
Overview

Last updated: 2023-11-28 20:33:04

    Features

    Cloud Firewall allows you to enable or disable the firewall toggle between VPCs. You can create a firewall instance to carry the access traffic between different VPCs. In addition, Cloud Firewall provides access control rules and a log auditing system.
    The inter-VPC firewall in the current version can protect Direct Connect gateways. The firewall instance supports multi-level routing provided by Cloud Connect Network (CCN). The Direct Connect gateways connect to the cloud-based VPC assets via CCN. This way, the inter-VPC firewall can detect the traffic in the connections.
    This document describes how to create a firewall instance and view its bandwidth usage, specification, network topologies, and firewall toggles on the Inter-VPC Firewall Toggles page.

    Architecture

    Before using this feature, make sure that you understand the components of an inter-VPC firewall.
    An inter-VPC firewall comprises multiple firewall instances. Each firewall instance connects a VPC to the firewall.
    
    In essence, the inter-VPC firewall steers traffic to its firewall instances by modifying VPC routes. The firewall instances do not establish any networking of their own, so whether two of them can exchange traffic depends entirely on whether the routes between the VPCs are reachable. That reachability is achieved by changing the next hop in a VPC route table, or in a multi-route table in CCN, to point at the firewall instance.

    Handling Abnormal Scenarios

    When an inter-VPC firewall is turned on or off, the routing policy changes accordingly, which causes short network interruptions. If you need to perform batch or frequent operations on the firewall toggles, it is better to do so late at night, when the impact on traffic is smallest.
    Notes
    This issue does not occur with edge firewall toggles.
    The inter-VPC firewall toggle is built on top of the peering connection or CCN between the VPCs. If you change or delete the configuration of that peering connection or CCN, the firewall toggle is automatically changed or deleted as well. To avoid affecting your business, Cloud Firewall immediately changes or deletes only toggles that are currently off.
    Notes
    When the associated Tencent Cloud asset is changed or deleted, the edge firewall toggle will be synced as well within 5 minutes.
    If there is no working route between the two VPCs, the firewall cannot be enabled.
    Notes
    To configure peering connections, see Configuring the Route to Peering Connection. To configure CCN routes, see Route Overview.
    When the Cloud Firewall toggle is on, DO NOT change the associated VPC route tables manually in the VPC console. Manual changes to the route tables are not synced to Cloud Firewall, so they can invalidate the firewall and disconnect the network.
    When the Cloud Firewall toggle is off, you can change the route of a peering connection or CCN instance. However, DO NOT enable a route marked with "Firewall" yourself. Doing so can invalidate the firewall and disconnect the network.
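
    As an added audit example (not Tencent Cloud code; the route fields and the "CFW" next-hop tag are assumptions), the following Python check flags the two hazards described above: route table edits made outside Cloud Firewall while the toggle is on, and a route marked "Firewall" that has been enabled while the toggle is off.

```python
from dataclasses import dataclass
from typing import List, Optional

FIREWALL_MARK = "Firewall"  # marker Cloud Firewall places on the routes it manages


@dataclass(frozen=True)
class Route:
    """One VPC route table entry (constructed shape, not the Tencent Cloud API schema)."""
    dest_cidr: str
    next_hop_type: str  # e.g. "CCN" or "PEERCONNECTION"; "CFW" is a hypothetical firewall-instance tag
    next_hop_id: str
    description: str
    enabled: bool


def is_firewall_route(route: Route) -> bool:
    """Routes written by Cloud Firewall carry the word "Firewall" in their description."""
    return FIREWALL_MARK.lower() in route.description.lower()


def audit_route_table(toggle_on: bool, current: List[Route],
                      snapshot: Optional[List[Route]] = None) -> List[str]:
    """Return findings where the table no longer matches the toggle state (empty = consistent).

    Toggle on : table must equal the snapshot taken when the toggle was enabled,
                and every "Firewall" route must still be enabled.
    Toggle off: no "Firewall" route may be enabled by hand.
    """
    findings: List[str] = []
    if toggle_on:
        if snapshot is None:
            findings.append("toggle is on but no snapshot is available to compare against")
        else:
            cur, snap = set(current), set(snapshot)
            findings += [f"route changed or removed while toggle on: {r.dest_cidr} -> {r.next_hop_id}"
                         for r in snap - cur]
            findings += [f"route added manually while toggle on: {r.dest_cidr} -> {r.next_hop_id}"
                         for r in cur - snap]
        findings += [f"firewall route disabled while toggle on: {r.dest_cidr}"
                     for r in current if is_firewall_route(r) and not r.enabled]
    else:
        findings += [f"firewall route enabled while toggle off: {r.dest_cidr}"
                     for r in current if is_firewall_route(r) and r.enabled]
    return findings


if __name__ == "__main__":
    # Constructed sample: someone re-pointed 10.1.0.0/16 at CCN in the VPC console while the toggle was on.
    snap = [Route("10.1.0.0/16", "CFW", "cfw-example", "Firewall: to VPC-B", True)]
    now = [Route("10.1.0.0/16", "CCN", "ccn-example", "manual change", True)]
    print("\n".join(audit_route_table(True, now, snap)) or "consistent")
```

    Run it against a snapshot saved right after turning a toggle on; any finding means the route table and the firewall have drifted apart and the toggle should be inspected before traffic is affected.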

    See Also

    For more information about configuring firewall toggles for your public IPs and associated cloud assets, see Edge Firewall Toggle.
    For more information about managing traffic and protecting assets in the private network or forwarding network traffic based on SNAT and DNAT, see NAT Edge Firewall Toggle.
    For more information about the inter-VPC firewall, see Inter-VPC Firewall.