When resources such as Elastic Compute Service (ECS) instances and elastic container instances in virtual private clouds (VPCs) directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic. This topic describes how to configure a NAT firewall.
The following video tutorial walks you through how to enable NAT firewalls for NAT gateways.
Feature description
Implementation
You can enable NAT firewalls and synchronize asset information with a few clicks, configure access control policies for NAT firewalls, view traffic analysis results, and audit logs.
After you enable a NAT firewall or a NAT gateway, the NAT firewall monitors all outbound traffic from internal-facing resources in VPCs to the NAT gateway, including resources in the same VPC and resources across VPCs. The NAT firewall matches information about traffic against user-defined access control policies and the built-in threat intelligence library to determine whether to allow the traffic. The information includes the source address, destination address, port, protocol, application, and domain name. This way, unauthorized access to the Internet is blocked.
The following figure provides an example.
Impacts
When you enable or disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 second to 2 seconds but short-lived connections are not affected. We recommend that you enable or disable a NAT firewall during off-peak hours.
When you create a NAT firewall, your workloads are not affected. However, if you turn on Status when you create a NAT firewall, persistent connections are temporarily closed for 1 second to 2 seconds but short-lived connections are not affected.
Note: The period of time that is required to create a NAT firewall varies based on the number of elastic IP addresses (EIPs) associated with the NAT gateway. The period increases by approximately 2 minutes to 5 minutes for each additional EIP. During this period, your workloads are not affected.
If you delete a NAT firewall after it is disabled, your workloads are not affected.
Limits
After you enable a NAT firewall, we recommend that you do not modify the routes of the vSwitch of the NAT firewall or the routes whose next hop is the NAT firewall. Otherwise, service interruptions may occur.
If your Cloud Firewall expires and you do not renew Cloud Firewall, the NAT firewall that you create is automatically released and the traffic is switched back to the original route. Service interruptions may occur during the switch.
We recommend that you enable auto-renewal or renew Cloud Firewall at the earliest opportunity to ensure that Cloud Firewall runs as expected. For more information, see Renewal.
If your NAT firewall is created before September 1, 2023, the maximum protection bandwidth of the NAT firewall for connections with the same destination IP address and destination port is 20 Mbit/s. Network jitters may occur if the bandwidth of connections with the same destination IP address and destination port exceeds 20 Mbit/s. If you want to increase the maximum protection bandwidth of your NAT firewall, we recommend that you delete the NAT firewall and create a new one.
If your NAT firewall is created on or after September 1, 2023, no limits are imposed on the protection bandwidth.
NAT firewalls cannot protect traffic of IPv6 addresses.
Workflow
The following flowchart shows how to use NAT firewalls.
Cloud Firewall provides a default quota for NAT firewalls. If the default quota cannot meet your business requirements, you can purchase additional quotas. For more information, see Purchase Cloud Firewall.
Prerequisites
Cloud Firewall is activated, and a sufficient quota for NAT firewalls is purchased. For more information, see Purchase Cloud Firewall.
An Internet NAT gateway is created. For more information, see Create and manage an Internet NAT gateway.
Important: The NAT Firewall feature supports only Internet NAT gateways.
The Internet NAT gateway must meet the following requirements:
The Internet NAT gateway resides in the region where the NAT Firewall feature is available. For more information about the regions where the NAT Firewall feature is available, see Supported regions.
At least 1 EIP is associated with the Internet NAT gateway, and the number of EIPs associated with the NAT gateway is no more than 10. For more information, see Create and manage an Internet NAT gateway.
An SNAT entry is created, and no DNAT entries exist on the Internet NAT gateway. For more information, see Create and manage SNAT entries.
If a DNAT entry exists on the Internet NAT gateway, you must delete the DNAT entry before you can enable a NAT firewall. For more information, see Create and manage DNAT entries.
A 0.0.0.0 route that points to the Internet NAT gateway is added for the VPC of the Internet NAT gateway. For more information, see Create and manage a route table.
The subnet mask of the CIDR block that is allocated to the VPC of the Internet NAT gateway is at least 28 bits in length. Secondary CIDR blocks of the VPC are also supported.
Create and enable a NAT firewall
This section describes how to create a NAT firewall. You can create a NAT firewall for each NAT gateway.
Usage notes
The system requires approximately 1 minute to 5 minutes to synchronize information about new NAT gateways to the NAT Firewall feature.
The system requires approximately 1 minute to 2 minutes to synchronize the EIPs that are associated with the NAT gateway and the SNAT entries that are configured on the NAT gateway to the NAT Firewall feature. The EIPs and SNAT entries do not take effect until the synchronization is complete.
You can also click Synchronize Assets on the tab to manually synchronize the number of EIPs and the SNAT entries.
The system requires 30 minutes to synchronize the routes that point to the NAT gateway to the NAT Firewall feature.
You can also click Synchronize Assets on the tab to manually synchronize the routes.
When you create a NAT firewall, Cloud Firewall performs the following operations:
Adds the 0.0.0.0/0 route that points to the NAT gateway to the route table of the vSwitch created for the NAT firewall.
Modifies the 0.0.0.0/0 route in the system route table to point the next hop to the ENI of Cloud Firewall.
Note: When you create a NAT firewall, Cloud Firewall creates a custom route table in the VPC of the NAT firewall. If a Container Service for Kubernetes (ACK) cluster that uses the Flannel network plug-in is deployed in the VPC, you must configure multiple route tables for the VPC by using the cloud controller manager (CCM) to add the system route table of the VPC after you create the NAT firewall. Otherwise, the node scale-out operations of the cluster may be affected. For more information, see Configure multiple route tables for a VPC.
If you already configured multiple route tables for the VPC of the NAT firewall by using the CCM, ignore this note.
Procedure
Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
Click the NAT Firewall tab. On the NAT Firewall tab, find the required NAT gateway and click Create in the Actions column.
In the Create NAT Firewall panel, click Check Now. After the check is complete and all diagnostic items are passed, click Next.
If you confirm that the NAT gateway meets all conditions required to create a NAT firewall, click Skip and start creation.
In the Create NAT Firewall panel, configure the following parameters.
Parameter
Description
Basic Information
Name
Enter a name for the NAT firewall.
Traffic Redirection Configurations
Select Route Table
Select the route table whose next hop is the NAT gateway. The system automatically changes the next hop to the route table created for Cloud Firewall. This way, the next hop of the traffic destined for internal-facing assets points to the NAT firewall.
vSwitch for Traffic Redirection and vSwitch CIDR Block
You can create a new vSwitch or select an existing vSwitch.
Usage notes for creating a CIDR block of the vSwitch:
You must allocate a CIDR block of the vSwitch to the NAT firewall for traffic redirection. The CIDR block must have a subnet mask of at least 28 bits in length and must not conflict with your network planning.
The CIDR block of the vSwitch must be a subnet of the CIDR block that is allocated to the VPC and does not conflict with the current service CIDR block. Secondary CIDR blocks of the VPC are also supported. After you allocate a CIDR block of the vSwitch, Cloud Firewall automatically associates the vSwitch with a custom route table.
Usage notes for selecting an existing vSwitch:
The vSwitch that you select for the NAT firewall must meet the following requirements. For more information, see Create and manage a VPC.
The vSwitch, NAT gateway, and NAT firewall must be deployed in the same VPC.
The vSwitch must reside in the same zone as the NAT gateway.
The subnet mask of the CIDR block of the vSwitch must be at least 28 bits in length, and the number of available IP addresses within the CIDR block must be greater than the number of EIPs that are specified in the SNAT entries of the NAT gateway.
No other cloud resource is connected to the vSwitch.
Create a route table and associate the route table with the vSwitch. For more information, see Create and manage a route table.
Optional. Add custom routes other than the 0.0.0.0/0 entry to the route table based on your business requirements. For more information, see Use custom route tables to manage network traffic.
For example, if your workloads require communications between VPCs, you must manually add the backhaul route of the VPC to the route table.
Note: If no vSwitch is displayed in the drop-down list or the required vSwitch is dimmed, check whether the vSwitch is associated with other cloud resources and whether the vSwitch is associated with a custom route table. After you specify a vSwitch, you can click Synchronize Assets in the upper-right corner of the NAT Firewall tab.
Engine Mode
Engine Mode
Select the matching mode of the access control policy.
Loose Mode (default): Traffic whose application type or domain name is identified as Unknown is allowed to ensure normal access.
Strict Mode: Traffic whose application type or domain name is identified as Unknown is processed by all policies that you configure. If you configure a Deny policy, the traffic is denied.
Select I have read the preceding notes and click Enable Firewall.
After the NAT firewall is created, you must manually turn on Status.
Traffic can be routed to the NAT firewall only after you enable the NAT firewall.
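The prerequisites above (Internet gateway, 1 to 10 EIPs, SNAT but no DNAT, a 0.0.0.0/0 route to the gateway) and the existing-vSwitch requirements (same zone, subnet of a VPC block, no CIDR conflict, enough spare addresses for the SNAT EIPs, no attached resources) can be checked offline before you click Check Now. The following is an added example on constructed data, not Cloud Firewall's own diagnostic; the 4 reserved addresses per vSwitch and the reading of "subnet mask of at least 28 bits" as "at least a /28 block" are assumptions.

```python
"""Offline pre-check of an Internet NAT gateway and a candidate redirection vSwitch
against the requirements in this topic. Added example on constructed data; it is not
Cloud Firewall's own Check Now diagnostic."""
import ipaddress

RESERVED_PER_VSWITCH = 4  # assumption: addresses the platform reserves in every vSwitch

# Constructed sample: one Internet NAT gateway with two EIPs used by SNAT entries.
SAMPLE_GATEWAY = {
    "type": "Internet", "region_supported": True, "zone": "zone-a",
    "eips": ["203.0.113.10", "203.0.113.11"], "snat_eips": ["203.0.113.10", "203.0.113.11"],
    "dnat_entries": [], "default_route_next_hop": "nat-gateway",
    "vpc_cidrs": ["10.0.0.0/16", "172.16.0.0/24"],   # primary and secondary VPC blocks
    "used_cidrs": ["10.0.1.0/24", "10.0.2.0/24"],    # service vSwitches already in use
}
# Constructed candidate vSwitch for traffic redirection.
SAMPLE_VSWITCH = {"cidr": "10.0.255.240/28", "zone": "zone-a", "attached_resources": []}

def check_gateway(gw):
    """Return prerequisite violations for the gateway (an empty list means ready)."""
    rules = [
        (gw["type"] == "Internet", "only Internet NAT gateways are supported"),
        (gw["region_supported"], "NAT Firewall is not available in this region"),
        (1 <= len(gw["eips"]) <= 10, "the gateway must have 1 to 10 associated EIPs"),
        (bool(gw["snat_eips"]), "at least one SNAT entry is required"),
        (not gw["dnat_entries"], "DNAT entries must be deleted first"),
        (gw["default_route_next_hop"] == "nat-gateway", "a 0.0.0.0/0 route must point to the gateway"),
        # Assumed reading: at least one VPC block is large enough to carve out a /28 vSwitch.
        (any(ipaddress.ip_network(c).prefixlen <= 28 for c in gw["vpc_cidrs"]),
         "no VPC CIDR block can hold a /28 vSwitch"),
    ]
    return [msg for ok, msg in rules if not ok]

def check_vswitch(vs, gw):
    """Return violations of the existing-vSwitch requirements for traffic redirection."""
    net = ipaddress.ip_network(vs["cidr"])
    usable = net.num_addresses - RESERVED_PER_VSWITCH
    rules = [
        (vs["zone"] == gw["zone"], "vSwitch must be in the same zone as the NAT gateway"),
        (any(net.subnet_of(ipaddress.ip_network(c)) for c in gw["vpc_cidrs"]),
         "vSwitch CIDR must be a subnet of a VPC CIDR block"),
        (not any(net.overlaps(ipaddress.ip_network(c)) for c in gw["used_cidrs"]),
         "vSwitch CIDR conflicts with a CIDR block already in service"),
        (net.prefixlen <= 28, "vSwitch CIDR must be at least a /28 block"),
        (usable > len(set(gw["snat_eips"])), "available addresses must exceed the number of SNAT EIPs"),
        (not vs["attached_resources"], "no other cloud resource may be attached to the vSwitch"),
    ]
    return [msg for ok, msg in rules if not ok]
```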
What to do next
After you enable a NAT firewall, you can configure an access control policy for the NAT firewall and view audit logs to control traffic that originates from private assets and is destined for the Internet.
Configure access control policies
If you do not configure an access control policy, Cloud Firewall automatically allows all traffic. You can create access control policies for NAT firewalls to manage traffic from internal-facing assets to the Internet in a fine-grained manner.
Go to the tab, find the NAT firewall that you want to manage, click the icon in the Actions column, and then click Access Control. On the page that appears, create an access control policy for the NAT firewall. For more information, see Create an access control policy for a NAT firewall.
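The evaluation described in this topic (match on source, destination, port, protocol, application and domain; allow everything when no policy matches; Loose mode allows Unknown application or domain traffic, Strict mode runs Unknown traffic through every policy and denies it if a Deny policy applies) can be modelled to see how the two engine modes differ. The following is an added example with constructed policies and flows; its matching semantics are an assumption distilled from this topic, not Cloud Firewall's implementation.

```python
"""Simplified model of NAT firewall access control evaluation in Loose and Strict
engine mode. Added example with constructed data; the semantics are an assumption
distilled from this topic, not Cloud Firewall's own engine."""
import ipaddress

# Constructed policies, evaluated top to bottom; the first match decides.
# None or "ANY" means the field is not constrained.
POLICIES = [
    {"src": "10.0.1.0/24", "dst": "0.0.0.0/0", "port": 443, "proto": "TCP",
     "app": "HTTPS", "domain": "updates.example.com", "action": "allow"},
    {"src": "10.0.0.0/16", "dst": "0.0.0.0/0", "port": None, "proto": "ANY",
     "app": "ANY", "domain": "ANY", "action": "deny"},
]

def _network_matches(policy, flow):
    """Source, destination, port and protocol conditions of one policy."""
    return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(policy["dst"])
            and policy["port"] in (None, flow["port"])
            and policy["proto"] in ("ANY", flow["proto"]))

def evaluate(flow, policies, mode="loose"):
    """Return ("allow" | "deny", reason) for one outbound flow to the Internet."""
    unknown = flow["app"] == "Unknown" or flow["domain"] == "Unknown"
    if unknown and mode == "loose":
        return "allow", "loose mode: unidentified application or domain is allowed"
    if unknown:  # strict mode: every policy is consulted and any applicable Deny wins
        for i, p in enumerate(policies):
            if _network_matches(p, flow) and p["action"] == "deny":
                return "deny", "strict mode: unidentified traffic hit Deny policy %d" % i
        return "allow", "strict mode: no Deny policy applied to unidentified traffic"
    for i, p in enumerate(policies):  # identified traffic: ordinary first-match evaluation
        if (_network_matches(p, flow) and p["app"] in ("ANY", flow["app"])
                and p["domain"] in ("ANY", flow["domain"])):
            return p["action"], "matched policy %d" % i
    return "allow", "no policy matched: traffic is allowed by default"

# Constructed flows: an identified update download, a download from an unlisted
# mirror, and a flow on a non-standard port whose application could not be identified.
FLOW_UPDATE = {"src": "10.0.1.5", "dst": "198.51.100.7", "port": 443, "proto": "TCP",
               "app": "HTTPS", "domain": "updates.example.com"}
FLOW_MIRROR = {"src": "10.0.2.5", "dst": "198.51.100.9", "port": 443, "proto": "TCP",
               "app": "HTTPS", "domain": "mirror.example.net"}
FLOW_UNKNOWN = {"src": "10.0.1.5", "dst": "198.51.100.20", "port": 8443, "proto": "TCP",
                "app": "Unknown", "domain": "Unknown"}
```

Running the same Unknown flow through both modes shows why the topic recommends the default Loose mode for availability and Strict mode when an unidentified flow should never slip past a Deny policy.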
View audit logs
Go to the tab, find the NAT firewall that you want to manage, click the icon in the Actions column, and then click Log Audit. On the page that appears, query the logs of traffic that originates from the private network and is destined for the Internet. For more information, see Log Audit.
View traffic analysis results
Go to the tab, find the NAT firewall that you want to manage, click the icon in the Actions column, and then click Traffic Analysis. On the page that appears, view the analysis results of outbound connections that are initiated from the assets to the Internet by using the IP address of the NAT gateway. For more information, see Outbound Connection.
View statistics about protected traffic
In the left-side navigation pane, click Overview. In the upper-right corner of the Overview page, click Purchased Specification Usage to view the peak traffic that can be protected by a NAT firewall, the recent traffic peak, and the quota used for NAT firewalls.
View the vSwitches for a NAT firewall
Go to the tab, and click Firewall vSwitch List in the upper-right corner of the NAT firewall list.
Disable and delete a NAT firewall
When you disable a NAT firewall, Cloud Firewall switches NAT entries. As a result, persistent connections are temporarily closed for 1 second to 2 seconds but short-lived connections are not affected. If you delete a NAT firewall after it is disabled, your workloads are not affected.
If you directly delete a NAT firewall when it is enabled, Cloud Firewall disables and deletes the NAT firewall at the same time. Persistent connections are temporarily closed for 1 second to 2 seconds.
Disable a NAT firewall
Go to the tab, find the NAT firewall that you want to disable, and then turn off the switch in the Switch column.
Delete a NAT firewall
Go to the tab, find the NAT firewall that you want to delete, click the icon in the Actions column, and then click Delete.
References
For more information about how to manage traffic from internal-facing assets to a specific domain name, see Configure a policy to allow only internal-facing servers to access a specific domain name.
For more information about how to view the traffic logs of NAT firewalls, see Log Audit.
For more information about the Internet firewall, see the following topics: