Internet Firewall Toggle

Last updated: 2026-05-12 17:48:31
CFW provides the Internet Border Firewall Toggle feature. On the Internet Border Firewall Toggle page, it automatically detects your public IP addresses and associated cloud assets, configuring corresponding Firewall Toggles accordingly. The CFW Toggle supports one-click protection enablement, allowing you to activate security without any network deployment, routing policy configuration, or installation of image files. CFW delivers an immediate activation-upon-enabling experience.

Explanation of Access Mode

Working principles of the serial firewall:
Deployment path: Serial firewalls are deployed directly in the path of network data flow, where all passing packets must be inspected and processed by the firewall.
Processing data: Since serial firewalls need to process all passing packets, they have high requirements for performance and processing capability. If the firewall performance is insufficient, it may become a network bottleneck, affecting network speed and stability. Therefore, a new firewall instance must be created in each region for serial firewalls, with corresponding bandwidth allocated.
Security protection: Serial firewalls can perform deep inspection and processing of data packets, providing a high level of security. They prevent malicious packets from entering the network, protecting internal resources from attacks.

Supported Asset Types

Internet Firewall supports the following asset types:
Product name
Internet Firewall (Serial Mode)
Supported
Not supported
General BGP IP addresses
After the EIP is bound to an instance, this feature is supported, subject to whether the firewall toggle can be enabled in the console. If you have any questions, submit a ticket to contact us.
Dedicated BGP IP addresses
Accelerated IP addresses
Static single-line IP address
Anti-DDoS EIP
Internet access (dedicated line)
Supported
Triple-carrier IP
Not supported
CLB
Support is available in some regions. If you require support in other regions, submit a ticket to contact us for assessment.
Domain-named CLB
IPv6 CLB
Not supported
Classic CLB
Not supported
Not supported
Not supported
Not supported

Preparations for the Serial Firewall

Before using the serial firewall, complete the following preparations:

Assign Bandwidth to the Serial Firewall

Because the serial firewall is clustered by region and has a protection performance limit, you need to allocate bandwidth to each region where the serial firewall is required.
1. Log in to the CFW console, and in the left sidebar, select Firewall Toggle.
2. On the Firewall Toggle page, click Firewall settings in the upper-right corner.

3. Allocate bandwidth to regions where the serial firewall is required. It is recommended to make reasonable estimates based on peak business demands. Traffic exceeding the allocated bandwidth will not be protected, though this process will not affect network connectivity. For details, refer to Bandwidth.

Note:
North-south bandwidth: Allocating bandwidth for the serial firewall in the current version will consume north-south bandwidth.
General instance: Each additional serial firewall region in the current version consumes one general instance quota.
Serial Firewall regions: The regions supported in the current version are subject to those displayed in the Serial Firewall settings. More regions are being gradually rolled out. Stay tuned.

Confirm Assets Fall Within Protection Scope

Due to network architecture limitations, the current version of the serial firewall only supports protecting Elastic Public IPs (EIPs) with the latest network architecture. For specifics, refer to the console display. If you have questions, contact the EIP team for confirmation. Public CLB types are not currently supported. For protection, switch to an EIP + internal CLB configuration.

Serial Firewall Toggle Operations

1. Log in to the CFW console, and in the left sidebar, choose Firewall Toggle > Internet Firewall.
2. On the Internet Firewall page, locate the asset that requires protection and confirm that the access mode is displayed as serial.

3. Click the switch in the Firewall Toggle column to enable boundary protection for this asset.
4. Enabling the serial firewall is expected to take 1 minute and will not affect the network.
Note:
Serial mode requires using Private Link to establish connectivity from the VPC to the firewall.
When enabling the serial firewall for an EIP in the same VPC for the first time, you need to create a new endpoint for Private Link and a traffic-steered private IP address. Private Link within the specifications of the serial firewall (allocated bandwidth) incurs no additional fees, but exceeding the quota may incur certain charges. For details, see Private Link Pricing. Subsequent serial firewall toggles in the same VPC do not require recreating the Private Link.


Firewall Status Monitoring

You can fully monitor the protection status of the firewall and resource usage via the two main panels in the console.

Asset Protection Overview

On the Asset Protection Overview panel, you can quickly grasp the overall protection posture and manage resources. This panel primarily displays two categories of key information: first, protection status, including the number of unprotected and protected public IP addresses, along with the total allocated bandwidth in bypass mode and serial mode; second, resource quotas, namely the remaining available quotas for general instances and public IP address protection.
Click Enable One-click Protection to enable the firewall in batches for all supported public IPs.
Click Adjust Bandwidth to modify the allocated bandwidth for the serial firewall. For specific operations, see Allocate Bandwidth for Serial Firewall.
If resources are insufficient, click Scale-out to be redirected to the purchase page to expand your quota.


Bandwidth Usage Details

The Bandwidth Usage Details panel provides you with granular traffic monitoring and analysis based on time and dimensions.
On the Bandwidth Usage Details panel, you can view the peak bandwidth and allocated bandwidth of serial firewalls across all regions within the selected time period.

Click View monitoring to view and monitor the bandwidth status of public IP addresses in real time, and perform operations such as scaling out or disabling some toggles.
Note:
Peak bandwidth refers to the maximum value of uplink and downlink, meaning that if you purchase 100M bandwidth, CFW can simultaneously handle 100M uplink and 100M downlink traffic.


New Asset Auto-Enable

1. Log in to the CFW console, navigate to the Firewall Toggle page in the left sidebar, and click Firewall settings.

2. Choose Feature Configuration > Auto-Enable Switch for New Assets. When the protection quota for public IP addresses allows, the internet boundary toggle will be automatically enabled for newly added public IP assets. You can select below whether to automatically create Private Link.


Internet Firewall Excess Bypass Weight Setting

When traffic exceeds the bandwidth of the Internet Firewall, it triggers a bypass policy. CFW automatically disables some Firewall Toggles to bring traffic back within the bandwidth specification, and automatically re-enables them when traffic returns to normal.
Weight range: 0 - 100 (default: 1). A higher value indicates a higher priority.
Traffic limiting mechanism: When real-time bandwidth > purchased specification, the system automatically disables the Firewall Toggles with the highest weight first (if weights are equal, it disables them in descending order of peak bandwidth) until real-time bandwidth falls within the purchased specification.
Recovery mechanism: When real-time bandwidth ≤ purchased specification, the system automatically enables the Firewall Toggles with the highest weight first (if weights are equal, it enables them in descending order of peak bandwidth).
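
The disable order described above can be modelled offline to see which public IPs would lose protection during an overrun. This is an added example, not Tencent Cloud code: the Toggle class, plan_bypass, the sample IPs and the assumption that real-time bandwidth is the sum of each protected IP's live traffic are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Toggle:
    ip: str           # public IP behind the Firewall Toggle
    weight: int       # 0-100; the page's default is 1
    peak_mbps: float  # peak bandwidth, the tie-breaker for equal weights
    live_mbps: float  # assumed share of real-time bandwidth for this IP

def bypass_order(toggles):
    """Order stated on the page: highest weight first, ties by peak bandwidth, descending."""
    return sorted(toggles, key=lambda t: (-t.weight, -t.peak_mbps))

def plan_bypass(toggles, spec_mbps):
    """Return (disabled, protected) after an overrun of spec_mbps is handled."""
    for t in toggles:
        if not 0 <= t.weight <= 100:
            raise ValueError(f"weight {t.weight} for {t.ip} is outside 0-100")
    protected, disabled = list(toggles), []
    for t in bypass_order(toggles):
        if sum(p.live_mbps for p in protected) <= spec_mbps:
            break  # real-time bandwidth is back within the purchased specification
        protected.remove(t)
        disabled.append(t)
    return disabled, protected

# Constructed sample data (documentation-range IPs), not taken from a real account.
SAMPLE = [
    Toggle("203.0.113.10", weight=50, peak_mbps=80, live_mbps=60),
    Toggle("203.0.113.11", weight=1, peak_mbps=40, live_mbps=30),
    Toggle("203.0.113.12", weight=1, peak_mbps=90, live_mbps=70),
    Toggle("203.0.113.13", weight=0, peak_mbps=20, live_mbps=10),
]

if __name__ == "__main__":
    disabled, protected = plan_bypass(SAMPLE, spec_mbps=100)
    for t in disabled:
        print(f"UNPROTECTED {t.ip} weight={t.weight} live={t.live_mbps} Mbps")
    print("still protected:", [t.ip for t in protected])
```

Running the model against your own weights and peak figures before an overrun shows which assets would be left unprotected, so the weights can be reviewed against how critical each asset is.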


Operation Steps

1. Log in to the CFW console, navigate to the Firewall Toggle page in the left sidebar, and click Firewall settings.
2. On the Firewall Settings > Feature Configuration page, edit the weight of the specified Firewall Toggle.

3. Click Edit weight, select the Firewall Toggles, batch edit their weights, and click OK to save.


Synchronizing Assets

The interval for the backend's scheduled polling of user asset information is 5 minutes. Therefore, when the scale of user assets changes within this interval but has not yet been synchronized by the backend, you can click Sync assets above the list to promptly call the backend interface to re-read and synchronize the user's asset information and data.
When newly added assets do not appear in the Firewall Toggle list, you can click Sync assets above the list to attempt synchronization.


View Rules, Alarms, or Logs

In addition to enabling the Firewall Toggle in the asset list, you can perform other operations, primarily including viewing rules, alarms, and logs associated with the assets.
View rules: In the asset list, click View rules in the operation column to redirect to the rules page associated with the asset.

View alarms: In the asset list, choose More > Related alerts in the operation column, select a specific event type, and you will be redirected to the corresponding event page in the Alarm Center.

View logs: In the asset list, choose More > View logs in the operation column, select a specific log type, and you will be redirected to the corresponding log page.


Internet Firewall Bandwidth Overrun Handling

Bandwidth overload of the Internet Firewall will not cause packet loss in customer business traffic or affect the traffic rate, but the firewall will be unable to provide the protection feature.
Starting from September 25, 2024, when business bandwidth exceeds 100% of the Internet Firewall bandwidth, the following measures will be taken:
Disable some Internet Firewall Toggles to bypass a portion of traffic, only protecting traffic within the bandwidth specification.
The handling methods for serial and bypass modes are identical: disable some toggles to restrict traffic.
Support configuring the weight of Firewall Toggles to set the priority for automatically disabling Firewall Toggles.
For more details, see Bandwidth.

Related Information

To perform traffic management and security protection for private network assets, or to configure network traffic forwarding based on SNAT or DNAT, see NAT Firewall Toggle.
To automatically detect VPC information and interconnection relationships, and create CFW Toggles between each pair of interconnected VPCs, see VPC Firewall Toggle.
If you encounter issues related to the Internet Firewall, see the Basic Introduction documentation.
