All Products
Search
Document Center

Cloud Firewall:Configure a VPC firewall for VPCs connected by using an Express Connect circuit

Last Updated:Sep 11, 2024

If your virtual private clouds (VPCs) are connected by using a VPC peering connection or an Express Connect circuit, you can use a VPC firewall to protect the traffic between the VPCs. This helps improve the security of your assets. This topic describes how to configure a VPC firewall for VPCs that are connected by using an Express Connect circuit.

Feature description

Protection diagram

image

For more information about the protection scope of Cloud Firewall, see What is Cloud Firewall?

Impacts

You can directly create a VPC firewall to protect your business assets without the need to change the current network topologies. The creation duration is approximately 5 minutes and your workloads are not affected. We recommend that you enable a VPC firewall during off-peak hours.

The system requires approximately 5 to 30 minutes to enable or disable a VPC firewall. The creation duration varies based on the number of routes. Persistent TCP connections may be interrupted for several seconds. Short-lived connections are not affected.

Note

Before you enable a VPC firewall, we recommend that you check whether your application is configured to automatically to launch reconnections over TCP, and pay close attention to the connection status of your application. This helps avoid connection interruptions.

Limits

Item

Description

Suggestion

VPC quota

Before you enable a VPC firewall, make sure that a VPC named Cloud_Firewall_VPC is created and the VPC quota within your account is sufficient. For more information about the VPC quota, see VPC quotas.

For example, the VPC quota in a region is 10. If you enable a VPC firewall, you can create up to nine VPCs because a VPC is automatically created for the VPC firewall.

If the VPC quota is exhausted, you must increase the VPC quota. For more information, see Manage VPC quotas.

Traffic type

VPC firewalls cannot protect traffic of IPv6 addresses.

None.

Route quota

You cannot advertise routes that use 32-bit subnet masks in Express Connect. If the routes that use 32-bit subnet masks are advertised and a VPC firewall is enabled, the connections to the network of the subnet masks are interrupted.

Before you enable VPC Firewall, we recommend that you change the subnet mask length to less than or equal to 30 bits. You can also join the DingTalk group 33081734 to obtain technical support for Cloud Firewall.

Create and enable a VPC firewall

Prerequisites

  • Cloud Firewall Enterprise Edition or Ultimate Edition is purchased. For more information, see Purchase Cloud Firewall.

    Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to create VPC firewalls for VPCs that are connected by using an Express Connect circuit.

  • Cloud Firewall is authorized to access other cloud resources. For more information, see Authorize Cloud Firewall to access other cloud resources.

  • An Express Connect circuit is purchased, and VPCs are connected by using the Express Connect circuit or a VPC peering connection. For more information, see Create and manage a VPC peering connection.

  • The VPC Firewall feature is supported in the regions in which your network resources reside. For more information, see Supported regions.

Warning

If you change the vSwitch and route table after you create a VPC firewall, your business may be interrupted.

Procedure

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, click the Express Connect Circuit tab.

  3. Click Synchronize Assets to synchronize the information about the assets of the current account and the members.

    The process requires 1 minute to 2 minutes to complete.

  4. Find the Express Connect circuit for which you want to create a VPC firewall and click Create in the Actions column.

    If a large number of Express Connect circuits exist, you can search for the circuit by region or VPC.

  5. In the Create VPC Firewall dialog box, configure the required parameters. The following table describes the parameters.

    Parameter

    Description

    Instance Name

    The name of the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall.

    Connection Type

    The type of the connection between VPCs or between a VPC and a data center. In this example, the value is fixed to Express Connect.

    VPC

    The information about the VPC. Confirm the regions and IDs of the VPCs and specify the route tables and destination CIDR blocks.

    • Route table

      When you create a VPC, the system automatically creates a default route table and adds system route entries to the route table. You can create multiple route tables for a VPC based on your business requirements. For more information, see Route table overview.

      When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect circuit, you can view multiple VPC route tables and select the route tables that you want to use.

    • Destination CIDR block

      After you select a route table from the Route Table or Peer Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block or Peer Destination CIDR Blocks section. If you want to protect traffic that is destined for other CIDR blocks, you can change the destination CIDR block. You can add multiple CIDR blocks. Separate the CIDR blocks with commas (,).

    Peer VPC

    The region and the name of the peer VPC. Confirm the information and configure the Peer Route Table and Peer Destination CIDR Block parameters.

    Intrusion Prevention

    The intrusion prevention policies that you want to enable. Valid values:

    • IPS Mode

      • Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.

      • Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts.

    • IPS Capabilities

      • Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server.

      • Virtual Patches: You can use virtual patching to defend against the common high-risk application vulnerabilities in real time.

    Enable VPC Firewall

    If you turn on Enable VPC Firewall, a VPC firewall is automatically enabled after you create the firewall.

  6. Click Submit. In the message that appears, click Submit.

    Note

    If you add or delete routes in your VPC route table after you enable a VPC firewall, wait for 15 minutes to 30 minutes until Cloud Firewall learns the routes. After Cloud Firewall learns the routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support for Cloud Firewall.

    After you create the VPC firewall, Cloud Firewall automatically creates the following resources:

    • A VPC named Cloud_Firewall_VPC.

      Important

      Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not modify or delete the network resources in Cloud_Firewall_VPC.

    • A vSwitch named Cloud_Firewall_VSWITCH.

    • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.

    After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action parameter is set to Allow to the security group. The rule allows inbound traffic from the VPC firewall to ECS.

    Important

    Do not delete Cloud_Firewall_Security_Group or the security group rule. Otherwise, inbound traffic from the VPC firewall to ECS cannot be protected by the VPC firewall.

    If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform the operations during off-peak hours to prevent impacts on your business.

  7. On the Express Connect Circuit tab, find and enable the VPC firewall that is created.

    Cloud Firewall can protect your network resources only after you enable your VPC firewall. If the value of Firewall Status for the VPC firewall changes to Enabled, the VPC firewall is enabled.

What to do next

  • After you enable a VPC firewall, you can create an access control policy for the firewall to control traffic between VPCs. For more information, see Access control policies for VPC firewalls.

  • After you enable a VPC firewall, you can view the traffic between VPCs on the VPC Access page. For more information, see VPC Access.

  • After you enable a VPC firewall, you can view the information about intrusion events that are detected in VPCs on the VPC Traffic Blocking tab of the Intrusion Prevention page. For more information, see View VPC traffic blocking events.

More operations

Disable a VPC firewall

Warning

When you disable a VPC firewall, transient connections may occur.

If you want to disable a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and turn off the switch in the Firewall Settings column.

If the value of Firewall Status for the VPC firewall changes to Disabled, the VPC firewall is disabled.

Delete a VPC firewall

Warning

When you delete a VPC firewall, transient connections may occur.

If you no longer require a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and click Delete in the Actions column.

Modify a VPC firewall

If you want to modify the configurations of a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and click Edit in the Actions column.

What to do next

  • After you enable a VPC firewall, you can create an access control policy for the firewall to control traffic between VPCs. For more information, see Access control policies for VPC firewalls.

  • After you enable a VPC firewall, you can view the traffic between VPCs on the VPC Access page. For more information, see VPC Access.

  • After you enable a VPC firewall, you can view the information about intrusion events that are detected in VPCs on the VPC Traffic Blocking tab of the Intrusion Prevention page. For more information, see View VPC traffic blocking events.