
Cloud Firewall: Pre-sales FAQ

Last Updated: Apr 12, 2024

This topic provides answers to some frequently asked questions about Cloud Firewall.

Why do I need to assign the service-linked role AliyunServiceRoleForCloudFW to Cloud Firewall?

You must authorize Cloud Firewall to access the cloud resources that belong to the current Alibaba Cloud account before you can perform the following operations: view the requests and responses of cloud assets, view the access information between the cloud assets over an internal network, and configure access control policies based on the statistics that are displayed in the Cloud Firewall console. The cloud resources include Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), and Server Load Balancer (SLB) instances.

You can authorize Cloud Firewall to access cloud resources only if you use an Alibaba Cloud account or a Resource Access Management (RAM) user that has the AliyunRAMFullAccess permission. For more information, see Authorize Cloud Firewall to access other cloud resources.

How do I release Cloud Firewall that uses the pay-as-you-go billing method?

Log on to the Cloud Firewall console. In the upper-right corner of the Overview page, click Self-service Release. For more information, see Release Cloud Firewall.

Why are fees still deducted after I release Cloud Firewall that uses the pay-as-you-go billing method?

The billing cycle of Cloud Firewall that uses the pay-as-you-go billing method is one day. Bills are generated and daily fees are deducted from your account balance at 18:00 on the next day. Therefore, if you release Cloud Firewall that uses the pay-as-you-go billing method on the current day, the bill for that day is still generated and deducted on the next day. For more information, see Pay-as-you-go.

How do I view the usage details of Cloud Firewall that uses the pay-as-you-go billing method?

Log on to the Cloud Firewall console. On the Settings > Bill Management page, view the usage details of Cloud Firewall that uses the pay-as-you-go billing method. For more information, see View the usage details.

How am I charged for Cloud Firewall that uses the pay-as-you-go billing method?

You are charged for Cloud Firewall that uses the pay-as-you-go billing method based on your resource usage. The billing cycle is one day. Bills are generated and daily fees are deducted from your account balance at 18:00 on the next day. The daily fee of Cloud Firewall that uses the pay-as-you-go billing method is calculated by using the following formula: Daily fee = Daily configuration fee of public IP addresses + Daily traffic processing fee. For more information, see Pay-as-you-go.

If you purchase a pay-as-you-go savings plan, you can use the pay-as-you-go savings plan to offset fees for Cloud Firewall. For more information, see Pay-as-you-go savings plans.

How do I change the billing method of Cloud Firewall from subscription to pay-as-you-go and what are the impacts?

You cannot directly change the billing method of Cloud Firewall from subscription to pay-as-you-go. If you want to change the billing method of Cloud Firewall from subscription to pay-as-you-go, you can release Cloud Firewall that uses the subscription billing method, and then purchase Cloud Firewall that uses the pay-as-you-go billing method.

For more information about how to change the billing method and release Cloud Firewall that uses the subscription billing method, see Change the billing method from subscription to pay-as-you-go.

How do I change the billing method of Cloud Firewall from pay-as-you-go to subscription and what are the impacts?

You can change the billing method of Cloud Firewall from pay-as-you-go to subscription based on your business requirements. For more information, see Upgrade and downgrade Cloud Firewall.

What is a pay-as-you-go savings plan and how do I use it?

A savings plan is a discount plan that provides savings over pay-as-you-go rates in exchange for a commitment to use a consistent amount of resources for a specific period of time. You can obtain a greater discount and reduce more costs when you purchase a pay-as-you-go savings plan with a larger committed consumption amount. For more information, see Pay-as-you-go savings plans.

What are the differences between Cloud Firewall that uses the pay-as-you-go billing method and Cloud Firewall that uses the subscription billing method?

Can Cloud Firewall protect Layer 2 EIPs?

Yes, Cloud Firewall can protect Layer 2 elastic IP addresses (EIPs). For more information about the protection scope of Cloud Firewall, see What is Cloud Firewall?

Does Cloud Firewall support the classic network?

Cloud Firewall can protect ECS instances and specific SLB instances that use public IP addresses and reside in the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.

Can Cloud Firewall protect Internet-facing SLB instances?

Alibaba Cloud provides Internet-facing and internal-facing SLB instances. Some Internet-facing SLB instances cannot be protected by Cloud Firewall due to network architecture limits. In this case, we recommend that you deploy internal-facing SLB instances and associate EIPs with the SLB instances.

After you enable a firewall for an internal-facing SLB instance that is associated with an EIP, traffic first passes through the firewall, then through a Destination Network Address Translation (DNAT) gateway that is associated with the EIP, and finally reaches the SLB instance.

Can Cloud Firewall protect traffic on Express Connect or CEN?

Yes, Cloud Firewall can protect traffic on Express Connect and Cloud Enterprise Network (CEN). Take note of the following items:

  • Cloud Firewall can protect traffic between VPCs that are connected by using an Express Connect circuit and reside in the same region. Cloud Firewall cannot protect traffic between a VPC and a Virtual Border Router (VBR) that are connected by using an Express Connect circuit.

  • Cloud Firewall can protect traffic between two CEN-connected VPCs, and between a VPC and a VBR that are connected by using a CEN instance.

Note

If you want to use Cloud Firewall to protect traffic between VPCs or between a VPC and a VBR across regions, you must migrate the VPCs from a peering connection in Express Connect to a CEN instance. For more information, see Migrate a VPC from a peering connection to a CEN instance.

Can Cloud Firewall defend against APT attacks?

Yes, the built-in threat intelligence feature of Cloud Firewall can be used to defend against advanced persistent threat (APT) attacks.

Can the Internet firewall protect traffic that is destined for a public VPN gateway?

No, the Internet firewall cannot protect traffic that is destined for a public VPN gateway. If you access a public VPN gateway over the Internet, the access traffic is encrypted by the VPN gateway, and the Internet firewall cannot identify and protect the encrypted traffic.

Can VPC Firewall protect traffic that is destined for a VPC by using an IPsec-VPN connection?

The answer depends on your network deployment. The following scenarios apply:

1. If your IPsec-VPN connection is associated with a Cloud Enterprise Network transit router and the IPsec-VPN connection is connected to a business VPC, VPC Firewall can protect traffic that is destined for the VPC by using the IPsec-VPN connection.

The following figure provides an example in which VPC Firewall protects the traffic between an office network and a business VPC.

[Figure: an office network connected over an IPsec-VPN connection to a CEN transit router, with VPC Firewall protecting traffic to the business VPC]

2. If your IPsec-VPN connection is deployed in a business VPC by associating the connection with a VPN gateway and your service involves cross-VPC traffic, such as traffic between VPCs that are connected by using CEN or VPC peering, VPC Firewall can protect the cross-VPC traffic that is destined for the other VPCs over the IPsec-VPN connection.

The following figure provides an example. VPC Firewall cannot protect the traffic from the office network to the VPC in which the IPsec-VPN connection is deployed. However, VPC Firewall protects the traffic from the office network to other business VPCs that are connected to the VPC in which the IPsec-VPN connection is deployed.

[Figure: an office network connected over an IPsec-VPN connection to a VPN gateway in one business VPC; only traffic that crosses to the other connected business VPCs passes through VPC Firewall]

If you need to protect all traffic that is destined for business VPCs over the IPsec-VPN connection, you can modify your network deployment and deploy the IPsec-VPN connection in a separate VPC. This way, Cloud Firewall can protect the traffic from the VPC in which the IPsec-VPN connection is deployed to every other business VPC.

3. If your IPsec-VPN connection is deployed in a business VPC by associating the connection with a VPN gateway and your service does not involve cross-VPC traffic, VPC Firewall cannot protect traffic that is destined for the VPC over the IPsec-VPN connection.

The following figure provides an example. VPC Firewall cannot protect the traffic between the office network and the business VPC.

[Figure: an office network connected over an IPsec-VPN connection to a VPN gateway in a single business VPC with no cross-VPC traffic; no traffic passes through VPC Firewall]
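The three scenarios above follow from one rule: VPC Firewall sits on inter-VPC boundaries (transit router attachments, CEN and peering links), so office traffic is inspected only if it crosses such a boundary after leaving the IPsec tunnel. The following added example (not part of the original topic) models that rule and derives the outcome for all three scenarios plus the remediation of moving the IPsec-VPN connection into a separate VPC; the VPC names and topologies are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

OFFICE = "office"
TRANSIT_ROUTER = "transit_router"


@dataclass
class Topology:
    """Constructed model of where an IPsec-VPN connection lands and how VPCs interconnect."""
    vpcs: set[str]
    # TRANSIT_ROUTER (scenario 1) or the name of the business VPC that hosts the VPN gateway
    # to which the IPsec-VPN connection is associated (scenarios 2 and 3).
    ipsec_termination: str
    # Inter-VPC connections (CEN or VPC peering) on which VPC Firewall can be enabled.
    links: set[frozenset[str]] = field(default_factory=set)


def path_from_office(topo: Topology, dest: str) -> list[str] | None:
    """Hop list from the office network to dest, or None if dest is unreachable."""
    if dest not in topo.vpcs:
        return None
    if topo.ipsec_termination == TRANSIT_ROUTER:
        # The tunnel lands on the transit router; every attached VPC is one hop away.
        return [OFFICE, TRANSIT_ROUTER, dest]
    landing = topo.ipsec_termination
    if dest == landing:
        return [OFFICE, landing]  # traffic terminates inside the VPC hosting the gateway
    if frozenset({landing, dest}) in topo.links:
        return [OFFICE, landing, dest]  # enters the landing VPC, then crosses to dest
    return None


def vpc_firewall_protects(topo: Topology, dest: str) -> bool | None:
    """True if the office -> dest flow has a hop with both endpoints on the cloud side.

    The hop from the office into the first VPC is the IPsec tunnel itself and is never
    inspected; only inter-VPC hops (transit router, CEN, peering) pass VPC Firewall.
    """
    path = path_from_office(topo, dest)
    if path is None:
        return None
    return any(a != OFFICE and b != OFFICE for a, b in zip(path, path[1:]))


def protection_report(topo: Topology) -> dict[str, bool | None]:
    """Protection status of office traffic toward every VPC in the topology."""
    return {vpc: vpc_firewall_protects(topo, vpc) for vpc in sorted(topo.vpcs)}


# Constructed topologies for the three scenarios and the remediation described above.
SCENARIO_1 = Topology({"biz-a", "biz-b"}, TRANSIT_ROUTER)
SCENARIO_2 = Topology({"biz-a", "biz-b"}, "biz-a", {frozenset({"biz-a", "biz-b"})})
SCENARIO_3 = Topology({"biz-a"}, "biz-a")
REMEDIATED = Topology({"vpn-vpc", "biz-a", "biz-b"}, "vpn-vpc",
                      {frozenset({"vpn-vpc", "biz-a"}), frozenset({"vpn-vpc", "biz-b"})})

if __name__ == "__main__":
    for name, topo in [("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3), ("fixed", REMEDIATED)]:
        print(f"scenario {name}: {protection_report(topo)}")
```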

Which types of traffic consume the purchased protection bandwidth of Cloud Firewall?

The protection bandwidth of Cloud Firewall covers Protected Internet Traffic, Protected VPC Traffic, and Protected Private Network Traffic of NAT Gateway. For more information, visit the Cloud Firewall buy page.

What is the relationship between Cloud Firewall and other cloud services in the Alibaba Cloud architecture?

The following figure shows the logical relationship between Cloud Firewall and other Alibaba Cloud services.

[Figure: logical relationship between Cloud Firewall and other Alibaba Cloud services]

How does service traffic flow when I use Anti-DDoS, WAF, and Cloud Firewall together?

  • If you use Anti-DDoS, Web Application Firewall (WAF) in CNAME record mode, and Cloud Firewall together, service traffic flows to the following nodes one by one:

    Anti-DDoS, WAF, Cloud Firewall, and backend service

  • If you use Anti-DDoS, WAF in cloud native mode, and Cloud Firewall together, service traffic flows to the following nodes one by one:

    Anti-DDoS, Cloud Firewall, WAF, and backend service

How many members does the multi-account management feature support?

Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition support the multi-account management feature. The number of members supported by the feature varies based on the edition of Cloud Firewall. For more information, see Billable items. If you want to add more members, reconfigure Managed Members to upgrade the specifications of your Cloud Firewall. For more information, see Upgrade and downgrade Cloud Firewall.

What are the main scenarios in which Cloud Firewall protects Internet-facing SLB instances?

Cloud Firewall supports the new-generation Internet-facing SLB architecture and comprehensively protects Internet-facing SLB instances in the cloud. If you purchased Alibaba Cloud Cloud Firewall, you can log on to the Cloud Firewall console and enable firewalls to improve overall network security. Cloud Firewall also provides the intrusion prevention and access control features for Internet access of Internet-facing SLB instances:

  • Intrusion prevention: This feature supports one-click deployment of virtual patches to protect against zero-day vulnerabilities and other urgent high-risk vulnerabilities. You can use the feature to defend against vulnerability exploitation without restarting the system or installing patches.

  • Access control: This feature implements fine-grained access control for Internet-facing traffic, supports HTTP and HTTPS applications, and restricts access by IP address, port, and protocol, especially for TCP-based services. You can use the feature to restrict access sources. For example, you can configure access control policies to allow traffic only from specific areas. This ensures that your business runs in a more reliable and secure manner.

What are the advantages of Alibaba Cloud Cloud Firewall over self-managed firewalls?

Alibaba Cloud Cloud Firewall provides an easy-to-use and out-of-the-box solution that can be used to manage north-south and east-west network traffic in a centralized manner and ensure network security in the cloud. Compared with self-managed firewalls, Alibaba Cloud Cloud Firewall provides the following advantages:

  • Managed services: Self-managed firewalls require you to configure the devices yourself and to steer traffic to them by using routes. When the number of VPCs increases, the number of network-side faults on the self-managed firewalls also increases, which raises the complexity of security control and O&M costs. Cloud Firewall is fully managed by Alibaba Cloud. You do not need to deploy devices. You can use Cloud Firewall immediately after you complete the required configurations in the Cloud Firewall console. This reduces the costs of network security control and O&M.

  • High availability and elastic scaling: The high availability and high performance of self-managed firewalls depend on virtual devices. Cloud Firewall uses the cluster deployment mode to support smooth performance scaling without requiring you to handle high availability, scaling, or access issues yourself. Cloud Firewall adopts dual-zone deployment. If a server or an availability zone fails, Cloud Firewall continues to run as expected in the other zone.

  • Deep integration with cloud services: Cloud Firewall integrates with various Alibaba Cloud services, such as VPC, CEN, Elastic IP Address, and SLB, to control access to cloud assets at the network level, and integrates with endpoint security capabilities to handle abnormal access to cloud assets.

  • Intrusion prevention and threat intelligence: Cloud Firewall has a built-in threat detection engine that can simultaneously update network-wide threat intelligence and monitor more than 5 million active malicious IP addresses and domain names to detect and block threats from the Internet in real time.

What are the core protection features of the Internet firewall?

The Internet firewall can detect traffic between the Internet and public IP addresses in Alibaba Cloud. After you activate Cloud Firewall, you can use the following defense capabilities:

  • Asset inventory: The Internet firewall of Cloud Firewall can analyze normal and abnormal inbound and outbound traffic of assets, including open applications, open ports, open public IP addresses, and information about accessed cloud services.

  • Intrusion prevention: Cloud Firewall has a built-in threat detection engine that can detect and intercept malicious traffic and attacks on the Internet in real time. Cloud Firewall can intelligently block intrusions based on threat intelligence.

  • Blocked Domain Names: After you enable firewalls for network assets, the system analyzes the outbound connection data of the assets in real time to detect suspicious assets at the earliest opportunity. Cloud Firewall also blocks Internet access based on domain-based or IP address-based access control policies.

  • Vulnerability prevention: Cloud Firewall provides the virtual patching capability to defend against high-risk vulnerabilities that can be remotely exploited. Even if you cannot install patches or restart the system, exploitation of the vulnerabilities can still be prevented automatically.

How do I use WAF and Cloud Firewall to manage Internet exposures?

Internet exposures refer to known or unknown assets that are exposed on the Internet. The assets include IP addresses, ports, domain names, applications, and APIs. As the number of assets connected to an enterprise network increases, Internet exposures also increase, and more Internet exposures mean greater threats to the enterprise. Therefore, effective management of Internet exposures is a basic requirement for security operations and management.

  • Management of business application assets: The number of business system platforms has increased in recent years. In some cases, employees may build their own websites, and test environments or APIs may not be decommissioned in time. Such assets may run outdated versions of open-source systems, components, and web frameworks, and may have access permissions that exceed business requirements. Attackers can use these assets as jump servers to bypass the protection at the network boundary of the enterprise. The asset identification feature of Web Application Firewall (WAF) provides a global asset perspective by obtaining configuration information from services such as Alibaba Cloud Certificate Management Service, Alibaba Cloud DNS, WAF, and HiChina, and by leveraging big data association analysis. This ensures that assets can be fully protected and improves overall security.

  • Network asset management: With the rapid business growth of enterprises, the number of IP addresses in the cloud increases. Due to lax management, these IP addresses may expose ports and services that exceed business requirements. You can use Cloud Firewall to monitor communication traffic between the Internet and public IP addresses in the cloud, disable unnecessary IP addresses and ports that are exposed on the Internet, and configure access control policies to implement fine-grained control over Internet access.

Why do users who use transit routers of CEN instances have higher requirements on Cloud Firewall?

An increasing number of enterprises are migrating their workloads to the cloud, and the enterprises may plan multiple cross-region VPCs. Users can use Cloud Enterprise Network (CEN) to build high-performance, low-latency, and high-availability networks that interconnect cross-region VPCs or VPCs and data centers to meet diversified networking and management requirements.

In most cases, users of Enterprise Edition transit routers have the following requirements:

  • Network management requirements for multiple services across VPCs and hybrid clouds: The service levels and security levels of VPCs vary, but services require controlled connectivity among multiple VPCs. Enterprises must properly plan and design access control policies and protection policies to protect traffic between VPCs and between VPCs and data centers. This way, enterprises can defend against the lateral movement (horizontal penetration) phase of the cyber kill chain. The complexity of managing traffic between VPCs and between VPCs and data centers grows with the number of VPCs and the scale of business in the cloud. Transit routers allow users to connect and protect more VPCs, which increases the complexity of controlling east-west traffic in the cloud. Therefore, these users have higher requirements for fine-grained management of east-west traffic in the cloud.

  • Compliance requirements: When large enterprises migrate their business to the cloud, most of them require access control policies that meet classified protection requirements such as Multi-Level Protection Scheme (MLPS) and International Organization for Standardization (ISO) 27001. For example, according to the cloud computing security extension requirements of MLPS, users must deploy access control mechanisms at different levels of network boundaries to implement session-based and application-based access control. Cloud Firewall Enterprise Edition can meet the requirements of users to control and protect east-west traffic.