Cloud Firewall protects your cloud services by isolating security domains and controlling traffic at every boundary—Internet, NAT, VPC, and on-premises connections. This guide explains the deployment scenarios and helps you choose the right edition.
Security domain isolation
After migrating to the cloud, many enterprises leave their network architecture in a default state. As the business grows, this leads to exposed ports, excessive access privileges, and significant blast radius when any service is compromised. Dividing your assets into security domains—by function and communication relationship—contains risk and limits lateral movement.
Cloud Firewall enforces this isolation across four traffic directions.
Cloud Firewall covers Internet, NAT, VPC, and on-premises traffic boundaries. It does not inspect traffic within a single VPC at the host level—use the ECS firewall for microsegmentation within a VPC.
Protect inbound Internet traffic
Configure an Internet firewall to control all inbound traffic to your public IP assets.
Optionally, set up a virtual private cloud (VPC) as a demilitarized zone (DMZ). Use the DMZ VPC with elastic IP addresses (EIPs), Server Load Balancer (SLB), and public IP addresses of Elastic Compute Service (ECS) instances to receive inbound Internet connections before traffic reaches internal services.
Protect outbound Internet traffic
Configure an Internet firewall and NAT firewalls together to control outbound traffic—from private IP assets to the Internet and from internal networks.
Optionally, set up a VPC for a DMZ or separate VPCs per service. Combine them with EIPs and NAT Gateways to route outbound connections through controlled exit points.
Protect east-west traffic in the cloud
Configure Cloud Enterprise Network (CEN) with an Enterprise Edition transit router. Attach VPCs to the transit router to connect network instances, and attach virtual border routers (VBRs) to enable cross-cloud interconnection.
Configure a VPC firewall to secure traffic crossing VPC boundaries. The VPC firewall provides Layer 4 to Layer 7 access control, protection against lateral movement attacks, and log tracing.
Configure an ECS firewall for microsegmentation within a single VPC.
Protect traffic between cloud and on-premises
Configure CEN or Express Connect. Connect your on-premises data center to CEN or Express Connect through a VBR to communicate with your cloud VPCs.
Configure a VPC firewall to monitor unusual traffic on these connections, apply fine-grained Layer 4 to Layer 7 access control policies, protect against lateral movement attacks, and run log audits.
Reference architectures
Large enterprises
For large enterprises, security domains are split into group-level and subsidiary-level domains. Group domains include Internet-facing production zones, internal-facing production zones, and production DMZs. The internal production network is further divided into general business domains, core business domains, and database domains.
Small companies
For small companies, security domains are divided into general business domains, core business domains, data security domains, and DMZ security domains (for email systems and portal websites).
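To make the isolation principle above concrete, here is an added illustration (not Cloud Firewall's own rule syntax or API) that models the small-company domains as zones with an explicit allow-list per boundary and default deny for everything else. It evaluates sample flows the way a boundary firewall would, returns "intra-zone" for traffic that never crosses a domain boundary (the ECS firewall's territory), and computes which domains a compromised host could still reach by chaining allowed boundaries, which is the blast-radius question security domains are meant to answer. The CIDR ranges, ports and sample flows are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security domains from the small-company reference architecture.
# The CIDR ranges are constructed for this example, not taken from any real deployment.
ZONES = {
    "dmz": ip_network("10.0.1.0/24"),       # email system, portal website
    "general": ip_network("10.0.10.0/24"),  # general business domain
    "core": ip_network("10.0.20.0/24"),     # core business domain
    "data": ip_network("10.0.30.0/24"),     # data security domain (databases)
}


def zone_of(ip: str) -> str:
    """Map an address to its security domain; anything outside a named domain is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset  # destination ports this rule permits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Explicit allow rules per boundary; any cross-domain flow not listed here is denied.
ALLOW_RULES = (
    Rule("internet", "dmz", "tcp", frozenset({443})),      # inbound Internet -> DMZ only
    Rule("dmz", "general", "tcp", frozenset({8080})),      # DMZ -> general business API
    Rule("general", "core", "tcp", frozenset({8443})),     # general -> core business
    Rule("core", "data", "tcp", frozenset({3306})),        # core -> database
    Rule("general", "internet", "tcp", frozenset({443})),  # outbound via NAT exit, HTTPS only
)


def evaluate(flow: Flow, rules=ALLOW_RULES) -> tuple[str, Optional[Rule]]:
    """Return ('allow' | 'deny' | 'intra-zone', matching rule or None)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Traffic inside one domain never crosses a boundary firewall; host-level
        # microsegmentation (the ECS firewall) is the control there.
        return "intra-zone", None
    for rule in rules:
        if ((rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, flow.proto)
                and flow.dport in rule.dports):
            return "allow", rule
    return "deny", None


def reachable_zones(start: str, rules=ALLOW_RULES) -> set[str]:
    """Domains a compromised host in `start` could reach by chaining allowed boundaries.
    Run this over a proposed rule set to see the blast radius before committing it."""
    seen: set[str] = set()
    stack = [start]
    while stack:
        zone = stack.pop()
        for rule in rules:
            if rule.src_zone == zone and rule.dst_zone not in seen and rule.dst_zone != start:
                seen.add(rule.dst_zone)
                stack.append(rule.dst_zone)
    return seen


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation address space standing in for the Internet.
    samples = [
        Flow("203.0.113.5", "10.0.1.10", "tcp", 443),    # Internet -> DMZ portal: allow
        Flow("203.0.113.5", "10.0.30.10", "tcp", 3306),  # Internet -> database: deny
        Flow("10.0.1.10", "10.0.30.10", "tcp", 3306),    # DMZ -> database directly: deny
        Flow("10.0.20.10", "10.0.30.10", "tcp", 3306),   # core -> database: allow
        Flow("10.0.30.10", "203.0.113.5", "tcp", 443),   # database -> Internet: deny (no outbound rule)
        Flow("10.0.10.5", "10.0.10.6", "tcp", 22),       # inside the general domain: not a boundary decision
    ]
    for f in samples:
        verdict, _ = evaluate(f)
        print(f"{zone_of(f.src):>8} -> {zone_of(f.dst):<8} {f.proto}/{f.dport}: {verdict}")
    print("reachable from dmz:", sorted(reachable_zones("dmz")))
    print("reachable from data:", sorted(reachable_zones("data")))
```

The reachability check is the part worth keeping in a review pipeline: with the chain above, a DMZ compromise can still pivot through general and core to reach the database domain, which is why each boundary gets its own port-restricted rule rather than a blanket allow, and why the database domain has no outbound rule at all.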
Choose an edition
Cloud Firewall offers two billing methods: subscription and pay-as-you-go (including pay-as-you-go savings plans).
Subscription includes three editions—Premium, Enterprise, and Ultimate—each with fixed asset quotas and bandwidth. Pay-as-you-go is billed based on actual usage.
Before selecting an edition, review the protection scope to confirm it matches your environment.
Quick decision guide
| If your situation is... | Start here |
|---|---|
| Fewer than 10 public assets, traffic peaks below 10 Mbps, and you only need north-south protection | Premium Edition (subscription) or pay-as-you-go |
| More than 10 public assets or traffic peaks above 10 Mbps, and you need VPC firewall for east-west traffic or classified protection compliance | Enterprise Edition (subscription) |
| Large-scale deployment with 5 firewall instances, 800 Mbps bandwidth, and 100,000+ policy rules, or extra-large enterprise requiring maximum coverage | Ultimate Edition (subscription) |
| Temporary workloads, burst traffic, or you prefer to scale protection with usage | Pay-as-you-go |
Edition overview
| | Premium Edition | Enterprise Edition | Ultimate Edition |
|---|---|---|---|
| Best for | Small and medium-sized enterprises protecting public assets against north-south threats, with fewer than 10 public assets and peak bandwidth under 10 Mbps | Medium and large enterprises that need VPC firewall for east-west traffic protection and classified protection compliance | Large and extra-large enterprises that need maximum scale (800 Mbps, 5 instances, 100,000 policies) and classified protection compliance |
| Firewall instances | 1 | 3 | 5 |
| Bandwidth | 30 Mbps | 200 Mbps | 800 Mbps |
| Access control policies | 10,000 | 50,000 | 100,000 (customizable) |
| Base price | $420/month | $1,450/month | $3,900/month |
Capability comparison
Billing method comparison
| | Subscription | Pay-as-you-go |
|---|---|---|
| Payment model | Upfront | Billed based on usage |
| Best for | Stable, predictable resource needs and long-term Cloud Firewall usage | Workloads that change frequently, temporary deployments, or burst scenarios |
| Asset volume | Typically more than 10 public assets or peak bandwidth above 10 Mbps | Smaller asset footprint or lower traffic |
For the full feature list, see Features.
What's next
Protection scope — Confirm which assets and traffic types are covered before purchasing
Features — Full feature list per edition