Tencent Cloud Firewall

Overview

Last updated: 2026-01-23 17:06:14
CFW provides a toggle for the cluster mode VPC border firewall. The VPC Firewall page automatically detects your CCN instances and configures the corresponding Firewall Toggle for you.
To configure the cluster mode VPC Firewall, log in to the CFW console and choose Firewall Toggle > VPC Firewall in the left sidebar.

Access Impact

When access to the VPC Firewall is enabled, a network jitter of 1-2 seconds may occur as routes take effect, because traffic steering relies on dynamic route publishing. During this period, cross-VPC or intra-VPC CVM communication is not interrupted; users perceive only brief latency fluctuations.
Note:
This network jitter is a normal technical phenomenon during route publishing. It is recommended to perform the Firewall Toggle enabling operation during off-peak business hours and verify the automatic reconnection capability of critical services in advance.

Firewall Toggle

1. Log in to the CFW Console, choose Firewall Toggle > VPC Firewall in the left sidebar.
2. On the VPC Firewall page, locate the CCN instances requiring protection in the Protection Objects column and enable the Firewall Toggle.
Note:
Enabling protection for each CCN instance consumes 1 general instance quota. Make sure sufficient quota is available before enabling.
3. In the pop-up window, select the access mode:
Automatic access: CFW automatically coordinates with CCN to configure policy-based routing tables according to your configured VPC traffic steering policy.
Manual access: You configure traffic steering yourself on the CCN console.
Note:
The policy-based routing access methods in both automatic and manual access modes rely on the policy-based routing feature of CCN. This feature is currently in public beta and is unavailable by default. To use it, submit a ticket to CFW to apply.
4. Follow the Automatic Access Configuration Guide or Manual Access Configuration Guide based on the selected access mode to complete the subsequent access operations.
5. In the instance list, you can perform operations such as disabling and editing on protected CCN instances.
Note:
After the Firewall Toggle is disabled, relevant network assets (such as VPCs and subnets) used by the current CCN-type instance to access the firewall will be automatically cleared.
When the access mode of the current protected object is manual access, be sure to manually cancel the access of this CCN instance in the CFW console before disabling the Firewall Toggle. Otherwise, directly disabling the toggle may cause network interruption. For detailed steps, see Canceling CCN Instance Access to CFW (multi-route table) and Canceling CCN Instance Access to CFW (Policy-based routing).

Spec Adjustment

On the VPC Firewall page, click Scale-out to redirect to the purchase page where you can scale parameters such as bandwidth and log storage capacity.
In cluster mode, all CCN instances with the toggle enabled share the VPC firewall bandwidth, so you don't need to adjust settings for individual instances.

Firewall Status Monitoring

VPC Firewall status monitoring supports statistics on the bandwidth of each CCN instance.
1. In the upper-right corner of the bandwidth configuration panel, click View Monitoring.
2. On the Status Monitoring - ①VPC Firewall page, you can filter the dimension for bandwidth monitoring by ②CCN instance name, or choose to ③switch to connections. By selecting a ④time range, you can modify the statistical dimension. You can view the ⑤monitoring curve and examine ⑥monitoring data from different perspectives.
Note:
Due to differences in statistical models and collection frequencies, there may be normal deviations between monitoring data and the Observability Platform.




Differences Between Primary/Secondary Mode and Cluster Mode

For differences between the primary/secondary mode and cluster mode editions of VPC Firewall, see the following table.
| Comparison Dimension | Primary/Secondary Mode | Cluster Mode |
| --- | --- | --- |
| Architecture Type | Active-Standby Architecture | Multi-Active Architecture |
| Upgrade Impacts | Primary/secondary switchover causes network jitter. | Zero-downtime Upgrade |
| Ops complexity | Requires users to manage primary/secondary instances. | Automatic node maintenance and upgrades |
| High availability | When the host machine fails, the standby machine automatically takes over. | Multi-node load distribution, unaffected by single point of failure. |


