1. Log in to the Cloud Firewall console, and select Firewall toggle > Inter-VPC toggle in the left sidebar.
2. On the Inter-VPC toggle page, click the Firewall instances page and then click Create instance.
3. In the pop-up inter-VPC firewall window, enter the instance name, select VPC mode and click Next.
Parameter description:
Instance name: The custom name of the firewall instance.
Modes:
VPC mode: Connect the asset to CFW via VPC. Modify the VPC route table to direct the route.
CCN mode: Connect the asset to CFW via CCN. Modify the CCN route table to direct the route. Note that the CCN instance must support multi-routes.
SASE mode: The feature is currently in beta test. To try it out, submit a ticket.
Privet network mode (CDC): It works the same as the VPC mode and only applies to the CDC environment.
4. Enter the firewall instance name and region, configure the disaster recovery, bandwidth and network settings, and click Next. To create instances as you want, click
.
Parameter description:
Region: Select the region where the VPC to protect locates.
Remote disaster recovery: Select it to enable remote disaster recovery.
Availability zone: Select an availability zone according to your needs.
Instance bandwidth: An instance supports 1-20 Gbps (up to 5 Gbps configurable). To set a bandwidth greater than the configurable limit, submit a ticket or upgrade your service. If you need more than the maximum bandwidth available, another firewall instance can be created. But make sure the throughput limit is not exceeded for each of your firewall instances.
Connect as an instance: Click Connected networks, select VPCs within the region required, and click OK.
Important
A VPC associates with only one firewall instance.
Inter-VPC firewalls cannot communicate with the classic network, so peering connections or CCN instances must be created between VPCs.
An inter-VPC firewall instance allows up to 10 VPCs in the same region. Multiple instances in the same region are supported. Create an inter-VPC firewall instance based on the region where a VPC is located before accessing the network.
5. Configure the routing subnet, firewall VPC, and routing mode, and click Create after checking these settings.
Notes
The creation process takes several minutes to complete.
Parameter
Description
Create routing subnet
CFW creates a 24 subnet in the connected VPC to route traffic to the firewall in three different ways. Once created, the subnet cannot be modified.
Primary network range preferred: Automatically select an idle subnet range in the selected VPC. If the VPC does not have available subnet IPs, a secondary network range is used.
Secondary network range preferred: Choose an idle secondary network range first. This mode does not consume the VPC's subnet quota. For more information about secondary network ranges, see Editing IPv4 CIDR Blocks.
Custom: Specify a 24 network range within the CIDR block of the current VPC, such as 192.168.0.0/24.
Firewall VPC
It connects firewall instances and must be created in the regions where the VPCs you want to connect are located.
Auto: CFW automatically creates a VPC with a /20 range that does not conflict with the connected VPCs.
Custom: Set a VPC with a /20 range that does not conflict with the connected VPCs, such as 192.168.1.0/20.
Routing mode
The way that networks are interconnected determines the firewall toggles and routing modes. Choose a routing mode that best suits your needs.
Point-to-point: It is suitable for connecting a few VPCs with a simple network topology. In this mode, one toggle is generated for each VPC-to-VPC connection.
Point to multipoint: It is suitable for connecting multiple VPCs to a simple network topology, such as a star network topology. In this mode, one toggle is set for each VPC and traffic between two VPCs goes through two firewall toggles.
Fullmesh: It is suitable for connecting many VPCs to a complex network topology, such as a mesh network topology. In this mode, only one firewall toggle is set to control all VPC routes.
Custom route: In this mode, no firewall toggles are set. You can configure a custom route as guided in Configuring Custom Routes after creating a firewall.
Note: Custom route is only supported in multiple regions. For available routing modes, go to the CFW console.
1. Log in to the Cloud Firewall console, and select Firewall toggle > Inter-VPC toggle in the left sidebar.
2. On the Inter-VPC toggle page, click the Firewall instances page and then click Create instance.
3. In the pop-up inter-VPC firewall window, enter the instance name, select CCN mode and click Next.
4. Select a CCN instance to be added to the inter-VPC firewall, and click OK.
Important
The CCN instance must support the multi-route table mode. If not, contact the CCN side to enable the multi-route table feature.
In the CCN mode, inter-VPC firewalls can be created in specified regions.
In the CCN mode, an inter-VPC firewall is associated with only one CCN instance.
5. After selecting a CCN instance, select a region available for the connected VPC in the drop-down. A firewall instance then will be created in this region. You can configure the firewall instance name, remote disaster recovery, and instance bandwidth specifications, and click Next.
Parameters:
Region: Select the region where the VPC to protect locates.
Notes
If only one region is selected to deploy a firewall instance, all inter-VPC traffic with the firewall toggles on will pass through the firewall instance in that region. This is suitable for a business network with a star topology.
If all regions are selected to deploy firewall instances, all inter-VPC traffic with the firewall toggles on will pass through the firewall instances in those regions. This is suitable for a business network with a mesh topology.
Custom route is only supported in multiple regions.
Remote disaster recovery: Select it to enable remote disaster recovery.
Availability zone: Select an availability zone according to your needs.
Instance bandwidth: An instance supports 1-20 Gbps (up to 5 Gbps configurable). To set a bandwidth greater than the configurable limit, submit a ticket or upgrade your service. If you need more than the maximum bandwidth available, another firewall instance can be created.
Important
Make sure the throughput limit is not exceeded for each of your firewall instances.
6. Configure the routing VPC and routing mode. Click Create after checking these settings.
Notes
The creation process takes several minutes to complete.
Parameter
Description
Create routing VPC
CFW can route traffic to the firewall through a VPC with /20 range. It can be created in the associated CCN instance via three different ways.
Auto: A random idle /20 range is selected.
Custom: Set a VPC IP range to be used for the firewall on your own. It must be a /20 range. For example, 192.168.1.0/20.
Important:
CCN has begun charging on connected network instances and inbound traffic from July 1, 2023, so creating a firewall VPC for your connected network instance may incur costs. For more details, see Start Charging on CCN Connected Network Instances and Inbound Traffic.
Routing mode
The way that networks are interconnected determines the firewall toggles and routing modes. Choose a routing mode that best suits your needs.
Point-to-point: It is suitable for connecting a few VPCs with a simple network topology. In this mode, one toggle is generated for each VPC-to-VPC connection.
Point to multipoint: It is suitable for connecting multiple VPCs to a simple network topology, such as a star network topology. In this mode, one toggle is set for each VPC and traffic between two VPCs goes through two firewall toggles.
Fullmesh: It is suitable for connecting many VPCs to a complex network topology, such as a mesh network topology. In this mode, only one firewall toggle is set to control all VPC routes.
Custom route: In this mode, no firewall toggles are set. You can configure a custom route as guided in Configuring Custom Routes after creating a firewall.
Note: Custom route is only supported in multiple regions. For available routing modes, go to the CFW console.
