Inter-VPC Firewall
Last updated: 2025-06-23 18:07:49

Why can’t some Inter-VPC firewall switches be enabled?

Due to routing or IP range conflicts, the inter-VPC firewall restricts conflicting switches. You can resolve these conflicts based on the error prompts and then try enabling the Inter-VPC firewall again.

What are the automatically created firewall subnets and firewall routes in a VPC?

After enabling the Inter-VPC firewall, firewall subnets (required for traffic redirection) and firewall routes will be automatically created. Do not manually delete them, as this may disrupt the firewall’s functionality. To modify the firewall subnet’s IP range, please submit a ticket to contact us.

Which subnets between VPCs does the Inter-VPC firewall redirect traffic from?

The redirection scope depends on your inter-VPC routing configuration. The firewall only redirects traffic from subnets with correctly configured inter-VPC routes.

What happens if the Inter-VPC firewall reaches its bandwidth limit? How to handle this?

In the current version, the Inter-VPC firewall uses dedicated resources and does not support elastic scaling. When bandwidth exceeds limits, excess packets will be dropped, potentially causing latency, congestion, or service disruption. To ensure business continuity, we recommend proactively estimating bandwidth requirements and scaling in advance.

Can the Inter-VPC firewall protect traffic accessing third-party VPCs?

Yes, via the Cloud Connect Network (CCN) mode.

What is the maximum bandwidth supported by the Inter-VPC firewall?

20 Gbps.

Does the Inter-VPC firewall support blocking UDP traffic?

Yes. The firewall is inserted directly into the user's network path (by modifying routes), so it can block all UDP traffic.

Does the Inter-VPC firewall cover protection between VPN and dedicated lines?

Yes. The VPN or dedicated-line traffic must be connected through a purchased Cloud Connect Network (CCN) before it can be protected.

Why split Inter-VPC firewall instances?

A firewall is essentially composed of multiple firewall instances. In previous versions, the concept of instances was weakened, making it difficult to monitor and analyze the status of each firewall instance. Therefore, in the latest version, we have strengthened the concept of firewall instances, aligning their information hierarchy with that of the NAT firewall and making the interface structure clearer.

What problem does multi-instance deployment in the same region solve?

In previous versions, one firewall instance was deployed per region to provide network access. However, because of routing policy limitations, effective protection could not be achieved when there were too many VPCs.
Currently, the inter-VPC firewall supports deploying multiple firewall instances (private network mode) in the same region, so that more VPCs can be protected.

How does routing mode configuration address pain points?

Because every user's network structure is different, the number of switches grows and becomes complex and hard to maintain when there are many VPCs. By choosing among single-point mode, multi-point mode, full-mesh mode, and custom routing mode, users can select a traffic diversion scheme that fits their network topology, which simplifies the control logic of the switches.

Does the Cloud Connect Network (CCN) mode support adding new firewall deployment regions after setup?

Not supported. If you want to add new deployment regions, you need to terminate instances and rebuild them.

How does the CFW block UDP port 53 (DNS) requests?

When an ACL blocking rule is triggered, the CFW forges a DNS response: it sends an NXDOMAIN response packet on behalf of the DNS server to block the DNS request. This prevents a blocked DNS request from being retried and succeeding. If DNS requests need to be allowed, it is recommended to place the DNS allow rule at the very top of the configuration. This behaviour also means the client will not attempt to resolve the name via the next nameserver address listed in /etc/resolv.conf.
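As an added illustration of the behaviour described above (example code written for this page, not Tencent Cloud's own), the snippet below models why a stub resolver accepts the synthesized reply and stops: the forged packet mirrors the query's transaction ID and question section and sets RCODE 3 (NXDOMAIN). The `probe` helper, which lets you check from a host whether a path returns an answer, an NXDOMAIN or a timeout, and the sample query are constructed here and assumed, not taken from the product.

```python
import socket
import struct

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RD set, one question) like a stub resolver sends over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, qclass IN

def synthesize_nxdomain(query: bytes) -> bytes:
    """Model of the reply a blocking firewall sends on behalf of the DNS server:
    same transaction ID and question section, QR=1, RD copied, RA=1, RCODE=3 (NXDOMAIN).
    Reconstructed from the page's description; not the vendor's implementation."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", txid, resp_flags, qd, 0, 0, 0) + query[12:]

def classify_response(query: bytes, response: bytes) -> str:
    """Classify a reply the way a client sees it: 'nxdomain', 'answer', 'other' or 'mismatch'.
    A mismatch (wrong ID, not a response, or a different question) would be discarded
    by the resolver, so a forged reply has to match on all three to be accepted."""
    if len(response) < 12:
        return "other"
    rid, flags, _qd, an = struct.unpack("!HHHH", response[:8])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"
    if response[12:12 + len(query) - 12] != query[12:]:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"      # resolver treats the name as non-existent and stops retrying
    if rcode == 0 and an > 0:
        return "answer"
    return "other"

def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Send one query to a DNS server and classify what comes back ('timeout' if nothing).
    Hypothetical helper for checking a path from a host; uses the network when called."""
    query = build_query(0x1A2B, name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(query, response)
```

A silent drop shows up as `timeout`, after which a stub resolver moves to the next nameserver; the synthesized `nxdomain` is accepted as a final answer, which is the difference the FAQ entry describes.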