This guide describes the procedure for creating Network Firewall and how to use the console after creation.
To use Network Firewall, first enable the Network Firewall service.
The minimum network service resources needed to create a Network Firewall are as follows.
[Note] See the Network Firewall service diagram in Network Firewall > Overview.
[Preparations for configuring 1 project]
[Preparations for configuring 2 Spoke VPCs within one project]
[Preparations for configuring more than one project]
[Preparations for configuring cross-region projects]
[Preparations for configuring multiple subnets within a single VPC]
[Note]
- The above service resources can be created in the [Network] category.
- Only one network firewall can be created per project.
[Notes before Creation]
- The created Network Firewall is not exposed in users' projects.
- The subnets used for the subnet, NAT, and external-transmission interfaces must all be different from each other.
- It is recommended to create subnets in the smallest unit (/28) that can be created in the NHN Cloud console.
- An Internet gateway must be connected to the routing table of the VPC to which the Network Firewall will belong before the Network Firewall can be created.
- Network Firewall is a separate service from Security Groups; if you use both, traffic must be allowed in both before it can reach the instances.
- The CIDR block owned by Network Firewall and the CIDR blocks that require connectivity must not overlap.
- IPs created with the Virtual_IP type in Network > Network Interface are used by Network Firewall for redundancy, so deleting them may block communication.
- After you create Network Firewall with a single or redundancy configuration, you can change the configuration on the Options tab if needed. However, availability zones cannot be changed, so for redundancy configurations, place the two nodes in separate availability zones whenever possible.
[Example] When the VPC (Hub) used by Network Firewall is 10.0.0.0/24, and the VPC (Spoke) that needs to be connected to the Network Firewall is 172.16.0.0/24.
[Note]
Create a peering according to the location of the Spoke VPC.
- If the Spoke VPC is in the same project, create a peering.
- If the Spoke VPC is in a different project, create a project peering.
- If the Spoke VPC is in a different region, create a region peering.
Go to Network > Routing, select a Hub VPC, and set up the routing as follows.
Go to Network > Routing, select a Spoke VPC, and set up the routing as follows.
[Note]
- By setting up routing as above, all communication from the Spoke VPCs will pass through the Network Firewall.
- If you need to branch communications, explicitly set a destination that is not 0.0.0.0/0.
Once the above routing settings are complete, instances in the Spoke VPC will be able to communicate publicly through the Network Firewall. (Requires adding NAT in Network Firewall > NAT)
If the Spoke VPC has two or more subnets and traffic control between subnets is required through Network Firewall, add the routing as follows.
[Example] When the subnets of Spoke VPC (172.16.0.0/24) are 172.16.0.0/25 and 172.16.0.128/25
If there are two or more spoke VPCs, add the routing as follows.
[Example] With Spoke VPC1 (172.16.0.0/24) and Spoke VPC2 (192.168.0.0/24)
[Note] VPC peering between Spoke VPC2 and the Hub also requires the Add Route setting, as shown in item 4 of Connection Settings.
If you configure spoke subnets in the same VPC, create a new routing table, associate the subnets with it, and add routes.
- In Network > Routing, create a routing table and add routes.
After the above routing settings are complete, different Spoke VPCs can communicate privately with each other through Network Firewall. (Requires adding a policy in Network Firewall > Policy.) Refer to the Network Firewall service configuration diagram to set up the connection according to your environment.
After creating Network Firewall and completing all connection settings, you can access your instances through the Network Firewall.
For example, if you configure 3 subnets with 2 Spoke VPCs in 1 project and need web access from outside through the firewall, set up NAT and ACLs as shown below.
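The routing behaviour described in this section (a 0.0.0.0/0 route sends all Spoke traffic through the Network Firewall, a more specific destination branches around it, and a per-subnet table steers subnet-to-subnet traffic through it) comes down to longest-prefix matching. The following Python example, added here and not part of the NHN Cloud guide, resolves destinations against constructed route tables for the example topology above. The next-hop labels ("local", "nfw", "igw") and the 203.0.113.0/24 branch destination are hypothetical, not console values.

```python
import ipaddress

# Constructed route tables for the topology used in this guide's examples:
# Hub VPC 10.0.0.0/24 (Network Firewall), Spoke VPC 172.16.0.0/24 with
# subnets 172.16.0.0/25 and 172.16.0.128/25. Next-hop names are
# hypothetical labels ("local", "nfw", "igw"), not console values.

SPOKE_DEFAULT = [
    ("172.16.0.0/24", "local"),   # intra-VPC traffic stays local
    ("0.0.0.0/0", "nfw"),         # everything else goes through the Network Firewall
]

# Same table with one explicit branch: a destination that is NOT 0.0.0.0/0
# takes a different path, which is how "branching" is expressed.
SPOKE_BRANCHED = SPOKE_DEFAULT + [
    ("203.0.113.0/24", "igw"),    # hypothetical direct route for one destination
]

# Per-subnet table for 172.16.0.0/25: the sibling /25 is more specific than the
# VPC-local /24, so traffic to the other subnet is steered through the firewall.
SUBNET_A = SPOKE_DEFAULT + [
    ("172.16.0.128/25", "nfw"),
]


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(destination):
    """Resolve one destination against all three tables; returns {table: next_hop}."""
    return {
        "spoke_default": lookup(SPOKE_DEFAULT, destination),
        "spoke_branched": lookup(SPOKE_BRANCHED, destination),
        "subnet_a": lookup(SUBNET_A, destination),
    }


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.9", "172.16.0.50", "172.16.0.200"):
        print(dst, trace(dst))
```

Run it as-is to see that public destinations resolve to the firewall in every table, that only the branched table sends 203.0.113.9 elsewhere, and that the per-subnet table is the only one that pushes 172.16.0.200 (the sibling subnet) through the firewall instead of keeping it local.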
[How to set up]
- Go to Network Firewall > NAT tab
- Click Add and set up NAT
- Before setup, create a Destination IP object on the Objects tab; a spare floating IP is also required.
- Allow the required ACLs on the Network Firewall > Policies > ACLs tab
After setting up as above, you can access the instance as long as the source IP is allowed in the security groups.
After creating Network Firewall, go to the Policies tab.
[Note]
- The default-deny policy is a required policy and cannot be modified or deleted.
- Logs blocked through the default-deny policy can be viewed on the Log tab after changing the Default blocking policy log setting to Enable on the Options tab.
On the ACLs tab, you can control inbound and outbound traffic and traffic between the Network Firewall and the associated VPCs.
[Caution] Once deleted, a policy cannot be restored, and the policy named default-deny cannot be deleted.
On the Route tab, specify the path of communication through the Network Firewall.
[Note]
- The default gateway for Network Firewall is NAT Ethernet, which cannot be modified or deleted.
- If the route settings change, there may be communication issues, so set them carefully.
[Note]
- If you select VPN as the Ethernet, you do not need to specify a gateway.
- When setting up routes for private IP ranges associated with an IPSec VPN, you must set the Ethernet to VPN.
- If you see a validation message like the one below when entering the destination subnet, check the subnet range in advance and enter it as the starting IP of the subnet.
- [Example]
- 192.168.199.0/21 (x) → 192.168.192.0/21 (o)
- 172.16.100.0/20 (x) → 172.16.96.0/20 (o)
- 10.10.10.130/25 (x) → 10.10.10.128/25 (o)
In the Object tab, create and manage IPs and ports to use when creating policies.
[Note]
- Group objects cannot be added when creating a group object (only single or range objects can be added, by selecting them).
- If an object that is in use by a policy is deleted, the policy's reference is changed to ALL (use caution).
- You can create an object by referencing an instance's name and private IP address; the object is independent of the instance once created, so manage it on the Object tab.
In the NAT (Network Address Translation) tab, select and connect a dedicated public IP with the instance to be accessed from the outside.
[Note]
- NAT offers only destination-based and 1:1 methods.
- Port-based NAT is not provided.
- After creating a NAT, you must add an allow policy to enable authorized communication.
- If you assign a floating IP directly to an instance that owns a private IP after NAT has been set up, there may be communication issues.
- After deleting a NAT, delete the now-unused pre-NAT public IP directly from Network > Floating IP.
[Note]
- Instances can be accessed from the pre-NAT public IP that you set when adding the NAT (there is no need to connect a floating IP directly to the instance).
The VPN tab enables secure, private communication over an encrypted tunnel between sites.
[Note]
- VPCs and subnets cannot be modified.
- You can create up to 10 gateways.
[Precautions for Setup]
- Set all settings identically to the peer VPN equipment.
- The local ID is optional, depending on how the peer VPN equipment is set up.
- You can add up to three Phase 2s.
- Set the private IP for Phase 2 to a /24 or smaller range; if you need a range larger than /24, check the subnet range in advance and enter it as the starting IP of the subnet.
- [Example]
- 192.168.100.0/20 (X) → 192.168.96.0/20 (O)
- 172.16.30.0/21 (X) → 172.16.24.0/21 (O)
- 10.0.50.0/22 (X) → 10.0.48.0/22 (O)
- The local private IP and peer private IP must not overlap each other. This range includes all private bands that connect to Network Firewall, including VPC peering.
- The CIDRs below cannot be added to local private IPs and peer private IPs, and if they are, there may be issues with communication through Network Firewall.
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
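The two "starting IP of the subnet" rules (the Route tab examples earlier on this page and the Phase 2 examples just above) and the overlap and blocked-CIDR rules in this list can all be checked before typing anything into the console. The following Python example is added here and is not part of the NHN Cloud guide; it uses only the standard library and reproduces the page's own (x) → (o) corrections. The sample ranges in the `__main__` block are constructed.

```python
import ipaddress

# The three CIDRs this guide says cannot be added as local or peer private IPs.
BLOCKED_CIDRS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def align_cidr(cidr):
    """Return (is_aligned, corrected).

    is_aligned is True when the address is already the starting IP of its
    subnet (e.g. 10.0.48.0/22). Otherwise corrected holds the same prefix
    rewritten to its network address, which is the value the console accepts
    (10.0.50.0/22 -> 10.0.48.0/22).
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True, cidr
    except ValueError:  # host bits set: not the first IP of the subnet
        return False, str(ipaddress.ip_network(cidr, strict=False))


def check_vpn_ranges(local_cidrs, peer_cidrs, other_connected=()):
    """Return a list of problems; an empty list means the ranges pass.

    other_connected: ranges already reachable through the firewall by other
    means (VPC peering, spoke VPCs). The guide says peer ranges must not
    overlap these either.
    """
    problems = []

    def parse(tag, cidrs):
        nets = []
        for c in cidrs:
            ok, fixed = align_cidr(c)
            if not ok:
                problems.append(f"{tag} {c} is not a subnet start; enter {fixed}")
            nets.append(ipaddress.ip_network(fixed))
        return nets

    local = parse("local", local_cidrs)
    peer = parse("peer", peer_cidrs)
    other = parse("connected", other_connected)

    for n in local + peer:
        if n in BLOCKED_CIDRS:
            problems.append(f"{n} is one of the CIDRs that cannot be added")
    for l in local:
        for p in peer:
            if l.overlaps(p):
                problems.append(f"local {l} overlaps peer {p}")
    for p in peer:
        for o in other:
            if p.overlaps(o):
                problems.append(f"peer {p} overlaps a range already connected to the firewall ({o})")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's own (x) values, then a deliberately bad VPN setup.
    for bad in ("192.168.100.0/20", "172.16.30.0/21", "10.0.50.0/22", "10.10.10.130/25"):
        print(bad, "->", align_cidr(bad))
    for p in check_vpn_ranges(["10.0.0.0/24"], ["10.0.0.128/25", "192.168.0.0/16"],
                              other_connected=["172.16.0.0/24"]):
        print("problem:", p)
```

`align_cidr` relies on `ipaddress.ip_network(..., strict=True)` raising `ValueError` whenever host bits are set, which is exactly the condition behind the console's validation message; `strict=False` then yields the corrected starting IP.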
[Note]
- In the Status column, you can see the status of the tunnel by color.
- Green: Healthy connection with the peer VPN equipment
- Red: Connection between peer VPN devices fails due to issues with settings or communication status.
- Gray: Waiting for connection (newly created tunnel)
- Orange: The connection to the peer VPN equipment has been stopped by clicking Stop.
- After the tunnel creation is complete, depending on the type of peer device and its settings, you may not need to click Connect to connect.
[Note]
- Under Events, you can only search the event log for the tunnel.
- Check the Log tab for logs of communication over the VPN tunnel or audit logs, such as tunnel creation and deletion.
In the Log tab, search logs created in Network Firewall.
Traffic: Search traffic logs generated by allow or block policies when passing through the Network Firewall.
Audit: Search logs for changes to Network Firewall, including policy creation and deletion.
In the Monitor tab, check the status of Network Firewall in real time. Searches are only available for up to 24 hours (1 day).
In the Options tab, set options required for operation of Network Firewall.
[Note]
- Refer to the user guide when setting up Object Storage.
- When using the Log & Crash Search service, you can use its log alarm feature to detect abnormal behavior. For example, add an ACL blocking policy for SSH communication to a specific destination in Network Firewall, and then set an alarm condition on the logs generated by that policy (for example, 20 or more SSH connection attempt logs in a one-minute period). You will receive an alarm when the condition you set is met.
[Note] The default MTU for the traffic and NAT Ethernet interfaces is 1450 bytes.
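The alarm condition described in the note above (20 or more blocked SSH attempts from one source within one minute, generated by a dedicated ACL blocking policy) is what the Log & Crash Search alarm would evaluate. The following Python example is added here and is not part of the NHN Cloud guide or the Log & Crash Search product; it implements the same sliding-window rule over constructed log lines in a made-up `key=value` format (the real Network Firewall traffic log fields are not shown on this page), so that the threshold logic can be tested offline. The policy name `deny-ssh-to-db` and all addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical; not the Network Firewall's real schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) policy=(?P<policy>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["dport"] = int(ev["dport"])
    return ev


def detect_ssh_bursts(lines, policy="deny-ssh-to-db", threshold=20, window=timedelta(minutes=1)):
    """Return one alarm (src, count, time) per source the first time it reaches
    `threshold` block events from `policy` inside a sliding `window`.

    Lines are assumed to be in time order per source (the sample builder sorts them).
    """
    recent = defaultdict(deque)  # src -> timestamps of recent matching blocks
    alarmed = set()
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "block" or ev["policy"] != policy:
            continue  # only the dedicated blocking policy's logs count
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] >= window:
            q.popleft()  # drop events older than the window
        if len(q) >= threshold and ev["src"] not in alarmed:
            alarmed.add(ev["src"])
            alarms.append((ev["src"], len(q), ev["ts"]))
    return alarms


def build_sample_log():
    """Constructed sample: one noisy source, one slow source, one unrelated allow."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(25):  # 25 blocked attempts in 48 s: should alarm at the 20th
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} action=block policy=deny-ssh-to-db src=203.0.113.7 dst=172.16.0.10 dport=22")
    for i in range(5):  # 5 attempts spread over 8 min: never 20 in one minute
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} action=block policy=deny-ssh-to-db src=198.51.100.9 dst=172.16.0.10 dport=22")
    lines.append(f"{base.strftime(TS_FMT)} action=allow policy=allow-web src=198.51.100.9 dst=172.16.0.20 dport=443")
    lines.append("garbled line that should be skipped")
    lines.sort()  # ISO-8601 timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for src, count, when in detect_ssh_bursts(build_sample_log()):
        print(f"ALARM: {count} blocked SSH attempts from {src} within 1 minute (at {when:%H:%M:%S})")
```

The deque keeps only the last minute of events per source, so memory stays bounded however long the log is, and the `alarmed` set suppresses repeated alarms for a source that keeps hammering after the first notification.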
[Note]
- Changing your configuration takes a few minutes and may impact your service until the configuration change is complete.
- It is recommended to make changes to Network Firewall, such as changing policies and NAT after configuration changes are complete.
[Precautions when deleting]
- If you are deleting a running Network Firewall, consider the other services associated with the Network Firewall before proceeding.
You can disable the Network Firewall service in Project Management > Services in Use.
[Note]
- Disabling the Network Firewall service applies to both the Pangyo and Pyeongchon regions. For example, if you enable the Network Firewall service for both the Pangyo and Pyeongchon regions of the same project, you cannot disable the Network Firewall service for only one of the two regions.
- To disable, delete Network Firewall from the Korea (Pangyo) region and Korea (Pyeongchon) region before proceeding.