This topic provides answers to frequently asked questions about enabling and disabling firewalls in Cloud Firewall, including the impacts of enabling a firewall and the changes to routes and traffic that occur after a firewall is enabled.
Internet firewall
NAT firewalls
VPC firewalls
What are the impacts of enabling a firewall?
Firewall type | Impact
Internet firewall | When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove them from it within seconds. You do not need to change the current network topology, and your workloads are not affected.
NAT firewall |
VPC firewall created for an Express Connect circuit, or for a Basic Edition transit router |
VPC firewall created for an Enterprise Edition transit router (automatic traffic redirection) |
VPC firewall created for an Enterprise Edition transit router (manual traffic redirection) |
Why am I unable to activate Cloud Firewall for my account?
Causes
When you log on to the Cloud Firewall console, the message "Your account cannot be used to activate Cloud Firewall." appears. This occurs in the following scenarios:
Your account is an Alibaba Cloud account that has been added as a member account for centralized (multi-account) management.
Your account is a Resource Access Management (RAM) user that does not have the required permissions.
Solutions
You can move the pointer over the profile picture in the upper-right corner of the Cloud Firewall console to view the value of Account ID.
If the value of Account ID is a string of digits that starts with 1, your account is an Alibaba Cloud account.
If your account is a member account, you must log on to the Cloud Firewall console with the management account that manages the member and activate Cloud Firewall there. Then, enable protection for the cloud assets that belong to the member. For more information, see Purchase Cloud Firewall.
If the value of Account ID is a string of digits that starts with 2, your account is a RAM user. If your account is a RAM user, you must attach the following policies to the RAM user by using the Alibaba Cloud account to which the RAM user belongs: createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess. For more information, see Grant permissions to a RAM user.
createSlr is a custom policy that you need to create. The following code provides an example on the content of the policy. For more information, see Create a custom policy.
```json
{
  "Statement": [
    {
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:166032244439****:role/*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "cloudfw.aliyuncs.com"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
```
The Effect must be Allow: RAM denies every action that no attached policy explicitly allows, so a Deny statement here would grant nothing and the service-linked role for Cloud Firewall could still not be created. The Condition limits the grant to the service-linked role of Cloud Firewall (ram:ServiceName is cloudfw.aliyuncs.com); the RAM user cannot use it to create service-linked roles for other services.
Note: You must specify the value of the Resource parameter in the format acs:ram:*:ID of the Alibaba Cloud account:role/*, where the ID is the ID of the Alibaba Cloud account to which the RAM user belongs.
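The following added example (not Cloud Firewall's or RAM's own code) builds the createSlr policy above for a given account ID and runs it through a small model of RAM policy evaluation, so you can see what the statement grants and what it withholds. The account ID, the role name AliyunServiceRoleForCloudFW and the request contexts are constructed assumptions, and only the StringEquals condition operator is modeled.

```python
import fnmatch

# Added example, not Cloud Firewall's own code. Models RAM evaluation as:
# matching explicit Deny wins, otherwise a matching Allow grants, otherwise
# the request is implicitly denied. Only StringEquals conditions are modeled.


def build_create_slr_policy(account_id: str) -> dict:
    """The createSlr custom policy from this FAQ, for one Alibaba Cloud account."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Action": ["ram:CreateServiceLinkedRole"],
                # Resource must be acs:ram:*:<Alibaba Cloud account ID>:role/*
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {"ram:ServiceName": ["cloudfw.aliyuncs.com"]}
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals conditions against the request context keys."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modeled here")
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return "Allow" or "Deny" for one request against one policy document."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


# Constructed sample values; the account ID and role name are assumptions.
ACCOUNT_ID = "1234567890123456"
ACTION = "ram:CreateServiceLinkedRole"
ROLE = f"acs:ram::{ACCOUNT_ID}:role/AliyunServiceRoleForCloudFW"


def check_policy_scope() -> dict:
    """What the policy grants, and what it does not."""
    policy = build_create_slr_policy(ACCOUNT_ID)
    return {
        "cloudfw_same_account": evaluate(
            policy, ACTION, ROLE, {"ram:ServiceName": "cloudfw.aliyuncs.com"}),
        # Same action for another service: the condition fails, implicit deny.
        "other_service": evaluate(
            policy, ACTION, ROLE, {"ram:ServiceName": "ecs.aliyuncs.com"}),
        # Role in another account: Resource does not match, implicit deny.
        "other_account": evaluate(
            policy, ACTION, "acs:ram::6543210987654321:role/AliyunServiceRoleForCloudFW",
            {"ram:ServiceName": "cloudfw.aliyuncs.com"}),
    }


def effect_deny_grants_nothing() -> str:
    """The same statement with Effect Deny never lets the RAM user create the role."""
    policy = build_create_slr_policy(ACCOUNT_ID)
    policy["Statement"][0]["Effect"] = "Deny"
    return evaluate(policy, ACTION, ROLE, {"ram:ServiceName": "cloudfw.aliyuncs.com"})


if __name__ == "__main__":
    print(check_policy_scope())
    print("Effect=Deny ->", effect_deny_grants_nothing())
```

The three checks in check_policy_scope are the least-privilege properties worth keeping when you adapt the policy: the grant is limited to one action, to roles in your own account, and to the Cloud Firewall service-linked role.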
What is the purpose of the Internet firewall?
You can add multiple types of Internet-facing assets to the Internet firewall for protection, including public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of Server Load Balancer (SLB) instances, and elastic IP addresses (EIPs). After you enable the Internet firewall, the system forwards inbound and outbound traffic at the Internet border to Cloud Firewall. Then, Cloud Firewall filters the traffic and allows only traffic that meets the specified conditions. For more information, see Internet Firewall.
Can the Internet firewall protect IPv6 addresses?
No, the Internet firewall cannot protect IPv6 addresses. For more information about the cloud assets that can be protected by the Internet firewall, see Protection scope.
Is network traffic affected after I enable the Internet firewall?
If you enable the Internet firewall but do not configure access control policies or policies for the intrusion prevention system (IPS), Cloud Firewall monitors traffic and generates alerts for suspicious traffic but does not block suspicious traffic.
By default, the Internet firewall is enabled after you activate Cloud Firewall.
What are the impacts of disabling the Internet firewall?
If you disable the Internet firewall, network traffic does not pass through the firewall, and the following issues may occur:
The protection capabilities of the Internet firewall no longer take effect. For example, the access control policies that you created are not enforced, and intrusion prevention is disabled.
The statistics of traffic at the Internet border are not updated, including network traffic analysis reports and traffic logs.
When I enable the Internet firewall, the system prompts SLB instance-related network restrictions. Why?
Cause
When you enable the Internet firewall, the "You cannot enable a firewall for the IP address because the network of the SLB instance does not support this operation" message appears. The cause may be that an SLB instance has only private IP addresses and does not support Cloud Firewall.
Solution
If your asset is an internal-facing SLB instance, we recommend that you associate an EIP with the instance to redirect traffic to Cloud Firewall. For more information, see Associate an EIP with an internal-facing CLB instance.
Why are my public IP addresses not displayed after I perform asset synchronization in Cloud Firewall Free Edition?
Cloud Firewall Free Edition can synchronize only EIPs. Information about newly added EIPs is displayed in Cloud Firewall one day later. Cloud Firewall Free Edition cannot synchronize public IP addresses of ECS instances or SLB instances.
Are the security group rules in ECS affected after VPC Firewall is enabled?
No, the security group rules are not affected.
After you enable VPC Firewall, a security group named Cloud_Firewall_Security_Group and an access control policy are automatically created to allow traffic to your VPC firewall. The security group controls only traffic between VPCs. The existing security group rules are not affected. You do not need to migrate or modify security group rules in ECS.
Why am I prompted that unauthorized network instances exist when I create a VPC firewall?
Cause
Your Cloud Enterprise Network (CEN) instance is associated with a VPC that belongs to a different Alibaba Cloud account, and Cloud Firewall is not authorized to access the cloud resources that belong to the Alibaba Cloud account of the VPC.
Solution
Log on to the Cloud Firewall console with the Alibaba Cloud account that owns the VPC, and authorize Cloud Firewall to access the cloud resources within that account by using a service-linked role as prompted. For more information, see Authorize Cloud Firewall to access other cloud resources.
I have enabled a VPC firewall for a Basic Edition transit router. Why is a routing policy whose Routing Policy Action is set to Deny added to the route table of the transit router?
After you create and enable a VPC firewall for a VPC that is named VPC-test and is connected to a Basic Edition transit router, the VPC Firewall feature creates a VPC named Cloud_Firewall_VPC and advertises a static route to redirect the traffic of other VPCs that are connected to the transit router and not protected by firewalls to Cloud Firewall.
Cloud Firewall also adds a static route whose next hop points to the ENI that is created for Cloud_Firewall_VPC to the route table of Cloud_Firewall_VPC and creates a routing policy whose Routing Policy Action is set to Deny. This way, VPC-test does not learn the routes that are advertised by CEN. The outbound traffic of VPC-test is redirected to Cloud Firewall based on the static route.
Do not modify or delete the routing policy or the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.
Why does Cloud Firewall create a route table and add the static route 0.0.0.0/0 to the route table after I enable a NAT firewall?
After you enable a NAT firewall, Cloud Firewall automatically creates the custom route table Cloud_Firewall_ROUTE_TABLE and adds the static route 0.0.0.0/0 that points to the involved NAT gateway protected by Cloud Firewall to the custom route table. In addition, Cloud Firewall changes the next hop of the static route 0.0.0.0/0 in the system route table to the ENI of the NAT firewall. This way, the outbound traffic of the NAT gateway is redirected to Cloud Firewall.
Do not modify or delete the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.
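The two routes described above are what keep outbound traffic flowing through the NAT firewall, so they are worth checking for drift. The following added example (not Cloud Firewall's own code) checks a simplified, constructed view of a VPC's route entries for the expected state: the system route table's 0.0.0.0/0 route points to a network interface (the NAT firewall ENI), and Cloud_Firewall_ROUTE_TABLE's 0.0.0.0/0 route points to the protected NAT gateway. The entry shape and all identifiers are this example's own assumptions; map the real route table output onto it before use.

```python
# Added example, not Cloud Firewall's own code. The entry shape below is this
# example's own (route_table, is_system, cidr, next_hop_type, next_hop_id);
# all identifiers are constructed placeholders.

DEFAULT_ROUTE = "0.0.0.0/0"
FW_ROUTE_TABLE = "Cloud_Firewall_ROUTE_TABLE"


def check_nat_firewall_routes(route_entries, nat_gateway_id):
    """Return a list of findings; an empty list means the redirection looks intact.

    Expected state after a NAT firewall is enabled:
      - system route table: 0.0.0.0/0 -> NetworkInterface (the NAT firewall ENI)
      - Cloud_Firewall_ROUTE_TABLE: 0.0.0.0/0 -> NatGateway (the protected gateway)
    """
    findings = []
    system_default = [e for e in route_entries
                      if e["is_system"] and e["cidr"] == DEFAULT_ROUTE]
    fw_default = [e for e in route_entries
                  if e["route_table"] == FW_ROUTE_TABLE and e["cidr"] == DEFAULT_ROUTE]

    if not system_default:
        findings.append("system route table has no 0.0.0.0/0 route")
    else:
        hop = system_default[0]
        if hop["next_hop_type"] != "NetworkInterface":
            findings.append(
                f"system 0.0.0.0/0 points to {hop['next_hop_type']} {hop['next_hop_id']}; "
                "outbound traffic bypasses the NAT firewall")

    if not fw_default:
        findings.append(f"{FW_ROUTE_TABLE} is missing or has no 0.0.0.0/0 route; "
                        "traffic redirection is broken")
    else:
        hop = fw_default[0]
        if hop["next_hop_type"] != "NatGateway" or hop["next_hop_id"] != nat_gateway_id:
            findings.append(
                f"{FW_ROUTE_TABLE} 0.0.0.0/0 points to {hop['next_hop_type']} "
                f"{hop['next_hop_id']}, expected NatGateway {nat_gateway_id}")
    return findings


# Constructed sample data; identifiers are placeholders, not real resources.
NAT_GW = "ngw-example00000000001"
FW_ENI = "eni-example00000000001"

INTACT = [
    {"route_table": "vtb-system-example", "is_system": True, "cidr": "0.0.0.0/0",
     "next_hop_type": "NetworkInterface", "next_hop_id": FW_ENI},
    {"route_table": "vtb-system-example", "is_system": True, "cidr": "192.168.0.0/16",
     "next_hop_type": "local", "next_hop_id": ""},
    {"route_table": FW_ROUTE_TABLE, "is_system": False, "cidr": "0.0.0.0/0",
     "next_hop_type": "NatGateway", "next_hop_id": NAT_GW},
]

# Someone "restored" the default route to the NAT gateway: the NAT firewall is bypassed.
REVERTED = [dict(e) for e in INTACT]
REVERTED[0] = {**INTACT[0], "next_hop_type": "NatGateway", "next_hop_id": NAT_GW}

# The custom route table was deleted.
FW_TABLE_DELETED = [e for e in INTACT if e["route_table"] != FW_ROUTE_TABLE]


if __name__ == "__main__":
    for label, entries in (("intact", INTACT), ("reverted", REVERTED),
                           ("table deleted", FW_TABLE_DELETED)):
        print(label, "->", check_nat_firewall_routes(entries, NAT_GW) or "OK")
```

The "reverted" case is the one to watch for: the VPC still has Internet access, so nothing looks broken, but every outbound connection now skips the NAT firewall's access control and intrusion prevention.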
How does Cloud Firewall match outbound traffic against access control policies of the Internet firewall, a NAT firewall, and a DNS firewall?
When an ECS instance accesses a domain name and the Internet firewall, a NAT firewall, and a Domain Name System (DNS) firewall are all enabled, traffic is matched in the following order:
1. The ECS instance sends a DNS request. The request passes through the DNS firewall and is matched against the access control policies of the DNS firewall.
2. The private network traffic from the ECS instance passes through the NAT firewall and is matched against the access control policies of the NAT firewall.
3. The allowed private network traffic passes through the NAT gateway, which converts the source IP address from the private IP address of the ECS instance to the public IP address of the NAT gateway.
4. The NAT gateway forwards the Internet traffic to the Internet firewall, where it is matched against the access control policies of the Internet firewall. Because of step 3, the Internet firewall sees the public IP address of the NAT gateway as the source, not the private IP address of the ECS instance.
5. The traffic is matched against the threat intelligence rules, basic protection policies, intelligence defense rules, and virtual patching rules of Cloud Firewall, in that order.
If the traffic does not hit a Deny policy at any step, it reaches the domain name. If the traffic hits a Deny policy at any step, it is blocked at that step and does not reach the domain name.
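The following added example (not Cloud Firewall's own code) simulates the matching order above for a constructed flow and returns a per-stage trace, so you can see where a Deny takes effect and why a policy keyed on the wrong source address never matches. The policies, addresses, domain names and the four built-in engines are constructed stand-ins, and the wildcard matching is a simplification of real policy semantics.

```python
from fnmatch import fnmatchcase

# Added example, not Cloud Firewall's own code: a simulation of the outbound
# matching order (DNS firewall -> NAT firewall -> SNAT at the NAT gateway ->
# Internet firewall -> built-in engines). All data below is constructed.


def policy(source, destination, action):
    """One access control policy; source and destination are wildcard patterns."""
    return {"source": source, "destination": destination, "action": action}


def first_match(policies, source, destination):
    """Return the action of the first policy that matches, or None if none does."""
    for p in policies:
        if fnmatchcase(source, p["source"]) and fnmatchcase(destination, p["destination"]):
            return p["action"]
    return None


def blocklist(name, bad_domains):
    """A stand-in for a built-in engine that denies known-bad destinations."""
    return name, (lambda _src, dst: "Deny" if dst in bad_domains else None)


def trace_outbound(ecs_private_ip, domain, nat_public_ip, dns_fw, nat_fw, internet_fw, engines):
    """Walk the stages in order; the first Deny ends the walk. Returns (verdict, trace)."""
    trace = []
    src = ecs_private_ip
    # 1. The DNS request is matched against the DNS firewall policies.
    v = first_match(dns_fw, src, domain)
    trace.append(("dns_firewall", src, v))
    if v == "Deny":
        return "Deny", trace
    # 2. Private traffic is matched against the NAT firewall policies.
    v = first_match(nat_fw, src, domain)
    trace.append(("nat_firewall", src, v))
    if v == "Deny":
        return "Deny", trace
    # 3. The NAT gateway rewrites the source to its public IP address.
    src = nat_public_ip
    trace.append(("nat_gateway_snat", src, None))
    # 4. The Internet firewall sees the NAT gateway's public IP, not the ECS private IP.
    v = first_match(internet_fw, src, domain)
    trace.append(("internet_firewall", src, v))
    if v == "Deny":
        return "Deny", trace
    # 5. Threat intelligence, basic protection, intelligence defense, virtual patching.
    for name, engine in engines:
        v = engine(src, domain)
        trace.append((name, src, v))
        if v == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed sample environment (RFC 1918 and TEST-NET-3 addresses).
ECS_IP = "10.0.1.5"        # private address of the ECS instance
NAT_EIP = "203.0.113.7"    # public address of the NAT gateway
ENGINES = [
    blocklist("threat_intelligence", {"c2.example"}),
    blocklist("basic_protection", set()),
    blocklist("intelligence_defense", set()),
    blocklist("virtual_patching", set()),
]
DNS_FW = [policy("*", "banned.example", "Deny")]
NAT_FW = [policy("10.0.1.*", "*", "Allow")]


def internet_policy_keyed_on_private_ip():
    """Dead policy: the Internet firewall never sees 10.0.1.5 after SNAT."""
    fw = [policy(ECS_IP, "update.example", "Deny")]
    return trace_outbound(ECS_IP, "update.example", NAT_EIP, DNS_FW, NAT_FW, fw, ENGINES)


def internet_policy_keyed_on_nat_eip():
    """Same intent, keyed on the NAT gateway's public IP: now it matches."""
    fw = [policy(NAT_EIP, "update.example", "Deny")]
    return trace_outbound(ECS_IP, "update.example", NAT_EIP, DNS_FW, NAT_FW, fw, ENGINES)


def dns_denied():
    """A DNS firewall Deny stops the flow before any later stage is consulted."""
    return trace_outbound(ECS_IP, "banned.example", NAT_EIP, DNS_FW, NAT_FW, [], ENGINES)


def threat_intel_hit():
    """No explicit policy denies c2.example; the threat intelligence engine does."""
    return trace_outbound(ECS_IP, "c2.example", NAT_EIP, DNS_FW, NAT_FW, [], ENGINES)


if __name__ == "__main__":
    for fn in (internet_policy_keyed_on_private_ip, internet_policy_keyed_on_nat_eip,
               dns_denied, threat_intel_hit):
        verdict, trace = fn()
        print(fn.__name__, "->", verdict, trace[-1][0])
```

The practical consequence: per-instance outbound control belongs on the NAT firewall (step 2), which still sees the private source address; an Internet firewall policy for the same traffic must be keyed on the NAT gateway's public IP address.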
How do I efficiently enable and configure access control policies for the Internet firewall?
Cloud computing has become an inevitable choice for the digital transformation of enterprises. A wider range of cloud-based solutions constitute a more complex business architecture, and security borders become more indistinct. Enterprises can use Cloud Firewall to deliver protection at cloud network borders. However, if a large number of public IP addresses are used, the configuration of access control policies is complex.
Cloud Firewall provides intelligent policies. Cloud Firewall automatically learns the traffic characteristics in the previous 30 days and the access and outbound connections of cloud services and IP addresses and automatically recommends appropriate access control policies for each destination IP address or domain name. This reduces Internet exposures and intrusion risks, and blocks malicious outbound IP addresses and domain names.
For more information about how to apply intelligent access control policies to the Internet firewall, see Create access control policies for the Internet firewall.