What is the function of the Internet firewall?
If the Internet firewall is disabled, the traffic of public IP addresses is forwarded to internal firewalls or security groups and then to the destination ECS instances.
If the Internet firewall is enabled, the traffic of public IP addresses is redirected to the Internet firewall first, and only then forwarded to internal firewalls or security groups and on to the destination ECS instances. If you enable the Internet firewall but configure neither access control policies for Cloud Firewall nor policies for the intrusion prevention system (IPS), Cloud Firewall inspects the traffic and generates alerts for suspicious traffic but does not block any traffic.
Is network traffic affected when you enable the Internet firewall?
Enabling Internet Firewall or VPC Firewall has no impact on network traffic.
What are the impacts of disabling the Internet firewall?
The following figure shows the Internet Firewall tab.
Disabling the Internet firewall may have the following impacts:
- On the Internet Access page, some traffic analysis charts have no data. To go to this page, choose in the left-side navigation pane.
- If you have created outbound or inbound access control policies, these policies become invalid. The hits of these policies remain unchanged.
- Network traffic does not pass through Cloud Firewall, so intrusion prevention is not implemented. Even if Intrusion Prevention Mode is set to Monitoring Mode, the IPS no longer detects network traffic on the server. Traffic Control Mode is also invalid.
- The Traffic Logs tab does not display the traffic data generated after the Internet firewall is disabled. To go to this tab, choose in the left-side navigation pane, and click the Traffic Logs tab.
- Network traffic does not pass through Cloud Firewall, so traffic data cannot be captured. The Packet Capture page does not display IP packet information. To go to this page, choose Packet Capture in the left-side navigation pane. For more information, see
For information about how to enable or disable the Internet firewall, see Enable or disable Internet Firewall.
Why do I fail to enable the Internet firewall?
- A limit is imposed on the network architecture of the SLB instance.
- The assets do not have public IP addresses. If your assets are deployed only on a private SLB instance, associate an elastic IP address (EIP) with the private SLB instance to redirect the traffic to Cloud Firewall. For more information, see Associate an Elastic IP address with an SLB instance.
Which types of public IP addresses can be protected by the Internet firewall?
- EIPs of Elastic Network Interfaces (ENIs). EIPs can be associated with ECS instances of the VPC type, private SLB instances of the VPC type, ENIs, and Network Address Translation (NAT) gateways.
- Public IP addresses of ECS instances
- EIPs of SLB instances of the VPC type
- Public IP addresses of bastion hosts