
Custom Routing Configuration Guide

Last updated: 2025-07-04 18:15:13

Integrating a CCN Instance with a Cloud Firewall

Step 1: Create a custom routing pattern instance.

Follow VPC Boundary Firewall to turn on the firewall switch for the target CCN instance, and choose Custom Routing as the integration mode.

Step 2: Configure traffic attraction routing.

This step steers the business traffic that needs protection, together with the CCN instance, through the firewall gateway to the Cloud Firewall.
1. Open the console of the CCN instance you selected when enabling the VPC boundary firewall, and view the details of the CCN instance associated with the custom routing mode.
2. Confirm that the firewall traffic diversion VPC and its route table have been created. If they have not, wait for instance creation to finish or submit a ticket to contact us.
3. On the default route table page, identify the business VPCs to be connected and the firewall traffic diversion VPC.
Notes:
This document uses the following example: Beijing business VPC VPC-A, Chongqing business VPC VPC-B, and Beijing regional firewall traffic diversion VPC VPC-BJFW.



4. Go to the Virtual Private Cloud > Route Table page and select the firewall traffic diversion VPC to be connected. You will see two route tables: "Firewall VPC Dedicated Route Table_Do Not Delete or Modify" and "default". Select the "default" route table and edit its routing policies.

5. Click Add Routing Policy to point the business VPC's next hop at the firewall.



Enter the CIDR of the business VPC as the destination. Select Gateway Load Balancer endpoint as the next hop type, and select the firewall gateway ID as the next hop. The remark is optional.



Notes:
If the console warns that the specified CIDR would form ECMP, an existing route for that CIDR is still active in the default route table. Disable that business route first; otherwise traffic to the CIDR would be split across both next hops and only part of it would reach the firewall.
6. Add the new route and publish it to the CCN (see Manage Routing Policies). After publishing, the routing policy appears in the default route table of the corresponding CCN.
Notes:
The original route entries for the same CIDR become invalid because they conflict with the newly published route. This is expected and can be ignored.




Step 3: Create a Route Table to Connect Business VPCs

This step connects the firewall network with your business network so that the two can reach each other.
1. On the CCN page, create a dedicated route table for each business VPC whose traffic is diverted to the firewall.

2. Adjust the route reception policy. In the route reception policy of each VPC's dedicated route table, click Add Network Instance and add both the VPC that owns the route table and the VPC instances it interconnects with.
Notes:
Adding network instances must be done in two separate steps: first add the VPC itself together with any VPC that does not pass through firewall protection; then add the VPC dedicated to firewall traffic diversion.
For example, assume VPC-C is a business VPC that does not need to go through the firewall. In VPC-A's route table, first add two instances, VPC-A and VPC-C. After they are added successfully, repeat the operation to add one instance, VPC-BJFW.



3. Check that the route entries in each VPC's route table match expectations.
4. Bind the network instance. In the Bind Instance section of each VPC's dedicated route table, click Bind Network Instance and bind the table to its corresponding VPC instance. Once bound, traffic is diverted to the firewall.
Notes:
Confirm the routes are correct before binding the route table; binding takes effect immediately.
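The two checks this procedure relies on, disabling a conflicting route before adding the firewall route in Step 2 and accepting instances into a dedicated route table in two passes in Step 3, can be rehearsed offline before anything is bound. The following Python is an added example written for this guide, not Tencent Cloud code or API output. The CIDRs, instance IDs, the "GWLB_ENDPOINT" label and the precedence rule it models (the first accepted route for a CIDR stays valid and later duplicates are marked invalid, which is the behaviour the two-step ordering above is working around) are all constructed assumptions.

```python
"""Offline rehearsal of the route checks in Steps 2 and 3 of this guide.

Constructed example: every CIDR, instance ID and the precedence rule are
assumptions for illustration, not values or behaviour taken from a real
Tencent Cloud account.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    dest: str           # destination CIDR
    next_hop_type: str  # e.g. "GWLB_ENDPOINT" (assumed label), "CCN", "LOCAL"
    next_hop: str       # next-hop ID, e.g. the firewall gateway ID
    enabled: bool = True

    def __post_init__(self):
        ipaddress.ip_network(self.dest)  # reject malformed CIDRs early


def ecmp_conflicts(routes):
    """CIDRs with more than one enabled route, i.e. the condition behind the
    console's 'specified CIDR forming ECMP' prompt in Step 2."""
    by_dest = defaultdict(list)
    for r in routes:
        if r.enabled:
            by_dest[r.dest].append(r)
    return sorted(d for d, rs in by_dest.items() if len(rs) > 1)


def prepare_attraction_routes(existing, business_cidrs, fw_gateway_id):
    """Step 2: disable any enabled route that already covers a business CIDR,
    then add one route per business CIDR whose next hop is the firewall
    gateway, so each protected CIDR has exactly one active path."""
    table = []
    for r in existing:
        if r.enabled and r.dest in business_cidrs:
            r = Route(r.dest, r.next_hop_type, r.next_hop, enabled=False)
        table.append(r)
    for cidr in sorted(business_cidrs):
        table.append(Route(cidr, "GWLB_ENDPOINT", fw_gateway_id))
    return table


def receive_routes(accept_order, published):
    """Step 3: build a VPC's dedicated CCN route table by accepting network
    instances in the given order. `published` maps instance ID -> list of
    (cidr, next_hop_instance). Assumed rule: the first accepted route for a
    CIDR stays valid and any later duplicate is marked invalid, which is why
    the guide adds the firewall VPC in a second pass."""
    valid, invalid = {}, []
    for inst in accept_order:
        for cidr, hop in published.get(inst, []):
            if cidr in valid:
                invalid.append((cidr, hop))
            else:
                valid[cidr] = hop
    return valid, invalid


def check_table(valid, own_inst, own_cidr, protected_cidrs, fw_vpc):
    """Pre-bind check: the VPC's own CIDR must stay with the VPC itself, and
    every other protected CIDR must resolve via the firewall diversion VPC."""
    problems = []
    if valid.get(own_cidr) != own_inst:
        problems.append(f"{own_cidr} (own) resolves via {valid.get(own_cidr)}, not {own_inst}")
    for cidr in sorted(protected_cidrs - {own_cidr}):
        if valid.get(cidr) != fw_vpc:
            problems.append(f"{cidr} bypasses the firewall via {valid.get(cidr)}")
    return problems


# Constructed topology mirroring the guide's VPC-A / VPC-B / VPC-C / VPC-BJFW example.
FW_GATEWAY = "gwlb-endpoint-fw-demo"            # assumed firewall gateway ID
BUSINESS = {"10.1.0.0/16", "10.2.0.0/16"}       # VPC-A and VPC-B, both protected
FW_DEFAULT_TABLE = [                            # VPC-BJFW default table before Step 2
    Route("10.255.0.0/24", "LOCAL", "local"),
    Route("10.1.0.0/16", "CCN", "ccn-demo"),
    Route("10.2.0.0/16", "CCN", "ccn-demo"),
    Route("10.3.0.0/16", "CCN", "ccn-demo"),
]
PUBLISHED = {                                   # routes each instance publishes to the CCN
    "vpc-a": [("10.1.0.0/16", "vpc-a")],
    "vpc-b": [("10.2.0.0/16", "vpc-b")],
    "vpc-c": [("10.3.0.0/16", "vpc-c")],        # VPC-C is not behind the firewall
    "vpc-bjfw": [("10.1.0.0/16", "vpc-bjfw"), ("10.2.0.0/16", "vpc-bjfw"),
                 ("10.255.0.0/24", "vpc-bjfw")],  # as published after Step 2
}

if __name__ == "__main__":
    naive = FW_DEFAULT_TABLE + [Route("10.1.0.0/16", "GWLB_ENDPOINT", FW_GATEWAY)]
    print("ECMP if the old route is left enabled:", ecmp_conflicts(naive))
    print("ECMP after preparation:", ecmp_conflicts(
        prepare_attraction_routes(FW_DEFAULT_TABLE, BUSINESS, FW_GATEWAY)))
    for order in (["vpc-a", "vpc-c", "vpc-bjfw"],            # the guide's two-pass order
                  ["vpc-bjfw", "vpc-a", "vpc-c"],            # firewall VPC accepted first
                  ["vpc-a", "vpc-b", "vpc-c", "vpc-bjfw"]):  # VPC-B accepted directly
        valid, _ = receive_routes(order, PUBLISHED)
        print(order, "->", check_table(valid, "vpc-a", "10.1.0.0/16", BUSINESS, "vpc-bjfw") or "OK")
```

The two wrong orders show the failure modes worth catching before binding: accepting VPC-BJFW first hairpins VPC-A's own CIDR through the firewall, and accepting VPC-B directly gives VPC-A a path to VPC-B that never touches the firewall. The real check is still the route table shown in the console; the script only makes explicit what to look for there.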

Step 4: Verify If the Firewall Is Working Properly

1. See Log Audit to check whether traffic logs are being generated.
2. See Log Audit to check whether intrusion prevention is working.
3. Configure private network rules and check that they are hit as expected.

The firewall is now working. If your network is complex or involves a dedicated line scenario, submit a ticket for a detailed routing configuration solution. If you have further questions, submit a ticket to contact us.

Canceling the Integration of a CCN Instance with a Cloud Firewall

Notes:
Before turning off the VPC boundary firewall switch, confirm that the CCN instance has been disconnected from the Cloud Firewall (CFW); otherwise the network may be interrupted.
1. Open the console of the CCN instance for which the VPC boundary firewall is to be disabled, and view the details of the CCN instance associated with the protected object in custom routing mode.
2. Bind all network instances except the firewall-dedicated VPC back to the route table used before integration with the Cloud Firewall.
2.1 Select the route table used before the integration, typically the _default_rtb table.



2.2 Select all instances except the firewall-dedicated ones.



2.3 Confirm the routes. The integration with the Cloud Firewall is now canceled.



3. Check the network status. If it is normal, turn off the firewall switch for the current CCN instance in the CFW console.