Designing an Internet‑Facing Cloud Firewall: Architecture, Rules, and Future Plans
This article outlines the background, architectural design, implementation details, and future roadmap of an Internet‑edge cloud firewall built on DPDK: its physical and software structure, traffic steering, rule matching logic, and planned enhancements such as log auditing and traffic analysis.
Project Background
With the company's Virtual Private Cloud (VPC) fully launched, the basic cloud networking functions are mature, but a security product that protects cloud workloads is still missing. Traditional hardware firewalls are inflexible in deployment and policy configuration and cannot see, analyze, or protect cloud traffic. Cloud firewalls can be classified by where they sit: Internet edge, VPC edge, or NAT. This article focuses on the Internet‑edge firewall, which protects the Elastic Public IP (EIP) assets that connect users to the Internet and provides unified management of north‑south traffic between the Internet and the VPC. Managing firewall security policies gives precise access control over that north‑south traffic and meets users' security and availability needs.
Architecture Design
1. Physical Architecture
The Internet‑edge firewall sits in front of the EIP gateway. Protected traffic passes through the firewall first, where policy filtering decides whether each flow is allowed or blocked: allowed traffic is forwarded on, and traffic that matches a block rule is dropped. Unprotected traffic follows its original forwarding path, so services can enable protection on demand.
2. Software Architecture
The Internet‑edge firewall is developed on the DPDK framework and consists of a control plane and a forwarding plane. The control plane exposes APIs that automate traffic steering and rule distribution. The forwarding plane enforces the rules, accepting or dropping each packet so that illegal traffic is blocked.
Project Implementation
1. Traffic Steering and Return
The cloud firewall controls traffic between VPC internal IPs and public addresses. The traffic flow is as follows:
When a VPC instance's Elastic IP (EIP) is a public address and the FIP configuration has fw_switch enabled, the control plane automatically announces the public address to the cloud firewall.
a. When an external client accesses a VPC instance, BGP routes the traffic to the cloud firewall. After the firewall rules are matched, the packet is encapsulated in VXLAN: the outer source IP is the firewall VTEP IP and the outer destination IP is the FIP gateway VTEP IP. The FIP mapping then injects the packet into the VPC instance.
b. When a VPC instance accesses the Internet, the traffic reaches the FIP gateway. The gateway checks the fw_switch flag; if it is enabled, the traffic is steered to the cloud firewall for rule matching in the outbound direction, after which it is forwarded or blocked.
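As an added example, not code from the firewall or from 360, the following C program builds the outer IPv4/UDP/VXLAN headers that step a describes (outer source = firewall VTEP, outer destination = FIP gateway VTEP) around a constructed inner frame, and parses them back the way the receiving VTEP would. The VTEP addresses, the VNI, and the fixed UDP source port are assumptions of the example; the firewall's real DPDK path is not shown on this page.

```c
/* Added example: VXLAN encapsulation of an accepted inbound packet.
 * Outer source = firewall VTEP, outer destination = FIP gateway VTEP.
 * VTEP addresses, VNI and UDP source port are assumed values; this is
 * illustrative code written for this page, not the firewall's DPDK path. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VXLAN_PORT    4789
#define IPV4_HDR_LEN  20
#define UDP_HDR_LEN   8
#define VXLAN_HDR_LEN 8
#define OUTER_HDR_LEN (IPV4_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN)

/* RFC 1071 one's-complement checksum; returns 0 when run over a header
 * whose checksum field is already filled in. */
static uint16_t ip_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Prepend outer IPv4/UDP/VXLAN headers to an inner Ethernet frame.
 * Returns the total length written, or 0 on error (buffer too small,
 * VNI outside its 24-bit range, or an unparsable VTEP address). */
size_t vxlan_encap(uint8_t *out, size_t cap, const uint8_t *inner, size_t ilen,
                   const char *fw_vtep, const char *gw_vtep, uint32_t vni)
{
    size_t total = OUTER_HDR_LEN + ilen;
    uint8_t *ip = out, *udp = out + IPV4_HDR_LEN, *vx = udp + UDP_HDR_LEN;
    struct in_addr src, dst;

    if (cap < total || total > 0xffff || vni > 0xffffff) return 0;
    if (inet_pton(AF_INET, fw_vtep, &src) != 1 || inet_pton(AF_INET, gw_vtep, &dst) != 1) return 0;

    /* Outer IPv4: version 4, IHL 5, UDP, no fragmentation, checksum last. */
    memset(ip, 0, IPV4_HDR_LEN);
    ip[0] = 0x45;
    put16(ip + 2, (uint16_t)total);
    ip[8] = 64;                /* TTL */
    ip[9] = 17;                /* protocol: UDP */
    memcpy(ip + 12, &src, 4);  /* in_addr is already network byte order */
    memcpy(ip + 16, &dst, 4);
    put16(ip + 10, ip_checksum(ip, IPV4_HDR_LEN));

    /* Outer UDP: real stacks hash the inner flow into the source port for
     * ECMP entropy; a fixed port keeps this example deterministic. */
    put16(udp + 0, 49152);
    put16(udp + 2, VXLAN_PORT);
    put16(udp + 4, (uint16_t)(UDP_HDR_LEN + VXLAN_HDR_LEN + ilen));
    put16(udp + 6, 0);         /* zero UDP checksum is permitted for VXLAN over IPv4 */

    /* VXLAN: I flag set, 24-bit VNI, reserved bytes zero. */
    memset(vx, 0, VXLAN_HDR_LEN);
    vx[0] = 0x08;
    vx[4] = (uint8_t)(vni >> 16); vx[5] = (uint8_t)(vni >> 8); vx[6] = (uint8_t)vni;

    memcpy(out + OUTER_HDR_LEN, inner, ilen);
    return total;
}

/* Parse the outer headers as the receiving VTEP would; returns the VNI,
 * or -1 if the datagram is not well-formed VXLAN over IPv4. */
long vxlan_vni(const uint8_t *pkt, size_t len)
{
    if (len < OUTER_HDR_LEN) return -1;
    if (pkt[0] != 0x45 || pkt[9] != 17) return -1;            /* IPv4, no options, UDP */
    if (ip_checksum(pkt, IPV4_HDR_LEN) != 0) return -1;       /* header checksum */
    if (((pkt[22] << 8) | pkt[23]) != VXLAN_PORT) return -1;  /* UDP destination port */
    if (!(pkt[28] & 0x08)) return -1;                          /* VNI-valid flag */
    return ((long)pkt[32] << 16) | ((long)pkt[33] << 8) | pkt[34];
}

/* Constructed demo: a 60-byte dummy inner frame sent from the firewall VTEP
 * toward the FIP gateway VTEP; addresses are documentation-range examples. */
static uint8_t demo_pkt[256];
size_t demo_build(void)
{
    uint8_t inner[60];
    memset(inner, 0xab, sizeof inner);
    return vxlan_encap(demo_pkt, sizeof demo_pkt, inner, sizeof inner,
                       "192.0.2.10", "192.0.2.20", 0x00abcd);
}

int main(void)
{
    size_t n = demo_build();
    printf("encapsulated %zu bytes, VNI %ld\n", n, vxlan_vni(demo_pkt, n));
    return 0;
}
```

The parser rejects short datagrams, non-UDP payloads, a bad outer header checksum, the wrong destination port, and a cleared I flag before it trusts the VNI; that is the minimum a VTEP should check before mapping a received packet into a tenant VPC.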
2. Rule Matching Logic
The current v1 version of the cloud firewall provides two main functions: access control and illegal domain interception. ACL rules are matched on the packet's five‑tuple (source and destination address, protocol, source and destination port) together with the traffic direction. The policy entry data structure is listed below.
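As an added example, not the firewall's own code, the following C program implements first-match five‑tuple lookup over an ordered table of entries shaped like the dp_vs_policy_entry struct listed below. The DPDK/DPVS types it depends on (union inet_addr, __rte_cache_aligned) are replaced by local stand-ins so the file builds without DPDK; the conventions that a zero protocol or port means "any", that prefix length 0 means "any address", and that the default policy is drop are assumptions of this example, not something the page states about the firewall.

```c
/* Added example: first-match five-tuple ACL lookup over an ordered policy
 * table. Local stand-ins replace the DPDK/DPVS types; "0 = any" for
 * proto/ports and plen 0 = any address are assumptions of this example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

union inet_addr {               /* stand-in for the DPVS union */
    struct in_addr  in;
    struct in6_addr in6;
};

struct dp_vs_policy_entry {
    int rule_num;
    int af;                     /* AF_INET or AF_INET6 */
    char groupname[256];
    uint8_t src_plen, dst_plen; /* prefix lengths; 0 = any (assumption) */
    union inet_addr srcaddr, dstaddr;
    uint8_t proto;              /* 0 = any (assumption) */
    uint16_t srcport, dstport;  /* host order; 0 = any (assumption) */
    char direction[64];         /* "in" or "out" */
    char action[64];            /* "accept" or "drop" */
};

/* The five-tuple extracted from a packet plus the direction it was seen on. */
struct pkt_tuple {
    int af;
    union inet_addr src, dst;
    uint8_t proto;
    uint16_t sport, dport;
    const char *direction;
};

/* True if the first plen bits of a and b agree (4- or 16-byte addresses). */
static int prefix_match(const uint8_t *a, const uint8_t *b, uint8_t plen)
{
    uint8_t full = plen / 8, rem = plen % 8;
    if (memcmp(a, b, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xffu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

static int rule_matches(const struct dp_vs_policy_entry *r, const struct pkt_tuple *p)
{
    if (r->af != p->af || strcmp(r->direction, p->direction) != 0) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->srcport && r->srcport != p->sport) return 0;
    if (r->dstport && r->dstport != p->dport) return 0;
    return prefix_match((const uint8_t *)&r->srcaddr, (const uint8_t *)&p->src, r->src_plen)
        && prefix_match((const uint8_t *)&r->dstaddr, (const uint8_t *)&p->dst, r->dst_plen);
}

/* Walk the table in order; the first matching rule decides, otherwise the
 * default policy applies (deny by default for an Internet-facing firewall). */
const char *policy_lookup(const struct dp_vs_policy_entry *tbl, size_t n,
                          const struct pkt_tuple *p, const char *default_action)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&tbl[i], p)) return tbl[i].action;
    return default_action;
}

/* Builders for IPv4 rules and packets from dotted strings (example only). */
static struct dp_vs_policy_entry rule4(int num, const char *src, uint8_t splen,
        const char *dst, uint8_t dplen, uint8_t proto, uint16_t sport,
        uint16_t dport, const char *dir, const char *action)
{
    struct dp_vs_policy_entry r;
    memset(&r, 0, sizeof r);
    r.rule_num = num; r.af = AF_INET; r.src_plen = splen; r.dst_plen = dplen;
    inet_pton(AF_INET, src, &r.srcaddr.in);
    inet_pton(AF_INET, dst, &r.dstaddr.in);
    r.proto = proto; r.srcport = sport; r.dstport = dport;
    snprintf(r.direction, sizeof r.direction, "%s", dir);
    snprintf(r.action, sizeof r.action, "%s", action);
    return r;
}

static struct pkt_tuple pkt4(const char *src, const char *dst, uint8_t proto,
                             uint16_t sport, uint16_t dport, const char *dir)
{
    struct pkt_tuple p;
    memset(&p, 0, sizeof p);
    p.af = AF_INET;
    inet_pton(AF_INET, src, &p.src.in);
    inet_pton(AF_INET, dst, &p.dst.in);
    p.proto = proto; p.sport = sport; p.dport = dport; p.direction = dir;
    return p;
}

/* Constructed policy for one EIP (198.51.100.7): drop a noisy /24 first, then
 * allow HTTPS inbound from anywhere, let everything out. The table is static
 * so the returned action string stays valid after the call. */
const char *demo_verdict(const char *src, const char *dst, uint8_t proto,
                         uint16_t sport, uint16_t dport, const char *dir)
{
    static struct dp_vs_policy_entry tbl[3];
    tbl[0] = rule4(10, "203.0.113.0", 24, "0.0.0.0", 0, 0, 0, 0, "in", "drop");
    tbl[1] = rule4(20, "0.0.0.0", 0, "198.51.100.7", 32, 6, 0, 443, "in", "accept");
    tbl[2] = rule4(30, "0.0.0.0", 0, "0.0.0.0", 0, 0, 0, 0, "out", "accept");
    struct pkt_tuple p = pkt4(src, dst, proto, sport, dport, dir);
    return policy_lookup(tbl, 3, &p, "drop");
}
```

Rule order matters with first-match semantics: the /24 drop in rule 10 shadows the HTTPS accept in rule 20 for sources inside that prefix, and a flow that matches nothing falls through to the default verdict, so an Internet-facing table should default to drop rather than accept.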
<code>struct dp_vs_policy_entry {
    int rule_num;               /* rule number */
    int af;                     /* address family (IPv4 or IPv6) */
    char groupname[256];        /* policy group name */
    uint8_t src_plen;           /* source prefix length */
    uint8_t dst_plen;           /* destination prefix length */
    union inet_addr srcaddr;    /* source address */
    union inet_addr dstaddr;    /* destination address */
    uint8_t proto;              /* L4 protocol number */
    uint16_t srcport;           /* source port */
    uint16_t dstport;           /* destination port */
    char direction[64];         /* traffic direction (inbound/outbound) */
    char action[64];            /* verdict: allow or drop */
} __rte_cache_aligned;          /* cache-line aligned for the DPDK fast path */
</code>
Future Plans
1. The current version implements basic access control and illegal domain interception; later releases will add modules such as log auditing and traffic analysis.
2. Mainstream cloud firewalls today include Internet‑edge, NAT‑edge, and extended VPC‑edge firewalls; subsequent versions will expand the range of firewall types offered to match industry offerings.
360 Zhihui Cloud Developer
360 Zhihui Cloud is an enterprise open service platform that aims to "aggregate data value and empower an intelligent future," leveraging 360's extensive product and technology resources to deliver platform services to customers.