This topic introduces the basic concept of a virtual private cloud (VPC) firewall and describes the scenarios of VPC firewalls.
What is a VPC firewall?
A VPC firewall monitors and manages traffic between VPCs and traffic between a VPC and a data center. If two VPCs are attached to the same Cloud Enterprise Network (CEN) instance or are connected by using an Express Connect circuit, you can create a VPC firewall to manage traffic between the VPCs and traffic between each VPC and a data center.
A VPC firewall also supports centralized protection across accounts. For example, a CEN instance and VPC_1 are created by using Account A, and VPC_2 is created by using Account B. VPC_1 and VPC_2 are connected by using the CEN instance. In this case, you can use Account A to purchase Cloud Firewall Enterprise Edition or Ultimate Edition and protect the traffic between VPC_1 and VPC_2, even though VPC_2 belongs to Account B.
Implementation
For more information about the protection diagrams of VPC firewalls, refer to the following topics:
Protection scope
Cloud Firewall provides three types of VPC firewalls. You can select a type based on your networking architecture.
VPC firewall type | Scenario | References |
VPC firewall that is created for an Enterprise Edition transit router | This type of VPC firewall can protect the following types of traffic:
This type of VPC firewall cannot protect traffic between CCN instances. | Configure a VPC firewall for an Enterprise Edition transit router |
VPC firewall that is created for a Basic Edition transit router | This type of VPC firewall can protect the following types of traffic:
This type of VPC firewall cannot protect the following types of traffic:
| |
VPC firewall that is created for an Express Connect circuit | This type of VPC firewall can protect the following types of traffic:
This type of VPC firewall cannot protect the following types of traffic:
Note If you want to protect the preceding types of traffic, we recommend that you use CEN to replace Express Connect. For more information, submit a ticket. | Configure a VPC firewall for VPCs connected by using an Express Connect circuit |
Specifications
The specifications of VPC firewalls are the number of VPC firewalls that can be created and the peak cross-VPC traffic that can be protected. These are separate from the Internet firewall specifications (protected public IP addresses and peak Internet traffic).
Specifications | Description | Enterprise Edition and Ultimate Edition of Cloud Firewall that uses the subscription billing method | Cloud Firewall that uses the pay-as-you-go billing method |
Number of VPC Firewalls | The number of VPC firewalls that can be created. | The value varies based on the number of VPC firewalls that you create and the cross-VPC traffic processing capability that you purchase. If the quotas are insufficient, you can upgrade the specifications. For more information, see Configure a VPC firewall for an Enterprise Edition transit router. The quotas vary based on the Cloud Firewall edition. For more information, see Subscription. | You are charged based on the number of protected assets and the total amount of processed traffic. No limits are imposed. For more information, see Pay-as-you-go. |
Protected VPC Traffic | The peak cross-VPC traffic that can be protected. | Same as the preceding row: the value depends on the cross-VPC traffic processing capability that you purchase and can be upgraded. | Same as the preceding row: no limits are imposed. |
View the protection status of assets and quota usage
You can view the protected assets within the current account on the VPC Firewall tab.
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
On the VPC Firewall tab, view the following information: number of VPC firewalls in the Not Created state, number of VPC firewalls in the Created state, and available quota for VPC firewalls. You can also view the total number of network elements, number of protected network elements, and number of unprotected network elements.
If the quota for VPC firewalls in your Cloud Firewall edition is exhausted, you can click Increase Quota to increase the quota based on your business requirements. For more information about the number of VPC firewalls that can be created in each edition, see Subscription.
Click the icon in the VPC Firewall section to view the numbers of VPC firewalls in the Not Created and Created states. The VPC firewalls are configured for Enterprise Edition transit routers, Basic Edition transit routers, and VPCs connected by using Express Connect circuits.
Click the icon in the Protected Network Elements section to view the total number of network elements, number of protected network elements, and number of unprotected network elements. The network elements are VPCs, virtual border routers (VBRs), transit routers, and VPN gateways.
The following list describes the statistical items:
CEN (Enterprise Edition)
Unprotected network elements: the number of network elements that are not protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.
Protected network elements: the number of network elements that are protected by VPC firewalls. The network elements are VPCs, VBRs, transit routers, and VPN gateways that are not added in manual mode.
Available quota: the number of VPC firewalls that are enabled. Each transit router corresponds to a VPC firewall.
CEN (Basic Edition)
Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.
Protected network elements: the number of VPCs that are protected by VPC firewalls.
Available quota: the number of VPC firewalls that are enabled. Each VPC corresponds to a VPC firewall.
Express Connect circuits
Unprotected network elements: the number of VPCs that are not protected by VPC firewalls.
Protected network elements: the number of VPCs that are protected by VPC firewalls.
Available quota: the number of VPC firewalls that are enabled. A local VPC and its peer VPC correspond to a VPC firewall.
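The three statistical items above count VPC firewalls at different granularities: one per transit router for CEN (Enterprise Edition), one per VPC for CEN (Basic Edition), and one per local/peer VPC pair for Express Connect, with manual-mode attachments excluded. The following Python script is an added example, not Alibaba Cloud code and not an API client. It applies those counting rules to a constructed inventory of network elements so that you can reproduce the protected/unprotected counts and the "Increase Quota" check from the "View the protection status" section offline. All element names, the inventory format, and the per-type keys are assumptions made for illustration.

```python
"""Coverage and quota audit for VPC firewalls (added example, not Alibaba Cloud code).

Counting rules, taken from the statistical items in the documentation:
  - CEN (Enterprise Edition): one VPC firewall per transit router; network elements
    (VPCs, VBRs, transit routers, VPN gateways) added in manual mode are not counted.
  - CEN (Basic Edition):      one VPC firewall per VPC.
  - Express Connect:          one VPC firewall per local VPC / peer VPC pair.
The inventory below is constructed for illustration; names are hypothetical.
"""

# Constructed inventory. "protected" means a VPC firewall already covers the element.
INVENTORY = [
    # CEN (Enterprise Edition): elements hang off a transit router.
    {"type": "cen_enterprise", "element": "vpc-a", "kind": "VPC", "transit_router": "tr-1", "manual": False, "protected": True},
    {"type": "cen_enterprise", "element": "vbr-a", "kind": "VBR", "transit_router": "tr-1", "manual": False, "protected": True},
    {"type": "cen_enterprise", "element": "vpc-b", "kind": "VPC", "transit_router": "tr-2", "manual": False, "protected": False},
    # Manual-mode attachment: excluded from the statistics entirely.
    {"type": "cen_enterprise", "element": "vpn-gw-a", "kind": "VPN gateway", "transit_router": "tr-2", "manual": True, "protected": False},
    # CEN (Basic Edition): each VPC is its own firewall unit.
    {"type": "cen_basic", "element": "vpc-c", "kind": "VPC", "protected": True},
    {"type": "cen_basic", "element": "vpc-d", "kind": "VPC", "protected": False},
    # Express Connect: each VPC is listed once with its peer; both sides of a
    # circuit share a single VPC firewall.
    {"type": "express_connect", "element": "vpc-e", "kind": "VPC", "peer_vpc": "vpc-f", "protected": True},
    {"type": "express_connect", "element": "vpc-f", "kind": "VPC", "peer_vpc": "vpc-e", "protected": True},
    {"type": "express_connect", "element": "vpc-g", "kind": "VPC", "peer_vpc": "vpc-h", "protected": False},
    {"type": "express_connect", "element": "vpc-h", "kind": "VPC", "peer_vpc": "vpc-g", "protected": False},
]


def firewall_unit(entry):
    """Return a hashable key for the VPC firewall that this element consumes."""
    conn = entry["type"]
    if conn == "cen_enterprise":
        return (conn, entry["transit_router"])
    if conn == "cen_basic":
        return (conn, entry["element"])
    if conn == "express_connect":
        # Unordered pair: (local, peer) and (peer, local) map to the same firewall.
        return (conn, frozenset((entry["element"], entry["peer_vpc"])))
    raise ValueError(f"unknown connection type: {conn}")


def counted(entry):
    """Manual-mode attachments are excluded from all statistics."""
    return not entry.get("manual", False)


def audit(inventory):
    """Per connection type: protected/unprotected element counts, firewalls already
    enabled, and firewalls that still have to be created to cover everything."""
    per_type = {}
    for entry in inventory:
        if not counted(entry):
            continue
        s = per_type.setdefault(entry["type"], {"protected": 0, "unprotected": 0, "enabled": set(), "needed": set()})
        unit = firewall_unit(entry)
        s["needed"].add(unit)
        if entry["protected"]:
            s["protected"] += 1
            s["enabled"].add(unit)
        else:
            s["unprotected"] += 1
    return {
        conn: {
            "protected": s["protected"],
            "unprotected": s["unprotected"],
            "firewalls_enabled": len(s["enabled"]),
            "firewalls_to_create": len(s["needed"] - s["enabled"]),
        }
        for conn, s in per_type.items()
    }


def unprotected_elements(inventory):
    """Names of counted elements with no VPC firewall, in inventory order."""
    return [e["element"] for e in inventory if counted(e) and not e["protected"]]


def quota_shortfall(summary, available_quota):
    """How many more VPC firewalls you need than your remaining quota allows (0 if none)."""
    to_create = sum(s["firewalls_to_create"] for s in summary.values())
    return max(0, to_create - available_quota)


if __name__ == "__main__":
    summary = audit(INVENTORY)
    for conn, s in summary.items():
        print(conn, s)
    print("unprotected:", unprotected_elements(INVENTORY))
    print("quota shortfall with 1 firewall left:", quota_shortfall(summary, 1))
```

In the constructed inventory, covering the remaining elements takes three more VPC firewalls (one per type), so an account with a single VPC firewall of quota left is short by two and would need to use Increase Quota before all network elements can be protected. The Express Connect pair is keyed as an unordered set so that listing a circuit from both VPCs does not double-count the firewall.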