Cloud Firewall is a cloud security solution that provides firewalls as a service. It manages both north-south and east-west traffic and provides traffic monitoring, fine-grained access control, and real-time intrusion prevention to protect your network boundaries. This topic describes the Cloud Firewall features and the editions that support each feature.

Cloud Firewall features

The following table describes the Cloud Firewall features and the editions that support them. The specifications of a feature vary by edition. For more information, see Billing.

Note
  • Cross (×): This feature is not supported.
  • Tick (√): This feature is supported.
| Scenario | Feature | Description | Edition support (Basic / Premium / Enterprise / Ultimate) | References |
| --- | --- | --- | --- | --- |
| Access traffic analysis and attack detection of on-cloud networks | Overview | Provides an overview of the defense features that are enabled and disabled, and statistics on access traffic and detected security risks from the last seven days. | × | Overview |
| Access control | Internet Firewall | Supports two-way access control over north-south traffic and domain name-based access control to strictly control outbound connections. | × | Access control for outbound and inbound traffic on the Internet firewall |
| Access control | VPC Firewall | Controls traffic between virtual private clouds (VPCs). | × × | Access control on VPC firewalls |
| Access control | Internal Firewall | Controls east-west traffic among your Elastic Compute Service (ECS) instances on an internal network. | × × | Access control on an internal firewall between ECS instances |
| Network traffic analysis | Outbound Connections | Monitors the outbound connections of cloud assets in real time. | × | Outbound connections |
| Network traffic analysis | Internet Access | Collects and analyzes statistics on the access traffic of on-cloud networks. | × | Internet access |
| Network traffic analysis | VPC Access | Monitors traffic between VPCs in real time, so that you can obtain up-to-date VPC traffic data and identify and handle suspicious traffic as early as possible. | × × | VPC access |
| Network traffic analysis | All Access Activities | Allows you to query the traffic that passes through Cloud Firewall by condition. | × | All access activities |
| Attack prevention | Vulnerability Prevention | Detects, in real time, vulnerabilities that attacks can exploit and defends against them. | × | Vulnerability prevention |
| Attack prevention | Breach Awareness | Provides details about the intrusion events detected by the intrusion prevention system (IPS) and the solutions for handling them. | × | Breach awareness |
| Attack prevention | Intrusion Prevention | Provides details of the protection applied to traffic between VPCs, inbound Internet traffic, and outbound Internet traffic. | × | Intrusion prevention |
| Attack prevention | Prevention Configuration | Provides the built-in threat detection engine, which intelligently detects and blocks intrusions in real time and analyzes the network traffic blocked by Cloud Firewall and IPS; synchronizes all malicious IP addresses detected across Alibaba Cloud and defends against potential threats such as malicious visitors, scanners, and command-and-control servers; integrates the intrusion prevention policies used for attack and defense on Alibaba Cloud to ensure high accuracy in threat detection; and supports installation-free virtual patches for business systems that precisely defend against common vulnerabilities. | × | Prevention configuration |
| Log management | Log Audit | Provides log audit and behavior backtracking: event logs of the Internet firewall and VPC firewalls; traffic logs of the traffic that passes through Cloud Firewall, which you can use when a threat occurs to analyze the traffic, identify its source, and check whether the configured access control policies are in effect; and system operation logs that record all configurations and operations on Cloud Firewall. | × | Log audit |
| Log management | Log Analysis | Automatically collects, stores, and analyzes inbound and outbound traffic logs in real time, and supports real-time monitoring and alerting on specific metrics so that exceptions in critical business systems can be handled in time. Log storage duration can be set from 30 to 365 days. | × | Activate Log Service |
| Common tools for network traffic detection | Toolbox | Allows you to back up and roll back the access control policies of the Internet firewall and VPC firewalls. | × × | Back up and roll back an access control policy |
| Common tools for network traffic detection | Toolbox | Supports the packet capture feature, which helps you troubleshoot network failures and analyze attacks. | × × | Create a packet capture task |
| Common tools for network traffic detection | Toolbox | Allows you to check security group configurations and whether classified protection requirements are met. | | Check security group rules |
| Business visualization | Custom Groups | Allows you to create custom groups that map the applications of your cloud assets to application groups or business groups. | × | Create application groups and business groups |
| Centralized account management | Central Account Management | Allows you to add Alibaba Cloud accounts as members so that you can manage the resources of those accounts centrally. | × × × | Use centralized account management |