
What is Cloud Firewall?

Last Updated: Feb 11, 2026

Alibaba Cloud Cloud Firewall is a cloud security solution that provides firewalls as a service. It implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall serves as the first line of defense to protect your workloads in Alibaba Cloud.

Positioning of Cloud Firewall

(Figure: Positioning of Cloud Firewall)

Features

Internet firewall

Provides fine-grained control of inbound and outbound traffic between Internet-facing assets and the Internet, reducing the exposure of public assets. The built-in threat defense module supports compromised host detection, outbound connection blocking, and access relationship visualization. The firewall is deployed as a cluster, requires no complex configuration, can be enabled with one click, and allows performance scaling.

NAT firewall

When VPC resources access the Internet through NAT gateways, they may face security risks such as unauthorized access, data leaks, and malicious traffic attacks. Enabling NAT firewalls can block unauthorized traffic.

VPC firewall

Monitors and controls east-west traffic between VPCs or between a VPC and a data center that are connected using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.

ECS firewall

Manages Elastic Compute Service (ECS) security groups and controls traffic for ECS instances in VPCs. Access control policies are automatically synchronized to ECS security groups. Security group compliance checks and micro-segmentation visualization are also supported.
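The following is an added illustration of the kind of check a security group compliance review performs; it is example code written for this page, not Cloud Firewall's own logic. It models rules loosely on ECS security group rules (direction, policy, protocol, an ECS-style "start/end" port range, and a source CIDR) and flags accept rules that expose management ports, or every port, to the whole Internet. The rule field names, the management port list, and the sample rules are all assumptions constructed for the example.

```python
"""Illustrative security group compliance check (added example, not Cloud Firewall's logic)."""
import ipaddress

# Hypothetical policy: ports that must never be opened to the whole Internet.
MANAGEMENT_PORTS = {22, 3389, 3306, 6379}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def is_world_open(cidr: str) -> bool:
    """True if the source CIDR is the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net in (ANY_V4, ANY_V6)


def parse_port_range(port_range: str):
    """Parse an ECS-style 'start/end' port range; '-1/-1' means all ports."""
    start, end = (int(p) for p in port_range.split("/"))
    if start == -1 and end == -1:
        return 1, 65535
    return start, end


def check_security_group(rules):
    """Return (rule_id, severity, reason) findings for non-compliant ingress rules."""
    findings = []
    for rule in rules:
        # Only inbound accept rules can expose an instance; egress and drop rules are skipped.
        if rule["direction"] != "ingress" or rule["policy"] != "accept":
            continue
        if not is_world_open(rule["source_cidr"]):
            continue
        if rule["protocol"].lower() == "all":
            findings.append((rule["id"], "high", "all protocols and ports open to the Internet"))
            continue
        start, end = parse_port_range(rule["port_range"])
        exposed = sorted(p for p in MANAGEMENT_PORTS if start <= p <= end)
        if start == 1 and end == 65535:
            findings.append((rule["id"], "high", f"{rule['protocol']} all ports open to the Internet"))
        elif exposed:
            findings.append((rule["id"], "high", f"management ports {exposed} open to the Internet"))
        else:
            findings.append((rule["id"], "medium", f"{rule['protocol']} {rule['port_range']} open to the Internet"))
    return findings


# Constructed sample rules for the example (not real data).
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "policy": "accept", "protocol": "tcp", "port_range": "443/443", "source_cidr": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "policy": "accept", "protocol": "tcp", "port_range": "22/22", "source_cidr": "0.0.0.0/0"},
    {"id": "r3", "direction": "ingress", "policy": "accept", "protocol": "all", "port_range": "-1/-1", "source_cidr": "::/0"},
    {"id": "r4", "direction": "ingress", "policy": "accept", "protocol": "tcp", "port_range": "3306/3306", "source_cidr": "10.0.0.0/8"},
    {"id": "r5", "direction": "egress", "policy": "accept", "protocol": "all", "port_range": "-1/-1", "source_cidr": "0.0.0.0/0"},
    {"id": "r6", "direction": "ingress", "policy": "drop", "protocol": "tcp", "port_range": "22/22", "source_cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule_id, severity, reason in check_security_group(SAMPLE_RULES):
        print(f"{rule_id}: [{severity}] {reason}")
```

Running the sample flags r1 (HTTPS open to the Internet, medium), r2 (SSH open to the Internet, high) and r3 (all protocols open to every IPv6 source, high), while r4 (private source range), r5 (egress) and r6 (drop rule) pass. A real review would also consider the instance's role, since a world-open port 443 on a web tier is expected and the same rule on a database tier is not.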

Protection scope

The following sections describe each protection scope, with references where available.

Cloud assets and traffic

Cloud Firewall can protect the following cloud assets or traffic:

  • Internet firewall (north-south): IPv4 and IPv6 assets such as ECS instances, EIPs (including Layer 2 EIPs), load balancers, Bastionhost instances, NAT gateways, HaVips, and GA EIPs.

    The following asset types can be protected.

    IPv4:

    • ALB EIP

    • Bastionhost outbound IP address

    • Bastionhost IP address

    • Bastionhost inbound IP address

    • EIP

    • ECS EIP

    • ECS public IP address

    • ENI EIP

    • GA EIP

      Note
      • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

      • The accelerated IP addresses must be of the EIP type.

      • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).

        To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

    • HAVIP

    • NAT EIP

    • NAT public IP address

    • NLB EIP

    • SLB EIP

    • SLB public IP address

    • AI gateway public IP address

    • API gateway public IP address

    IPv6:

    • ALB IPv6

    • ECS IPv6

    • ENI EIP IPv6

    • GA EIP IPv6

      Note
      • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

      • The accelerated IP addresses must be of the EIP type.

      • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).

        To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

    • NLB IPv6

    • SLB IPv6

    • AI gateway public IPv6 address

    • API gateway public IPv6 address

  • NAT firewall: traffic from private networks to the Internet.

  • VPC firewall (east-west):

    • VPC firewall for an Enterprise Edition transit router

      • Traffic between multiple virtual private clouds (VPCs) in the same region.

      • Traffic between multiple cross-region VPCs that are connected using an Enterprise Edition transit router (TR).

      • Traffic between a VPC and a virtual border router (VBR), which represents traffic between a VPC and a data center.

      • Traffic between a VPC and a Cloud Connect Network (CCN) instance.

      • Traffic between multiple VBRs.

      • Traffic between a CCN instance and a VBR.

    • VPC firewall for a Basic Edition transit router

      • Traffic between multiple virtual private clouds (VPCs) in the same region.

      • Traffic between multiple cross-region VPCs that are connected using a Basic Edition transit router (TR).

      • Traffic between a VPC and a virtual border router (VBR), which represents traffic between a VPC and a data center.

      • Traffic between a VPC and a Cloud Connect Network (CCN) instance.

    • VPC firewall for an Express Connect circuit

      • Traffic between multiple VPCs that are in the same region, belong to the same account, and are connected using an Express Connect circuit in virtual private cloud (VPC) mode.

      • Traffic between multiple VPCs in the same region that are connected using a VPC peering connection.

  • Internal firewall: controls inbound and outbound traffic of ECS instances.

Note

Because of the historical network architecture, Cloud Firewall cannot redirect traffic for a small number of Internet-facing SLB instances. We recommend that you associate EIPs with internal-facing SLB instances so that their traffic is redirected to Cloud Firewall for protection.

Cloud network type

  • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

  • Classic network: The Internet Firewall and intrusion prevention system (IPS) features support the classic network. ECS firewalls can protect instances in VPCs but not in the classic network.


Supported regions

Regions that are supported by Cloud Firewall. For the list, see Supported regions.

Editions

Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. The following table describes the differences among the editions. For more information about the protection capabilities supported by different editions of Cloud Firewall, see Features.

Edition: Pay-as-you-go

Description: Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall.

Billing method: Pay-as-you-go. The pay-as-you-go billing method flexibly adapts to business requirements and is suitable for scenarios in which your resource usage frequently fluctuates and your business has temporary or burst requirements on resources.

Edition: Premium Edition

Description: Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and protection for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification.

Billing method: Subscription, a billing method where you pay for services in advance. Compared with the pay-as-you-go billing method, the subscription billing method lets you reserve resources and reduce costs at discounted rates. The subscription billing method is suitable for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time.

Edition: Enterprise Edition

Description: Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification. Cloud Firewall Enterprise Edition offers all capabilities provided by Cloud Firewall Premium Edition. It also provides value-added services such as visualization, network security defense across VPCs, and centralized management of security groups.

Edition: Ultimate Edition

Description: Cloud Firewall Ultimate Edition offers all capabilities provided by Cloud Firewall Enterprise Edition. Compared with Cloud Firewall Enterprise Edition, Cloud Firewall Ultimate Edition provides more powerful protection capabilities.

Compliance

Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR), and Payment Card Industry (PCI) Data Security Standards (DSS).

Contact us

If you have pre-sales questions about purchasing or trying Cloud Firewall, you can contact our product technical experts by submitting a ticket.
