Internet Perimeter Firewall Switch

Last updated: 2024-03-08 16:02:53
    Cloud Firewall offers an edge firewall toggle feature. On the Edge firewalls page, it can automatically detect the public IPs you own and the associated cloud assets, and configure the corresponding firewall toggle for you. The Cloud Firewall toggle supports one-click protection, eliminating the need for any network access deployment or routing policy configuration. Moreover, there is no requirement to install any image files. The Cloud Firewall offers a plug-and-play product experience.

    Traffic Mode Explanation

    How It Works: Serial Firewall
    Deployment Path: The serial firewall is deployed directly on the path of the network data flow, so every passing packet is inspected and processed by the firewall.
    Data Processing: Because a serial firewall must process every packet that passes through it, it has high performance and processing-capacity requirements. If the firewall's performance is insufficient, it can become a network bottleneck and affect network speed and stability. Therefore, a firewall instance must be created in each region where a serial firewall is used, and the corresponding bandwidth must be allocated to it.
    Security Protection: The serial firewall can perform deep inspection and processing of packets, providing a high level of security. It can stop malicious packets from entering the network, protecting internal resources from attacks.

    Preparation for Serial Firewall

    Before using the serial firewall, please do the following preparations:

    Allocate Bandwidth to the Serial Firewall

    Since a serial firewall has regional cluster attributes and an upper limit on protection performance, users need to allocate bandwidth for the regions that need to use the serial firewall.
    1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
    2. On the Firewall Toggles page, click Firewall settings.
    3. Allocate bandwidth to the regions where you need to use the serial firewall. Estimate the allocation from your business peak: traffic that exceeds the allocated bandwidth may trigger service degradation, which shuts down some firewall toggles automatically.
    Note:
    General bandwidth: Allocating bandwidth to the serial firewall in the current version consumes general bandwidth, which is shared with the NAT edge firewall.
    General instance: Each newly added serial firewall region in the current version consumes one general instance quota, which is shared with the NAT edge firewall.
    Serial firewall region: The regions supported by the current version are those shown in the serial firewall settings described above. More regions are being rolled out gradually (gray release).

    Confirm Assets Within Protection Range

    Due to network architecture limitations, the current version of the serial firewall only supports protecting Elastic Public IPs (EIPs) on the latest network architecture, as shown in the console. If you are unsure, contact the Elastic IP team for confirmation. Public CLB instances are not currently supported; if they need protection, switch to an EIP + private CLB setup, which is supported.

    Serial Firewall Toggle Operation

    1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
    2. On the Edge firewalls page, find the assets to be protected.
    3. Click the toggle in the Firewall Toggles column to protect this asset at the edge.
    4. Enabling the serial firewall takes approximately 1 minute and has no effect on the network.
    Note:
    Serial mode uses Private Link to connect the VPC to the firewall.
    The first time an EIP in a VPC enables the serial firewall, a new Private Link endpoint and a private IP for traffic diversion are created. There is no additional charge for the Private Link within the scope of your serial firewall, but additional charges may apply beyond that; see Private Link Price. When you later toggle the serial firewall for other EIPs in the same VPC, no new Private Link is needed.

    Status monitoring

    You can monitor the bandwidth status per public IP in real time, so that you can scale up or selectively close toggles before a degradation is triggered.
    1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
    2. In the upper right corner of the Status Monitoring panel on the Edge firewalls page, click the icon.
    3. On the Status Monitoring page, view and monitor the bandwidth per public IP in real time, and perform operations such as expanding capacity or turning off some toggles.
    Note:
    Peak bandwidth is the larger of the upstream and downstream values. For example, if you purchase 100 Mbps of bandwidth, the Cloud Firewall can handle 100 Mbps upstream and 100 Mbps downstream at the same time.

    Automatic Activation for New Assets

    1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
    2. On the Firewall Toggles page, click Firewall settings.
    3. Click Enable for new assets. Within your quota of protected public IPs, the edge firewall is then enabled automatically for newly added public IP assets. You can choose whether the serial traffic mode is enabled by default and whether a Private Link is created automatically.

    Serial Firewall Disaster Recovery Configuration

    When the serial firewall's bandwidth exceeds the allocated value for 5 consecutive minutes, a service downgrade policy is triggered.
    You can set the weight of each toggle. After the limit is exceeded, toggles are bypassed in the order of the weights you set until the region's bandwidth is back within specification. If weights are equal, toggles are turned off in decreasing order of peak bandwidth. The default weight is 1; the maximum is 100 and the minimum is 0, and the higher the weight, the higher the priority.

    Directions

    1. Log in to the Cloud Firewall Console, and in the left navigation bar, select Firewall Toggles > Edge firewalls.
    2. On the Firewall Toggles page, click Firewall settings.
    3. On the Firewall settings page, edit the weight of the designated firewall toggle.
    4. Click Edit weight, select the firewall toggles, edit their weights in bulk, and click OK to save.

    Syncing Assets

    The backend polls your asset information every 5 minutes. If your assets change within that interval and the change has not yet been synchronized, click Sync assets at the top of the list to call the backend interface immediately and re-read your asset information.
    If new assets do not appear in the Firewall Toggles list, click Sync assets at the top of the list to attempt synchronization.

    Viewing Rules, Alerts, or Logs

    In addition to enabling Firewall Toggles in the asset list, you can perform other operations, mainly viewing the rules, alerts, and logs related to an asset.
    View Rules: In the asset list, click View Rules in the operation column; you are redirected to the rules associated with the asset.
    View Alerts: In the asset list, click More > View Alerts in the operation column and select an event type; you are redirected to the corresponding event page in the alert center.
    View Logs: In the asset list, click More > View Logs in the operation column and select a log type; you are redirected to the corresponding log page.

    Disposal of Excessive Bandwidth of Network Edge Firewall

    Cluster protection resources are limited. To keep the user experience and your business stable, and to leave room for scaling and reaction time during traffic fluctuations and peaks, the following policy applies when bandwidth is exceeded:
    When the serial firewall's public network traffic exceeds 150% of the bandwidth specification for five consecutive minutes, firewall toggles are shut off automatically according to your serial firewall disaster recovery configuration, and they are not turned back on automatically. Watch the bandwidth warnings and service downgrade notifications, and set the firewall bandwidth threshold appropriately.
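    As an added example (not Tencent Cloud's code), the following models the degradation policy described here and in Serial Firewall Disaster Recovery Configuration, with peak bandwidth taken as the larger of upstream and downstream as defined under Status monitoring. It assumes one sample per minute, that a higher weight means a toggle is bypassed later, and uses constructed EIP labels and traffic figures.

```python
from dataclasses import dataclass

OVERLOAD_RATIO = 1.5      # degrade when traffic exceeds 150% of the bandwidth spec
OVERLOAD_MINUTES = 5      # ... for five consecutive one-minute samples

@dataclass
class Toggle:
    eip: str                 # constructed label, not a real address
    weight: int              # 0..100, default 1 (assumed: higher = bypassed later)
    up_mbps: list            # one upstream sample per minute
    down_mbps: list          # one downstream sample per minute

    def peaks(self):
        # Peak bandwidth is the larger of upstream and downstream for each sample.
        return [max(u, d) for u, d in zip(self.up_mbps, self.down_mbps)]

def region_peaks(toggles):
    """Per-minute total peak bandwidth of all active toggles in the region."""
    return [sum(p) for p in zip(*(t.peaks() for t in toggles))] if toggles else []

def sustained_overload(series, spec_mbps):
    """True when the last OVERLOAD_MINUTES samples all exceed 150% of the spec."""
    window = series[-OVERLOAD_MINUTES:]
    return len(window) == OVERLOAD_MINUTES and all(v > OVERLOAD_RATIO * spec_mbps for v in window)

def bypass_order(toggles):
    """Lowest weight first; equal weights in decreasing order of peak bandwidth."""
    return sorted(toggles, key=lambda t: (t.weight, -max(t.peaks())))

def degrade(toggles, spec_mbps):
    """Return the EIP labels bypassed until the region's current bandwidth fits the spec."""
    active = list(toggles)
    if not sustained_overload(region_peaks(active), spec_mbps):
        return []
    bypassed = []
    for t in bypass_order(active):
        if region_peaks(active)[-1] <= spec_mbps:
            break
        active.remove(t)
        bypassed.append(t.eip)
    return bypassed

# Constructed sample: a 100 Mbps region spec and three EIPs sampled over five minutes.
SAMPLE = [
    Toggle("eip-A", weight=10, up_mbps=[40] * 5, down_mbps=[30] * 5),  # peak 40
    Toggle("eip-B", weight=1, up_mbps=[60] * 5, down_mbps=[90] * 5),   # peak 90
    Toggle("eip-C", weight=1, up_mbps=[50] * 5, down_mbps=[20] * 5),   # peak 50
]
```

    With the sample, the region carries 180 Mbps for five minutes (over 150 Mbps), so only eip-B is bypassed: it shares the lowest weight with eip-C but has the higher peak, and removing it brings the region to 90 Mbps.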

    Related Information

    If you need to manage traffic and protect assets in the private network, or forward network traffic based on SNAT and DNAT, please refer to the NAT Border Firewall Toggle operation.
    If you need to automatically detect VPC information and interconnections, and set a Cloud Firewall toggle for each interconnected pair of VPCs, please refer to the Inter-VPC Firewall Toggle operation.