
Switch for the Internet Boundary Firewall
Last updated: 2025-12-19 16:03:04
CFW provides the Internet Boundary Firewall Toggle feature. On the Internet Boundary Firewall Toggle page, CFW automatically detects your public IP addresses and their associated cloud assets and configures a Firewall Toggle for each. The toggle supports one-click protection: you can enable security protection without any network deployment, routing policy configuration, or image installation, and protection takes effect immediately after the toggle is enabled.

Explanation of Access Mode

Working Principles
Serial Firewall:
Deployment path: Serial firewalls are deployed directly in the path of network data flow, where all passing packets must be inspected and processed by the firewall.
Processing data: Since serial firewalls need to process all passing packets, they have high requirements for performance and processing capability. If the firewall performance is insufficient, it may become a network bottleneck, affecting network speed and stability. Therefore, a new firewall instance must be created in each region for serial firewalls, with corresponding bandwidth allocated.
Security Protection: Serial firewalls can perform deep inspection and processing of data packets, providing a high level of security. They prevent malicious packets from entering the network, protecting internal resources from attacks.

Supported Asset Types

Internet Firewall supports the following asset types:
Product name: Internet Firewall (Serial Mode)
General BGP IP addresses, Dedicated BGP IP addresses, Accelerated IP addresses, Static single-line IP address, Anti-DDoS EIP: Supported after the EIP is bound to an instance, subject to whether the firewall toggle can be enabled in the console. If you have any questions, submit a ticket to contact us.
Internet access (dedicated line): Supported
CLB: If you need support, submit a ticket to contact us for an evaluation.
Domain-named CLB: Not supported
IPv6 CLB: Not supported
Classic CLB: Not supported

Preparations for the Serial Firewall

Before using the serial firewall, complete the following preparations:

Assign Bandwidth to the Serial Firewall

Because the serial firewall features regional clustering attributes and has a protection performance limit, you need to allocate bandwidth to regions where the serial firewall is required.
1. Log in to CFW console, and in the left sidebar, select Firewall Toggle.
2. On the Firewall Toggle page, click Firewall settings in the upper-right corner.

3. Allocate bandwidth to regions where the serial firewall is required. It is recommended to make reasonable estimates based on peak business demands. Traffic exceeding the allocated bandwidth will not be protected, though this process will not affect network connectivity. For details, refer to Bandwidth.

Note:
General bandwidth: In the current version, allocating bandwidth for the serial firewall consumes general bandwidth, which is shared with the NAT Firewall.
General instance: In the current version, each time a new serial firewall region is added, it consumes one general instance quota. General instance quotas are shared with the NAT Firewall.
Serial Firewall regions: The regions supported in the current version are subject to those displayed in the Serial Firewall settings. More regions are being gradually rolled out. Stay tuned.

Confirm Assets Fall Within Protection Scope

Due to network architecture limitations, the current version of the serial firewall only supports protecting Elastic Public IPs (EIPs) with the latest network architecture. For specifics, refer to the console display. If you have questions, contact the EIP team for confirmation. Public CLB types are not currently supported. For protection, switch to an EIP + internal CLB configuration.

Serial Firewall Toggle Operations

1. Log in to CFW console, and in the left sidebar, choose Firewall Toggle > Protected Object > Internet Firewall.
2. On the Internet Boundary page, locate the asset that requires protection and confirm that the access mode is displayed as serial.

3. Click the toggle icon in the Firewall Toggle column to enable boundary protection for this asset.
4. Enabling the serial firewall is expected to take 1 minute and will not affect the network.
Note:
Serial mode requires using Private Link to establish connectivity from the VPC to the firewall.
When enabling the serial firewall for the first time for an EIP within the same VPC, you need to create a new endpoint for Private Link and a private IP address for traffic redirection. Private Link usage within your serial firewall specifications (allocated bandwidth) incurs no additional fees. Exceeding the allocated bandwidth may incur additional charges. For details, see Private Link Pricing. Subsequent toggling of the serial firewall within the same VPC does not require recreating the Private Link.


Firewall Status Monitoring

Users can monitor the bandwidth usage of public IP addresses in real time and make timely adjustments such as scaling out or disabling certain toggles.
1. In the upper-right corner of the status monitoring panel, click the monitoring icon.
2. On the status monitoring page, you can view and monitor the bandwidth usage of public IP addresses in real time, and perform operations such as scaling out or disabling certain toggles.
Note:
Peak bandwidth refers to the maximum value of uplink and downlink, meaning that if you purchase 100M bandwidth, CFW can simultaneously handle 100M uplink and 100M downlink traffic.


New Asset Auto-Enable

1. Log in to CFW console, navigate to the Firewall Toggle page in the left sidebar, and click Firewall settings.

2. Choose Feature Configuration > Enable for New Asset. When the protection quota for public IP addresses allows, the Internet Boundary toggle will be automatically enabled for new public IP address assets. Below, you can choose whether to enable the serial access mode by default and whether to automatically create a Private Link.


Internet Firewall Excess Bypass Weight Setting

When traffic exceeds the bandwidth of the Internet Firewall, a bypass policy is triggered. CFW automatically disables some Firewall Toggles to bring the protected traffic back within the bandwidth specification, and automatically re-enables those toggles once traffic returns to normal.
Weight range: 0 - 100 (default: 1). A higher value indicates a higher priority.
Traffic limiting mechanism: When real-time bandwidth > purchased specification, the system automatically disables the toggles with the highest weight first (if weights are equal, it disables them in descending order of peak bandwidth) until real-time bandwidth falls within the purchased specification.
Recovery mechanism: When real-time bandwidth ≤ purchased specification, the system automatically re-enables the toggles with the highest weight first (if weights are equal, it enables them in descending order of peak bandwidth), turning the Firewall Toggle back on.
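The traffic-limiting and recovery order described above, modelled as an added Python example (this is not CFW's own code or API): the asset IDs, weights and bandwidth figures are constructed, and the assumption that bypassing an IP removes that IP's peak bandwidth from the firewall's load is mine, not the page's.

```python
from dataclasses import dataclass


@dataclass
class Toggle:
    ip: str
    weight: int = 1         # bypass weight 0-100 (default 1); higher is bypassed first
    peak_mbps: float = 0.0  # this IP's peak bandwidth (assumed known to the scheduler)
    enabled: bool = True


def bypass_order(toggles):
    """Page's ordering rule: high weight first, then descending peak bandwidth."""
    return sorted(toggles, key=lambda t: (-t.weight, -t.peak_mbps))


def apply_overrun(toggles, purchased_mbps, realtime_mbps):
    """Traffic limiting: disable toggles in bypass order until the traffic still
    passing the firewall fits the purchased specification. Assumption: bypassing
    an IP removes its peak bandwidth from the firewall. Returns bypassed IPs."""
    bypassed, remaining = [], realtime_mbps
    for t in bypass_order(t for t in toggles if t.enabled):
        if remaining <= purchased_mbps:
            break
        t.enabled = False
        bypassed.append(t.ip)
        remaining -= t.peak_mbps
    return bypassed


def apply_recovery(toggles, purchased_mbps, realtime_mbps):
    """Recovery: once real-time bandwidth is within specification, re-enable
    bypassed toggles in the same order, skipping any that would overrun again
    (the per-toggle fit check is an assumption). Returns restored IPs."""
    restored, remaining = [], realtime_mbps
    if remaining > purchased_mbps:
        return restored
    for t in bypass_order(t for t in toggles if not t.enabled):
        if remaining + t.peak_mbps <= purchased_mbps:
            t.enabled = True
            restored.append(t.ip)
            remaining += t.peak_mbps
    return restored


def sample_toggles():
    """Constructed sample assets: the IDs, weights and peaks are made up."""
    return [Toggle("eip-a", 5, 30.0), Toggle("eip-b", 5, 50.0),
            Toggle("eip-c", 1, 40.0), Toggle("eip-d", 0, 20.0)]
```

With a 100 Mbps specification and 140 Mbps of real-time traffic, only eip-b (weight 5, larger peak than eip-a) is bypassed; it is restored once the real-time figure leaves room for its peak again.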


Operation Steps

1. Log in to CFW console, navigate to the Firewall Toggle page in the left sidebar, and click Firewall settings.

2. On the Firewall Settings > Feature Configuration page, edit the weight of the specified Firewall Toggle.

3. Click Edit Weight, select the Firewall Toggles to change, edit their weights in a batch, and click OK to save.


Synchronizing Assets

The backend polls user asset information on a schedule every 5 minutes. If your assets change within that interval and the backend has not yet synchronized them, you can click Sync assets above the list to have the backend re-read and synchronize your asset information immediately.
When newly added assets do not appear in the Firewall Toggle list, click Sync assets above the list to synchronize them.


View Rules, Alarms, or Logs

In addition to enabling the Firewall Toggle in the asset list, you can perform other operations, primarily including viewing rules, alarms, and logs associated with the asset.
View rules: In the asset list, click View rules in the operation column to redirect to the rules page associated with the asset.

View alarms: In the asset list, choose More > Related alerts in the operation column, select a specific event type, and you will be redirected to the corresponding event page in the Alarm Center.

View logs: In the asset list, choose More > View logs in the operation column, select a specific log type, and you will be redirected to the corresponding log page.


Internet Firewall Bandwidth Overrun Handling

Bandwidth overload of the Internet Firewall will not cause packet loss in customer business traffic or affect the traffic rate, but will be unable to provide the protection feature.
Starting from September 25, 2024, when business bandwidth exceeds 100% of the Internet Firewall bandwidth, the following measures will be taken:
Disable some Internet Firewall Toggles to bypass a portion of traffic, protecting only the traffic within the bandwidth specification.
The handling methods for serial and bypass modes are identical: disable some toggles to restrict traffic.
Support configuring the weight of Firewall Toggles to set the priority for automatically disabling Firewall Toggles.
For more details, see Bandwidth.

Related Information

To perform traffic management and security protection for private network assets, or to configure network traffic forwarding based on SNAT or DNAT, see NAT Firewall Toggle.
To automatically detect VPC information and interconnection relationships, and create CFW Toggles between each pair of interconnected VPCs, see VPC Firewall Toggle.
If you encounter issues related to the Internet Firewall, see the Basic Introduction documentation.