In the last article I talked about the product called Cloud Firewall, the FaaS (Firewall as a Service) offering from Alibaba Cloud, a great alternative and a must-have in terms of capabilities, pricing and low maintenance.

And that is precisely why I’m not going to talk about that now, smart! This article will focus on one of the most interesting features from my point of view, as it is the most “cloud native” feature a firewall can have: “VPC Protection” and its amazing simplicity.

Plenty to choose from


As the image above makes clear, please note that this feature is only available from the “Enterprise” edition of the Cloud Firewall, protecting a maximum of 2 VPCs by default and giving you easy management of Security Groups.


How does it work?

If you have never used a traffic-analysis tool before, you need to know that a couple of modifications are needed so the analysis tool can, as you guessed, analyse. This works by modifying the routes of the network so that all traffic goes through the system.

In our case, we want to control the traffic between 2 VPCs, meaning we need a CEN (Cloud Enterprise Network) connection between those two networks, whose CIDR ranges must not overlap.

When it comes to VPC routing, we have the Route Tables, responsible for telling everyone which way to take depending on where you want to go. Before activating this Cloud Native FaaS solution, our network looks something like the image below:

Default routing when using CEN and 2 VPCs


Then, after activating the VPC protection, your routing will look more like the image below:

Routing modified to be used by Cloud Firewall


For this, you’ll need to go to “Cloud Firewall” > “Firewall Settings” > “Firewall Settings” and then, under “VPC Firewall”, activate the firewall, at your discretion, on those VPCs you want to monitor.

As you can see in the above picture, Cloud Firewall creates an extra VPC connected to the same CEN instance and routes all connections through this one. Can we call this a “Transit VPC”? Well, I guess we can.

As I mentioned before about the routing, you’ll get a warning about the route update and the potential for some disruption to your communications. So use it with care!
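To make the routing change described above concrete, here is an added example (not Alibaba Cloud's code or API; VPC names, CIDRs and the firewall VPC name are hypothetical) that models the two route tables, resolves the next hop for a destination with longest-prefix match, and produces a dry-run diff of the routes that the activation would rewrite, together with the non-overlapping CIDR check CEN requires.

```python
import ipaddress

# Constructed sample topology: two VPCs joined by CEN plus the extra
# "transit" VPC that Cloud Firewall attaches. All identifiers are made up.
VPC_A = {"name": "vpc-a", "cidr": "10.0.0.0/16"}
VPC_B = {"name": "vpc-b", "cidr": "172.16.0.0/16"}
FIREWALL_VPC = {"name": "vpc-cfw-transit", "cidr": "192.168.255.0/24"}


def check_no_overlap(*vpcs):
    """CEN needs non-overlapping CIDRs; return the overlapping name pairs."""
    nets = [(v["name"], ipaddress.ip_network(v["cidr"])) for v in vpcs]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def default_routes(local, peer):
    """Route table of `local` before VPC protection: the local CIDR stays
    local and the peer CIDR goes straight to the peer over the CEN."""
    return [(local["cidr"], "local"), (peer["cidr"], peer["name"])]


def firewalled_routes(local, peer, fw):
    """Same table after VPC protection: traffic for the peer is sent to the
    firewall (transit) VPC, which forwards it after inspection."""
    return [(local["cidr"], "local"), (peer["cidr"], fw["name"])]


def next_hop(route_table, dst_ip):
    """Resolve a destination the way a route table does: longest prefix wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, hop in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route_diff(before, after):
    """Dry run of the update the console warns about: {cidr: (old, new)}."""
    b, a = dict(before), dict(after)
    return {c: (b.get(c), a.get(c)) for c in set(b) | set(a) if b.get(c) != a.get(c)}


if __name__ == "__main__":
    print("overlaps:", check_no_overlap(VPC_A, VPC_B, FIREWALL_VPC))
    before = default_routes(VPC_A, VPC_B)
    after = firewalled_routes(VPC_A, VPC_B, FIREWALL_VPC)
    print("172.16.5.5 before:", next_hop(before, "172.16.5.5"))
    print("172.16.5.5 after: ", next_hop(after, "172.16.5.5"))
    print("routes rewritten:", route_diff(before, after))
```

Running the diff before enabling the feature tells you exactly which destinations will start flowing through the transit VPC, which is the set of flows that can be disrupted during the route update.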


Conclusion

Imagine doing this with your non-FaaS firewall. Exactly: this is only a couple of clicks or a few API calls; “convenient” is an understatement.