Adding visibility to inter-VPC connections with Alibaba Cloud Firewall Enterprise
In the last article I talked about the product called Cloud Firewall, the FaaS (Firewall as a Service) offering from Alibaba Cloud, a great alternative and a strong option in terms of capabilities, pricing and low maintenance.
And that is precisely why I’m not going to talk about that now, smart! This article will focus on one of the most interesting features from my point of view, as it is the most “cloud native” feature a firewall can have: “VPC Protection” and its amazing simplicity.
As the image above makes clear, please note that this feature is only available from the “Enterprise” edition of Cloud Firewall; it protects a maximum of 2 VPCs by default and gives you easy management of Security Groups.
How does it work?
If you have never used a traffic-analysis tool before, you need to know that a couple of modifications are needed so the analysis tool can, as you guessed, analyse. This works by modifying the routes of the network, so that all requests go through the system.
In our case, we want to control the traffic between 2 VPCs, meaning there is a need for a CEN connection between those two non-overlapping CIDR networks.
When it comes to VPC routing, we have the Route Tables, responsible for telling everyone which way to take depending on where you want to go. Before activating this cloud native FaaS solution, our network looks something like the image below:
Then, after activating the VPC protection, your routing will look more like the image below:
For this, you’ll need to go to “Cloud Firewall” > “Firewall Settings” > “Firewall Settings” and then, under “VPC Firewall” activate, at your discretion, the firewall on those VPCs you want to monitor.
As you can see in the above picture, Cloud Firewall creates an extra VPC connected to the same CEN instance and routes all connections through this one. Can we call this a “Transit VPC”? Well, I guess we can.
As mentioned above regarding routing, you’ll get a warning about the route update and the potential for some disruption to your communications. So use it with care!
Imagine doing this with your non-FaaS firewall. Exactly: here it is only a couple of clicks or just some API calls, so “convenient” is an understatement.
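To make the routing change concrete, here is an added example (not Alibaba Cloud code or its API) that models the two route tables before and after VPC Protection, checks the non-overlapping CIDR prerequisite, and flags any inter-VPC route that still bypasses the firewall's transit VPC. The CIDRs, VPC names and the next-hop label `cfw-transit-vpc` are constructed assumptions.

```python
"""Added example: sanity checks for the inter-VPC routing change described above.
Simplified route-table model; names and CIDRs are constructed, not from the console."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: str      # destination CIDR
    next_hop: str  # "local", "cen", or the firewall transit VPC (hypothetical label)


# Constructed sample: two VPCs joined through CEN, before and after VPC Protection
VPC_A, VPC_B, FW_VPC = "10.0.0.0/16", "10.1.0.0/16", "10.255.0.0/24"
FW_HOP = "cfw-transit-vpc"  # assumed label for the extra VPC Cloud Firewall creates

BEFORE = {
    "vpc-a": [Route(VPC_A, "local"), Route(VPC_B, "cen")],
    "vpc-b": [Route(VPC_B, "local"), Route(VPC_A, "cen")],
}
AFTER = {
    "vpc-a": [Route(VPC_A, "local"), Route(VPC_B, FW_HOP)],
    "vpc-b": [Route(VPC_B, "local"), Route(VPC_A, FW_HOP)],
}


def cidrs_overlap(*cidrs: str) -> bool:
    """Prerequisite check: every pair of CIDRs must be disjoint for CEN routing."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def lookup(table: list, dst_ip: str) -> Optional[str]:
    """Longest-prefix match: which next hop a packet to dst_ip takes from this VPC."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if ip in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r.dest).prefixlen)
    return best.next_hop


def unprotected_routes(tables: dict, fw_hop: str = FW_HOP) -> list:
    """Return (vpc, dest) pairs whose non-local route does not traverse the firewall."""
    return [(vpc, r.dest) for vpc, routes in tables.items()
            for r in routes if r.next_hop not in ("local", fw_hop)]


if __name__ == "__main__":
    print("CIDRs overlap:", cidrs_overlap(VPC_A, VPC_B, FW_VPC))
    print("Bypassing routes before:", unprotected_routes(BEFORE))
    print("Bypassing routes after: ", unprotected_routes(AFTER))
```

Running the same check against a real route-table export after enabling VPC Firewall tells you whether every inter-VPC route was actually rewritten, which is the disruption the console warning is about.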