Cloud Firewall：Configure a VPC firewall for VPCs connected by using an Express Connect circuit

Feature description

Protection diagram

For more information about the protection scope of Cloud Firewall, see What is Cloud Firewall?

Impacts

You can directly create a VPC firewall to protect your business assets without the need to change the current network topologies. The creation duration is approximately 5 minutes and your workloads are not affected. We recommend that you enable a VPC firewall during off-peak hours.

The system requires approximately 5 to 30 minutes to enable or disable a VPC firewall. The creation duration varies based on the number of routes. Persistent TCP connections may be interrupted for several seconds. Short-lived connections are not affected.

Create and enable a VPC firewall

Procedure

1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

2. On the VPC Firewall tab, click the Express Connect Circuit tab.

3. Click Synchronize Assets to synchronize the information about the assets of the current account and the members.

   The process requires 1 minute to 2 minutes to complete.

4. Find the Express Connect circuit for which you want to create a VPC firewall and click Create in the Actions column.

   If a large number of Express Connect circuits exist, you can search for the circuit by region or VPC.

5. In the Create VPC Firewall dialog box, configure the required parameters. The following table describes the parameters.

   Parameter	Description
   Instance Name	The name of the VPC firewall. We recommend that you enter a unique name to help you identify the VPC firewall.
   Connection Type	The type of the connection between VPCs or between a VPC and a data center. In this example, the value is fixed to Express Connect.
   VPC	The information about the VPC. Confirm the regions and IDs of the VPCs and specify the route tables and destination CIDR blocks. Route table When you create a VPC, the system automatically creates a default route table and adds system route entries to the route table. You can create multiple route tables for a VPC based on your business requirements. For more information, see Route table overview. When you create a VPC firewall in the Cloud Firewall console, Cloud Firewall automatically reads your VPC route tables. Express Connect supports multiple route tables. When you create a VPC firewall for an Express Connect circuit, you can view multiple VPC route tables and select the route tables that you want to use. Destination CIDR block After you select a route table from the Route Table or Peer Route Table drop-down list, the default destination CIDR block of the route table is displayed in the Destination CIDR Block or Peer Destination CIDR Blocks section. If you want to protect traffic that is destined for other CIDR blocks, you can change the destination CIDR block. You can add multiple CIDR blocks. Separate the CIDR blocks with commas (,).
   Peer VPC	The region and the name of the peer VPC. Confirm the information and configure the Peer Route Table and Peer Destination CIDR Block parameters.
   Intrusion Prevention	The intrusion prevention policies that you want to enable. Valid values: IPS Mode Monitoring Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic. Traffic Control Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks intrusion attempts. IPS Capabilities Basic Policies: Basic policies provide basic intrusion prevention capabilities such as protection against brute-force attacks and attacks that exploit command execution vulnerabilities. Basic policies also allow you to manage the connections from compromised hosts to a command and control (C&C) server. Virtual Patches: You can use virtual patching to defend against the common high-risk application vulnerabilities in real time.
   Enable VPC Firewall	If you turn on Enable VPC Firewall, a VPC firewall is automatically enabled after you create the firewall.

6. Click Submit. In the message that appears, click Submit.

   Note

   If you add or delete routes in your VPC route table after you enable a VPC firewall, wait for 15 minutes to 30 minutes until Cloud Firewall learns the routes. After Cloud Firewall learns the routes, we recommend that you check whether your route table takes effect. You can also join the DingTalk group 33081734 to obtain technical support for Cloud Firewall.

   After you create the VPC firewall, Cloud Firewall automatically creates the following resources:

   • A VPC named Cloud_Firewall_VPC.

     Important

     Do not add cloud resources to Cloud_Firewall_VPC. Otherwise, the cloud resources cannot be deleted when you delete the VPC firewall. Do not modify or delete the network resources in Cloud_Firewall_VPC.

   • A vSwitch named Cloud_Firewall_VSWITCH.

   • A custom route entry that has the following remarks: Created by cloud firewall. Do not modify or delete it.

   After you enable the VPC firewall, Elastic Compute Service (ECS) automatically creates a security group named Cloud_Firewall_Security_Group and adds a security group rule whose Action parameter is set to Allow to the security group. The rule allows inbound traffic from the VPC firewall to ECS.

   Important

   Do not delete Cloud_Firewall_Security_Group or the security group rule. Otherwise, inbound traffic from the VPC firewall to ECS cannot be protected by the VPC firewall.

   If you want to perform batch operations on VPC firewalls or frequently enable and disable VPC firewalls, we recommend that you perform the operations during off-peak hours to prevent impacts on your business.

7. On the Express Connect Circuit tab, find and enable the VPC firewall that is created.

   Cloud Firewall can protect your network resources only after you enable your VPC firewall. If the value of Firewall Status for the VPC firewall changes to Enabled, the VPC firewall is enabled.

More operations

Disable a VPC firewall

If you want to disable a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and turn off the switch in the Firewall Settings column.

If the value of Firewall Status for the VPC firewall changes to Disabled, the VPC firewall is disabled.

Delete a VPC firewall

If you no longer require a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and click Delete in the Actions column.

Modify a VPC firewall

If you want to modify the configurations of a VPC firewall, you can go to the Express Connect Circuit tab, find the VPC firewall, and click Edit in the Actions column.