如何创建VPC边界防火墙_云防火墙(Cloud Firewall)-阿里云帮助中心

本文介绍如何使用Terraform创建VPC边界防火墙（防护通过高速通道连接的两个VPC之间的流量）。

说明

当前示例代码支持一键运行，您可以直接运行代码。一键运行

前提条件

由于阿里云账号（主账号）具有资源的所有权限，一旦发生泄露将面临重大风险。建议您使用RAM用户，并为该RAM用户创建AccessKey，具体操作方式请参见创建RAM用户和创建AccessKey。

使用以下示例为RAM用户授权，具体操作方式请参见为RAM用户授权。

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "yundun-cloudfirewall:*",
                "yundun-ndr:*",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:DescribeVpcs",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:DescribeVSwitches",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:DescribeRouteEntries",
                "vpc:CreateVpcPeerConnection",
                "vpc:DeleteVpcPeerConnection",
                "vpc:DescribeVpcPeerConnections",
                "cloudfirewall:CreateVpcFirewall",
                "cloudfirewall:DeleteVpcFirewall",
                "cloudfirewall:DescribeVpcFirewalls"
            ],
            "Resource": "*"
        }
    ]
}

准备Terraform运行环境，您可以选择以下任一方式来使用Terraform。
在Explorer中使用Terraform：阿里云提供了Terraform的在线运行环境，您无需安装Terraform，登录后即可在线使用和体验Terraform。适用于零成本、快速、便捷地体验和调试Terraform的场景。
Cloud Shell：阿里云Cloud Shell中预装了Terraform的组件，并已配置好身份凭证，您可直接在Cloud Shell中运行Terraform的命令。适用于低成本、快速、便捷地访问和使用Terraform的场景。
在本地安装和配置Terraform：适用于网络连接较差或需要自定义开发环境的场景。
重要
请确保Terraform版本不低于v0.12.28。如需检查现有版本，请运行terraform --version命令。

使用的资源

alicloud_cloud_firewall_vpc_firewall：VPC边界防火墙。

创建VPC边界防火墙

本示例将创建VPC边界防火墙。

创建一个工作目录，并且在工作目录中创建以下名为main.tf的配置文件。main.tfTerraform主文件，定义了将要部署的资源。

variable "region" {
  default = "cn-heyuan"
}
provider "alicloud" {
  region = var.region
}
# 获取当前阿里云uid
data "alicloud_account" "current" {
}
# 创建VPC 1
resource "alicloud_vpc" "vpc" {
  vpc_name   = "dd-tf-vpc-01"
  cidr_block = "192.168.0.0/16"
}
# 创建VPC 2
resource "alicloud_vpc" "vpc1" {
  vpc_name   = "dd-tf-vpc-02"
  cidr_block = "172.16.0.0/12"
}
# 创建一个Vswitch CIDR 块为 192.168.10.0/24
resource "alicloud_vswitch" "vsw" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-01-example-1"
}
# 创建另一个Vswitch CIDR 块为 192.168.20.0/24
resource "alicloud_vswitch" "vsw1" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "192.168.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-01-example-2"
}
# 创建一个Vswitch CIDR 块为 172.16.10.0/24
resource "alicloud_vswitch" "vsw2" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.10.0/24"
  zone_id      = "cn-heyuan-a"
  vswitch_name = "dd-tf-vpc-02-example-11"
}
# 创建另一个Vswitch CIDR 块为 172.16.20.0/24
resource "alicloud_vswitch" "vsw3" {
  vpc_id       = alicloud_vpc.vpc1.id
  cidr_block   = "172.16.20.0/24"
  zone_id      = "cn-heyuan-b"
  vswitch_name = "dd-tf-vpc-02-example-22"
}
# 创建VPC对等连接
resource "alicloud_vpc_peer_connection" "default" {
  # 对等连接名称
  peer_connection_name = "terraform-example-vpc-peer-connection"
  # 发起方VPC_ID
  vpc_id = alicloud_vpc.vpc.id
  # 接收方 VPC 对等连接的 Alibaba Cloud 账号 ID
  accepting_ali_uid = data.alicloud_account.current.id
  # 接收方 VPC 对等连接的区域 ID。同区域创建时，输入与发起方相同的区域 ID；跨区域创建时，输入不同的区域 ID。
  accepting_region_id = "cn-heyuan"
  # 接收端VPC_ID
  accepting_vpc_id = alicloud_vpc.vpc1.id
  # 描述
  description = "terraform-example"
  # 是否强制删除
  force_delete = true
}
# 接收端
resource "alicloud_vpc_peer_connection_accepter" "default" {
  instance_id = alicloud_vpc_peer_connection.default.id
}
# 配置路由条目-vpc-A
resource "alicloud_route_entry" "foo" {
  # VPC-A 路由表ID
  route_table_id = alicloud_vpc.vpc.route_table_id
  # 目标网段，自定义
  destination_cidrblock = "1.2.3.4/32"
  # 下一跳类型
  nexthop_type = "VpcPeer"
  # 下一跳id
  nexthop_id = alicloud_vpc_peer_connection.default.id
}
# 配置路由条目2 -vpc-B
resource "alicloud_route_entry" "foo1" {
  # VPC-A 路由表id
  route_table_id = alicloud_vpc.vpc1.route_table_id
  # 目标网段，自定义
  destination_cidrblock = "4.3.2.1/32"
  # 下一跳类型
  nexthop_type = "VpcPeer"
  # 下一跳id
  nexthop_id = alicloud_vpc_peer_connection.default.id
}
# 先创建其他前置资源
resource "time_sleep" "wait_before_firewall" {
  # 确保云企业网实例，网络连接实例创建好后
  depends_on = [
    alicloud_route_entry.foo,
    alicloud_route_entry.foo1
  ]
  create_duration = "720s" # 根据需要设置时间
}
# 延迟
resource "null_resource" "wait_for_firewall" {
  provisioner "local-exec" {
    command = "echo waiting for firewall to be ready"
  }
  # 确保云企业网实例创建
  depends_on = [time_sleep.wait_before_firewall]
}
# VPC对等连接高速通道防火墙实例
resource "alicloud_cloud_firewall_vpc_firewall" "default" {
  # 前置依赖
  depends_on = [
    null_resource.wait_for_firewall
  ]
  timeouts {
    create = "30m" # 给创建加上超时时间
  }
  # 实例名称
  vpc_firewall_name = "tf-test"
  # 用户uid
  member_uid        = data.alicloud_account.current.id
  local_vpc {
    # 发起端vpc id
    vpc_id = alicloud_vpc.vpc.id
    # 地域
    region_no = "cn-heyuan"
    # 路由条目
    local_vpc_cidr_table_list {
      # 路由表id
      local_route_table_id = alicloud_vpc.vpc.route_table_id
      local_route_entry_list {
        # 下一跳
        local_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
        # 目标网块
        local_destination_cidr = alicloud_route_entry.foo.destination_cidrblock
      }
    }
  }
  peer_vpc {
    # 接收端vpc id
    vpc_id = alicloud_vpc.vpc1.id
    # 地域
    region_no = "cn-heyuan"
    # 路由条目
    peer_vpc_cidr_table_list {
      # 路由表id
      peer_route_table_id = alicloud_vpc.vpc1.route_table_id
      peer_route_entry_list {
        # 目标网块
        peer_destination_cidr = alicloud_route_entry.foo1.destination_cidrblock
        # 下一跳
        peer_next_hop_instance_id = alicloud_vpc_peer_connection.default.id
      }
    }
  }
  # 资源的状态。有效值：
  # open: 创建 VPC 边界防火墙后，保护机制自动启用。
  # close: 创建 VPC 边界防火墙后，不自动启用保护。
  status = "open"
}
output "vpc_id" {
  value = alicloud_vpc.vpc.id
}
output "vpc1_id" {
  value = alicloud_vpc.vpc1.id
}
output "route_table_id_vpc" {
  value = alicloud_vpc.vpc.route_table_id
}
output "route_table_id_vpc1" {
  value = alicloud_vpc.vpc1.route_table_id
}
output "foo_nexthop_id" {
  value = alicloud_vpc_peer_connection.default.id
}
output "foo1_nexthop_id" {
  value = alicloud_vpc_peer_connection.default.id
}
output "cidrblock" {
  value = alicloud_route_entry.foo.destination_cidrblock
}
output "cidrblock1" {
  value = alicloud_route_entry.foo1.destination_cidrblock
}

执行以下命令，初始化Terraform运行环境。

terraform init

返回如下信息，表示Terraform初始化成功。

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.203.0...


Warning: registry.terraform.io: For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.


Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

创建执行计划，并预览变更。
```
terraform plan
```

执行以下命令，创建VPC边界防火墙来防护通过高速通道连接的两个VPC之间的流量。

terraform apply

在执行过程中，根据提示输入yes并按下Enter键，等待命令执行完成，若出现以下信息，则表示创建VPC边界防火墙成功。

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

alicloud_vpc.vpc: Creating...
alicloud_vpc.vpc1: Creating...
alicloud_vpc.vpc1: Creation complete after 6s [id=vpc-f8z3bgpc9436064a***]
alicloud_vswitch.vsw2: Creating...
alicloud_vswitch.vsw3: Creating...
alicloud_vpc.vpc: Creation complete after 6s [id=vpc-f8zbmuyrti2q3t3exi***]
alicloud_vpc_peer_connection.default: Creating...
alicloud_vswitch.vsw1: Creating...
alicloud_vswitch.vsw: Creating...
alicloud_vswitch.vsw3: Creation complete after 4s [id=vsw-f8zxfkuawt6h3zorst***]
alicloud_vswitch.vsw: Creation complete after 4s [id=vsw-f8zbfkhc4odb6fv3y4***]
alicloud_vpc_peer_connection.default: Creation complete after 6s [id=pcc-rwz8io7yddag5y***]
alicloud_vpc_peer_connection_accepter.default: Creating...
alicloud_vswitch.vsw1: Creation complete after 7s [id=vsw-f8z88qcqyfbb5x2nj9***]
alicloud_vswitch.vsw2: Creation complete after 7s [id=vsw-f8zqv2i961em95c7bv***]
alicloud_vpc_peer_connection_accepter.default: Creation complete after 6s [id=pcc-rwz8io7yddag5ya***]
alicloud_route_entry.foo: Creating...
alicloud_route_entry.foo1: Creating...
alicloud_route_entry.foo1: Creation complete after 6s [id=vtb-f8zbaphqlvdnb7njt1***:vrt-f8ze0dot16bcip5o8d***:4.3.2.1/32:VpcPeer:pcc-rwz8io7yddag5y***]
alicloud_route_entry.foo: Creation complete after 6s [id=vtb-f8zukaban4cfna8f8k***:vrt-f8z23psp6f1ecy44z7***:1.2.3.4/32:VpcPeer:pcc-rwz8io7yddag5ya***]
time_sleep.wait_before_firewall: Creating...
time_sleep.wait_before_firewall: Still creating... [10s elapsed]
time_sleep.wait_before_firewall: Still creating... [20s elapsed]
time_sleep.wait_before_firewall: Still creating... [30s elapsed]
time_sleep.wait_before_firewall: Still creating... [40s elapsed]
time_sleep.wait_before_firewall: Still creating... [50s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [1m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [2m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [3m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m40s elapsed]
time_sleep.wait_before_firewall: Still creating... [4m50s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m0s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m10s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m20s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m30s elapsed]
time_sleep.wait_before_firewall: Still creating... [5m40s elapsed]
time_sleep.wait_before_firewall: Creation complete after 12m0s [id=2024-11-05T01:44:57Z]
null_resource.wait_for_firewall: Creating...
null_resource.wait_for_firewall: Provisioning with 'local-exec'...
null_resource.wait_for_firewall (local-exec): Executing: ["/bin/sh" "-c" "echo waiting for firewall to be ready"]
null_resource.wait_for_firewall (local-exec): waiting for firewall to be ready
null_resource.wait_for_firewall: Creation complete after 0s [id=5344790266853010843]
alicloud_cloud_firewall_vpc_firewall.default: Creating...
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [1m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [2m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [3m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [4m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [5m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [6m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [7m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [8m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [9m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [10m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m10s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m20s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m30s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m40s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [11m50s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Still creating... [12m0s elapsed]
alicloud_cloud_firewall_vpc_firewall.default: Creation complete after 12m1s [id=vfw-782be77253a0462e8***]

Apply complete! Resources: 13 added, 0 changed, 0 destroyed.

验证结果
执行terraform show命令
您可以使用以下命令查询Terraform已创建的资源详细信息。
```
terraform show
```
登录云防火墙控制台
登录云防火墙控制台，在防火墙开关>VPC边界防火墙页面，搜索VPC边界防火墙实例ID查看详细信息。

清理资源

当您不再需要上述通过Terraform创建或管理的资源时，请运行以下命令以释放资源。关于terraform destroy的更多信息，请参见Terraform常用命令。

terraform destroy

完整示例

说明