Configuring a NAT Protection Rule After verifying the traffic flow, configure protection rules so that the CFW can allow or block traffic accordingly. Configuring a NAT Protection Rule Log in to the management console.
For details, see Configuring Protection Rules to Block or Allow NAT Gateway Border Traffic. Protect the access traffic between VPCs, or between a VPC and an IDC. For details, see Configuring Protection Rules to Block or Allow VPC Border Traffic.
If you want to export an IP address blacklist whose effective scope is NAT, set the name to ip-blacklist-nat.txt.
CFW can protect all cloud resources (EIPs, VPCs, and NAT gateways) in the current region and under the current account. Enable enterprise management, and select an enterprise project when purchasing CFW. In this case, CFW bills belong to this project.
Modifying a Private CIDR Block To use public network CIDR blocks other than 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or the 100.64.0.0/10 segment reserved for carrier-level NAT as private network CIDR blocks, modify the CIDR private network segment or submit a service ticket to
string Protocol type app string Application type src_region_name string Source region name src_region_id string Source region ID dst_region_name string Destination region name dst_region_id string Destination region ID log_type string Log type. internet: Internet border traffic log nat
Request Parameters Table 3 Request body parameters Parameter Mandatory Type Description effect_scope No Array of integers Effective scope: 1 (the effective scope for deletion is EIP), 2 (the effective scope for deletion is NAT), 1,2 (the effective scope for deletion is EIP and NAT
EIP NAT (Only the professional edition can protect NAT traffic.) Content Type Selects a type. File upload: Click Add. Only files in .txt or .csv format can be uploaded or text input is supported. Text input: Enter an IP address in the IP Address text box.
Figure 1 Traffic between a VPC and an IDC Figure 2 Traffic between VPCs Introduction to VPC Border Traffic Protection Supported Protected Objects VPC Virtual gateway (VGW) attachment VPN Global DC gateway (DGW) Protection Specifications The protection specifications of a VPC border
The IP addresses can be separated by commas (,), semicolons (;), \r\n, \n, or \t. effect_scope No Array of integers Effective scope: 1 (EIP), 2 (NAT), or [1 2] (EIP and NAT).
For a professional edition firewall, one or more EIP, NAT, or EIP and NAT records may be displayed, depending on the imported records. Calling Method For details, see Calling APIs.
The Elastic Cloud Servers (ECSs), NAT gateways, Elastic Load Balance (ELB), or other resources that are bound to EIPs can be protected.
) bound to the EIP. device_name String Name of the device (such as ECS and NAT) bound to the EIP device_owner String Owner of the device (such as ECS and NAT) bound to the EIP. associate_instance_type String Type of the associated instance: NATGW, ELB, or PORT. fw_instance_name String
"er:routeTables:list", "er:routes:list", "er:associations:list", "er:instances:get", "ecs:cloudServers:list", "ecs:availabilityZones:list", "smn:topic:list", "nat
It can be an EIP or NAT rule. Direction Traffic direction of the protection rule. Source The party that originates a session. Destination The recipient of a session. Service Its value can be TCP, UDP, ICMP, or Any. Source Port: Source ports to be allowed or blocked.
NAT protection: Protect NAT traffic. Private IP addresses can be configured. EIP protection Direction Direction of protected traffic. Inbound: Traffic from external networks to the internal server. Outbound: Traffic from the customer server to external networks.
Figure 1 Internet border traffic protection Introduction to Internet Border Traffic Protection Protected Objects ECSs, NAT gateways, ELBs, and other resources bound to EIPs.
Address: www.example.test.api; Domain Description: api Domain Address: www.test.example.com; Domain Description: a domain name Domain Address: www.example.example.test; Domain Description: XX system Rule-ACL-Table: Order: 1 ACL Name: service A external connection Protection Rule: NAT
The source and destination addresses must be private IP addresses. 2: NAT rule.
Constraints: If type is set to 0 (Internet rule) or 2 (NAT rule), the direction is mandatory.