Automatic Access Routing Configuration Guide

Last updated: 2026-01-23 17:06:14
Tencent Cloud's VPC Firewall supports automatic access through the CCN policy-based routing feature. With automated traffic steering configuration, you can set traffic steering policies at VPC or CIDR granularity, which reduces the operational complexity of traditional routing solutions.
Note:
The automatic access mode is currently in public beta and is unavailable by default. To try this feature, submit a ticket to CFW to apply.

Prerequisites

Your CCN instance needs to support the policy-based routing feature. If it only supports multiple routing tables, it cannot use the automatic access mode.
Enabling protection for each CCN instance consumes 1 border firewall toggle quota. Please ensure sufficient quota is available.

Step 1: Select Automatic Access Mode

Enable the Firewall Toggle and select the automatic access mode. For details, see Firewall Toggle.

Step 2: Configure Traffic Steering Policy

1. On the traffic steering policy configuration page, you can define which traffic between VPCs or Direct Connect gateway instances needs to pass through firewall protection. Multiple rules can be configured to accommodate complex network architectures.
| Traffic Steering Policy Type | Description | Configuration Requirements |
| --- | --- | --- |
| Multi-point Interconnection | Protects the mutual access traffic between each pair of instances within the selected group. | Select at least 2 different instances within the rule. |
| Multipoint-to-Multipoint | Protects the mutual access traffic between the two groups "Multi-point Instance 1" and "Multi-point Instance 2". Traffic between instances within the same group does not pass through the firewall. | Select at least 1 instance from each of the two groups. The same instance cannot be selected both within the same group and across different groups. |
2. After completing the configuration, click Next.
Note:
To protect traffic between VPCs in the same region included in the traffic diversion policy, you must submit a ticket to CCN to apply for opening intra-city traffic diversion for VPC instances. Otherwise, this traffic will not pass through the firewall. The activation process may cause session connection interruptions for PaaS services in the corresponding VPC. Applications must implement automatic reconnection mechanisms for long-lived connections to ensure rapid service recovery.

Step 3: Create a Traffic Diversion VPC

CFW requires a dedicated VPC (with a /26 subnet) to steer traffic.
On the Create Traffic Diversion VPC page, the system will list all regions involved in the current traffic diversion policy. Please configure each region separately:
1. Select creation method:
Not Now: Traffic diversion resources will not be created in the current region (can be added later).
Automatic assignment: The system automatically detects and allocates available /26 subnets.
Custom: Manually specify an unused /26 subnet (such as 10.0.0.0/26).
Note:
To protect traffic between VPCs in different regions, a traffic diversion VPC must be created in at least one of the regions.
2. Confirm Access: After the configuration is verified to be correct, click Access Now.
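
The coverage rules from Steps 2 and 3, as an added example that is not part of Tencent Cloud's documentation or tooling: it validates each rule against the table's requirements, expands it into the instance pairs it steers, and flags pairs that would still bypass the firewall under the two notes above. The rule dictionaries, instance IDs and region names are constructed placeholders, and the model encodes only the conditions stated on this page.

```python
from itertools import combinations, product

def validate(rule):
    """Return the configuration errors for one traffic steering rule."""
    kind, groups = rule["type"], rule["groups"]
    if kind == "interconnection":
        ok = len(groups) == 1 and len(set(groups[0])) >= 2
        return [] if ok else ["select at least 2 different instances"]
    if kind != "multipoint" or len(groups) != 2:
        return ["unknown rule shape"]
    a, b = groups
    errors = []
    if not a or not b:
        errors.append("select at least 1 instance in each group")
    if len(set(a)) < len(a) or len(set(b)) < len(b) or set(a) & set(b):
        errors.append("instance selected more than once")
    return errors

def steered_pairs(rule):
    """Instance pairs whose mutual traffic the rule sends to the firewall."""
    if rule["type"] == "interconnection":
        pairs = combinations(sorted(set(rule["groups"][0])), 2)
    else:  # group-to-group only; traffic inside a group is not steered
        pairs = product(*rule["groups"])
    return {frozenset(p) for p in pairs}

def coverage(rules, region_of, diversion_regions, intra_city_enabled):
    """Split steered pairs into inspected pairs and gaps (pair -> reason)."""
    inspected, gaps = set(), {}
    for rule in rules:
        if validate(rule):
            continue  # skip rules that violate the table's requirements
        for pair in steered_pairs(rule):
            r1, r2 = (region_of[i] for i in pair)
            if r1 == r2 and not intra_city_enabled:
                gaps[pair] = "same region: intra-city diversion not opened"
            elif r1 != r2 and not {r1, r2} & diversion_regions:
                gaps[pair] = "cross-region: no diversion VPC in either region"
            else:
                inspected.add(pair)
    return inspected, gaps

# Constructed sample; instance IDs and region names are placeholders.
REGION_OF = {"vpc-a": "region-1", "vpc-b": "region-1",
             "vpc-c": "region-2", "dcg-d": "region-3"}
RULES = [{"type": "interconnection", "groups": [["vpc-a", "vpc-b", "vpc-c"]]},
         {"type": "multipoint", "groups": [["vpc-a"], ["dcg-d"]]}]
if __name__ == "__main__":
    for pair, why in coverage(RULES, REGION_OF, {"region-2"}, False)[1].items():
        print(sorted(pair), "->", why)
```

Every pair reported as a gap is traffic that reaches its destination without firewall inspection, so review that list before relying on VPC-to-VPC rules.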

Step 4: Wait for Deployment Completion

The system will automatically perform the following operations:
1. Create the traffic diversion VPC and related resources in the specified region.
2. Deploy policy-based routing in CCN.
This process is expected to take 1-3 minutes. Wait for the switch status to become enabled.

Subsequent Management and Ops

When the Firewall Toggle is enabled, click Edit in the operation column of the instance list to perform the following operations:
Modify Traffic Diversion Policy: Adjust the VPC scope or CIDR that needs to be protected.
Incremental Configuration of Traffic Diversion Resources: For regions that were initially set to "Do not create for now" or newly added to the current CCN instance, you can reselect the creation method for supplemental creation.
Note:
While the Firewall Toggle is enabled, the traffic diversion VPCs created via the "Automatic Selection" or "Custom" methods are locked: their CIDR cannot be modified and they cannot be deleted.
If you need to modify or delete traffic diversion resources, you must first disable the Firewall Toggle (after disabling, the system will automatically clean up related resources).

