A VPC firewall manages the south-north traffic of a VPC network and
allows you to manage access control policies by configuring rule sets and rules.
The VPC firewall topology is shown in Figure 1.
Figure 1. VPC Firewall
Assume that VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the
inbound rule set of the public NIC on the VPC vRouter. If malicious traffic is
detected, the access is denied.
Assume that VM-2 attempts to access VM-4: The traffic from VM-2 is matched against the
inbound rule set of the public NIC on the VPC vRouter, and then against the
outbound rule set of the private NIC on the VPC vRouter. If trusted traffic is
detected, the access is allowed.
Assume that Server-2 attempts to access Server-1: The traffic from Server-2 is
matched against the inbound rule set of the private NIC on the VPC vRouter, and then
against the outbound rule set of the public NIC on the VPC vRouter. If trusted
traffic is detected, the access is allowed.
Difference between a VPC firewall and a security group: A VPC firewall
manages the south-north traffic and applies to the entire VPC. By contrast,
a security group mainly manages the east-west traffic and applies to VM NICs.
The two complement each other. The detailed differences are as follows.
Comparison           | Security Group                                            | VPC Firewall
Application scope    | VM NIC                                                    | The entire VPC network
Deployment mode      | Distributed                                               | Centralized
Deployment location  | VM instance                                               | VPC vRouter
Configuration policy | Supports only allow policies                              | Lets you customize the accept, drop, or reject policy as needed
Priority             | Takes effect according to the configuration sequence      | Lets you customize priorities
Matching rules       | Source IP address, source port, and source protocol       | Source IP address, source port, destination IP address, destination port, protocol, and packet status
Notice
When you use a VPC firewall, note the following:
- One VPC vRouter can be used to create only one VPC firewall.
- One NIC has an inbound direction and an outbound direction. You can
  configure only one rule set for each direction.
- The control mechanism of a VPC vRouter restricts external access to VM
  instances that have no EIP. If you use static routing or OSPF, note that
  static routing and OSPF stop working when the rule with priority 9999 is
  disabled. If you still want to use static routing and OSPF, add an inbound
  rule to the public network NIC.
When you use a rule set, note the following:
- One rule set can have up to 9999 rules attached.
- Only outbound rule sets can be created. Outbound rule sets apply to the
  outbound direction of the NIC.
- Exercise caution. The inbound and outbound directions of a rule set are
  designed for VPC vRouters.
- Inbound rule sets are created by the system by default. You can
  customize the rules in an inbound rule set, but you cannot delete inbound
  rule sets.
- A rule set for the outbound direction can be reused on multiple NICs.
When you use a rule, note the following:
- A rule is part of one rule set and cannot be reused in multiple rule
  sets.
- A system rule is a preconfigured rule that supports system services. System
  rules use two priority ranges: 1-1000 and 4000-9999. The priority range of a
  custom rule is 1001-2999. The priority range 3000-3999 is reserved by the
  system. Lower integers indicate higher priorities.
- System rules cannot be added, modified, or deleted.
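As an added example that is not part of this documentation and not the vendor's own code, the following Python model reproduces the evaluation order described in the three access scenarios at the top of the page (the inbound rule set of the NIC the traffic enters on is consulted first; only accepted traffic goes on to the outbound rule set of the NIC it leaves on) together with the rule constraints from this section: lower priority integers win, custom rules must use 1001-2999, system rules 1-1000 or 4000-9999, and a rule set holds at most 9999 rules. The class names, the sample policy, the addresses (documentation ranges) and the "drop" fallback when no rule matches are this example's own assumptions; the page does not state what happens to unmatched traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Priority ranges as stated on the page: a lower integer is a higher priority.
CUSTOM_PRIORITIES = range(1001, 3000)                     # 1001-2999
SYSTEM_PRIORITIES = (range(1, 1001), range(4000, 10000))  # 1-1000, 4000-9999
MAX_RULES_PER_SET = 9999


def is_valid_priority(priority: int, system: bool = False) -> bool:
    """Custom rules may only use 1001-2999; 3000-3999 is reserved."""
    allowed = SYSTEM_PRIORITIES if system else (CUSTOM_PRIORITIES,)
    return any(priority in r for r in allowed)


@dataclass(frozen=True)
class Packet:
    """The fields a VPC firewall rule can match on (comparison table)."""
    src_ip: str
    dst_ip: str
    protocol: str                  # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    state: str = "new"             # packet status: "new" or "established"


@dataclass(frozen=True)
class Rule:
    """A rule inside one rule set; None for a field means 'any'."""
    priority: int
    action: str                    # "accept", "drop" or "reject"
    src_cidr: Optional[str] = None
    dst_cidr: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    state: Optional[str] = None
    system: bool = False           # system rules use the system ranges

    def __post_init__(self) -> None:
        if self.action not in ("accept", "drop", "reject"):
            raise ValueError(f"unknown action {self.action!r}")
        if not is_valid_priority(self.priority, self.system):
            raise ValueError(f"priority {self.priority} outside permitted range")

    def matches(self, pkt: Packet) -> bool:
        def in_net(ip: str, cidr: Optional[str]) -> bool:
            return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
        return (in_net(pkt.src_ip, self.src_cidr)
                and in_net(pkt.dst_ip, self.dst_cidr)
                and self.protocol in (None, pkt.protocol)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port)
                and self.state in (None, pkt.state))


class RuleSet:
    """One direction of one NIC. The first match in priority order decides;
    the fallback for unmatched traffic is this model's assumption."""
    def __init__(self, name: str, fallback: str = "drop"):
        self.name, self.fallback, self.rules = name, fallback, []

    def add(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_SET:
            raise ValueError(f"{self.name}: rule set is full")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> str:
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(pkt):
                return rule.action
        return self.fallback


class VRouter:
    """A VPC vRouter with a public and a private NIC, each holding exactly
    one inbound and one outbound rule set."""
    def __init__(self):
        self.nic = {n: {"in": RuleSet(f"{n}-in"), "out": RuleSet(f"{n}-out")}
                    for n in ("public", "private")}

    def forward(self, pkt: Packet, ingress: str, egress: Optional[str] = None) -> str:
        """Inbound set of the ingress NIC first; only accepted traffic is then
        checked against the outbound set of the egress NIC (if one is given)."""
        verdict = self.nic[ingress]["in"].evaluate(pkt)
        if verdict != "accept" or egress is None:
            return verdict
        return self.nic[egress]["out"].evaluate(pkt)


def build_demo_router() -> VRouter:
    """Constructed sample policy (hypothetical; addresses are documentation ranges)."""
    r = VRouter()
    pub_in, priv_out = r.nic["public"]["in"], r.nic["private"]["out"]
    # Custom rules (1001-2999). Rule 1001 outranks 1002 for packets both match.
    pub_in.add(Rule(1001, "accept", protocol="tcp", dst_port=443))
    pub_in.add(Rule(1002, "drop", src_cidr="198.51.100.0/24"))
    pub_in.add(Rule(1003, "reject", protocol="tcp", dst_port=22))
    # A constructed rule in the system range admitting return traffic.
    pub_in.add(Rule(4000, "accept", state="established", system=True))
    # The private NIC's outbound set only lets traffic reach the VM subnet.
    priv_out.add(Rule(1001, "accept", dst_cidr="192.168.10.0/24"))
    return r
```

Running `build_demo_router().forward(pkt, "public", "private")` walks the VM-2 to VM-4 path: a packet the public inbound set drops or rejects never reaches the private outbound set, which is why a rule placed at a lower integer than an existing drop rule silently overrides it; the priority validation in `Rule` refuses custom rules outside 1001-2999 so a policy cannot be accidentally written into the reserved or system ranges.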