What cloud assets or traffic can Cloud Firewall protect?

Cloud Firewall can protect the following cloud assets or traffic:
  • Internet traffic: traffic of the public IP addresses of Elastic Compute Service (ECS) instances, the elastic IP addresses (EIPs) of Server Load Balancer (SLB) instances, High-Availability Virtual IP Addresses (HAVIPs), EIPs, the EIPs of ECS instances, the EIPs of Elastic Network Interfaces (ENIs), some public IP addresses of SLB instances, and the EIPs of network address translation (NAT) gateways.
  • Traffic between VPCs: traffic between VPCs that are connected by using a Cloud Enterprise Network (CEN) or Express Connect.
  • Traffic between VPCs and data centers: traffic between VPCs and data centers that are connected by using virtual border routers (VBRs).

Is Cloud Firewall applicable to the classic network?

The Internet firewall and intrusion prevention system (IPS) are applicable to the classic network. Internal firewalls are applicable only to virtual private clouds (VPCs), not to the classic network.

Is Cloud Firewall available in regions outside mainland China?

Yes, Cloud Firewall is available in regions in mainland China and the following regions outside mainland China: China (Hong Kong), Malaysia (Kuala Lumpur), Singapore (Singapore), Indonesia (Jakarta), and Germany (Frankfurt).

Can Cloud Firewall protect Internet-facing SLB instances?

Alibaba Cloud provides Internet-facing and internal-facing Server Load Balancer (SLB) instances. Some Internet-facing SLB instances cannot be protected by Cloud Firewall due to network architecture limits. To enable Cloud Firewall to protect these instances, we recommend that you deploy internal-facing SLB instances and associate elastic IP addresses (EIPs) with the SLB instances.
Note: For an Internet-facing SLB instance that is in use and is not protected by Cloud Firewall, we recommend that you do not change the network type of the instance by yourself. If you need help, contact SLB technical support.

After you enable a firewall in the Cloud Firewall console, the traffic goes through the firewall. The destination IP address, which is an EIP, of the traffic is then translated into an IP address of an internal-facing SLB instance by using DNAT.

Can Cloud Firewall control traffic from private IP addresses to the Internet?

Cloud Firewall controls traffic to the Internet only from EIPs or from public IP addresses obtained by using DNAT. It cannot control outbound traffic from private IP addresses before NAT is performed.

If you want to control the traffic from a private IP address, associate an EIP with the private IP address and configure access control policies for this EIP.

Can Cloud Firewall control IPsec traffic?

The Internet firewall cannot be used to control decrypted IPsec traffic.

You can use the policies for internal firewalls of Cloud Firewall to control decrypted IPsec traffic. In this case, the decrypted IPsec traffic is regarded as east-west traffic.

Can Cloud Firewall protect traffic on Express Connect or CEN?

Yes, Cloud Firewall can protect traffic on Express Connect and Cloud Enterprise Network (CEN).
  • Cloud Firewall can protect traffic only between VPCs that are connected by using Express Connect in the same region. It cannot protect traffic between a VPC and a Virtual Border Router (VBR) that are connected by using Express Connect.
  • Cloud Firewall can protect traffic between two CEN-connected VPCs, as well as between a VPC and a VBR that are connected by using a CEN.
Note: If you need Cloud Firewall to protect traffic between two VPCs in different regions, or between a VPC and a VBR, migrate the traffic of Express Connect to a CEN. For more information, see Migrate a VPC from a peering connection to a CEN instance.

Why does Cloud Firewall provide three types of firewalls?

Cloud Firewall provides three types of firewalls: Internet firewall, VPC firewall, and internal firewall.

The Internet firewall is deployed at the boundary of the Internet to centrally manage public IP addresses. Internal firewalls work in the same way as security groups to manage communication between ECS instances. The following figure shows how the Internet firewall and internal firewalls work and where they are deployed in the network topology.

Figure: Internet firewall and internal firewalls

VPC firewalls are used to protect traffic between VPCs and are deployed at the boundaries of VPCs to manage the traffic over Express Connect. The following figure shows how a VPC firewall works and where it is deployed in the network topology.

Figure: VPC firewalls

You can use all of the three types of firewalls to refine your network access control policies and build three protection systems: Internet traffic protection, VPC protection, and instance protection.

  • Cloud Firewall provides centralized access control by using inbound and outbound policies to support more precise control over network traffic. Cloud Firewall also provides application-specific and domain name-specific access control policies for you to centrally manage VPCs and regions. You can use the monitor mode and address books to tune your access control policies.
  • For network traffic that requires microsegmentation, Cloud Firewall provides distributed access control. Internal firewalls are built on security groups and offer visualized analysis of internal network traffic, which allows you to tune policies for traffic between ECS instances. The monitor mode, blocked traffic analysis, and threat intelligence features will be available soon.

Cloud Firewall allows you to configure firewalls based on network boundaries to build multiple logical protection systems, which simplifies maintenance. If you want to protect only Internet traffic, you only need to configure inbound or outbound policies on the Internet firewall. If you also want to protect your instances, you can configure access control policies for east-west traffic on internal firewalls.

Can Cloud Firewall defend against APT attacks?

Yes, the built-in threat intelligence feature of Cloud Firewall can be used to defend against advanced persistent threat (APT) attacks.

Can Cloud Firewall protect the traffic destined for a VPC over a VPN gateway?

No. If you use a Virtual Private Network (VPN) gateway to remotely access a VPC in a CEN over the Internet, the access traffic is encrypted by the VPN gateway, and Cloud Firewall cannot decrypt the traffic.

Can Cloud Firewall protect the traffic of IPv6 addresses?

No, Cloud Firewall cannot protect the traffic of IPv6 addresses. However, Cloud Firewall can forward the traffic.
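As an added example that is not part of the Alibaba Cloud documentation, the following Python helper encodes the coverage rules this FAQ states: which of the three firewall types (Internet, VPC, internal) inspects a given flow, and the cases the FAQ calls out as not protected (a private source before SNAT, traffic encrypted by a VPN gateway, IPv6, and Express Connect traffic across regions or to a VBR). The Flow fields, the link labels ("cen", "express_connect", "vpn") and the sample addresses are assumptions made for the illustration, not part of the product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 ranges used for VPC and on-premises addressing. Checked explicitly so that
# documentation ranges such as 203.0.113.0/24 count as "public" in the sample flows.
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_internal(addr) -> bool:
    return any(addr in net for net in _RFC1918)

@dataclass(frozen=True)
class Flow:                        # hypothetical model of a flow at the inspection point
    src: str                       # source address as seen by the firewall (post-SNAT)
    dst: str                       # destination before DNAT (the public-facing address)
    src_vpc: Optional[str] = None  # VPC of the source; None for Internet or on-premises
    dst_vpc: Optional[str] = None  # VPC of the destination; None for Internet or on-premises
    src_region: str = ""
    dst_region: str = ""
    link: str = ""                 # "cen", "express_connect" or "vpn" for cross-boundary flows

def covering_firewall(flow: Flow) -> str:
    """Name the Cloud Firewall type that inspects the flow, or 'none: <reason>'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src.version == 6 or dst.version == 6:
        return "none: IPv6 traffic is forwarded but not protected"
    if flow.link == "vpn":
        return "none: traffic encrypted by a VPN gateway cannot be decrypted"
    if _is_internal(src) and _is_internal(dst):
        if flow.src_vpc == flow.dst_vpc:
            return "internal firewall (ECS to ECS, security-group based)"
        if flow.link == "cen":
            return "VPC firewall (CEN)"  # covers VPC-to-VPC and VPC-to-VBR over a CEN
        if flow.link == "express_connect":
            if flow.src_vpc and flow.dst_vpc and flow.src_region == flow.dst_region:
                return "VPC firewall (Express Connect, same region)"
            return "none: cross-region or VBR traffic over Express Connect; migrate to CEN"
        return "none: the VPCs are not connected by CEN or Express Connect"
    if _is_internal(src):
        return "none: private source is invisible before SNAT; associate an EIP"
    return "Internet firewall"

if __name__ == "__main__":
    # Constructed sample flows, not captured data.
    for f in (Flow("203.0.113.5", "198.51.100.7"),
              Flow("10.0.1.5", "198.51.100.7", src_vpc="vpc-a"),
              Flow("10.0.1.5", "10.0.2.9", src_vpc="vpc-a", dst_vpc="vpc-a"),
              Flow("10.0.1.5", "10.1.0.9", "vpc-a", "vpc-b", "cn-hangzhou", "cn-beijing", "express_connect")):
        print(f.src, "->", f.dst, ":", covering_firewall(f))
```

Running a planned address plan through this table before enabling the firewalls is a quick way to spot flows that none of the three firewall types will see.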