Features - Product Introduction| Alibaba Cloud Documentation Center

Cloud Firewall is a cloud security solution that provides firewalls as a service. It manages both north-south and east-west traffic and provides features, such as traffic monitoring, precise access control, and real-time intrusion prevention, to deliver protection at the network boundaries. This topic describes Cloud Firewall features and the editions that support these features.

Cloud Firewall features

The following table describes Cloud Firewall features and the editions that support these features. The specifications of a feature vary based on the editions. For more information, see Billing.

Note

Cross (×): This feature is not supported.
Tick (√): This feature is supported.


Scenario	Feature	Description	Basic Edition	Premium Edition	Enterprise Edition	Ultimate Edition	References
Access traffic analysis and attack detection of on-cloud networks	Overview	Provides an overview of defense features that are enabled and disabled and shows statistics on access traffic and detected security risks from the last seven days.	×	√	√	√	Overview
Access control	Internet Firewall	Supports two-way access control over north-south traffic and supports domain name-based access control to strictly control the traffic of outbound connections.	×	√	√	√	Access control for outbound and inbound traffic on the Internet firewall
	VPC Firewall	Controls traffic between virtual private clouds (VPCs).	×	×	√	√	Access control on VPC firewalls
	Internal Firewall	Controls east-west traffic among your Elastic Compute Service (ECS) instances on an internal network.	×	×	√	√	Access control on an internal firewall between ECS instances
Network traffic analysis	Outbound Connections	Monitors outbound connections of cloud assets in real time.	×	√	√	√	Outbound connections
	Internet Access	Collects and analyzes the statistics on access traffic of on-cloud networks.	×	√	√	√	Internet access
	VPC Access	Monitors the traffic between VPCs in real time, which allows you to dynamically obtain the VPC traffic data and identify and handle suspicious traffic at the earliest opportunity.	×	×	√	√	VPC access
	All Access Activities	Allows you to query traffic that passes through Cloud Firewall based on conditions.	×	√	√	√	All access activities
Attack prevention	Vulnerability Prevention	Detects vulnerabilities that can be exploited by attacks in real time and defends against these vulnerabilities.	×	√	√	√	Vulnerability prevention
	Breach Awareness	Provides the details about intrusion events that are detected by the intrusion prevention system (IPS) and the solutions to handle the intrusion events.	×	√	√	√	Breach awareness
	Intrusion Prevention	Provides the details of protection for traffic between VPCs, inbound Internet traffic, and outbound Internet traffic.	×	√	√	√	Intrusion prevention
	Prevention Configuration	Provides the built-in threat detection engine that delivers the following capabilities: Intelligently detects and blocks intrusions in real time. Analyzes the network traffic blocked by Cloud Firewall and IPS. Synchronizes all malicious IP addresses detected across Alibaba Cloud and defends against potential threats, such as malicious visitors, scanners, and command-and-control servers. Integrates the intrusion prevention policies used for attack and defense on Alibaba Cloud to ensure high accuracy in threat detection. Supports installation-free virtual patches for business systems. Precisely defends against common vulnerabilities.	×	√	√	√	Prevention configuration
Log management	Log Audit	Provides log audit and behavior backtracking. Provides the logs of events on the Internet firewall and VPC firewalls. Provides the logs of the traffic that passes through Cloud Firewall. If a threat occurs, you can view traffic logs to analyze traffic, identify its source, and check whether configured access control policies are in effect. Provides system operation logs to record all configurations and operations on Cloud Firewall.	×	√	√	√	Log audit
Log management	Log Analysis	Automatically collects, stores, and analyzes both inbound and outbound traffic logs in real time and supports real-time monitoring and alerting based on specific metrics. This ensures timely responses if exceptions occur in critical business. The value of a log storage duration ranges from 30 to 365 days.	×	√	√	√	Activate Log Service
Common tools for network traffic detection	Toolbox	Allows you to back up and roll back access control policies of the Internet firewall and VPC firewalls.	×	×	√	√	Back up and roll back an access control policy
		Supports the packet capture feature, which helps you troubleshoot network failures and analyze attacks.	×	×	√	√	Create a packet capture task
		Allows you to check security group configurations and check whether the requirements of classified protection are met.	√	√	√	√	Check security group rules
Business visualization	Custom Groups	Allows you to create custom groups to build relationships between the applications of your cloud assets and application groups or business groups.	×	√	√	√	Create application groups and business groups
Business visualization	Centralized account management	Central Account Management	Allows you to add Alibaba Cloud accounts as members, which helps you manage the resources of the accounts in a centralized manner.	×	×	×	√	Use centralized account management