On the Firewall Toggles page, you can control traffic between VPCs through inter-VPC firewall toggles. You don't need to adjust the firewall settings when an asset changes, as CFW automatically syncs assets within a short time.
Important
Enabling or disabling firewall toggles involves switching networks and routes, which can cause brief network jitter and interruption.
Route Modes
There are four route modes available for firewall toggles.
Point-to-point mode: A firewall toggle is set for each pair of interconnected VPCs. A pair of VPCs is interconnected by one peering connection or CCN instance.
Point-to-multipoint mode: A firewall toggle is set for each VPC and controls all traffic entering or leaving that VPC. A traffic exchange between two VPCs therefore passes through two separate firewall toggles, one per VPC.
Fullmesh mode: A firewall toggle is set for all associated VPCs.
Custom route: Only associated VPCs are displayed.
Changes made to a VPC peering connection or CCN instance are synced to firewall toggles; disable the affected firewall toggles before making such changes to avoid business interruption.
Important
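The three route modes above differ in how many toggles exist and in how many a single flow crosses. The following model, added here as an illustration and not Tencent Cloud CFW code or API, makes that concrete: it enumerates the toggles for a constructed topology in each mode and reports which toggles a flow between two VPCs traverses. The VPC ids, links and data structures are assumptions; custom route mode only changes what the console displays, so it is not modelled.

```python
"""Added example: a small model of the CFW route modes described above.

Written for this page as illustration; it is not Tencent Cloud CFW code or API.
VPC ids, links and the data structures are constructed assumptions. Custom route
mode only changes what the console displays, so it is not modelled.
"""


# Constructed topology: each entry is one peering connection or CCN link
# joining two VPCs (the "pair of interconnected VPCs" of point-to-point mode).
LINKS = [
    ("vpc-a", "vpc-b"),
    ("vpc-a", "vpc-c"),
    ("vpc-b", "vpc-c"),
    ("vpc-c", "vpc-d"),
]


def toggles_for_mode(mode, links):
    """Return the firewall toggles that exist for a topology in the given mode.

    Each toggle is a frozenset of the VPCs whose traffic it governs:
      point-to-point       one toggle per interconnected pair
      point-to-multipoint  one toggle per VPC, covering everything in or out of it
      fullmesh             one toggle covering all associated VPCs
    """
    vpcs = sorted({vpc for link in links for vpc in link})
    if mode == "point-to-point":
        return {frozenset(link) for link in links}
    if mode == "point-to-multipoint":
        return {frozenset({vpc}) for vpc in vpcs}
    if mode == "fullmesh":
        return {frozenset(vpcs)}
    raise ValueError(f"unknown route mode: {mode}")


def toggles_traversed(mode, src, dst, links):
    """Return, as sorted tuples, the toggles that traffic from src to dst crosses.

    Traffic between VPCs that share no peering connection or CCN link is not
    covered by any toggle, so an empty list is returned for it.
    """
    pair = frozenset((src, dst))
    if pair not in {frozenset(link) for link in links}:
        return []
    toggles = toggles_for_mode(mode, links)
    if mode == "point-to-point":
        hit = [t for t in toggles if t == pair]
    elif mode == "point-to-multipoint":
        # Both endpoints' toggles see the flow: two separate toggles per exchange.
        hit = [t for t in toggles if t == frozenset({src}) or t == frozenset({dst})]
    else:
        hit = list(toggles)
    return sorted(tuple(sorted(t)) for t in hit)


if __name__ == "__main__":
    for mode in ("point-to-point", "point-to-multipoint", "fullmesh"):
        print(mode, len(toggles_for_mode(mode, LINKS)), "toggle(s);",
              "vpc-a -> vpc-b crosses", toggles_traversed(mode, "vpc-a", "vpc-b", LINKS))
```

Running the script shows the practical difference: the same vpc-a to vpc-b flow crosses one toggle in point-to-point mode, two in point-to-multipoint mode (so a rule must be consistent on both), and the single shared toggle in fullmesh mode.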
Though CFW cannot connect to the classic network, firewall toggles can be automatically created based on reachable routes. If there is no toggle, check whether there is a peering connection or CCN instance.
Enabling Firewall Toggles
After the toggle is turned on, the system automatically modifies the routing policy of the relevant route table. The traffic between the local network and the peer network, which are associated with the firewall toggle, is directed to the inter-VPC firewall.
1. On the Inter-VPC toggle page, firewall toggles can be turned on in the following ways.
Single: Select a firewall toggle and click the icon in the Firewall toggle column. Click OK in the pop-up confirmation window.
Batch: After selecting multiple firewall toggles, click Batch enable in the top left corner. Click OK in the pop-up confirmation window.
All: Click Enable all in the top left corner.
2. In the confirmation window displayed, click OK to enable protection.
Important
If the VPC peering connection or CCN instance is not correctly configured, the firewall cannot be enabled.
When the firewall toggle is on, don't change the corresponding routes manually in the VPC console. Otherwise, the routes go missing and the network is interrupted.
Disabling Firewall Toggles
When the firewall is disabled, the original route policies are restored. The traffic between the local network and peer network goes through the original path instead of the inter-VPC firewall.
1. On the Inter-VPC toggle page, click Firewall toggle. You can turn off firewall toggles individually, in a batch, or all of them.
Single: Select a firewall toggle and click the icon in the Firewall toggle column. Click OK in the pop-up window to disable it.
Batch: After selecting multiple firewall toggles, click Batch disable in the top left corner. Click OK in the pop-up confirmation window.
All: Click Disable all in the top left corner.
2. In the confirmation window displayed, click OK to disable the protection.
Important
After the firewall toggle is disabled, you can switch the VPC routes as needed. Do not manually enable the firewall routes; doing so causes network interruptions and firewall toggle failure.
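The two Important notes in the enabling and disabling sections describe the same failure mode from both sides: the route table must match the toggle state, and hand edits in the VPC console make it drift. The following check, added here as an illustration and not CFW's API or console logic, encodes that expectation for a constructed route table and lists every deviation. The route-table shape, CIDRs and next-hop names are assumptions.

```python
"""Added example: checking a VPC route table against the state a toggle expects.

Illustrative code written for this page, not CFW's API or console logic. The
route-table shape, next-hop names and CIDRs are constructed. It encodes what the
page states: an enabled toggle repoints the routes between the local and peer
networks at the inter-VPC firewall, disabling restores the original next hops,
and routes edited by hand in the VPC console (deleted while the toggle is on,
or pointed at the firewall while it is off) break connectivity or the toggle.
"""


# Constructed route table of the local VPC before any toggle is enabled:
# destination CIDR -> original next hop (a peering connection or a CCN instance).
ORIGINAL_ROUTES = {
    "10.2.0.0/16": "pcx-peer-vpc",
    "10.3.0.0/16": "ccn-instance",
}
FIREWALL_NEXT_HOP = "cfw-inter-vpc"  # constructed name for the firewall next hop


def expected_routes(original, toggle_on):
    """Routes the toggle is expected to have programmed for its current state."""
    if toggle_on:
        return {cidr: FIREWALL_NEXT_HOP for cidr in original}
    return dict(original)


def route_drift(current, original, toggle_on):
    """Compare the live route table with the expected one and list every deviation.

    An empty list means the table matches the toggle state; anything else is a
    candidate for the interruptions the page warns about.
    """
    expected = expected_routes(original, toggle_on)
    findings = []
    for cidr, hop in expected.items():
        if cidr not in current:
            findings.append(f"missing route {cidr} (expected next hop {hop})")
        elif current[cidr] != hop:
            findings.append(f"route {cidr} points to {current[cidr]}, expected {hop}")
    for cidr in sorted(current.keys() - expected.keys()):
        findings.append(f"unexpected route {cidr} -> {current[cidr]}")
    return findings


if __name__ == "__main__":
    # Toggle on, but one of the firewall routes was deleted by hand in the VPC console.
    damaged = {"10.3.0.0/16": FIREWALL_NEXT_HOP}
    print(route_drift(damaged, ORIGINAL_ROUTES, toggle_on=True))
    # Toggle off, but a firewall route was re-enabled manually.
    stale = {"10.2.0.0/16": FIREWALL_NEXT_HOP, "10.3.0.0/16": "ccn-instance"}
    print(route_drift(stale, ORIGINAL_ROUTES, toggle_on=False))
```

Run against a table exported from the console, a non-empty finding list is the signal to fix the toggle state through CFW rather than by editing routes directly.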
Viewing Rules
2. On the Firewall toggle page, click View rules on the right of the target firewall toggle.
3. On the Private network rules page, view and edit the rules as needed.
Viewing Logs
2. On the page that appears, select More > View logs to view access control logs or traffic logs.