Cloud Firewall:FAQ about the Cloud Firewall settings

Last Updated:Jan 09, 2026

This topic answers frequently asked questions about enabling or disabling the Cloud Firewall switch. The questions cover the impact on your services and changes to routes and traffic after you enable the firewall.

What is the impact of enabling the firewall switch on my services?

The impact depends on the firewall type:

Internet firewall

When you create, enable, or disable an Internet firewall, you do not need to change your network topology. You can enable or disable protection for your resources with a single click in seconds. This has no impact on your services.

NAT firewall

  • Creating a NAT firewall or deleting it after it is disabled has no impact on your services.

    The creation time depends on the number of elastic IP addresses (EIPs) attached to the NAT Gateway. Each additional EIP increases the creation time by about 2 to 5 minutes.

  • Enabling or disabling a NAT firewall takes about 10 seconds. During this process, persistent connections may experience transient disconnections for 1 to 2 seconds. Short-lived connections are not affected.

VPC firewall for Express Connect, or for a Basic Edition transit router

  • Creating a VPC firewall or deleting it after it is disabled has no impact on your services.

    Creation takes about 5 minutes.

  • Enabling or disabling a VPC firewall takes about 5 to 30 minutes, depending on the number of route entries. During this process, persistent connections may experience transient disconnections for a few seconds. Short-lived connections are not affected.

    Note

    Before you enable the VPC firewall, check whether your application supports automatic TCP retransmission. Closely monitor the application connection status to prevent connection interruptions caused by the lack of a retransmission mechanism.

VPC firewall for Enterprise Edition transit router

Automatic traffic redirection

  • Creating a VPC firewall or deleting it after it is disabled has no impact on your services.

    Creation takes about 5 minutes.

  • Enabling or disabling a VPC firewall takes about 5 to 30 minutes, depending on the number of route entries. This has no impact on your services.

Manual traffic redirection

  • Creating a VPC firewall or deleting it after it is disabled has no impact on your services.

    Creation takes about 5 minutes.

  • The impact on your services when enabling or disabling a VPC firewall is uncertain and depends on the traffic switching method.

How do I disable Cloud Firewall?

If you determine that your services do not require Cloud Firewall protection, you can release the instance to avoid further charges.

What should I do if my service traffic exceeds the bandwidth specification supported by Cloud Firewall?

If your service traffic exceeds the traffic processing specification of the purchased Cloud Firewall, the Service-Level Agreement (SLA) is not guaranteed and degradation rules may be triggered. These include, but are not limited to: security capabilities stop working (ACL, IPS, log audit), the firewall is shut down for the assets that contribute most to the overload, and traffic is rate-limited with packet loss.

Why can't I enable Cloud Firewall with my current account?

Possible causes

When you log on to the Cloud Firewall console, a message indicates that your account cannot be used to activate Cloud Firewall. The possible causes are:

  • The current account is an Alibaba Cloud account that is managed by another Alibaba Cloud account as a member account.

  • The current account is a Resource Access Management (RAM) user that has not been granted the required permissions.

Solution

Move the pointer over the profile picture in the upper-right corner of the console to view the account type.

  • If the account is an Alibaba Cloud account that is managed as a member account:

    Log on to the Cloud Firewall console using the management account that manages this member account. Purchase Cloud Firewall and enable protection for the cloud assets of the member account. For more information, see Purchase Cloud Firewall.

  • If the account is a RAM user, use the Alibaba Cloud account to which the RAM user belongs to grant the RAM user the system policies AliyunYundunCloudFirewallReadOnlyAccess and AliyunYundunCloudFirewallFullAccess and the custom policy createSlr. For more information, see Manage RAM user permissions.

    createSlr is a custom policy that allows the RAM user to create the service-linked role that Cloud Firewall requires. Create it with the following policy document. For more information, see Create a custom policy.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:166032244439****:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cloudfw.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

    Note

    The Effect must be Allow: a Deny statement never grants a permission, it only forbids one. The format of the Resource parameter is acs:ram:*:Alibaba Cloud account ID:role/*. Replace Alibaba Cloud account ID with the ID of the Alibaba Cloud account to which the RAM user belongs. The ram:ServiceName condition limits the permission to creating the service-linked role for Cloud Firewall (cloudfw.aliyuncs.com) and nothing else.
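As an added example (not Alibaba Cloud code) of why the Effect value and the condition matter, the snippet below is a small model of RAM policy evaluation applied to the createSlr policy: an explicit Deny statement always wins, an Allow statement is required for the call to succeed, and a request that matches no statement is implicitly denied. The ram:ServiceName condition is what scopes the permission to the Cloud Firewall service-linked role only. The account ID, the service-linked role name in the test request, and the simplified evaluator (only `*` wildcards in Action and Resource and the StringEquals condition operator) are assumptions of the example.

```python
import fnmatch
import json

# Added example, not Alibaba Cloud code: a minimal model of RAM policy
# evaluation for the createSlr policy. Explicit Deny overrides Allow; with no
# matching Allow the request is implicitly denied. Only '*' wildcards in
# Action/Resource and the StringEquals condition operator are modelled.

ACCOUNT_ID = "1234567890123456"   # placeholder Alibaba Cloud account ID

# The policy in the Allow form: lets a RAM user create the service-linked role
# for Cloud Firewall (ram:ServiceName = cloudfw.aliyuncs.com) and nothing else.
ALLOW_CREATE_SLR = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateServiceLinkedRole"],
        "Resource": f"acs:ram:*:{ACCOUNT_ID}:role/*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": ["cloudfw.aliyuncs.com"]}},
    }],
}
# The same statement with Effect: Deny. It grants nothing; it can only forbid.
DENY_CREATE_SLR = json.loads(json.dumps(ALLOW_CREATE_SLR))
DENY_CREATE_SLR["Statement"][0]["Effect"] = "Deny"

# Hypothetical request: create Cloud Firewall's service-linked role in this account.
ACTION = "ram:CreateServiceLinkedRole"
SLR_ARN = f"acs:ram:*:{ACCOUNT_ID}:role/AliyunServiceRoleForCloudFW"   # assumed role name
CFW_CONTEXT = {"ram:ServiceName": "cloudfw.aliyuncs.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # '*' in Action and Resource is a wildcard; fnmatchcase does the same.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Every StringEquals key must be present in the request context with an allowed value.
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True


def _statement_applies(stmt, action, resource, context):
    return (_matches_any(stmt["Action"], action)
            and _matches_any(stmt["Resource"], resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Return (decision, reason) for one request across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", "explicit deny"      # Deny wins regardless of any Allow
            allowed = True
    return ("Allow", "explicit allow") if allowed else ("Deny", "implicit deny")


def demo():
    """Outcomes for the Allow form, the Deny form, and both attached together."""
    return {
        "allow_form_cfw": evaluate([ALLOW_CREATE_SLR], ACTION, SLR_ARN, CFW_CONTEXT),
        "allow_form_other_service": evaluate([ALLOW_CREATE_SLR], ACTION, SLR_ARN,
                                             {"ram:ServiceName": "ecs.aliyuncs.com"}),
        "allow_form_other_account": evaluate([ALLOW_CREATE_SLR], ACTION,
                                             "acs:ram:*:9999999999999999:role/AliyunServiceRoleForCloudFW",
                                             CFW_CONTEXT),
        "deny_form_cfw": evaluate([DENY_CREATE_SLR], ACTION, SLR_ARN, CFW_CONTEXT),
        "both_attached": evaluate([ALLOW_CREATE_SLR, DENY_CREATE_SLR], ACTION, SLR_ARN, CFW_CONTEXT),
    }
```

Running `demo()` shows the point in one table: only the Allow form with the Cloud Firewall service name succeeds; the same request for another service or another account is implicitly denied, and the Deny form produces an explicit deny that also overrides the Allow when both are attached.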

Causes and solutions for Cloud Firewall activation failures

The following error messages can appear when you enable a VPC firewall, with the solution for each.

Error message: The Cloud Enterprise Network (CEN) instance contains a VPC that belongs to another account, the VPC has not been granted the required permissions, or your Cloud Firewall is not the Ultimate Edition.

Solution: Log on to the Cloud Firewall console with the account that owns the VPC, grant the required permissions, and then enable the VPC firewall. For more information about how to grant permissions, see Grant permissions to Cloud Firewall. To upgrade to Cloud Firewall Ultimate Edition, see Renewal policy.

Error message: The CEN instance for which you want to enable the firewall contains a VPC that is connected to an Express Connect circuit and already has a firewall enabled.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: The CEN instance contains a VPC in a region that is not supported by the VPC firewall.

Solution: The VPC firewall is available only in specific regions. For more information, see Supported regions.

Error message: A firewall in manual mode already exists in the same region within the CEN instance.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: The CEN instance has only one network instance or does not contain a VPC.

Solution: A VPC firewall cannot be created if the CEN instance contains no VPCs or only one VPC. Add more VPCs to the CEN instance and try again.

Error message: The number of VPCs for which a firewall can be enabled in the same region has reached the upper limit.

Solution: Use a CEN transit router. For more information, submit a ticket to contact a product technical expert for assistance.

Error message: The root account of a cross-account VPC in the CEN instance has not purchased Cloud Firewall.

Solution: Use the root account to purchase Cloud Firewall.

Error message: The number of custom routes for the VPC-connected instance has reached the upper limit.

Solution: In the VPC console, go to O&M and Monitoring > Quota Management and increase the custom route quota for VPC route tables in your account.

Error message: The VPC firewall quota is full.

Solution: Increase your VPC firewall quota.

Error message: Duplicate CIDR block configuration. Currently, only VBR-to-VBR CIDR block duplication is allowed. VPC-to-VPC and VPC-to-VBR duplication is not allowed.

Solution: Check the network instances in the CEN instance for duplicate CIDR blocks. If the conflict cannot be removed, submit a ticket to contact a product technical expert for assistance.

Error message: The routing policy priority quota is insufficient.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: The CEN instance contains a deny routing policy (excluding the default deny routing policy with a priority of 5000).

Solution: Delete the relevant routing policy, or submit a ticket to contact a product technical expert for assistance.

Error message: The number of VPCs in the region has reached the region's VPC quota minus one. The VPC firewall itself occupies one VPC from the quota.

Solution: If the quota is full, go to the VPC console and increase the VPC quota on the Quota Management page. If the VPC quota cannot be modified, submit a ticket to contact a product technical expert for assistance.

Error message: The CEN instance advertises a public CIDR block other than 0.0.0.0/0. This is rejected to prevent one-way access to SLB from triggering a disconnection.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: A route pointing to a border router (BR) is configured.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: A VPC in the CEN instance has a custom route table that is associated with a vSwitch.

Solution: Delete the custom route table or disassociate the vSwitch from the custom route table.

Error message: The number of routes after enabling the CEN firewall will exceed the upper limit.

Solution: Reduce the number of advertised routes to 100 or fewer, or upgrade to the CEN-TR architecture. If needed, submit a ticket to contact a product technical expert for assistance.

Error message: The region where the transit router is located is not supported.

Solution: The transit router in the CEN instance is in a region that is not supported by the VPC firewall. For more information, see Supported regions.

Error message: The transit router contains a VPN connection.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: The transit router route table contains a prefix list.

Solution: Advertise routes in the VPC instead of using a prefix list.

Error message: The transit router route table contains a blackhole route.

Solution: Submit a ticket to contact a product technical expert for assistance.

Error message: The transit router route table contains a static route.

Solution: Advertise routes in the VPC instead of using a static route.

Error message: The transit router route table contains a route conflict.

Solution: Check whether a deny route exists in the routing configuration.

Error message: The transit router route table contains a system routing policy conflict.

Solution: Check whether the matching conditions for the source instance type and target instance type of the system routing policy with priority 5000 include CCN, VBR, VPN, or ECR. If not, submit a ticket to contact a product technical expert for assistance.

Error message: The transit router route table contains an IPv6 route.

Solution: The VPC firewall does not support IPv6 routes on the transit router route table.

Error message: The VPC firewall is not enabled for the pay-as-you-go Cloud Firewall instance.

Solution: Go to the Cloud Firewall console to enable the VPC firewall. For more information, see Pay-as-you-go 2.0.

Error message: The current Cloud Firewall edition does not support the VPC firewall.

Solution: Upgrade your Cloud Firewall edition. For more information, see Upgrade and downgrade.

Error message: VPC firewall asset synchronization is not complete.

Solution: Go to the Cloud Firewall console. In the navigation pane on the left, choose Firewall Settings > VPC Firewall. Click Sync Asset and wait 5 to 10 minutes.

What does the Internet firewall do?

The Internet firewall protects various public assets, such as public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of SLB instances, and EIPs. After you enable the Internet firewall, traffic to and from your assets at the Internet border is forwarded to Cloud Firewall. Cloud Firewall inspects and filters the traffic, allowing only traffic that meets the specified conditions to pass. For more information, see Internet firewall.

Does the Internet firewall protect IPv6 assets?

Yes. As of January 8, 2025, Cloud Firewall fully supports protection for IPv6 addresses.

For more information about the assets that the Internet firewall can protect, see Protection scope.

Does the Internet firewall affect network traffic?

If you enable the Internet firewall without configuring access control or intrusion prevention policies, Cloud Firewall only inspects traffic and generates alerts. It does not block traffic.

After you purchase Cloud Firewall, the Internet firewall is enabled for all assets by default.

What is the impact of disabling the Internet firewall?

If you disable the Internet firewall, traffic no longer passes through it. This has the following impacts:

  • The protection capabilities of the Internet firewall become ineffective. This includes access control policies and intrusion prevention for inbound and outbound traffic at the Internet border.

  • Internet border traffic statistics are not updated. This includes network traffic analysis reports and traffic logs.

Why do I see an SLB network restriction message when I enable the Internet firewall?

Possible cause

When you enable the Internet firewall, the console displays the message Due to SLB network restrictions, firewall protection cannot be enabled for the network where this IP is located. This may be because the SLB asset has only a private IP address and does not support Cloud Firewall protection.

Solution

For assets that have only a private IP address, you can attach an EIP to redirect traffic to Cloud Firewall for protection. For more information, see Associate and manage EIPs for private-facing CLB instances.

Why are some of my public IP assets not displayed after I sync assets in the Free Edition?

The Free Edition of Cloud Firewall syncs only EIP assets. New assets are synced to Cloud Firewall on the following day (T+1). It cannot sync public IP addresses of ECS instances or SLB instances.

Does enabling the VPC firewall affect ECS security group rules?

No, it does not.

After you enable the VPC firewall, Cloud Firewall automatically creates a security group named `Cloud_Firewall_Security_Group` and corresponding allow policies to permit traffic to pass through to the VPC firewall. The `Cloud_Firewall_Security_Group` security group controls traffic only within that VPC. The ECS security group rules that you created previously remain effective and are not affected. Therefore, you do not need to migrate or modify your ECS security group rules.

Why do I see a message about an unauthorized network instance when I create a VPC firewall?

Possible cause

The CEN instance contains a VPC that belongs to another Alibaba Cloud account, and that account has not granted Cloud Firewall the required permissions to access cloud resources.

Solution

Log on to the Cloud Firewall console with the unauthorized Alibaba Cloud account and grant the required permissions to the Cloud Firewall service role as prompted. For more information, see Grant permissions to Cloud Firewall.

Why is a deny routing policy added after I enable a VPC firewall for a Basic Edition transit router?

After you enable a VPC firewall for a VPC (for example, `VPC-test`) connected through a Basic Edition transit router, Cloud Firewall creates a VPC named `Cloud_Firewall_VPC` under that transit router. It also advertises a static route to redirect traffic from other VPCs (without a firewall enabled) under the same transit router to Cloud Firewall.

At the same time, Cloud Firewall adds a static route in `VPC-test` that points to the Cloud Firewall ENI to redirect outbound traffic from `VPC-test` to Cloud Firewall. It also creates a deny routing policy to prevent `VPC-test` from learning routes advertised by the CEN instance.

Important

Do not modify or delete the routing policy and route table. Otherwise, Cloud Firewall traffic redirection is affected, which causes service traffic interruptions.

Why does the NAT firewall need to create a route table and add a 0.0.0.0/0 static route?

After you enable a NAT firewall, Cloud Firewall automatically creates a custom route table named `Cloud_Firewall_ROUTE_TABLE` and adds a `0.0.0.0/0` route that points to the NAT Gateway. It also modifies the `0.0.0.0/0` route entry in the system route table to set its next hop to the Cloud Firewall ENI. This redirects outbound traffic from the NAT Gateway to Cloud Firewall.

Important

Do not modify or delete the route table and route entry. Otherwise, Cloud Firewall traffic redirection is affected, which causes service traffic interruptions.

If I enable the Internet, NAT, and DNS firewalls at the same time, how is outbound traffic matched?

If you enable the Internet, NAT, and DNS firewalls at the same time, when an ECS instance initiates a domain name access request (outbound traffic), the traffic is matched as follows:

  1. The ECS instance initiates a DNS resolution request. The request passes through the DNS firewall and is matched against the access control policies of the DNS firewall.

  2. The private network traffic initiated by the ECS instance passes through the NAT firewall and is matched against the access control policies of the NAT firewall.

  3. Allowed private network traffic passes through the NAT Gateway, which translates the private source IP address into a public IP address of the NAT Gateway.

  4. The NAT Gateway sends the public network traffic to the Internet firewall, where it is matched against the access control policies of the Internet firewall.

  5. The traffic is matched against the threat intelligence, basic defense, intelligent defense, and virtual patching rules of Cloud Firewall.

If the traffic does not hit any deny policy during this process, the domain name is successfully accessed. If the traffic hits any deny policy, the traffic is denied, and the domain name cannot be accessed.


Why can I still use telnet commands to access resources after I configure an access control policy for the NAT firewall?

An EIP is bound to an SNAT entry and has a NAT firewall enabled. An access control policy is configured to allow an ECS instance to access a specific domain name only through the TCP protocol using HTTP or HTTPS. However, the ECS instance can still use telnet commands to access other domain names.

  • Cause: A telnet session carries no application-layer protocol features, such as an HTTP request line or a TLS handshake, so Cloud Firewall cannot identify the application through Deep Packet Inspection (DPI). The application is displayed as `Unknown` and does not match the HTTP or HTTPS policy. In loose mode, when traffic is matched against application or domain name policies, Cloud Firewall allows traffic whose application or domain name cannot be identified. If you want such traffic to continue matching against subsequent policies instead, enable strict mode.

    Important

    Strict mode is a global configuration. Enabling it affects the matching logic for all traffic. Proceed with caution based on your service requirements.

  • Solution: Do not use telnet for testing. Use the curl command instead, which sends a real HTTP or HTTPS request that DPI can identify.
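The following is an added example, not Cloud Firewall code, that models the behaviour described above: the first payload bytes of a flow are classified the way a DPI engine would classify them, and the flow is then walked through application/domain rules in loose or strict mode. The rule format, the constructed "first payload" samples (an empty telnet payload, two curl requests) and the classifier's coverage (HTTP request line, TLS ClientHello record header, otherwise Unknown) are assumptions of the example; the real engine's rule semantics are only approximated.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not Cloud Firewall code. The first payload of a flow is
# classified as a DPI engine would, then matched against application/domain
# rules in loose or strict mode. Rule format, payload samples and classifier
# coverage (HTTP request line, TLS ClientHello, else Unknown) are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def identify_app(first_payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (application, destination domain) or ('Unknown', None)."""
    request_line = first_payload.split(b"\r\n", 1)[0]
    if first_payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        host = None
        for line in first_payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace").split(":")[0]
        return "HTTP", host
    # TLS record header: handshake (0x16), version 0x03xx, handshake type ClientHello (0x01).
    if len(first_payload) > 5 and first_payload[0] == 0x16 and first_payload[1] == 0x03 \
            and first_payload[5] == 0x01:
        return "HTTPS", None   # a real engine would parse the SNI extension for the domain
    return "Unknown", None


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    apps: Optional[Tuple[str, ...]] = None   # None: any application
    domain: Optional[str] = None             # None: any destination

    def needs_identification(self) -> bool:
        return self.apps is not None or self.domain is not None

    def matches(self, app: str, domain: Optional[str]) -> bool:
        return (self.apps is None or app in self.apps) and (self.domain is None or domain == self.domain)


def match(rules, first_payload: bytes, strict: bool):
    """Walk the rules in order and return (action, reason)."""
    app, domain = identify_app(first_payload)
    for rule in rules:
        if rule.needs_identification():
            unidentified = app == "Unknown" or (rule.domain is not None and domain is None)
            if unidentified and not strict:
                return "allow", f"loose mode: unidentified traffic allowed at rule {rule.name!r}"
            if unidentified:
                continue   # strict mode: this rule cannot be matched; keep walking
        if rule.matches(app, domain):
            return rule.action, f"matched rule {rule.name!r} (app={app}, domain={domain})"
    return "allow", "no rule matched"


# Constructed rule set: the ACL from the question plus a final deny-all.
RULES = [
    Rule("allow-web-to-example", "allow", apps=("HTTP", "HTTPS"), domain="www.example.com"),
    Rule("deny-all", "deny"),
]
# Constructed first payloads. telnet to port 80 sends no application data until
# you type, so the DPI engine sees nothing it can classify.
TELNET_FIRST_PAYLOAD = b""
CURL_TO_EXAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n"
CURL_TO_OTHER = b"GET / HTTP/1.1\r\nHost: other.example.net\r\nUser-Agent: curl/8.5.0\r\nAccept: */*\r\n\r\n"


def demo():
    """Verdicts for the telnet test in both modes and for curl to an allowed and a denied host."""
    return {
        "telnet_loose": match(RULES, TELNET_FIRST_PAYLOAD, strict=False)[0],
        "telnet_strict": match(RULES, TELNET_FIRST_PAYLOAD, strict=True)[0],
        "curl_example_loose": match(RULES, CURL_TO_EXAMPLE, strict=False)[0],
        "curl_other_loose": match(RULES, CURL_TO_OTHER, strict=False)[0],
    }
```

`demo()` reproduces the symptom: the telnet flow is allowed in loose mode because it is unidentified at the first app/domain rule, while in strict mode it falls through to the deny-all rule; the curl request to the allowed domain matches the allow rule in either mode, and curl to another domain is denied because DPI identified it and it matched no allow rule.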

Why does some traffic from a transit router (TR) bypass the NAT firewall?

This problem usually occurs when you associate the VPC connection of a TR with the dedicated vSwitch automatically created by the NAT firewall.

How it works:

The NAT firewall relies on specific route configurations to control traffic. In a standard configuration, the process is as follows:

  1. Service traffic redirection: The route table of the service vSwitch in the VPC sets the next hop for routes to the Internet to the NAT firewall. This ensures that traffic first undergoes security inspection.

  2. Firewall traffic forwarding: After the NAT firewall completes the inspection, the route table of the dedicated vSwitch where the firewall resides sets the next hop to the NAT Gateway to access the Internet.

Impact of incorrect configuration

If you attach the TR connection point to the dedicated vSwitch of the NAT firewall, public traffic from the TR directly enters this vSwitch. The traffic then matches the route entry whose next hop is set to the NAT Gateway, bypassing the NAT firewall's security inspection. As a result, some traffic is uncontrolled.

Recommended configuration

To ensure that all public traffic is processed by the NAT firewall, follow these best practices:

  • vSwitch isolation: Do not use the dedicated vSwitch of the NAT firewall for other purposes, including as a connection point for a TR.

  • Independent planning: Allocate a separate vSwitch for the TR's VPC connection.

  • Route verification: Confirm that all relevant route tables, including the one associated with the vSwitch used by the TR connection, are correctly configured. The next hop for the public routes to be controlled must point to the NAT firewall.
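The route verification step above, and the warning earlier on this page not to modify `Cloud_Firewall_ROUTE_TABLE` or the system route table's `0.0.0.0/0` entry, can be checked mechanically. The following is an added example (not Cloud Firewall code) that audits a snapshot of a VPC's route tables for both invariants: the system route table's default route must point at the Cloud Firewall ENI, `Cloud_Firewall_ROUTE_TABLE` on the firewall's dedicated vSwitch must point at the NAT Gateway, no TR VPC connection may use that dedicated vSwitch, and every TR attachment vSwitch must resolve to a route table whose default route goes through the firewall. The snapshot format, field names and all resource IDs are constructed for the example, not real API output, and only the `0.0.0.0/0` route is checked; more specific public routes would need the same test.

```python
import copy

# Added example, not Cloud Firewall code. Audits a constructed VPC route-table
# snapshot for the NAT firewall redirection invariants. Field names and IDs are
# assumptions; adapt them to the fields your own inventory export provides.

FW_ENI = "eni-cfw-redirect"         # NAT firewall ENI (assumed ID)
FW_VSWITCH = "vsw-cfw-dedicated"    # vSwitch created for the NAT firewall (assumed ID)
NAT_GW = "ngw-internet"             # NAT Gateway (assumed ID)
CFW_TABLE = "Cloud_Firewall_ROUTE_TABLE"

HEALTHY = {
    "route_tables": [
        {"id": "vtb-system", "type": "System", "name": "", "vswitches": ["vsw-app-a", "vsw-app-b"],
         "entries": [{"dst": "0.0.0.0/0", "next_hop_type": "NetworkInterface", "next_hop": FW_ENI}]},
        {"id": "vtb-cfw", "type": "Custom", "name": CFW_TABLE, "vswitches": [FW_VSWITCH],
         "entries": [{"dst": "0.0.0.0/0", "next_hop_type": "NatGateway", "next_hop": NAT_GW}]},
    ],
    # vSwitches used by the TR's VPC connection. This one is not associated with a
    # custom table, so it falls back to the system route table.
    "tr_vswitches": ["vsw-tr-attach"],
}


def default_route(table):
    return next((e for e in table["entries"] if e["dst"] == "0.0.0.0/0"), None)


def table_for_vswitch(vpc, vsw):
    """A vSwitch uses the custom table it is associated with, otherwise the system table."""
    for table in vpc["route_tables"]:
        if vsw in table["vswitches"]:
            return table
    return next(t for t in vpc["route_tables"] if t["type"] == "System")


def audit(vpc):
    """Return a list of findings; an empty list means the redirection chain is intact."""
    findings = []
    system = next(t for t in vpc["route_tables"] if t["type"] == "System")
    route = default_route(system)
    if route is None or route["next_hop"] != FW_ENI:
        findings.append("system route table: 0.0.0.0/0 no longer points at the Cloud Firewall ENI")
    cfw = next((t for t in vpc["route_tables"] if t["name"] == CFW_TABLE), None)
    if cfw is None:
        findings.append(f"{CFW_TABLE} is missing")
    else:
        route = default_route(cfw)
        if route is None or route["next_hop_type"] != "NatGateway" or route["next_hop"] != NAT_GW:
            findings.append(f"{CFW_TABLE}: 0.0.0.0/0 does not point at the NAT Gateway")
        if FW_VSWITCH not in cfw["vswitches"]:
            findings.append(f"{CFW_TABLE} is not associated with the firewall vSwitch {FW_VSWITCH}")
    for vsw in vpc["tr_vswitches"]:
        if vsw == FW_VSWITCH:
            findings.append(f"TR VPC connection uses the firewall vSwitch {vsw}: "
                            "TR traffic reaches the NAT Gateway without inspection")
            continue
        table = table_for_vswitch(vpc, vsw)
        route = default_route(table)
        if route is None or route["next_hop"] != FW_ENI:
            findings.append(f"TR vSwitch {vsw} uses {table['id']}, whose 0.0.0.0/0 bypasses the NAT firewall")
    return findings


def tr_on_firewall_vswitch():
    """The misconfiguration from the question: the TR connection attached to the firewall vSwitch."""
    vpc = copy.deepcopy(HEALTHY)
    vpc["tr_vswitches"] = [FW_VSWITCH]
    return audit(vpc)


def system_route_reset():
    """Someone 'fixed' the system route table so 0.0.0.0/0 points straight at the NAT Gateway."""
    vpc = copy.deepcopy(HEALTHY)
    vpc["route_tables"][0]["entries"][0] = {"dst": "0.0.0.0/0", "next_hop_type": "NatGateway",
                                            "next_hop": NAT_GW}
    return audit(vpc)
```

`audit(HEALTHY)` returns no findings. `tr_on_firewall_vswitch()` reports the bypass described in this question, and `system_route_reset()` reports both that the system default route no longer goes through the firewall and that the TR attachment vSwitch, which inherits that table, bypasses the firewall as well. Running such a check on a schedule is a cheap way to catch the route edits the Important notes warn against.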


How to efficiently enable and configure Cloud Firewall Internet Border access control policies?

As enterprises move more of their architecture to the cloud, service architectures become more complex and their security borders less clearly defined. Cloud Firewall lets you build network border protection on the cloud, but if you have many public IP addresses, configuring access control policies by hand is laborious.

Cloud Firewall provides AI-powered intelligent policies. These policies can automatically learn traffic patterns from the last 30 days, including how your cloud IP assets and services are accessed and how they make outbound connections. Cloud Firewall then suggests suitable access control policies for the Internet border for each destination IP address or domain name. This helps reduce the exposure of your assets on the Internet, block malicious IP addresses and domain names for outbound traffic, and lower the risk of service intrusion.

For more information about how to apply intelligent access control policies for the Internet firewall, see Configure access control policies for the Internet firewall.

What are the differences between the old and new versions of the VPC firewall created with automatic traffic redirection for an Enterprise Edition TR?

Cloud Firewall has adjusted some features of the VPC firewall for Enterprise Edition Cloud Enterprise Network (CEN) transit routers (TRs). For firewalls created with automatic traffic redirection, the ownership of the firewall VPC has been changed from the user's account to a managed cloud service account. The main differences are as follows:

  1. Firewall VPC ownership: In the new version, the firewall VPC no longer belongs to your account but to a Cloud Firewall backend account. You cannot view or modify the resources and configurations of the firewall VPC. It also does not occupy your VPC region quota.

  2. Billing method: In the old VPC firewall architecture, in addition to the data transfer fee between the transit router and the service VPC, a data transfer fee was also incurred between the transit router and the firewall VPC. This fee was paid by the user. In the new version, the firewall VPC belongs to Cloud Firewall, and the data transfer fee between the transit router and the firewall VPC is paid by Cloud Firewall. You no longer need to pay this fee.

  3. Enabling the VPC firewall: When you create a VPC firewall, you no longer need to enter three vSwitch CIDR blocks. You need to enter only one CIDR block with a prefix length of /27 or shorter (at least 32 addresses) that does not conflict with your network planning. This CIDR block is allocated to the vSwitch required during the firewall creation process. For more information about how to configure an Enterprise Edition VPC firewall, see Configure a VPC firewall for an Enterprise Edition transit router.

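The CIDR block requirement in item 3 (prefix length /27 or shorter, no conflict with your existing planning) is easy to get wrong by hand, and a conflict is one of the activation failures listed earlier on this page. The following is an added example, not Cloud Firewall code, that validates a candidate block against those two rules and picks the first free /27 from a pool. The existing CIDR blocks are constructed samples standing in for the VPC and vSwitch blocks you already use.

```python
import ipaddress

# Added example, not Cloud Firewall code. Checks a candidate CIDR block for the
# firewall vSwitch (prefix length /27 or shorter, no overlap with existing
# blocks) and finds a free /27 in a given pool. EXISTING_CIDRS is constructed.

EXISTING_CIDRS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/26"]   # constructed VPC/vSwitch blocks


def validate_firewall_cidr(candidate, existing=EXISTING_CIDRS, max_prefixlen=27):
    """Return a list of problems; an empty list means the block is usable."""
    problems = []
    try:
        net = ipaddress.ip_network(candidate, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{candidate!r} is not a valid network: {exc}"]
    if net.prefixlen > max_prefixlen:
        problems.append(f"{net} is smaller than /{max_prefixlen} (prefix length {net.prefixlen})")
    for cidr in existing:
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing block {other}")
    return problems


def first_free_cidr(pool, existing=EXISTING_CIDRS, prefixlen=27):
    """Return the first /prefixlen block in `pool` that overlaps nothing in `existing`, or None."""
    used = [ipaddress.ip_network(c) for c in existing]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(block.overlaps(u) for u in used):
            return str(block)
    return None
```

With the sample blocks, `validate_firewall_cidr("10.0.3.0/28")` is rejected as too small, `"10.0.1.128/27"` is rejected for overlapping `10.0.1.0/24`, and `first_free_cidr("10.0.0.0/22")` returns `10.0.2.64/27`, the first /27 after the `10.0.2.0/26` block already in use.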

Steps to enable the new version of the VPC firewall for an Enterprise Edition TR

Important

Requirements: Only automatic traffic redirection is supported. Your Cloud Firewall instance must be pay-as-you-go or a subscription instance with the pay-as-you-go for elastic traffic feature enabled.

  • If you have not created a VPC firewall: First, enable pay-as-you-go for elastic traffic (pay-as-you-go customers can skip this step), and then create the VPC firewall.

    Warning

    You must follow this order strictly.

  • If you have already created a VPC firewall:

    • Delete the traffic redirection scenario and the existing VPC firewall.

    • Enable pay-as-you-go for elastic traffic (pay-as-you-go customers can skip this step).

    • Recreate the VPC firewall and the traffic redirection scenario.

  • For more information about how to enable pay-as-you-go for elastic traffic, see Pay-as-you-go for elastic traffic of subscription instances.

Does using the VPC firewall add latency?

Yes, it does.

Latency increases by 4 ms to 8 ms for traffic between different availability zones (AZs) in the same region. Latency increases by 2 ms to 3 ms for traffic within the same AZ.