What are the firewall subnets that are automatically created in the VPC and the firewall routes in the route table?

In a Virtual Private Cloud (VPC), deploying a network firewall (a managed cloud firewall or a firewall appliance you run yourself) involves two kinds of objects: dedicated firewall subnets that host the firewall's interfaces, and route table entries that steer traffic through those interfaces. Which of these the platform creates for you and which you must add yourself differs between cloud providers, so after a deployment inspect the VPC's subnet list and route tables rather than assuming the traffic steering is in place. A firewall that no route points at inspects nothing.

Firewall Subnets

These are typically "DMZ" (Demilitarized Zone) subnets or "Security" subnets where firewalls or security appliances are deployed. For example:

  • A DMZ subnet is created to host public-facing services (e.g., web servers) while isolating them from internal resources.
  • A Security subnet may be used for deploying next-generation firewalls (NGFW) or intrusion detection/prevention systems (IDS/IPS).

Example:
If you create a VPC with public and private subnets and then deploy a firewall, a dedicated DMZ or firewall subnet (e.g., 10.0.1.0/24) is added, either by the platform's firewall deployment or by you, to host the firewall that sits between the internet and internal resources. Keep this subnet separate from the application subnets: the firewall needs its own route table (its egress must go to the internet gateway or NAT, not back to itself), and application subnets should hold nothing but workloads so their route tables can be pointed at the firewall wholesale.

Firewall Routes in the Route Table

These are routes whose next hop is the firewall's network interface rather than the internet gateway or the VPC-local path, so traffic is inspected or filtered before it reaches its destination. Common examples include:

  1. Internet-bound traffic: a default route (destination 0.0.0.0/0) in an application subnet's route table with the firewall in the DMZ subnet as next hop, so egress is inspected before it reaches the internet gateway or NAT.
  2. Private-to-public (east-west) traffic: a route in the private subnet's route table for the public subnet's prefix (e.g., destination 10.0.0.0/24 → firewall) together with the mirror route in the public subnet's route table (destination 10.0.2.0/24 → firewall), so both directions of a flow pass the same stateful firewall. A default route alone does not cover this traffic: the VPC's local route for the whole VPC CIDR is more specific than 0.0.0.0/0 and wins, so intra-VPC traffic bypasses the firewall unless you add routes more specific than the local route (where the platform permits them).
  3. Inter-VPC or hybrid connectivity: routes for peered-VPC or on-premises prefixes whose next hop is the firewall in a dedicated security subnet, so cross-network traffic is inspected on the way in and out.

Example:
In a VPC with:

  • Public subnet (10.0.0.0/24)
  • Private subnet (10.0.2.0/24)
  • DMZ subnet (10.0.1.0/24) with a firewall

The route table for the private subnet might include:

  • 0.0.0.0/0 → 10.0.1.4 (firewall IP in DMZ)
    This ensures all outgoing traffic from private instances is inspected by the firewall before exiting the VPC.
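As an added worked example (not from the original page or any cloud provider's documentation), the following Python model applies longest-prefix-match routing to the three subnets above and traces where packets actually go. It assumes a firewall instance at 10.0.1.4 that forwards using the DMZ subnet's route table, a platform that accepts routes more specific than the VPC local route with the firewall as next hop, and a constructed internet address 203.0.113.5. It shows that the default route alone never intercepts private-to-public traffic (the /16 local route wins), that adding the /24 routes on both sides makes the east-west path symmetric, and that a DMZ table pointing its own default route at the firewall loops.

```python
"""Longest-prefix-match model of the three-subnet VPC discussed above.
Illustrative only (not any provider's API). Assumed: a firewall instance
at 10.0.1.4 forwarding via the DMZ route table, and a platform that accepts
routes more specific than the VPC local route with the firewall as next hop."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
addr = ipaddress.ip_address

VPC_CIDR = Net("10.0.0.0/16")
DEFAULT = Net("0.0.0.0/0")
FIREWALL_IP = "10.0.1.4"       # firewall interface in the DMZ subnet (assumed)
INTERNET_HOST = "203.0.113.5"  # constructed RFC 5737 test address
SUBNETS = {
    "public": Net("10.0.0.0/24"),
    "dmz": Net("10.0.1.0/24"),
    "private": Net("10.0.2.0/24"),
}


@dataclass(frozen=True)
class Route:
    dest: Net
    next_hop: str  # "local", "igw", or the IP of a firewall interface


LOCAL = Route(VPC_CIDR, "local")

# Layout from the text: only the private subnet defaults to the firewall.
# East-west traffic still matches the /16 local route, which is more
# specific than 0.0.0.0/0, so it is never inspected.
WEAK = {
    "public": [LOCAL, Route(DEFAULT, "igw")],
    "dmz": [LOCAL, Route(DEFAULT, "igw")],
    "private": [LOCAL, Route(DEFAULT, FIREWALL_IP)],
}
# Hardened layout: /24 routes, more specific than the local route, send
# private<->public traffic through the firewall in BOTH directions, so the
# stateful firewall sees each flow symmetrically.
HARDENED = {
    "public": WEAK["public"] + [Route(SUBNETS["private"], FIREWALL_IP)],
    "dmz": WEAK["dmz"],
    "private": WEAK["private"] + [Route(SUBNETS["public"], FIREWALL_IP)],
}
# Misconfiguration: the DMZ table also defaults to the firewall, so the
# firewall's own egress loops back to itself instead of reaching the IGW.
LOOPED = dict(WEAK, dmz=[LOCAL, Route(DEFAULT, FIREWALL_IP)])


def subnet_of(ip):
    return next((n for n, c in SUBNETS.items() if ip in c), "internet")


def lookup(routes, dst):
    """Longest-prefix match, the rule every VPC route table applies."""
    matches = [r for r in routes if dst in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def trace(src, dst, tables):
    """Return the ordered hops a packet takes from src to dst."""
    src, dst = addr(src), addr(dst)
    hops, current = [f"{subnet_of(src)}:{src}"], src
    for _ in range(4):  # bounded so a routing loop cannot hang the model
        route = lookup(tables[subnet_of(current)], dst)
        if route is None:
            hops.append("dropped: no route")
            return hops
        if route.next_hop == "local":
            hops.append(f"{subnet_of(dst)}:{dst}")
            return hops
        if route.next_hop == "igw":
            hops.append(f"igw -> {dst}")
            return hops
        nxt = addr(route.next_hop)
        if nxt == current:
            hops.append("dropped: routing loop at firewall")
            return hops
        hops.append(f"firewall:{nxt}")
        current = nxt  # the firewall forwards using its own subnet's table
    hops.append("dropped: hop limit")
    return hops


def inspected(hops):
    return any(h.startswith("firewall:") for h in hops)


def symmetric(tables, a, b):
    """True only if both directions of an a<->b flow pass the firewall."""
    return inspected(trace(a, b, tables)) and inspected(trace(b, a, tables))


if __name__ == "__main__":
    for label, tables in (("weak", WEAK), ("hardened", HARDENED), ("looped", LOOPED)):
        path = " -> ".join(trace("10.0.2.10", INTERNET_HOST, tables))
        print(f"{label:9} private->internet: {path}")
        print(f"{label:9} private<->public inspected both ways: "
              f"{symmetric(tables, '10.0.2.10', '10.0.0.20')}")
```

Run it against your own route tables by replacing the dictionaries with the routes exported from the console or CLI; the useful checks are `symmetric(...)` for every pair of subnets that should be inspected and a `trace(...)` to the internet from each subnet to confirm the firewall's egress reaches the gateway rather than looping.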

Recommendation for Scalable Firewall Management

For most filtering needs, start with Tencent Cloud's Security Groups (stateful, attached to instances) and Network ACLs (stateless, attached to subnets): both enforce allow and deny rules without any firewall subnet or route changes, so there is no steering to get wrong. Deploy Tencent Cloud's Next-Generation Firewall (NGFW) in a dedicated subnet when you need deeper inspection or centralized logging and policy across many subnets. In that case the routes described above are what actually deliver traffic to the firewall, so verify them (in both directions of each flow) after every deployment or subnet change.