Cloud Firewall offers an Edge Firewall toggle feature. On the Edge firewalls page, it can automatically detect the public IPs you own and the associated cloud assets, and configure the corresponding firewall toggle for you. The Cloud Firewall toggle supports one-click protection, eliminating the need for any network access deployment or routing policy configuration. Moreover, there is no requirement to install any image files. The Cloud Firewall offers a plug-and-play product experience.
Traffic Mode Explanation
| Item | Serial Firewall |
| --- | --- |
| Deployment Path | The serial firewall is deployed directly on the path of the network data flow. All passing packets must be inspected and processed by the firewall. |
| Data Processing | Because a serial firewall must process every data packet that passes through it, it has high performance and processing-capacity requirements. If firewall performance is insufficient, the firewall can become a network bottleneck and affect network speed and stability. Therefore, a new firewall instance must be created in each region and allocated the corresponding bandwidth for the serial firewall. |
| Security Protection | The serial firewall can perform deep inspection and processing of data packets, providing a high level of security. It can prevent malicious packets from entering the network, protecting internal resources from attacks. |
Preparation for Serial Firewall
Before using the serial firewall, please do the following preparations:
Allocate Bandwidth to the Serial Firewall
Since a serial firewall has regional cluster attributes and an upper limit on protection performance, users need to allocate bandwidth for the regions that need to use the serial firewall.
1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
2. On the Firewall Toggles page, click Firewall settings.
3. Allocate bandwidth to the regions where you need to use the serial firewall. Estimate the allocation based on your business peak. If business traffic exceeds the allocated bandwidth, service degradation may be triggered and some firewall toggles may be shut down automatically.
Note:
General bandwidth: General bandwidth is consumed when bandwidth is allocated to the serial firewall in the current version. General bandwidth is shared with the NAT Firewall.
General instance: One general instance quota is consumed for each newly added serial firewall region in the current version. General instance quota is shared with the NAT Firewall.
Serial firewall region: The regions supported by the current version are those displayed in the serial firewall settings described above. More regions are gradually being released (gray release), so stay tuned.
Confirm Assets Within Protection Range
Due to network architecture limitations, the current version of the serial firewall only supports protecting Elastic Public IPs (EIPs) on the latest network architecture, as indicated in the console. If in doubt, contact the Elastic IP team for confirmation. Public-network CLB is not currently supported; if such instances need protection, switch to an EIP + private-network CLB setup, which is supported.
Serial Firewall Toggle Operation
1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
2. On the Edge firewalls page, find the assets to be protected.
3. Click the toggle in the Firewall Toggles column to protect this asset at the edge.
4. Enabling the serial firewall takes approximately 1 minute and has no effect on the network.
Note:
The serial pattern requires a Private Link to establish a network path from the VPC to the firewall. The first time an EIP within a VPC enables the serial firewall, a new Private Link Terminal Node and a diversion internal IP must be created. There is no additional charge for the Private Link within the scope of your serial firewall, but additional charges may apply beyond that; see Private Link Price. A new Private Link does not need to be created when you subsequently toggle the serial firewall for other EIPs within the same VPC.
Status Monitoring
Users can monitor and view the bandwidth status based on the public IP in real-time, enabling timely adjustments such as scaling or selectively closing toggles.
1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
2. In the upper right corner of the Status Monitoring panel on the Edge firewalls page, click the icon.
3. On the Status Monitoring page, you can view and monitor the bandwidth situation of each public IP in real time, and perform operations such as expanding capacity or turning off some toggles.
Note:
Peak bandwidth refers to the larger of the upstream and downstream bandwidth. For example, if you purchase 100 M of bandwidth, the Cloud Firewall can handle 100 M upstream and 100 M downstream at the same time.
Automatic Activation for New Assets
1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
2. On the Firewall Toggles page, click Firewall settings.
3. Click Enable for new assets. Within the quota of protected public IPs, Edge firewalls will be enabled automatically for newly added public IP assets. You can choose whether to enable the serial traffic pattern by default and whether to automatically create a Private Link.
Excessive Bypass Configuration for Edge Firewall
When the business bandwidth exceeds the Edge Firewall bandwidth limit, the following measures are taken.
You can specify a weight for each firewall toggle. When the business bandwidth exceeds the Edge Firewall bandwidth limit, firewalls are disabled according to their weights and their traffic is forwarded in bypass mode until the bandwidth of the corresponding region falls back below the specification. Firewalls with the same weight are disabled automatically in descending order of peak bandwidth. The default weight is 1, and the weight can range from 0 to 100. A larger weight indicates a higher priority.
Directions
1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
2. On the Firewall Toggles page, click Firewall settings.
3. On the Firewall settings page, edit the weight of the designated Firewall toggle.
4. Click Edit weight, select the Firewall toggles to change, edit their weights in bulk, and then click OK to save.
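The weight-based bypass rule above can be modelled to check, before peak season, which public IPs would lose protection first under a given weight plan. The example below is added here and is not Cloud Firewall's own code; it assumes that a larger weight means the toggle is kept protected longer (lower weights are bypassed first), that per-IP peaks add up to the region's load, and uses constructed sample IPs and bandwidth figures.

```python
from dataclasses import dataclass


@dataclass
class EdgeToggle:
    public_ip: str  # protected EIP (constructed sample value)
    weight: int     # 0..100, default 1; assumed: larger = kept longer
    peak_mbps: int  # max(upstream, downstream), as the console defines it


def peak_mbps(upstream_mbps: int, downstream_mbps: int) -> int:
    """Peak bandwidth is the larger of the upstream and downstream rates."""
    return max(upstream_mbps, downstream_mbps)


def plan_bypass(toggles, region_limit_mbps):
    """Return the toggles that would be switched to bypass, in selection order.

    Documented rule: firewalls are disabled by weight, and among equal weights
    in descending order of peak bandwidth, until the region's protected
    bandwidth is back within its allocated specification.
    Assumption: the region's load is the sum of the per-IP peaks, and the
    platform stops once the remaining load fits the allocation (<=).
    """
    for t in toggles:
        if not 0 <= t.weight <= 100:
            raise ValueError(f"{t.public_ip}: weight must be 0..100")
    remaining = sum(t.peak_mbps for t in toggles)
    # Lowest weight first; ties broken by largest peak bandwidth first.
    order = sorted(toggles, key=lambda t: (t.weight, -t.peak_mbps))
    bypassed = []
    for t in order:
        if remaining <= region_limit_mbps:
            break
        bypassed.append(t)
        remaining -= t.peak_mbps
    return bypassed


# Constructed sample plan for one region with 100 M allocated.
SAMPLE_TOGGLES = [
    EdgeToggle("203.0.113.10", weight=5, peak_mbps=peak_mbps(60, 40)),
    EdgeToggle("203.0.113.11", weight=1, peak_mbps=peak_mbps(20, 30)),
    EdgeToggle("203.0.113.12", weight=1, peak_mbps=peak_mbps(50, 35)),
    EdgeToggle("203.0.113.13", weight=0, peak_mbps=peak_mbps(10, 10)),
]

if __name__ == "__main__":
    for t in plan_bypass(SAMPLE_TOGGLES, region_limit_mbps=100):
        print(f"bypass {t.public_ip} (weight {t.weight}, {t.peak_mbps} M)")
```

Total sample load is 150 M against a 100 M allocation, so the weight-0 toggle goes first, then the heavier of the two weight-1 toggles, and the weight-5 toggle keeps its protection.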
Syncing Assets
The backend polls user asset information every 5 minutes. If your asset scale changes within that interval and the change has not yet been synchronized, click Sync assets at the top of the list to call the backend interface immediately and re-read and synchronize your asset information.
If new assets do not appear in the Firewall Toggles list, click Sync assets at the top of the list to attempt synchronization.
Viewing Rules, Alerts, or Logs
In addition to enabling Firewall Toggles in the asset list, you can perform some other operations, mainly including viewing asset-related rules, alerts, and logs.
View Rules: In the asset list, click View Rules in the operations column to be redirected to the page of rules associated with the asset.
View Alerts: In the asset list, click More > View Alerts in the operations column and select a specific event type to be redirected to the relevant event page in the alert center.
View Logs: In the asset list, click More > View Logs in the operations column and select a specific log type to be redirected to the relevant log page.
Business Bandwidth Exceeding Edge Firewall Bandwidth Limit
If the business bandwidth exceeds the Edge Firewall bandwidth limit, the business itself is not affected: no packet loss or traffic rate decrease occurs, but the protection feature becomes unavailable.
Starting from September 25, 2024, the following measures will be taken when the business bandwidth exceeds 100% of the Edge Firewall bandwidth limit:
Some Edge Firewalls are disabled and part of the traffic is forwarded in bypass mode, so that only traffic within the bandwidth specification is protected.
The same measures apply to the serial mode: some firewalls are disabled to keep the protected traffic within the limit.
Weights can be set to determine the priority in which firewalls are disabled automatically.
Related Information
If you need to manage traffic and protect assets in the private network, or forward network traffic based on SNAT and DNAT, please refer to the NAT Border Firewall Toggle operation. If you need to automatically detect VPC information and interconnections, and set a Cloud Firewall toggle for each interconnected pair of VPCs, please refer to the Inter-VPC Firewall Toggle operation.