NAT gateway traffic refers to the traffic between a NAT gateway and the Internet. It can be protected in two scenarios: If the EIP bound to the NAT gateway is used to connect to the Internet, CFW protects all traffic passing through the NAT gateway.
Table 1 DNAT protection rule parameters
Parameter: Rule Type
Description: Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.
NOTE: To select the NAT rule, ensure that the professional edition firewall is used.
Overview Cloud Firewall (CFW) can protect the traffic of cloud services at the Internet border, VPC border, and NAT gateway. This section helps you quickly get started with CFW.
(parameter name truncated) string: Protocol type
app string: Application type
src_region_name string: Source region name
src_region_id string: Source region ID
dst_region_name string: Destination region name
dst_region_id string: Destination region ID
log_type string: Log type. internet: Internet border traffic log; nat
Suggestion You are advised to create an independent VPC for the NAT gateway. To avoid affecting access control, do not use the VPC in the network configurations of Elastic Cloud Servers (ECSs) or other instances.
Table 1 Resource description
Resource: NAT Gateway. Description: Protected resource. Quantity: 1. Cost: For details about the billing modes and standards, see NAT Gateway Billing.
Resource: Elastic IP (EIP). Description: EIP bound to the NAT gateway.
Configure NAT protection as follows and set other parameters based on your deployment:
Figure 1 Configuring a NAT protection rule
Follow-up Operations
Checking protection outcomes. Policy hits: For details about the protection overview, see Viewing Protection Information Using the
Configuring a NAT Protection Rule
After verifying the traffic flow, configure protection rules so that CFW can allow or block traffic accordingly.
Log in to the management console.
EIP
NAT (Only the professional edition can protect NAT traffic.)
Content Type: Select a type.
File upload: Click Add. Only files in .txt or .csv format can be uploaded; text input is also supported.
Text input: Enter an IP address in the IP Address text box.
NAT Gateway NAT Gateway provides public and private NAT gateways. A public NAT gateway provides SNAT and DNAT to let cloud servers in a VPC use an EIP to communicate with the Internet. CFW protects the NAT gateway traffic by protecting the VPC where the NAT gateway resides.
Request Parameters
Table 3 Request body parameters
Parameter: effect_scope. Mandatory: No. Type: Array of integers. Description: Effective scope: 1 (the effective scope for deletion is EIP), 2 (the effective scope for deletion is NAT), 1,2 (the effective scope for deletion is EIP and NAT
Configuring a NAT Gateway
Prerequisites: A NAT gateway has been purchased and its VPC has not been associated with any cloud resources (such as cloud servers). If there are no NAT gateways available, buy a public NAT gateway. For details about NAT gateway pricing, see Billing.
If you want to export an IP address blacklist whose effective scope is NAT, set the name to ip-blacklist-nat.txt.
CFW can protect all cloud resources (EIPs, VPCs, and NAT gateways) in the current region and under the current account. Enable enterprise management, and select an enterprise project when purchasing CFW. In this case, CFW bills belong to this project.
NAT gateway protection applies in the following scenarios: The EIP bound to a NAT gateway can be protected. Only the traffic of that EIP will be audited.
Modifying a Private CIDR Block To use public network CIDR blocks other than 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or the 100.64.0.0/10 segment reserved for carrier-level NAT as private network CIDR blocks, modify the CIDR private network segment or submit a service ticket to