NAT firewall

更新时间:
复制 MD 格式

When resources within a VPC, such as ECS and ECI, access the internet through a NAT Gateway, they are exposed to security risks like unauthorized access, data leaks, and malicious attacks. To mitigate these risks, you can enable a NAT firewall, which uses Cloud Firewall to block unauthorized traffic. This topic describes how to configure a NAT firewall.

This video shows how to protect your NAT Gateway.

Introduction

How it works

The NAT firewall supports one-click activation, asset synchronization, access control policy configuration, traffic analysis, and log auditing.

After you enable the NAT firewall, it inspects all outbound traffic from private assets in your VPC to the associated NAT Gateway. This includes assets in the same VPC and across different VPCs. The NAT firewall evaluates traffic against your configured access control policies and the built-in threat intelligence library of Cloud Firewall. It matches elements such as source and destination addresses, ports, protocols, applications, and domains to determine whether to allow the traffic. This process prevents unauthorized internet access from your private assets.

image

Impact on your services

When you enable or disable a NAT firewall, Cloud Firewall performs a route switch. This causes a transient disconnection of 1 to 2 seconds for long-lived connections. Short-lived connections are not affected. To minimize the impact on your services, perform these operations during off-peak hours.

  • Creating a NAT firewall does not affect your services. However, if you choose to enable the firewall during creation, it will cause a transient disconnection of 1 to 2 seconds for long-lived connections. Short-lived connections are not affected.

    Note

    The time it takes to create a NAT firewall depends on the number of EIPs bound to the NAT Gateway. Each additional EIP increases the creation time by approximately 2 to 5 minutes. This process does not affect your services.

  • Disabling and then deleting a NAT firewall does not affect your services.

  • If your traffic exceeds the specifications of your purchased Cloud Firewall edition, the service level agreement (SLA) is not guaranteed. This may trigger service degradation, including the deactivation of security features (such as access control, IPS, and log auditing), the shutdown of the firewall for assets that exceed traffic limits, and rate limiting that causes packet loss.

    If your traffic may exceed the purchased limit, we recommend that you enable pay-as-you-go for elastic traffic.

Limitations

  • After you enable a NAT firewall, do not change the routes in the firewall's vSwitch or any route whose next hop is the NAT firewall. Modifying these routes can cause service disruptions.

  • To add a new CIDR block for cross-VPC protection after enabling a NAT firewall, you must manually update the route table of the firewall's vSwitch. We recommend that you also update the corresponding route in the route table that was used before the firewall was enabled. This prevents routing issues if the firewall is later disabled.

  • If your Cloud Firewall instance expires and you do not renew it in time, the NAT firewall is automatically released. Traffic then reverts to the original outbound route, which may cause a brief service interruption.

    To ensure service availability, we recommend that you enable auto-renewal or renew your subscription in advance. For more information, see Renewal.

  • If your NAT firewall was created before September 1, 2023, the maximum protection bandwidth for all network connections to the same tuple (destination IP and destination port) is 20 Mbps. If the bandwidth for connections to the same tuple exceeds 20 Mbps, you may experience network jitter. To increase this bandwidth limit, we recommend that you delete and recreate the NAT firewall.

    NAT firewalls created on or after September 1, 2023, do not have this 20 Mbps bandwidth limit.

  • The NAT firewall does not protect IPv6 traffic.

  • Creating a NAT firewall automatically adds SNAT entries. The number of new SNAT entries equals the number of EIPs bound to the NAT Gateway. Do not delete or modify the SNAT entries created by Cloud Firewall.

  • You can view General NAT quotas to learn about the quotas for SNAT entries on a NAT Gateway. Reserve a portion of this quota for the NAT Firewall. The number of reserved SNAT entries must be equal to the number of EIPs that are associated with the NAT Gateway.

Workflow

The following flowchart shows the process of using a NAT firewall.

Note

Cloud Firewall provides a default number of NAT firewall licenses. If this number is insufficient, you must purchase more licenses. For more information, see Purchase Cloud Firewall.

Prerequisites

  • You have activated Cloud Firewall and purchased a sufficient number of NAT firewall licenses. For more information, see Purchase Cloud Firewall.

  • You have created an Internet NAT Gateway. For more information, see Internet NAT Gateway.

    Important

    Currently, the NAT firewall protects only Internet NAT Gateways.

    The NAT Gateway must meet the following conditions:

    • The NAT Gateway's region must support NAT firewalls. For a list of supported regions, see Supported regions.

    • The NAT Gateway is bound to at least 1 and no more than 10 EIPs. For more information, see Internet NAT Gateway.

    • The NAT Gateway has SNAT entries configured and does not have any DNAT entries. For more information, see Create and manage SNAT entries.

      If the NAT Gateway has existing DNAT entries, you must delete them before you can enable the NAT firewall. For more information, see Create and manage DNAT entries.

    • The NAT Gateway's VPC has a route entry that points 0.0.0.0/0 to the NAT Gateway. For more information, see Create and manage a route table.

    • The VPC must have an available CIDR block with at least a /28 mask. Secondary CIDR blocks are supported.

Create and enable a NAT firewall

Follow these steps to create a NAT firewall. Each NAT Gateway instance corresponds to one NAT firewall.

Notes

  • A new NAT Gateway takes 1 to 5 minutes to synchronize with the NAT firewall service.

  • New EIPs and SNAT entries for a NAT Gateway take 1 to 2 minutes to synchronize with the NAT firewall. The EIPs and SNAT entries do not take effect until the synchronization is complete.

    Alternatively, on the Firewall > Internet Firewall page, click Synchronize Assets to manually synchronize them.

  • A new route that points to a NAT Gateway takes up to 30 minutes to synchronize with the NAT firewall.

    Alternatively, on the Firewall > NAT Firewall page, click Synchronize Assets to manually synchronize the route.

  • When you create a NAT firewall, Cloud Firewall performs the following actions:

    • Adds a 0.0.0.0/0 route that points to the NAT Gateway in the route table of the firewall's vSwitch.

    • Modifies the 0.0.0.0/0 route entry in the system route table to set its next hop to the Cloud Firewall ENI.

    Note

    Creating a NAT firewall adds a custom route table to your VPC. If the VPC contains an ACK cluster that uses the Flannel network plug-in, you must configure the multi-route-table feature of Cloud Controller Manager after the firewall is created. Add the VPC system route table to the list of multiple route tables. Otherwise, cluster node scaling may be affected. For more information, see Use the multi-route-table feature of a VPC.

    If you are already using the multi-route-table feature of Cloud Controller Manager, you can ignore this note.

Procedure

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall.

  2. On the NAT Firewall tab, find the target NAT Gateway and click Create in its Actions column.

  3. In the Create NAT Firewall panel, click Check Now. After the check is complete and all items have passed, click Next.

    If you are certain that the NAT Gateway meets all the creation requirements, you can click Skip and start creation now..

  4. Choose a traffic redirection mode that suits your business needs:

    • Automatically Create vSwitch (Recommended): Recommended for scenarios with sufficient CIDR blocks. This mode provides fully automated traffic redirection.

    • Manually Select vSwitch: Recommended for scenarios with limited CIDR block availability. This mode requires you to reuse an existing vSwitch or manually create one. The process is more complex and intended for advanced users.

  5. In the Create NAT Firewall panel, configure the following parameters.

    Parameter

    Description

    Basic Information

    Name

    Enter a custom name for the NAT firewall.

    Traffic Redirection Configurations

    Select Route Table

    Select the route table whose original next hop is the NAT Gateway. When the firewall is created, the next hop is automatically changed to point to the NAT firewall. This directs outbound traffic from private assets to the NAT firewall.

    vSwitch CIDR block (Automatically Create vSwitch)

    or

    Redirection vSwitch (Manually Select vSwitch)

    You can create a new vSwitch or select an existing one.

    • Rules for configuring a new vSwitch CIDR block:

      • You must specify a vSwitch CIDR block with at least a /28 mask that does not conflict with your network plan. This CIDR block is allocated to the NAT firewall for traffic redirection.

      • The vSwitch CIDR block must be a subnet of the VPC's CIDR block (secondary CIDR blocks are supported) and must not conflict with existing service CIDR blocks. After allocation, Cloud Firewall automatically associates it with a custom traffic redirection route table.

    • Notes for selecting an existing vSwitch:

      • A NAT firewall requires a vSwitch that meets the following requirements. For more information, see Create and manage a VPC.

        • The vSwitch, NAT Gateway, and NAT firewall must be in the same VPC.

        • The vSwitch and the NAT Gateway must be in the same availability zone.

        • The vSwitch CIDR block must have at least a /28 mask, and the number of available IP addresses must be greater than the number of EIPs bound to the NAT Gateway.

        • The vSwitch must not be connected to any other cloud resources.

      • Create a new route table and associate it with the vSwitch. For more information, see Create and manage a route table.

      • (Optional) Add custom route entries other than the 0.0.0.0/0 route to the new route table as needed. For more information, see Use custom route tables to manage network traffic.

        For example, if your services require cross-VPC communication, you must manually add the return routes for the VPCs to the route table.

      Note

      If the target vSwitch does not appear in the vSwitch list or is grayed out, check whether the vSwitch is associated with other cloud resources or a custom route table. After you confirm that the vSwitch configuration is correct, go to the NAT Firewall tab and click Synchronize Assets in the upper-right corner.

    Engine Mode

    Engine Mode

    The matching mode for access control policies.

    • Loose Mode (Default): In this mode, when an access control policy for an application or domain encounters traffic from an unidentified application or domain, the traffic is allowed to pass. This mode prioritizes service availability.

    • Strict Mode: In this mode, when an access control policy for an application or domain encounters traffic from an unidentified application or domain, the traffic is passed to subsequent policies for further matching. If a deny policy matches the unidentified traffic, it is blocked.

  6. Select I have read and confirmed the preceding notes, and then click Enable Firewall.

  7. After the NAT firewall is created, you must manually change the Enabled Status to Enabled.

    After you enable the firewall, traffic is rerouted through Cloud Firewall to protect your traffic.

Next steps

After you create a NAT firewall, you can configure access control policies and view access logs to control traffic between your private assets and the internet.

Configure access control policies

If you do not configure any access control policies, Cloud Firewall allows all traffic by default. You can create NAT firewall access control policies to gain fine-grained control over outbound internet traffic from your private assets.

Go to the Firewall > NAT Firewall page. In the Actions column for the target NAT firewall, click the image.png icon and select Access Control.

On the page that appears, you can create a NAT firewall access control policy. For more information, see Configure an access control policy for a NAT firewall.

Query audit logs

Go to the Firewall > NAT Firewall page. In the Actions column for the target NAT firewall, click the image.png icon and select Log Audit.

On the page that appears, you can query logs for outbound traffic from your private network. For more information, see Log auditing.

View traffic analysis

Go to the Firewall > NAT Firewall page. In the Actions column for the target NAT firewall, click the image.png icon and select Analysis.

On the page that appears, you can view traffic analysis for the NAT Gateway's outbound internet traffic. For more information, see Outbound Connections.

View NAT private traffic statistics

In the left-side navigation pane, click Overview. On the Overview page, click Purchased Specification Usage in the upper-right corner. You can view the processing capacity for NAT private traffic, recent traffic peaks, and the usage of your NAT firewall licenses.

NAT firewall vSwitch list

Go to the Firewall > NAT Firewall page. In the upper-right corner of the NAT firewall list, click Firewall vSwitch List.

NAT firewall list fields

The list on the Firewall > NAT Firewall tab displays all NAT Gateway assets under your account and the status of their NAT firewalls. You can distinguish between a NAT firewall and a NAT Gateway asset in the UID/NAT Firewall ID/Name column:

  • If this column displays an identifier in the format ID:proxy-nat-xxx, a NAT firewall exists for the NAT Gateway.

  • If this column only displays an identifier in the format UID:xxx, a NAT firewall has not been created for the asset.

Disable and delete a NAT firewall

Warning

Disabling a NAT firewall causes a route switch that results in a 1- to 2-second disconnection for long-lived connections. We recommend that you perform this action during off-peak hours. Deleting a firewall after it has been disabled does not affect your services.

If you delete a NAT firewall without disabling it first, the system performs both actions simultaneously, which will also cause a 1- to 2-second disconnection for long-lived connections.

  • Disable a NAT firewall

    Go to the Firewall > NAT Firewall page. Find the target firewall and turn off the switch in its Switch column.

  • Delete a NAT firewall

    Go to the Firewall > NAT Firewall page. Find the target firewall, click the image.png icon in its Actions column, and select Delete.

Related Topics