
Cloud Firewall: Pre-sales FAQ

Last Updated: Jan 02, 2024

This topic provides answers to some frequently asked questions about Cloud Firewall.

FAQ about features

FAQ about Cloud Firewall that uses the pay-as-you-go billing method

FAQ about protection scope

FAQ about the relationship between Cloud Firewall and other Alibaba Cloud services

Why do I need to assign the service-linked role AliyunServiceRoleForCloudFW to Cloud Firewall?

You must authorize Cloud Firewall to access the cloud resources that belong to the current Alibaba Cloud account before you can perform the following operations: view the requests and responses of cloud assets, view the access information between the cloud assets over an internal network, and configure access control policies based on the statistics that are displayed in the Cloud Firewall console. The cloud resources include Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), and Server Load Balancer (SLB) instances.

You can authorize Cloud Firewall to access cloud resources only if you use an Alibaba Cloud account or a Resource Access Management (RAM) user that has the AliyunRAMFullAccess permission. For more information, see Authorize Cloud Firewall to access other cloud resources.

How do I release Cloud Firewall that uses the pay-as-you-go billing method?

Log on to the Cloud Firewall console. In the upper-right corner of the Overview page, click Self-service Release. For more information, see Release Cloud Firewall that uses the pay-as-you-go billing method.

Why are fees still deducted after I release Cloud Firewall that uses the pay-as-you-go billing method?

The billing cycle of Cloud Firewall that uses the pay-as-you-go billing method is one day. Bills are generated and daily fees are deducted from your account balance at 18:00 on the next day. If you release Cloud Firewall that uses the pay-as-you-go billing method on the current day, a bill is generated on the next day. For more information, see Pay-as-you-go.

How do I view the usage details of Cloud Firewall that uses the pay-as-you-go billing method?

Log on to the Cloud Firewall console. On the Settings > Bill Management page, view the usage details of Cloud Firewall that uses the pay-as-you-go billing method. For more information, see View the usage details of Cloud Firewall that uses the pay-as-you-go billing method.

How am I charged for Cloud Firewall that uses the pay-as-you-go billing method?

You are charged for Cloud Firewall that uses the pay-as-you-go billing method based on your resource usage. The billing cycle is one day. Bills are generated and daily fees are deducted from your account balance at 18:00 on the next day. The daily fee of Cloud Firewall that uses the pay-as-you-go billing method is calculated by using the following formula: Daily fee = Daily configuration fee of public IP addresses + Daily traffic processing fee. For more information, see Pay-as-you-go.

If you purchase a pay-as-you-go savings plan, you can use the pay-as-you-go savings plan to offset fees for Cloud Firewall. For more information, see Pay-as-you-go Savings plan.

How do I change the billing method of Cloud Firewall from subscription to pay-as-you-go and what are the impacts?

You cannot directly change the billing method of Cloud Firewall from subscription to pay-as-you-go. If you want to change the billing method of Cloud Firewall from subscription to pay-as-you-go, you can release Cloud Firewall that uses the subscription billing method, and then purchase Cloud Firewall that uses the pay-as-you-go billing method.

For more information, see Change the billing method from subscription to pay-as-you-go.

How do I change the billing method of Cloud Firewall from pay-as-you-go to subscription and what are the impacts?

You can change the billing method of Cloud Firewall from pay-as-you-go to subscription based on your business requirements. For more information, see Change the billing method of Cloud Firewall from pay-as-you-go to subscription.

What is a pay-as-you-go savings plan and how do I use it?

A savings plan is a discount plan that provides savings over pay-as-you-go rates in exchange for a commitment to use a consistent amount of resources for a specific period of time. The larger the committed consumption amount of the pay-as-you-go savings plan that you purchase, the greater the discount and the lower your costs. For more information, see Pay-as-you-go savings plan.

What are the differences between Cloud Firewall that uses the pay-as-you-go billing method and Cloud Firewall that uses the subscription billing method?

Can Cloud Firewall protect Layer 2 EIPs?

Yes, Cloud Firewall can protect Layer 2 elastic IP addresses (EIPs). For more information about the protection scope of Cloud Firewall, see What is Cloud Firewall?

Does Cloud Firewall support the classic network?

Cloud Firewall can protect ECS instances and specific SLB instances that use public IP addresses and reside in the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.

Can Cloud Firewall protect Internet-facing SLB instances?

Alibaba Cloud provides Internet-facing and internal-facing SLB instances. Some Internet-facing SLB instances cannot be protected by Cloud Firewall due to network architecture limits. In this case, we recommend that you deploy internal-facing SLB instances and associate EIPs with the SLB instances.

After you enable a firewall for an internal-facing SLB instance that is associated with an EIP, traffic first passes through the firewall, then passes over a Destination Network Address Translation (DNAT) gateway that is associated with the EIP, and finally passes to the SLB instance.

Can Cloud Firewall protect traffic on Express Connect or CEN?

Yes, Cloud Firewall can protect traffic on Express Connect and Cloud Enterprise Network (CEN). Take note of the following items:

  • Cloud Firewall can protect traffic between VPCs that are connected by using an Express Connect circuit and reside in the same region. Cloud Firewall cannot protect traffic between a VPC and a Virtual Border Router (VBR) that are connected by using an Express Connect circuit.

  • Cloud Firewall can protect traffic between two CEN-connected VPCs, and between a VPC and a VBR that are connected by using a CEN instance.

Note

If you want to use Cloud Firewall to protect traffic between VPCs or between a VPC and a VBR across regions, you must migrate the VPCs from a peering connection in Express Connect to a CEN instance. For more information, see Migrate a VPC from a peering connection to a CEN instance.

Can Cloud Firewall defend against APT attacks?

Yes, the built-in threat intelligence feature of Cloud Firewall can be used to defend against advanced persistent threat (APT) attacks.

Can the Internet firewall protect traffic that is destined for a public VPN gateway?

No, the Internet firewall cannot protect traffic that is destined for a public VPN gateway. If you access a public VPN gateway over the Internet, the access traffic is encrypted by the VPN gateway, and the Internet firewall cannot identify and protect the encrypted traffic.

Can VPC Firewall protect traffic that is destined for a VPC by using an IPsec-VPN connection?

The answer varies based on your network deployment. The following scenarios are involved:

1. If your IPsec-VPN connection is associated with a Cloud Enterprise Network transit router and the IPsec-VPN connection is connected to a business VPC, VPC Firewall can protect traffic that is destined for the VPC by using the IPsec-VPN connection.

The following figure is provided as an example. In the following figure, VPC Firewall protects the traffic between an office network and a business VPC.

image

2. If your IPsec-VPN connection is deployed in a business VPC by associating the connection with a VPN gateway and your service involves cross-VPC traffic, such as traffic of VPCs that are connected by using a CEN or VPC peering connection, VPC Firewall can protect traffic that is destined for the VPC over the IPsec-VPN connection.

The following figure provides an example. In the following figure, VPC Firewall cannot protect the traffic from the office network to the VPC in which the IPsec-VPN connection is deployed. However, VPC Firewall protects the traffic from the office network to other business VPCs that are connected to the VPC in which the IPsec-VPN connection is deployed.

image

If you do need to protect the traffic that is destined for other business VPCs by using the IPsec-VPN connection, you can modify your network deployment and deploy the IPsec-VPN connection in a separate VPC. This way, Cloud Firewall can protect the traffic from the VPC in which the IPsec-VPN connection is deployed to other business VPCs.

3. If your IPsec-VPN connection is deployed in a business VPC by associating the connection with a VPN gateway and your service does not involve cross-VPC traffic, VPC Firewall cannot protect traffic that is destined for the VPC over the IPsec-VPN connection.

The following figure provides an example. In the following figure, VPC Firewall cannot protect the traffic between the office network and the business VPC.

image

Which types of traffic consume the purchased protection bandwidth of Cloud Firewall?

The protection bandwidth of Cloud Firewall contains Protected Internet Traffic, Protected VPC Traffic, and Protected Private Network Traffic of NAT Gateway. For more information, visit the Cloud Firewall buy page.

What is the relationship between Cloud Firewall and other cloud services in the Alibaba Cloud architecture?

The following figure shows the logical relationship between Cloud Firewall and other Alibaba Cloud services.

image

How does service traffic flow when I use Anti-DDoS Pro or Anti-DDoS Premium, WAF, and Cloud Firewall together?

  • If you use Anti-DDoS Pro or Anti-DDoS Premium, Web Application Firewall (WAF) in CNAME record mode, and Cloud Firewall together, service traffic flows to the following nodes one by one:

    Anti-DDoS Pro or Anti-DDoS Premium, WAF, Cloud Firewall, and backend service

  • If you use Anti-DDoS Pro or Anti-DDoS Premium, WAF in cloud native mode, and Cloud Firewall together, service traffic flows to the following nodes one by one:

    Anti-DDoS Pro or Anti-DDoS Premium, Cloud Firewall, WAF, and backend service

How many members does the multi-account management feature support?

Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition support the multi-account management feature. The number of members supported by the feature varies based on the edition of Cloud Firewall. For more information, see Billable items. If you want to add more members, reconfigure Managed Members to upgrade the specifications of your Cloud Firewall. For more information, see Upgrade and downgrade Cloud Firewall.