Cloud Firewall is an industry-leading cloud security solution that provides firewalls as a service. It manages both north-south and east-west traffic and provides traffic monitoring, precise access control, and real-time intrusion prevention to protect your networks.


The following table describes Cloud Firewall features and the editions that provide these features.

Scenario Feature Description Supported edition Reference
Access traffic analysis and attack detection of on-cloud networks Overview Provides an overview of defense functions that are enabled and disabled, statistics of access traffic in the last seven days, and detected security risks. All paid editions Overview
Access control Internet Firewall Supports two-way access control over the north-south traffic and domain name-based access control to strictly control the traffic of outbound connections. All paid editions Outbound and inbound traffic control on the Internet firewall
VPC Firewall Controls traffic between VPCs. Enterprise Edition and Ultimate Edition Access control on VPC firewalls
Internal Firewall Isolates east-west traffic among your ECS instances on an internal network. All paid editions Access control on an internal firewall between ECS instances
Real-time monitoring and analysis on network traffic Outbound Connections Monitors outbound connections of cloud assets in real time. All paid editions Outbound connections
Internet Access Collects and analyzes the statistics of access traffic of on-cloud networks. All paid editions Internet access
VPC Access Monitors the traffic between VPCs in real time, so that you can obtain the VPC traffic data in real time and identify and handle suspicious traffic in a timely manner. Enterprise Edition and Ultimate Edition VPC access
Breach Awareness Provides details about intrusion events that are detected by the intrusion prevention system (IPS) and the solutions to the intrusion events. All paid editions Breach awareness
Traffic Blocked by IPS Provides statistics of access traffic that is blocked by Cloud Firewall. All paid editions Traffic blocked by IPS
All Access Activities Allows you to query traffic that passes through Cloud Firewall and meets specified conditions. All paid editions All access activities
Intrusion prevention Vulnerability Prevention Detects vulnerabilities that can be exploited by network attacks and provides defense against these vulnerabilities. All paid editions Vulnerability prevention
Intrusion Prevention
  • Intelligently detects and blocks intrusions in real time. Analyzes the network traffic blocked by Cloud Firewall and IPS.
  • Synchronizes all malicious IP addresses detected across Alibaba Cloud and defends against potential threats, such as malicious visitors, scanners, and command-and-control servers.
  • Integrates the best practices of intrusion prevention policies on Alibaba Cloud to ensure high accuracy in threat detection.
  • Supports installation-free virtual patches for business systems. Protects against commonly encountered vulnerabilities and high-risk zero-day and N-day vulnerabilities.
All paid editions Intrusion prevention policies
Logs Log Audit Provides log auditing and behavior backtracking.
  • Provides event logs to show threats or intrusions detected and blocked by IPS in real time.
  • Provides traffic logs to record the traffic that passes through Cloud Firewall. When a threat occurs, you can view traffic logs to analyze traffic, identify its source, and check whether configured access control policies take effect.
  • Provides system operations logs to record all configurations and operations on Cloud Firewall.
All paid editions Log audit
Log Analysis Automatically collects, stores, and analyzes inbound and outbound traffic logs in real time and supports real-time monitoring and alerting based on specified metrics. This ensures timely responses if exceptions occur for critical business. The log can be stored for up to six months. All paid editions Activate Log Service
Common network traffic detection tools Toolbox Provides functions such as packet capture, policy backup and rollback, and security group configuration check, which helps you fully understand the network traffic that passes through Cloud Firewall.
  • Security group configuration check and classified protection compliance check are available in the free trail edition and all paid editions.
  • Packet capture and policy backup and rollback are available only in paid editions.

Back up and roll back an access control policy

Packet capture

Check security group rules

Business visualization Visualization of security groups and application groups Provides information and access relationships of your assets. All paid editions

Visualize application groups

Visualization of custom groups Allows you to create custom groups to build relationships between applications, application groups, and business groups of your cloud assets. All paid editions Create application groups and business groups