In manual access mode, traffic is not automatically protected after you enable the Firewall Toggle. You must go to the CCN console to configure route traffic steering to the CFW for protection to take effect.
Multi-Route Table Access Mode
Prerequisite
You have enabled the Firewall Toggle and configured traffic steering in CFW console > NAT Boundary (Cluster). For details, see Firewall Toggle.
Step 1: Verifying the Firewall Traffic Steering VPC Creation
1. Log in to the VPC console and, in the left sidebar, click Cloud Connect Network.
2. In the CCN instance list, click the ID/Name of the automatically created CCN instance.
3. On the Associated to tab, check whether there is a VPC instance whose name contains "Dedicated NAT firewall drain VPC, Do not delete or modify" and whose status is Connected. This indicates that the traffic diversion VPC required by the firewall has been created successfully. If the traffic diversion VPC and its routing table have not been created, wait for the creation to complete or submit a ticket to contact us.
Step 2: Configuring Traffic Steering Routes
The purpose of this operation is to steer traffic from the business network instances that users need to protect to the CFW through the firewall gateway.
1. Go to the VPC > Routing Tables > Routing Tables page, and locate the default routing table of the automatically generated "Dedicated NAT firewall drain VPC, Do not delete or modify" instance.
2. Select the default routing table, and click Basic information.
3. On the Basic Information page, disable the routing entries of the original network instance (for example, entries whose next hop is a CCN).
4. Click Add routing policy to steer the next hop of the business instance to the firewall, and then click Create.
Destination: Enter 0.0.0.0/0.
Next Hop Type: Select Gateway Load Balancer Endpoint.
Next Hop: Select NAT Firewall Gateway ID. Remarks can be freely entered.
Note:
If a subnet conflict alert appears (for example, "Specified CIDR forms ECMP"), you need to first disable the original conflicting business routing entries in the default routing table.
5. On the Basic Information page, click Publish to CCN to manually publish this routing policy to the CCN. After publishing, you can view the specified routing policy in the default routing table of the corresponding CCN.
Notes:
Because the new routing policy conflicts with the original routing policy, the original routing entry will become invalid. You can ignore it.
Step 3: Creating an Inter-VPC Access Routing Table and Binding Instances
The purpose of this operation is to establish connectivity between the firewall network and the user's business network, enabling network intercommunication.
1. In the CCN instance list, click the ID/Name of the automatically created CCN instance.
2. On the Routing table tab, click Create route table to create a dedicated routing table for each network instance (such as a VPC or Direct Connect Gateway) that needs to be connected to the firewall.
3. On the Route receiving policy tab of each dedicated routing table, click Add policy.
4. For the matching condition, select Instance ID. Add "Dedicated NAT firewall drain VPC, Do not delete or modify" to this route receiving policy. For the propagation behavior, select Allow. Click OK.
5. On the Bind with instance tab of each dedicated routing table, click Bind network instance to bind the routing table to its corresponding network instance.
5.1 Select the network instance to be bound, click the corresponding , and then click Next: Route Confirmation.
5.2 Confirm the routes, then click Completed.
Note:
Before the instance is bound, traffic is forwarded according to the original routing table. As soon as the instance is bound, network traffic is steered to the firewall; the change takes effect immediately. Ensure that the routes are correct before proceeding with the binding.
Step 4: Verifying Network Instance Connectivity
1. Log in to the CFW console. Refer to Log Auditing to check whether there are traffic logs for the relevant business, which verifies whether traffic passes through the firewall.
2. Refer to Log Auditing to check whether Intrusion Defense is functioning normally.
3. Configure NAT Border Rules and check whether they are being hit normally.
The firewall is now functioning normally. If your network architecture is complex or involves dedicated line scenarios, please submit a ticket to consult on detailed routing configuration solutions. If you have further questions, you are also welcome to submit a ticket to contact us.
Disconnecting a NAT Gateway from CFW (Multi-Route Table)
Note:
Ensure that the NAT Gateway has been disassociated from the CFW before you disable the corresponding NAT Firewall Toggle. Otherwise, network interruption will occur.
1. Log in to the VPC console and, in the left sidebar, click Cloud Connect Network.
2. Go to the console of the CCN instance for which you need to disable the NAT Firewall, and view the details of the CCN instance associated with the multi-route table mode protection object.
3. Bind all network instances, except for the firewall-dedicated VPC, to the routing table that they used before they were connected to the CFW.
3.1 Select the routing table that was used before the instances were connected to the CFW, typically the _default_rtb table. Then choose Bind with instance > Bind network instance.
3.2 Select all instances except those dedicated to the firewall.
3.3 Confirm the routes, then click Completed.
4. After it is verified that the network is functioning normally, disable the Firewall Toggle corresponding to the current NAT Gateway in the CFW console.