPC firewall. For more information about the maximum number of routes that can be advertised to a CEN instance, see Limits.

    Solution: We recommend that you advertise no more than 100 routes to a CEN instance. You can join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

  • Description: If a VPC has a custom route table that is associated with a vSwitch, you cannot enable a VPC firewall.

    Solution: You can delete the custom route table or disassociate the vSwitch from the custom route table.

Item: Traffic type

  • Description: VPC firewalls cannot protect traffic of IPv6 addresses.

    Solution: None.

Item: Others

  • Description: If you enabled a VPC firewall before May 1, 2021 and your private network uses a public IP address other than 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 or uses a 32-bit CIDR block XX.XX.XX.XX/32 for two-way traffic redirection, your workloads may be affected.

      • If you access assets across VPCs, only one-way traffic may pass through the VPC firewall in some cases. In this case, traffic log data may be lost and exceptions may occur to access control and intrusion prevention system (IPS)-based protection at Layer 4 and Layer 7.

      • If you access a Server Load Balancer (SLB) or ApsaraDB RDS instance across VPCs, packets may be lost because the flows of outbound and inbound traffic of the instance are inconsistent. As a result, the SLB or RDS instance cannot be accessed.

    Note

    If you enable a VPC firewall on or after May 1, 2021, you are not subject to this limit.

    Solution: We recommend that you develop a network plan based on standards. We also recommend that you do not use a public IP address in a private network or a 32-bit CIDR block for traffic redirection.

    If you have special requirements, join the DingTalk group 33081734 and contact the after-sales service to add your account to the whitelist.

  • Description: When you enable or disable a VPC firewall for an Alibaba Cloud asset such as an SLB or ApsaraDB RDS instance, existing TCP persistent connections may fail.

    Solution:

      • When you enable or disable a VPC firewall, you can temporarily specify the local VPC as the backend server in health checks of SLB to prevent network jitters during health checks. You can restore the settings after VPC Firewall is enabled or disabled. For more information, see Configure and manage CLB health checks.

      • Configure the connection protection and reconnection mechanisms on the client.
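
The limits above can be checked against an exported inventory before the change window. The following Python check is an added example, not Alibaba Cloud code or an API client: the inventory dictionary, its field names, and the sample values are constructed, and the default limits are the figures quoted in this topic.

```python
import ipaddress

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def preflight(inv, vpc_quota=10, instance_limit=10, route_limit=200):
    """Return (blockers, warnings) for one CEN instance before enabling."""
    blockers, warnings = [], []
    # Cloud_Firewall_VPC takes one VPC and one transit router attachment.
    if inv["region_vpc_count"] + 1 > vpc_quota:
        blockers.append("VPC quota exhausted")
    if inv["attached_instances"] + 1 > instance_limit:
        blockers.append("transit router attachment limit reached")
    # Deny policies interrupt services; the CEN-generated one (priority 5000)
    # is exempt. Assumption: priority 5000 identifies that policy.
    for pol in inv["routing_policies"]:
        if pol["action"] == "Deny" and pol["priority"] != 5000:
            blockers.append(f"Deny routing policy {pol['id']}")
    for vpc in inv["vpcs"]:
        # The firewall adds one custom route, so a full table blocks enabling.
        if vpc["custom_routes"] >= route_limit:
            blockers.append(f"{vpc['id']}: custom route limit reached")
        if vpc["custom_table_on_vswitch"]:
            blockers.append(f"{vpc['id']}: custom route table on a vSwitch")
        for cidr in vpc["cidrs"]:
            net = ipaddress.ip_network(cidr)
            if net.version == 6:
                warnings.append(f"{vpc['id']}: {cidr} is IPv6, not protected")
                continue
            if not any(net.subnet_of(p) for p in PRIVATE):
                warnings.append(f"{vpc['id']}: {cidr} is not a private range")
            if net.prefixlen == 32:
                warnings.append(f"{vpc['id']}: {cidr} is a 32-bit CIDR block")
    return blockers, warnings

# Constructed inventory; the field names are hypothetical, not an API schema.
SAMPLE = {
    "region_vpc_count": 9, "attached_instances": 10,
    "routing_policies": [
        {"id": "rp-system", "priority": 5000, "action": "Deny"},
        {"id": "rp-custom", "priority": 20, "action": "Deny"}],
    "vpcs": [
        {"id": "vpc-a", "custom_routes": 200, "custom_table_on_vswitch": False,
         "cidrs": ["10.1.0.0/16", "2001:db8::/56"]},
        {"id": "vpc-b", "custom_routes": 12, "custom_table_on_vswitch": True,
         "cidrs": ["30.0.0.0/24", "192.168.5.9/32"]}],
}

if __name__ == "__main__":
    print(preflight(SAMPLE))
```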

Create and enable a VPC firewall

Prerequisites

Procedure

Warning
  • If you change the vSwitch and route table after you create a VPC firewall, your business may be interrupted.

  • If single VBRs exist in your CEN instance, your business may be interrupted when you create a VPC firewall or perform a network cutover.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the Firewall Settings page, click the VPC Firewall tab.

  3. On the VPC Firewall tab, click the CEN (Basic) tab.

  4. Find the CEN instance for which you want to create a VPC firewall and click Create in the Actions column.

    If no available assets are displayed in the asset list, you can click Synchronize Assets to synchronize the asset information of the current Alibaba Cloud account and members of the Alibaba Cloud account.

  5. In the Create Firewall panel, configure parameters to complete the wizard.

    If you want to create a VPC firewall for a Basic Edition transit router, you can click Quick Diagnosis to check whether the required conditions are met. After the check is complete, you can view the check results in the Check Details section. If you are familiar with the rules for creating a VPC firewall, you can skip Quick Diagnosis and directly create a VPC firewall.

    The following table describes the parameters that are required to create a VPC firewall for CEN-connected VPCs.

    Parameter

    Description

    Basic Information

    Instance Name: Specify a name for the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall based on your business requirements.

    VPC Configurations of Firewall

    Allocate a CIDR block to Cloud_Firewall_VPC, the VPC that is automatically created for the VPC firewall for traffic redirection, and allocate a subnet CIDR block of that CIDR block to the automatically created vSwitch that is associated with the VPC. The mask of the subnet CIDR block must be less than or equal to 29 bits in length, and the subnet CIDR block cannot conflict with your network plan.

    Important

    You must complete the configurations based on your business requirements because you cannot modify the configurations after the VPC firewall is created. If you want to use different configurations, you must delete the VPC firewall and create another VPC firewall.

    • VPC of Firewall: The default value is 10.0.0.0/8. You can allocate a different CIDR block to the VPC. The following CIDR blocks and their subnet CIDR blocks are supported: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

    • vSwitch CIDR Block: The default value is 10.219.219.216/29. If the default value conflicts with your network plan, you can specify a different value.

    • vSwitch Zone: The system automatically assigns a zone for the vSwitch. You can specify a different zone. If your business is latency-sensitive, you can specify the same zone for the vSwitch of the firewall and the vSwitch of your business VPC to minimize latency.

    Assign vSwitch for Firewall

    Specify a vSwitch for the business VPC for which you want to enable traffic redirection. The vSwitch is used to associate with the elastic network interface (ENI) that is required by the VPC firewall. The system automatically assigns a vSwitch. If your business is latency-sensitive, you can select the zone where your business VPC resides to minimize latency.

    Important

    You cannot modify the configurations after the VPC firewall is created. If you want to modify the configurations, you must delete the VPC firewall and create another VPC firewall.

    • Zone: Select the zone of the vSwitch.

    • vSwitch: Select a vSwitch for the business VPC.

    Redirection Configuration

    Turn on or turn off Enable Traffic Redirection and view the protected CIDR blocks.

    Intrusion Prevention

    Specify the working mode of the IPS and the intrusion prevention policies that you want to enable.

    • IPS Mode

      • Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.

      • Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.

    • IPS Capabilities

      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.

      • Virtual Patches: Virtual patching can be used to defend against the common high-risk application vulnerabilities in real time.

    Note

    This setting applies to all network instances that belong to the same CEN instance.

  6. Click Start Creation to create the VPC firewall.

  7. On the CEN (Basic) tab, enable the created VPC firewall.

    Cloud Firewall can protect your network resources only after you enable your VPC firewall. If the status in the Firewall Status column of the VPC firewall changes to Enabled, the VPC firewall is enabled.

    Note

    If you add or delete routes in your VPC route table after you enable a VPC firewall, you must wait for 15 minutes to 30 minutes until Cloud Firewall learns routes. After Cloud Firewall learns routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support on Cloud Firewall.

    After you create the VPC firewall, Cloud Firewall automatically creates the following resources:

    • A VPC named Cloud_Firewall_VPC.

      Important

      Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not manually modify or delete the network resources in Cloud_Firewall_VPC.

    • A vSwitch named Cloud_Firewall_VSWITCH.

    • A custom route that has the following remarks: Created by cloud firewall. Do not modify or delete it.

    After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action is set to Allow to the security group to allow inbound traffic from the VPC firewall to ECS.

    Important

    Do not delete the security group Cloud_Firewall_Security_Group or the security group rule whose Action parameter is set to Allow. Otherwise, your business may be interrupted.

    If you want to perform batch operations on VPC firewalls or if you frequently enable and disable VPC firewalls, we recommend that you perform such operations during off-peak hours to prevent impacts on your business.
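
Because the firewall VPC and vSwitch CIDR blocks from step 5 cannot be modified after creation, it helps to validate them against the network plan first. The following Python code is an added example, not part of the original topic or of any Alibaba Cloud tool: the function names and the sample plan are constructed, and "conflict with your network plan" is assumed to mean overlap with a planned CIDR block.

```python
import ipaddress

# CIDR blocks the page allows for the firewall VPC (and their subnets).
ALLOWED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_firewall_cidrs(vpc_cidr, vswitch_cidr, planned):
    """Return a list of problems; an empty list means the pair is usable."""
    vpc = ipaddress.ip_network(vpc_cidr)
    vsw = ipaddress.ip_network(vswitch_cidr)
    problems = []
    if not any(vpc.subnet_of(a) for a in ALLOWED):
        problems.append(f"{vpc} is outside the supported private blocks")
    if not vsw.subnet_of(vpc):
        problems.append(f"{vsw} is not a subnet of {vpc}")
    if vsw.prefixlen > 29:
        problems.append(f"{vsw} mask is longer than 29 bits")
    # Assumption: a conflict with the network plan means an overlap.
    for p in map(ipaddress.ip_network, planned):
        if vsw.overlaps(p):
            problems.append(f"{vsw} overlaps planned block {p}")
    return problems

def first_free_vswitch(vpc_cidr, planned, prefix=29):
    """Return the lowest block of the given prefix in vpc_cidr that is free."""
    vpc = ipaddress.ip_network(vpc_cidr)
    plan = [ipaddress.ip_network(p) for p in planned]
    step = 2 ** (32 - prefix)
    addr, end = int(vpc.network_address), int(vpc.broadcast_address)
    while addr + step - 1 <= end:
        cand = ipaddress.ip_network((addr, prefix))
        hit = next((p for p in plan if cand.overlaps(p)), None)
        if hit is None:
            return str(cand)
        # Jump past the conflicting block, rounded up to an aligned boundary.
        nxt = int(hit.broadcast_address) + 1
        addr = max(addr + step, -(-nxt // step) * step)
    return None

# Constructed network plan, not taken from the page.
PLAN = ["10.0.0.0/9", "10.128.0.0/24", "10.219.0.0/16"]

if __name__ == "__main__":
    print(check_firewall_cidrs("10.0.0.0/8", "10.219.219.216/29", PLAN))
    print(first_free_vswitch("10.0.0.0/8", PLAN))
```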

What to do next

  • After you enable a VPC firewall, you can create access control policies for the VPC firewall to control traffic between VPCs. For more information, see Access control policies for VPC firewalls.

  • After you enable a VPC firewall, you can view the traffic between VPCs on the VPC Access page. For more information, see VPC Access.

  • After you enable a VPC firewall, you can view the information about intrusion events that are detected in VPCs on the VPC Traffic Blocking tab of the Intrusion Prevention page. For more information, see View VPC traffic blocking events.

More operations

Modify a VPC firewall

To modify the configurations of a VPC firewall, go to the CEN (Basic Edition) tab of the VPC Firewall tab, find the CEN instance for which the VPC firewall is created, and click Edit in the Actions column.

Enable or disable a VPC firewall

Warning

When you disable a VPC firewall, transient connection interruptions may occur.

  1. On the Firewall Settings page, click the VPC Firewall tab.

  2. On the CEN (Basic Edition) tab, find the CEN instance for which the VPC firewall is created and turn off the switch in the Switch column.

    Wait until the VPC firewall is disabled. If the value of Firewall Status for the VPC firewall changes to Disabled, the VPC firewall is disabled.

Delete a VPC firewall

Warning

When you delete a VPC firewall, transient connection interruptions may occur.

If you no longer require a VPC firewall, go to the CEN (Basic Edition) tab of the VPC Firewall tab, find the CEN instance for which the VPC firewall is created, and click Delete in the Actions column.
