The IP addresses can be separated by commas (,), semicolons (;), \r\n, \n, or \t. effect_scope No Array of integers Effective scope: 1 (EIP), 2 (NAT), or [1 2] (EIP and NAT).
For a professional edition firewall, one or more EIP, NAT, or EIP and NAT records may be displayed, depending on the imported records. Calling Method For details, see Calling APIs.
Specification Limitations To enable VPC border protection and NAT protection, use the CFW professional edition and enable VPC firewall protection.
For details about how to allow cloud resources to access specified domain names through the NAT gateway, see Configuring a Protection Rule to Protect SNAT Traffic.
For details about how to enable traffic protection for private IP addresses, see Enabling NAT Gateway Traffic Protection.
The professional edition supports NAT rules. protected_resource_nat_id String ID of the NAT gateway to be protected. The professional edition supports NAT rules. protected_resource_project_id String Tenant ID of a protected resource.
The Elastic Cloud Servers (ECSs), NAT gateways, Elastic Load Balance (ELB), or other resources that are bound to EIPs can be protected.
For details about how to protect the traffic of private network assets at the Internet border, see Configuring Protection Rules to Block or Allow NAT Gateway Border Traffic.
For details about how to enable NAT gateway traffic protection, see Enabling NAT Gateway Traffic Protection. Parent Topic: System Management
) bound to the EIP. device_name String Name of the device (such as ECS and NAT) bound to the EIP. device_owner String Owner of the device (such as ECS and NAT) bound to the EIP. associate_instance_type String Type of the associated instance: NATGW, ELB, or PORT. fw_instance_name String
"er:routeTables:list", "er:routes:list", "er:associations:list", "er:instances:get", "ecs:cloudServers:list", "ecs:availabilityZones:list", "smn:topic:list", "nat
If NAT 64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 will translate source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.
It can be an EIP or NAT rule. Direction Traffic direction of the protection rule. Source The party that originates a session. Destination The recipient of a session. Service Its value can be TCP, UDP, ICMP, or Any. Source Port: Source ports to be allowed or blocked.
To use public network CIDR blocks other than 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or the 100.64.0.0/10 segment reserved for carrier-level NAT as private network CIDR blocks, modify private network CIDR blocks or submit a service ticket to expand your private IP CIDR blocks,
NAT protection: Protect NAT traffic. Private IP addresses can be configured. EIP protection Direction Direction of protected traffic. Inbound: Traffic from external networks to the internal server. Outbound: Traffic from the customer server to external networks.
Figure 1 Internet border traffic protection Introduction to Internet Border Traffic Protection Protected Objects ECSs, NAT gateways, ELBs, and other resources bound to EIPs.
Address: www.example.test.api; Domain Description: api Domain Address: www.test.example.com; Domain Description: a domain name Domain Address: www.example.example.test; Domain Description: XX system Rule-ACL-Table: Order: 1 ACL Name: service A external connection Protection Rule: NAT
The source and destination addresses must be private IP addresses. 2: NAT rule.
Constraints: If type is set to 0 (Internet rule) or 2 (NAT rule), the direction is mandatory.