What types of public IPs will not appear in the switch list of the Internet border firewall?

Public IPs that typically do not appear in the switch list of an Internet border firewall include:

  1. Private IPs used in NAT (Network Address Translation):

    • These are internal IPs (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are translated to a public IP when accessing the internet. The firewall only sees the public IP after NAT, not the original private IPs.
    • Example: A server with IP 192.168.1.10 inside a data center uses NAT to access the internet via a public IP 203.0.113.5. The firewall logs show 203.0.113.5, not 192.168.1.10.
  2. Ephemeral IPs (temporary public IPs):

    • Some cloud services assign temporary public IPs to instances that change upon restart or termination. These IPs may not persist in firewall logs if they are frequently rotated.
    • Example: A virtual machine in a cloud environment uses an ephemeral IP 198.51.100.1 for a session, which changes after a reboot. The firewall may not retain this IP in its switch list.
  3. IPs used in proxy or VPN services:

    • Traffic routed through proxies or VPNs appears to originate from the proxy/VPN's public IP, masking the original client IPs. The firewall only logs the proxy/VPN IP.
    • Example: A user accesses the internet via a proxy server with IP 203.0.113.10. The firewall sees 203.0.113.10 but not the user's real IP.
  4. IPs from dynamic DNS or failover systems:

    • Systems using dynamic DNS or failover mechanisms may switch between multiple public IPs. The firewall may only log the current active IP, not all possible IPs.
    • Example: A website uses failover between 203.0.113.1 and 203.0.113.2. The firewall logs whichever IP is active at the time.

For cloud environments, Tencent Cloud provides services like Elastic Public IP (EIP) for stable public IP management and NAT Gateway for efficient NAT operations, ensuring predictable IP handling in firewall configurations.
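
The four cases above can be checked by reconciling an asset inventory against the firewall's switch list. The following is an added example, not code from the original page or from Tencent Cloud. The inventory fields (`name`, `ip`, `nat_ip`, `ephemeral`), the status labels, and the idea of exporting the switch list as a plain list of IPs are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges named on the page. They are matched explicitly because the
# page's sample public IPs (203.0.113.x, 198.51.100.x) are documentation
# ranges, which ipaddress.is_private also reports as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def reconcile(assets, switch_list):
    """Map each asset name to (status, ip_to_check_on_the_firewall)."""
    listed = set(switch_list)
    report = {}
    for asset in assets:
        ip = asset["ip"]
        if is_rfc1918(ip):
            # Private host: only its NAT egress IP can be on the list.
            nat_ip = asset.get("nat_ip")
            status = "covered_by_nat_ip" if nat_ip in listed else "nat_ip_not_listed"
            report[asset["name"]] = (status, nat_ip)
        elif ip in listed:
            report[asset["name"]] = ("listed", ip)
        elif asset.get("ephemeral"):
            # Recorded IP no longer on the list: likely rotated after a restart.
            report[asset["name"]] = ("ephemeral_ip_rotated", ip)
        else:
            report[asset["name"]] = ("not_listed", ip)
    return report

# Constructed inventory and switch list, reusing the page's example addresses.
ASSETS = [
    {"name": "dc-server", "ip": "192.168.1.10", "nat_ip": "203.0.113.5"},
    {"name": "cloud-vm", "ip": "198.51.100.1", "ephemeral": True},
    {"name": "web-active", "ip": "203.0.113.1"},
    {"name": "web-standby", "ip": "203.0.113.2"},
]
SWITCH_LIST = ["203.0.113.5", "203.0.113.1", "203.0.113.10"]

if __name__ == "__main__":
    for name, (status, ip) in reconcile(ASSETS, SWITCH_LIST).items():
        print(f"{name:12} {status:22} {ip}")
```

Assets reported as `nat_ip_not_listed`, `ephemeral_ip_rotated` or `not_listed` are the ones whose firewall coverage should be reviewed by hand.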