
Manual Access Routing Configuration Guide

Last updated: 2026-05-12 17:48:31
VPC Firewall can steer CCN traffic to the firewall through CCN multi-route tables or through the other access modes offered in the console. In manual access mode, enabling the Firewall Toggle does not by itself protect the traffic of the CCN instance: you must open the console of that CCN instance and complete the routing configuration for the access mode you selected. Until that configuration is in place, traffic continues to bypass the firewall.


Multi-Route Table Access Mode

The multi-route table access mode is one way to manually connect instances to the VPC Firewall (cluster mode). It steers traffic to CFW for inspection and access control by creating a dedicated CCN route table for each instance that requires protection. Use it when the CCN supports multi-route tables but not policy-based routing, or when you want precise manual control over routing.


Step 1: Select Manual Access Mode

Enable the Firewall Toggle, select Manual access, and for the access mode choose Multi-Route Table. For details, see Firewall Toggle.

Step 2: Configure Traffic Steering Policy

1. Select how the traffic steering VPC is created. A traffic steering VPC must exist in at least one region; choose Automatic assignment or Custom:
Automatic assignment: CFW selects an available /26 CIDR block for the firewall traffic steering VPC.
Custom: You specify the CIDR block yourself. It must be exactly a /26 (for example, 10.0.0.0/26) and should not overlap any CIDR already routed in the CCN, otherwise its routes conflict with existing entries.

2. Click Create. CFW creates the traffic steering VPC in the region of the VPC associated with the current CCN instance. This takes about 30 seconds.

Step 3: Confirm Whether the Firewall Traffic Steering VPC Has Been Successfully Created

1. Log in to VPC console, in the left sidebar, click CCN.
2. In the CCN instance list, click the target instance's ID/Name.
3. On the Associated Instances tab, check that a VPC instance named Dedicated firewall VPC Do not delete or modify exists and that its status is Connected.

Note:
If the traffic steering VPC has not been created, wait for instance creation to finish; if it still does not appear, submit a ticket to contact us.

Step 4: Configure the Routing Policy for the Firewall Traffic Steering VPC

After the firewall traffic steering VPC is created, the system automatically generates two route tables in this VPC:
default: steers traffic to the firewall gateway cluster. You must configure its route entries manually (steps 4.1 to 4.3).
Dedicated Firewall VPC Route Table_Do Not Delete or Modify: forwards traffic that has passed firewall inspection on to the destination VPC. CFW creates and maintains it; no manual action is required.

4.1 Go to the default Route Table of the Firewall Traffic Steering VPC

1. Go to the VPC console > Route Tables > Route Tables page.
2. Select the region where the firewall traffic steering VPC is located at the top.
3. Select the firewall traffic steering VPC created by the system. You can then view the two route tables mentioned above.

4. Click the default route table to go to the default route table details page.

4.2 Disable the Original Route Entries

On the Basic Information page of the default route table, locate every route entry whose destination is a business instance to be protected (such as a business VPC or a Direct Connect gateway) and whose next hop type is CCN, and disable each of them.

Note:
This operation targets the default route table of the firewall traffic steering VPC, not the route table of the business VPC.
Disabling these entries does not affect the existing business network: business traffic is still forwarded according to the original CCN route table at this point.

4.3 Add a Routing Policy Pointing to the Firewall Gateway

1. On the Basic Information page of the default route table, click Add Route Policy and add a steering route for each business instance that requires protection:
Destination: the CIDR of the business VPC to be protected (for example, 10.1.0.0/16).
Next Hop Type: GWLB endpoint.
Next Hop: the firewall gateway ID.
Remark: optional; entering the business VPC name makes the entry easy to identify.
2. Click Create. Then select the newly created route and click Publish to CCN. If the console reports a subnet conflict, disable the conflicting existing entry first and retry.

Note:
Hybrid cloud scenario: to protect traffic in both directions between a VPC and a Direct Connect gateway, the default route table needs a steering route for each direction:
Direct Connect gateway to VPC: destination is the CIDR of the business VPC; next hop is the firewall gateway.
VPC to Direct Connect gateway: destination is the CIDR of the on-premises network reached through the Direct Connect gateway; as above, disable the original CCN route entry for that CIDR first, then add a route policy pointing to the firewall gateway.
Only with both routes in place does all traffic between the two sides pass through firewall inspection; a single direction leaves the reverse path uninspected.

4.4 Dedicated Firewall VPC Route Table_Do Not Delete or Modify

No action is required for the Dedicated Firewall VPC Route Table_Do Not Delete or Modify route table. CFW maintains it automatically; it forwards traffic that has passed firewall inspection to the destination VPC.
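The checks in steps 4.2 and 4.3 are mechanical enough to script. As an added example that is not part of the original page or of CFW, the following Python models the default route table of the firewall traffic steering VPC, computes which CCN entries to disable and which GWLB endpoint routes to add for a given set of protected CIDRs (the VPC CIDRs and, for the hybrid-cloud case, the on-premises CIDR behind the Direct Connect gateway), and audits the resulting table for three failure modes: a protected CIDR still routed via CCN (bypass), a protected CIDR with no firewall route (gap), and a destination with two enabled routes (the subnet conflict the console reports). The route table contents and all IDs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str      # CIDR
    next_hop_type: str    # "CCN" or "GWLB endpoint"
    next_hop: str         # id of the next hop (CCN instance or firewall gateway)
    enabled: bool = True


# Constructed sample: the default route table of the firewall traffic steering VPC
# as generated, i.e. one CCN-learned route per instance in the CCN. All ids are
# placeholders, not real Tencent Cloud resource ids.
SAMPLE_DEFAULT_TABLE = [
    Route("10.1.0.0/16", "CCN", "ccn-sample"),        # business VPC-A, to be protected
    Route("10.2.0.0/16", "CCN", "ccn-sample"),        # business VPC-B, to be protected
    Route("10.9.0.0/16", "CCN", "ccn-sample"),        # VPC-C, stays outside the firewall
    Route("192.168.100.0/24", "CCN", "ccn-sample"),   # IDC range behind the Direct Connect gateway
]
# Both directions of the hybrid-cloud case: the VPC CIDRs and the IDC CIDR.
PROTECTED_CIDRS = ["10.1.0.0/16", "10.2.0.0/16", "192.168.100.0/24"]
FIREWALL_GATEWAY = "fw-gateway-sample"   # placeholder for the firewall gateway id


def _norm(cidr):
    return str(ipaddress.ip_network(cidr, strict=False))


def _key(r):
    return (_norm(r.destination), r.next_hop_type, r.next_hop)


def plan_steering_routes(table, protected_cidrs, firewall_gateway):
    """Steps 4.2 and 4.3: return (to_disable, to_add).

    to_disable: enabled CCN routes whose destination is a protected CIDR.
    to_add: GWLB endpoint routes to the firewall gateway for every protected
    CIDR that does not already have one.
    """
    protected = [_norm(c) for c in protected_cidrs]
    to_disable = [r for r in table
                  if r.enabled and r.next_hop_type == "CCN" and _norm(r.destination) in protected]
    have_fw = {_norm(r.destination) for r in table
               if r.enabled and r.next_hop_type == "GWLB endpoint"}
    to_add = [Route(c, "GWLB endpoint", firewall_gateway) for c in protected if c not in have_fw]
    return to_disable, to_add


def apply_plan(table, to_disable, to_add):
    """Return a new table with `to_disable` switched off and `to_add` appended."""
    off = {_key(r) for r in to_disable}
    updated = [Route(r.destination, r.next_hop_type, r.next_hop,
                     r.enabled and _key(r) not in off) for r in table]
    return updated + list(to_add)


def audit_default_table(table, protected_cidrs):
    """Findings for the default route table; [] means every protected CIDR is
    steered to the firewall and no destination has conflicting routes."""
    findings = []
    protected = [_norm(c) for c in protected_cidrs]
    enabled = [r for r in table if r.enabled]
    for cidr in protected:
        hops = [r.next_hop_type for r in enabled if _norm(r.destination) == cidr]
        if "CCN" in hops:
            findings.append(f"bypass: {cidr} still has an enabled CCN route, traffic is not inspected")
        if "GWLB endpoint" not in hops:
            findings.append(f"gap: {cidr} has no enabled GWLB endpoint route to the firewall")
    # two enabled routes for one destination is the subnet conflict the console reports
    per_dest = {}
    for r in enabled:
        per_dest.setdefault(_norm(r.destination), []).append(r.next_hop_type)
    for cidr, hops in per_dest.items():
        if len(hops) > 1:
            findings.append(f"conflict: {cidr} has {len(hops)} enabled routes ({', '.join(hops)}); disable the CCN entry first")
    return findings


if __name__ == "__main__":
    to_disable, to_add = plan_steering_routes(SAMPLE_DEFAULT_TABLE, PROTECTED_CIDRS, FIREWALL_GATEWAY)
    print("disable:", [r.destination for r in to_disable])
    print("add:", [(r.destination, r.next_hop) for r in to_add])
    print("before:", audit_default_table(SAMPLE_DEFAULT_TABLE, PROTECTED_CIDRS))
    print("after:", audit_default_table(apply_plan(SAMPLE_DEFAULT_TABLE, to_disable, to_add), PROTECTED_CIDRS))
```

The order of operations matters: auditing the table with the GWLB routes added but the CCN routes still enabled reports conflicts rather than gaps, which is exactly the situation the note about subnet conflicts in step 4.3 describes. The route for VPC-C, which is not protected, is left untouched by the plan.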

Step 5: Create an Inter-VPC Access Route Table and Bind Instances

After completing the route configuration for the firewall traffic steering VPC, create a dedicated route table on the CCN side for every instance that is to be connected to the firewall, so that its traffic is steered into the firewall traffic steering VPC.

5.1 Creating a Dedicated Route Table

Note:
Each instance (VPC or Direct Connect gateway) that needs to access the firewall requires a separate, dedicated route table. For example, if one VPC and one Direct Connect gateway need to access the firewall, you must create two dedicated route tables.
1. Log in to VPC console, in the left sidebar, click CCN.
2. On the CCN page, click the target CCN instance's ID/Name.
3. On the target CCN instance details page, click the Route Table tab.
4. On the Route Table tab, click Create Route Table, create a dedicated route table for the instance that needs to access the firewall, and click OK.

5. Repeat the previous step to create a dedicated route table for all instances that need to access the firewall.

5.2 Configuring the Route Reception Policy

1. For each dedicated route table, click Route receiving policy > Add policy.

2. Click Add condition, add the following instances to the route reception policy, and set the action to Allow:
The instance itself: the instance for which this dedicated route table was created.
All instances within the CCN that are not connected to the firewall: keeps routing between these instances and the protected instance working as before.
The firewall traffic steering VPC: lets the protected instance reach the firewall traffic steering VPC.

3. Click OK. Repeat the steps above to apply the same configuration to the dedicated route tables for other instances that need to access the firewall.

5.3 Checking Route Entries

After configuration is complete, check the route entries of each dedicated route table against the following expectations:
It contains route entries whose next hop is the firewall traffic steering VPC.
It contains route entries for the instances that are not connected to the firewall.
It does not contain direct routes to other instances that are connected to the firewall; traffic to those instances must be forwarded through the firewall traffic steering VPC. A direct route here is a bypass: that traffic would skip inspection.
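The expectations of step 5.3 can also be checked offline. The following Python is an added example, not part of the original page or of CCN: it models the CCN instances, derives the reception policy that step 5.2 calls for, simulates which routes a dedicated route table receives under a given policy (a simplification of CCN route learning), and flags the three conditions of step 5.3. It also shows why the reception policy matters: if the table of VPC-A additionally accepts routes from VPC-B, another protected instance, VPC-A receives a direct route to VPC-B that bypasses the firewall. All instance IDs and CIDRs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Instance:
    id: str
    kind: str               # "VPC", "DirectConnectGateway" or "FirewallVPC"
    cidr: str
    behind_firewall: bool   # True if CFW is to inspect this instance's traffic


@dataclass(frozen=True)
class CcnRoute:
    destination: str        # CIDR
    next_hop: str           # id of the CCN instance the route points at


# Constructed sample CCN. FW_VPC stands for the instance the console shows as
# "Dedicated firewall VPC Do not delete or modify"; all ids are placeholders.
FW_VPC = "vpc-fw-steering"
INSTANCES = {i.id: i for i in [
    Instance("vpc-a", "VPC", "10.1.0.0/16", True),
    Instance("vpc-b", "VPC", "10.2.0.0/16", True),
    Instance("vpc-c", "VPC", "10.9.0.0/16", False),        # stays outside the firewall
    Instance("dcg-idc", "DirectConnectGateway", "192.168.100.0/24", True),
    Instance(FW_VPC, "FirewallVPC", "10.0.0.0/26", False),
]}
# What each instance announces into the CCN. The steering VPC announces the
# protected CIDRs published in step 4.3 in addition to its own /26.
ADVERTISEMENTS = {
    "vpc-a": ["10.1.0.0/16"],
    "vpc-b": ["10.2.0.0/16"],
    "vpc-c": ["10.9.0.0/16"],
    "dcg-idc": ["192.168.100.0/24"],
    FW_VPC: ["10.0.0.0/26", "10.1.0.0/16", "10.2.0.0/16", "192.168.100.0/24"],
}


def _norm(cidr):
    return str(ipaddress.ip_network(cidr, strict=False))


def required_reception_sources(self_id, instances, fw_vpc_id):
    """Step 5.2: the dedicated table of `self_id` accepts routes from itself,
    from every instance not behind the firewall, and from the steering VPC."""
    allowed = {self_id, fw_vpc_id}
    allowed |= {i.id for i in instances.values() if not i.behind_firewall}
    return allowed


def derive_routes(allowed_sources, advertisements):
    """Routes a dedicated table ends up with when its reception policy allows
    exactly `allowed_sources` (simplified model of CCN route learning)."""
    return [CcnRoute(c, src) for src, cidrs in advertisements.items()
            if src in allowed_sources for c in cidrs]


def check_dedicated_table(self_id, routes, instances, fw_vpc_id):
    """Step 5.3: findings for one dedicated route table; [] means it meets expectations."""
    other_protected = {i.id for i in instances.values()
                       if i.behind_firewall and i.id != self_id}
    unprotected = {i.id for i in instances.values()
                   if not i.behind_firewall and i.id != fw_vpc_id}
    hops_by_dest = {}
    for r in routes:
        hops_by_dest.setdefault(_norm(r.destination), set()).add(r.next_hop)
    findings = []
    # 1. every other protected instance is reached through the steering VPC
    for iid in sorted(other_protected):
        cidr = instances[iid].cidr
        if fw_vpc_id not in hops_by_dest.get(_norm(cidr), set()):
            findings.append(f"missing: {cidr} ({iid}) has no route via {fw_vpc_id}")
    # 2. instances outside the firewall stay directly reachable
    for iid in sorted(unprotected):
        cidr = instances[iid].cidr
        if iid not in hops_by_dest.get(_norm(cidr), set()):
            findings.append(f"missing: {cidr} ({iid}) has no direct route")
    # 3. no direct route to another protected instance: that is a firewall bypass
    for r in routes:
        if r.next_hop in other_protected:
            findings.append(f"bypass: {r.destination} points directly at {r.next_hop}, skipping the firewall")
    return findings


if __name__ == "__main__":
    policy = required_reception_sources("vpc-a", INSTANCES, FW_VPC)
    print("vpc-a accepts routes from:", sorted(policy))
    print("correct policy:", check_dedicated_table("vpc-a", derive_routes(policy, ADVERTISEMENTS), INSTANCES, FW_VPC))
    print("accept-all policy:", check_dedicated_table("vpc-a", derive_routes(set(INSTANCES), ADVERTISEMENTS), INSTANCES, FW_VPC))
```

Run the check for every dedicated table (one per protected VPC and Direct Connect gateway) before step 5.4 binds it, since binding is the moment traffic actually starts following the new table.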

5.4 Binding Instances

Bind each dedicated route table to its corresponding instance. For example: the dedicated route table created for VPC-A should be bound to the VPC-A instance.
1. For each dedicated route table, click Bind with instance > Bind network instance.

2. Select the network instance corresponding to this dedicated route table (such as a VPC or Direct Connect gateway), and then click Next: Route Confirmation.

Note:
Traffic is steered to the firewall only once the instance is bound. Until then the instance is routed according to its original route table. Confirm that the route entries are correct before binding.
3. Click Completed. Repeat the steps above to bind the dedicated route tables of other instances to their corresponding instances.


Step 6: Verify That the Network Instance Is Connected

1. Log in to the CFW console and, as described in Log Auditing, check that traffic logs exist for the relevant business. This confirms that traffic passes through the firewall.
2. Also per Log Auditing, check that Intrusion Defense is working.
3. Configure VPC Border Rules and check that they are hit as expected.
The firewall is now in service. If your network architecture is complex or involves Direct Connect (dedicated line) scenarios, submit a ticket for a detailed routing design; submit a ticket for any further questions as well.

Disconnecting CCN Instances From CFW (Multi-Route Table)

Note:
Disable the VPC Firewall Toggle only after you have confirmed that the CCN instance is disconnected from CFW; disabling it first causes a network interruption.
1. Log in to the VPC console, open the CCN instance for which you want to disable the VPC Firewall, and view the details of the CCN instance associated with the object protected in multi-route table mode.
2. Rebind every network instance except the firewall-dedicated VPC to the route table it used before it was connected to CFW:
2.1 Select the route table used before CFW was connected, typically the _default_rtb table.
2.2 Select all instances except the firewall-dedicated ones.
2.3 Confirm the routes and click Completed.
3. After confirming that the network works normally, disable the Firewall Toggle for this CCN instance in the CFW console.
4. The traffic steering VPC and endpoints that were created are cleaned up automatically.

