Cloud Firewall inspects inbound, outbound, and inter-workload traffic to provide network-wide traffic identification, unified policy management, and intrusion detection. After purchasing Cloud Firewall, complete the following steps to protect your cloud workloads: enable firewalls, configure intrusion prevention, analyze traffic patterns, and create access control policies.
Cloud Firewall does not protect your traffic until you configure access control policies or enable the intrusion prevention system (IPS) in Block Mode. Purchasing the service alone does not activate protection.
Prerequisites
Before you begin, ensure that you have:
A Cloud Firewall subscription. For details, see Purchase Cloud Firewall.
Sufficient quota to cover all public IP assets that require protection
Default configuration after purchase
After purchase, some modules are preconfigured while others require manual setup.
| Module | Component | Default state | Action needed |
|---|---|---|---|
| Firewall Settings | Internet firewall | Enabled for all resources within the quota | None. If not all resources are enabled due to insufficient quota, increase the quota. |
| Firewall Settings | VPC firewall | Not created | Manually create and enable. Enterprise and Ultimate editions only. |
| Firewall Settings | NAT firewall | Not created | Manually create and enable. |
| IPS | Internet firewall | Block-Loose mode, auto-selected based on workloads | None. The default configuration is sufficient. |
| IPS | VPC firewall | Not configured | Set the IPS block mode when creating the VPC firewall. IPS is automatically enabled with the VPC firewall. |
| Access Control | Internet firewall | Allows all traffic | Manually configure based on workload requirements. |
| Access Control | VPC firewall | Not configured | Configure policies after enabling the VPC firewall. |
| Access Control | NAT firewall | Not configured | Configure policies after enabling the NAT firewall. |
| Access Control | ECS firewall | Not configured | Configure as needed. Enterprise and Ultimate editions only. |
| Alert Notification | Alert Notification | Enabled, but no recipients configured | Configure recipients. |
| Multi-account Management | Multi-account management | Not configured | Create manually if needed. |
Step 1: Enable firewall protection
Cloud Firewall includes four firewall types, each protecting a different network boundary. Enable the firewalls that match your architecture.
Internet firewall
The Internet firewall manages traffic between your public IP assets and the internet. It is enabled by default for all resources within your quota.
To verify or adjust the Internet firewall status, see Internet firewall.
VPC firewall
The VPC firewall manages traffic between network instances connected through Cloud Enterprise Network (CEN) and Express Connect. For the protection scope, see VPC firewall overview.
VPC firewall is available only in the Enterprise and Ultimate editions.
To create and enable a VPC firewall, see Configure a VPC firewall for an Enterprise Edition transit router.
NAT firewall
The NAT firewall controls and protects traffic from private IP addresses to the public internet through a NAT gateway.
To create and enable a NAT firewall, see NAT firewall.
ECS firewall
The ECS firewall controls inbound and outbound traffic between ECS instances. After you publish access control policies for the ECS firewall, they are automatically synchronized to ECS security groups. No separate enablement is needed.
ECS firewall is available only in the Enterprise and Ultimate editions.
To configure access control policies for the ECS firewall, see Create an access control policy for an internal firewall.
Verify firewall status
After enabling or disabling a firewall, the status changes to Protected or Unprotected. The status change may take a few seconds.
Step 2: Configure IPS
Cloud Firewall includes a built-in IPS that detects and blocks intrusions in real time. It identifies malicious files such as trojans and backdoors, detects malicious payload requests, and applies virtual patches to block intrusion attempts. The detection mechanisms include threat intelligence, intrusion detection rules, intelligent models, and virtual patching.
IPS modes
The IPS operates in two modes:
Monitor Mode: Generates alerts without blocking traffic. Use this mode first to identify false positives before switching to Block Mode.
Block Mode: Generates alerts and automatically blocks attack payloads.
Block Mode levels
Block Mode provides three protection levels:
| Level | Behavior | Best for |
|---|---|---|
| Block-Loose | Blocks attacks using a conservative ruleset with a low false positive rate | Workloads that need to minimize false positives |
| Block-Medium | Blocks attacks using standard rules with a balanced false positive rate | Daily operations |
| Block-Strict | Blocks attacks using all rules, minimizing false negatives but with a higher false positive rate | Workloads with strict security requirements |
Before enabling Block Mode, run in Monitor Mode for a trial period. Analyze any false positives, then switch to Block Mode at the appropriate level.
For the complete IPS configuration options, see IPS configuration.
Verify IPS results
In the Cloud Firewall console, go to Detection and Response > IPS. On the Protection Status or VPC Protection tab, review intrusion blocking details including source IP, destination IP, blocked application, block source, and event details. For more information, see Intrusion Prevention.
Related best practices
Step 3: Analyze traffic patterns
Review your traffic patterns before creating access control policies: traffic analysis is the foundation for effective policy design. The Traffic Analysis feature provides real-time visibility into outbound connections, internet exposure, and inter-VPC access.
Outbound connections
View the domains and IP addresses your cloud assets connect to. Use threat intelligence tags, access details, and logs to identify gaps in your outbound access control policies. For details, see Outbound Connections.
Internet exposure
Review your publicly exposed services, ports, public IP addresses, and cloud product information. Use this data along with intelligent policy recommendations to strengthen inbound access control. For details, see Internet Exposure.
VPC access
Monitor traffic trends, sessions, and open ports between VPCs. Identify and troubleshoot abnormal traffic to refine your VPC access control policies. For details, see VPC Access.
Step 4: Create access control policies
By default, Cloud Firewall allows all traffic when no policies are configured. Create access control policies to control traffic at each network boundary.
For configuration instructions, see:
Recommended access control strategies
In addition to allowing necessary outbound connections, deny all other outbound traffic. If the source address of an outbound policy is a private IP address, create a NAT firewall first. Otherwise, the outbound policy does not take effect. For details, see NAT firewall.
| Firewall type | Direction | Recommended strategy | Learn more |
|---|---|---|---|
| Internet firewall | Outbound | Create a high-priority policy to allow necessary internet access. Then add a low-priority policy to deny all other outbound traffic. Make sure the Internet firewall is enabled before configuring policies. For multiple source IPs, destination IPs, or ports, use address books or create multiple policies. | Access control policy example |
| Internet firewall | Inbound | Create a high-priority policy to allow trusted external source IPs. Then add a low-priority policy to deny all other inbound traffic. Make sure the Internet firewall is enabled before configuring policies. | Access control policy example, Deny access from overseas regions, Defend against unauthorized MongoDB access |
| NAT firewall | Outbound | After enabling the NAT firewall, it inspects all outbound traffic from private resources within a VPC (including resources in the same VPC and across different VPCs) that flows through the NAT gateway. Traffic is matched against access control policies and the built-in threat intelligence library to determine whether to allow or block the connection. | Allow private hosts to access specified domains only |
| VPC firewall | Inter-VPC | Create a high-priority policy to allow trusted traffic. Then add a low-priority policy to deny all other inter-VPC traffic. The VPC firewall allows all traffic by default after enablement. | VPC firewall policy example |
| ECS firewall | Inbound and outbound | Create policies to allow access to cloud services, then deny all other sources, protocols, ports, and applications. Policies are automatically synchronized to ECS security groups. Choose between basic security groups (for a small number of ECS instances) and advanced security groups (for large-scale deployments with more instances and no limit on private IP addresses). | ECS firewall policy example |
Verify policy hits
Access control policies take effect immediately after creation. To verify that a policy is matching traffic:
In the Cloud Firewall console, go to Access Control > Internet Border.
In the access control policy list, check the Hits/Last Hit At column.
If the column shows a hit count and timestamp, traffic has matched the policy. Click the hit count to open the Traffic Log page for detailed data.
For more information, see Internet firewall access control policies and Log audit.
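The allow-then-deny ordering recommended in the table above, and the hit count check described under Verify policy hits, both follow from one rule: policies are evaluated in priority order and the first match wins, with traffic allowed when nothing matches. The Python script below is an added example that models that rule; it is not Alibaba Cloud's code or its API. The CIDR and port string formats, the priority numbering (a lower number is evaluated first), the policy names, the timestamps, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all constructed for illustration. It shows why the deny-all policy must carry the lower priority, counts hits and records the last hit per policy the way the Hits/Last Hit At column does, and flags an outbound policy whose source is an RFC 1918 address as one that needs a NAT firewall before it takes effect.

```python
"""Toy model of first-match access control evaluation (added example, not
Alibaba Cloud's code). Priority numbers, address formats and sample
addresses are this example's own conventions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# RFC 1918 ranges: an outbound policy with such a source needs a NAT firewall.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass
class Policy:
    name: str
    priority: int                     # lower number = evaluated first (assumption)
    source: str                       # CIDR, e.g. "203.0.113.0/24" or "0.0.0.0/0"
    destination: str                  # CIDR
    port: str                         # "any", a single port "443", or a range "1024-65535"
    action: str                       # "allow" or "deny"
    hits: int = 0                     # mirrors the console's Hits column
    last_hit_at: Optional[int] = None  # mirrors Last Hit At (constructed epoch seconds)

    def matches(self, src: str, dst: str, port: int) -> bool:
        if ip_address(src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(dst) not in ip_network(self.destination, strict=False):
            return False
        if self.port == "any":
            return True
        if "-" in self.port:
            lo, hi = (int(x) for x in self.port.split("-"))
            return lo <= port <= hi
        return port == int(self.port)


def evaluate(policies: List[Policy], src: str, dst: str, port: int,
             now: int) -> Tuple[str, Optional[str]]:
    """Evaluate in priority order; the first matching policy decides and has
    its hit counter updated. No match means allow, as the page states for a
    firewall with no policies configured."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(src, dst, port):
            policy.hits += 1
            policy.last_hit_at = now
            return policy.action, policy.name
    return "allow", None


def needs_nat_firewall(policy: Policy) -> bool:
    """True when the policy's source is a private (RFC 1918) range: such an
    outbound policy only takes effect once a NAT firewall exists."""
    src = ip_network(policy.source, strict=False)
    return any(src.subnet_of(net) for net in RFC1918)


def recommended_outbound_policies() -> List[Policy]:
    """Recommended pattern: high-priority allow for required destinations,
    low-priority deny for everything else (constructed addresses)."""
    return [
        Policy("allow-package-mirror", 1, "203.0.113.0/24", "198.51.100.0/24", "443", "allow"),
        Policy("deny-all-outbound", 100, "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
    ]


def misordered_outbound_policies() -> List[Policy]:
    """Same two policies with deny-all evaluated first: the allow rule is
    unreachable, which is the ordering mistake the page warns against."""
    return [
        Policy("deny-all-outbound", 1, "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
        Policy("allow-package-mirror", 100, "203.0.113.0/24", "198.51.100.0/24", "443", "allow"),
    ]


if __name__ == "__main__":
    policies = recommended_outbound_policies()
    print(evaluate(policies, "203.0.113.10", "198.51.100.5", 443, now=1700000000))
    print(evaluate(policies, "203.0.113.10", "192.0.2.7", 80, now=1700000060))
    for p in policies:
        print(f"{p.name}: hits={p.hits} last_hit_at={p.last_hit_at}")
    print("misordered:", evaluate(misordered_outbound_policies(),
                                  "203.0.113.10", "198.51.100.5", 443, now=1700000120))
    private_src = Policy("allow-private-src", 1, "10.0.0.0/16", "0.0.0.0/0", "any", "allow")
    print("needs NAT firewall first:", needs_nat_firewall(private_src))
```

Run the script as-is to see the expected flow allowed, everything else denied by the catch-all, and the hit counters advancing on each match; the misordered set denies the very flow the allow rule was written for, which is the symptom to look for when a policy's hit count stays at zero after creation.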
Step 5: Set up alert notifications
Configure alert notifications to receive timely alerts when asset risks occur or new assets are added. Alert Notification is enabled by default, but recipients must be configured.
For the alert types supported by Cloud Firewall and how to configure them, see Alert Notification.
Next steps
Troubleshoot abnormal events in Traffic Analysis: Traffic Analysis FAQ
Troubleshoot abnormal IPS events: IPS FAQ
Collect, query, and analyze traffic logs in real time: Log Analysis
Centrally manage resources across multiple accounts: Multi-account Management