Billing method 1.0 and upgrade instructions - Cloud Firewall

This topic describes the billable items of billing method 1.0, the main differences between billing method 1.0 and 2.0, and how to upgrade your billing method.

Starting October 15, 2025, Cloud Firewall will introduce billing method 2.0. New users will use billing method 2.0 by default. Existing users can continue to use billing method 1.0 or choose to upgrade to 2.0. You can determine your current billing method on the Overview page of the Cloud Firewall console. If the page displays an option to upgrade to billing method 2.0, you are using billing method 1.0.

Subscription 1.0

Billing

Important

New changes: Starting October 15, 2025, only the Enterprise and Ultimate editions of the subscription plan will support the threat intelligence feature in IPS Configuration. The Premium Edition will no longer support this feature.
Scope: The traffic or cloud assets described in the following billing items is the total traffic or cloud assets from the current account and its member accounts.
Excess usage: If your service traffic exceeds the processing capacity of your purchased Cloud Firewall instance, the product's Service-Level Agreement (SLA) is not guaranteed. This may trigger downgrade rules. These rules can include the failure of security features such as access control, IPS, or log audit, the disabling of the firewall for assets with the highest excess traffic, or packet loss due to rate limiting.
If your service traffic is at risk of exceeding the limit, see Pay-as-you-go for elastic traffic of subscription instances.

Features and billable items		Premium Edition	Enterprise Edition	Ultimate Edition	Description
Base price		USD 420/month	USD 1,450/month	USD 3,900/month	The base price includes only the default specifications. It does not include expanded specifications or value-added items.
Subscription duration		Available subscription durations are 1 month, 3 months, 6 months, 1 year, 2 years, and 3 years.			None
Internet firewall	Number of protectable public IP addresses	The base price includes 20 public IP addresses. You can increase the number to a value from 20 to 1,000.	The base price includes 50 public IP addresses. You can increase the number to a value from 50 to 1,000.	The base price includes 400 public IP addresses. You can increase the number to a value from 400 to 1,000.	The number of public IP addresses that the Internet firewall can protect. Expansion fee: USD 7/IP address/month
Internet firewall	Protected Internet Traffic	The base price includes 10 Mbps. You can increase the bandwidth to a value from 10 Mbps to 5,000 Mbps.	The base price includes 50 Mbps. You can increase the bandwidth to a value from 50 Mbps to 5,000 Mbps.	The base price includes 200 Mbps. You can increase the bandwidth to a value from 200 Mbps to 15,000 Mbps.	The peak bandwidth of Internet traffic that can be protected. The billable bandwidth is the greater of the inbound or outbound traffic bandwidth values. Expansion fee: USD 7/Mbps/month If the expandable bandwidth range does not meet your requirements, contact your account manager.
NAT firewalls	Number of NAT firewalls	This is not included in the base price. The scale-out range is from 1 to 20.	The base price includes 1 NAT firewall. You can increase the number to a value from 1 to 100.	The base price includes 2 units by default, and the number of units can be scaled from 2 to 1,000.	The number of NAT firewalls that you can create. One NAT Gateway instance corresponds to one NAT firewall. Expansion fee: USD 32/instance/month.
NAT firewalls	Protected Private Network Traffic of NAT Gateway	The base price does not include this item. You can expand the bandwidth to a value from 5 Mbps to 1,000 Mbps.	The base price includes 10 Mbps. You can increase the bandwidth to a value from 10 Mbps to 5,000 Mbps.	The base price includes 20 Mbps. You can increase the bandwidth to a value from 20 Mbps to 10,000 Mbps.	The peak bandwidth of traffic from private network assets to the Internet that can be protected. Expansion fee: Additional bandwidth < 200 Mbps: USD 5.5/Mbps/month 200 Mbps ≤ Additional bandwidth < 1,000 Mbps: USD 3.2/Mbps/month Additional bandwidth ≥ 1,000 Mbps: USD 2.4/Mbps/month
VPC firewall	Number of VPC Firewalls	Not supported	The base price includes 2 VPC firewalls. You can increase the number to a value from 2 to 100.	The base price includes 5 VPC firewalls. You can increase the number to a value from 5 to 200.	The number of VPC firewalls that you can create. Expansion fee: USD 300/instance/month
VPC firewall	Protected VPC Traffic	Not supported	The base price includes 200 Mbps. You can increase the bandwidth to a value from 200 Mbps to 5,000 Mbps.	The base price includes 1,000 Mbps. You can increase the bandwidth to a value from 1,000 Mbps to 10,000 Mbps.	The peak bandwidth of traffic between VPCs that can be protected. Expansion fee: USD 7.5/10 Mbps. If your service requires more than 10 Gbps of traffic, contact your account manager one month in advance.
Common capabilities for all borders	Elastic traffic processing capability	The base price does not include this feature. You can enable it as needed.	The base price does not include this feature. You can enable it as needed.	The base price does not include this feature. You can enable it as needed.	After you enable this feature, you receive 10 GB of free excess elastic traffic per day. You are charged for usage that exceeds 10 GB. Fees for the previous day are calculated and settled at 18:00 each day. Price: USD 0.06/GB For more information about pay-as-you-go for excess elastic traffic, see Pay-as-you-go for elastic traffic of subscription instances. You can use this feature with pay-as-you-go savings plans to reduce costs. For more information, see pay-as-you-go savings plans.
	Sensitive Data Leak Detection	100 GB (free by default) after activation	300 GB (free by default) after activation	500 GB (free by default) after activation	After the default quota is exceeded, the fee is USD 0.02/GB. You can use this feature with pay-as-you-go savings plans to reduce costs. For more information, see pay-as-you-go savings plans. For more information about how to enable and use this feature, see Enable Sensitive Data Leak Detection.
	Quota for access control policies. If the default access control policy quota for your edition is insufficient, you can purchase an additional global quota. This quota is shared by Internet firewalls, NAT firewalls, and VPC firewalls.	The base price includes the following default policy quotas: Internet firewall: 4,000 NAT firewall: 4,000 Quota for Additional Policy range: 0 to 100,000.	The base price includes the following default policy quotas: Internet firewall: 10,000 NAT firewall: 10,000 VPC firewall: 10,000 Quota for Additional Policy range: 0 to 200,000.	The base price includes the following default policy quotas: Internet firewall: 20,000 NAT firewall: 20,000 VPC firewall: 20,000 Quota for Additional Policy range: 0 to 300,000	The fees for the Quota for Additional Policy are as follows: 0 to 10,000: USD 0.02/policy/month 10,000 to 50,000: USD 0.015/policy/month More than 50,000: USD 0.01/policy/month Note For more information about the usage-based billing method for access control policies, see Policy Usage Specifications.
	Log storage capacity for log analysis	The base price does not include this item. You can expand the capacity to a value from 1,000 GB to 100,000 GB	The base price does not include this item. You can expand the capacity to a value from 1,000 GB to 100,000 GB.	The base price does not include this item. You can expand the capacity to a value from 1,000 GB to 100,000 GB	Cloud Firewall stores audit logs for 7 days by default. These logs include event logs, traffic logs, and operation logs. To store logs for a longer period or meet compliance requirements, you can enable the log analysis feature. Expansion fee for log analysis storage capacity: USD 80/1,000 GB/month.
	Multi-account management	Includes 1,000 units free of charge.	Includes 1,000 units free of charge.	Includes 1,000 units free of charge.	To increase the quota, contact your account manager.

Billing example

An enterprise has 60 assets that are assigned public IP addresses in its Alibaba Cloud account. The enterprise purchases a 6-month Cloud Firewall Enterprise Edition instance and expands the Protected Internet Traffic bandwidth to 60 Mbps.

The total fee is calculated as follows: (USD 1,450 + 10 additional public IP addresses × USD 7 + 10 Mbps additional bandwidth × USD 7) × 6

Pay-as-you-go 1.0

Billing

For a pay-as-you-go Cloud Firewall instance, billing is based on the actual number of accessed assets and the amount of processed traffic. Fees for the previous day are calculated and deducted from your account the next day.

The formula for calculating the fees for a pay-as-you-go Cloud Firewall instance is:

Daily bill = Public IP address configuration fee + Internet traffic processing fee + NAT firewall instance fee + NAT firewall traffic processing fee + VPC firewall instance fee + VPC firewall traffic processing fee for the day

Important

New changes: Starting December 1, 2025, the configuration fee for public IP addresses of Internet firewalls will increase from USD 0.008/hour per IP address to USD 0.014/hour per IP address. In addition, the threat intelligence feature in IPS Configuration will no longer be supported. To use this feature, you must upgrade to pay-as-you-go 2.0.
Minimum billing unit: The minimum billing unit for a pay-as-you-go Cloud Firewall instance is one hour. Usage for less than one hour is billed as one hour. For example, usage from 15:55 to 16:05 is billed as two hours because the usage spans two separate one-hour billing periods (15:00-16:00 and 16:00-17:00).
Overdue payments: If your account has an insufficient balance and your payment is overdue for more than 15 consecutive days, your pay-as-you-go Cloud Firewall instance is automatically released. If no assets are accessed for more than 30 consecutive days, Cloud Firewall automatically disables the corresponding border firewall modules.

Type	Billable item	Unit price	Description
Internet firewall	Public IP address configuration fee	USD 0.014/hour per IP address	Billed based on the number of public IP addresses for which protection is enabled on the day. Daily public IP address configuration fee = Number of public IP addresses accessed on the day × Unit price of public IP address configuration
Internet firewall	Internet traffic processing fee	USD 0.06/GB	Billed based on the actual amount of Internet traffic processed by the Internet firewall on the day. Daily Internet traffic processing fee = (Processed outbound traffic + Processed inbound traffic) × Unit price per GB of traffic
NAT firewall	NAT firewall instance fee	USD 0.06/hour per instance	Billed based on the actual number of NAT firewalls created on the day. Daily NAT firewall instance fee = Number of NAT firewalls enabled on the day × Unit price per NAT firewall instance Note The number of NAT firewall instances created. Each NAT Gateway instance corresponds to one NAT firewall instance. For more information, see NAT firewall.
NAT firewall	NAT firewall traffic processing fee	USD 0.06/GB	Billed based on the actual amount of private network traffic processed by the NAT firewall on the day. Daily NAT firewall traffic processing fee = Processed outbound traffic × Unit price per GB of traffic
VPC firewall	VPC firewall instance fee	USD 0.39/hour per instance	Billed based on the actual number of VPC firewalls created on the day. Daily VPC firewall instance fee = Number of VPC firewalls enabled on the day × Unit price per VPC firewall instance Note The number of VPC firewall instances created: If your VPCs are connected using an Enterprise Edition transit router of Cloud Enterprise Network (CEN), each Enterprise Edition transit router corresponds to one VPC firewall instance. If your VPCs are connected using a Basic Edition transit router of CEN, each VPC corresponds to one VPC firewall instance. If your VPCs are connected using Express Connect, each pair of VPCs corresponds to one VPC firewall instance. For more information, see VPC firewall.
VPC firewall	VPC firewall traffic processing fee	USD 0.06/GB	Billed based on the actual amount of traffic processed by the VPC firewall on the day. Daily VPC firewall traffic processing fee = Processed outbound traffic × Unit price per GB of traffic
Common capabilities	Sensitive Data Leak Detection	Free within the default quota. After the quota is exceeded, the fee is USD 0.02/GB.	You can use this feature with pay-as-you-go savings plans to reduce costs. For more information about how to enable and use this feature, see Enable Sensitive Data Leak Detection.
Common capabilities	Quota for Additional Policy	Free within the default quota. After the quota is exceeded, the fee is USD 0.003/100 policies/hour.	Usage of less than 100 policies is billed as 100 policies. You are charged on an hourly basis. Bills are generated the next day. You can use this feature with pay-as-you-go savings plans to reduce costs.

The default specifications for a pay-as-you-go Cloud Firewall instance are as follows:
- Number of accessed public IP addresses: A maximum of 1,000 public IP addresses can be accessed.
- Traffic for Sensitive Data Leak Detection: 100 GB per month is provided for free after you enable the feature.
- Quota for Additional Policy:
  - Internet firewall: 2,000
  - NAT firewall: 2,000
  - VPC firewall: 10,000
  - For more information about how quota usage is calculated, see Policy quota usage.
- Peak traffic processing bandwidth for the pay-as-you-go edition: Does not exceed 5 Gbps.
  Note
  Cloud Firewall does not guarantee security for traffic that exceeds the peak bandwidth. You can view the firewall status on the Firewall Settings page in the Cloud Firewall console. If the Firewall Status is Protected, your asset traffic is protected. If the Firewall Status is Unprotected, your asset traffic bypasses the firewall and is therefore not protected. This traffic does not incur charges. If you require a higher traffic processing bandwidth, contact your account manager.
A pay-as-you-go Cloud Firewall instance automatically synchronizes assets and detects their accessed state in real time. If the system detects that no assets have been accessed by your pay-as-you-go Cloud Firewall instance for 1 to 30 consecutive days, you will receive a notification.
Note
If no assets are accessed for more than 30 consecutive days, Cloud Firewall automatically disables the Internet firewall, NAT firewall, or VPC firewall modules. Other related modules are reset to their initial state. You can re-enable the modules when needed. For more information, see Internet firewall, NAT firewall, or VPC firewall.

Billing example

Example scenario	Hourly bill
You have a pay-as-you-go Cloud Firewall instance but have not enabled protection for any cloud assets.	0 USD
You have a pay-as-you-go Cloud Firewall instance. You have enabled protection for the public IP addresses of two cloud assets. The processed inbound and outbound traffic is about 1 GB per hour. You have not enabled a NAT firewall.	2 × USD 0.014 + 1 GB × USD 0.06/GB = USD 0.088
You have a pay-as-you-go Cloud Firewall instance. You have enabled protection for the public IP addresses of two cloud assets. The processed inbound and outbound traffic is about 1 GB per hour. You have enabled one NAT firewall. The processed private network traffic is about 0.5 GB per hour.	2 × USD 0.014 + 1 GB × USD 0.06/GB + 1 × USD 0.06 + 0.5 GB × USD 0.06/GB = USD 0.178

Main differences between billing method 1.0 and 2.0

Subscription

Simplified billable items: In billing method 2.0, the instance and traffic fees are unified for different types of border firewalls. Internet firewalls are no longer billed based on the number of public IP addresses. Instead, instance fees are charged based on the number of protected regions. The Premium, Enterprise, and Ultimate editions include 1, 3, and 5 firewall instances, respectively. Both the number of instances and the bandwidth can be expanded.
Feature changes: Compared to billing method 1.0, billing method 2.0 provides more bandwidth for each edition. It introduces tiered pricing for additional bandwidth. The elastic traffic feature is enabled by default and cannot be disabled. The minimum storage capacity for log analysis is increased. A feature fee is charged for Sensitive Data Leak Detection.
Bandwidth calculation change: The method for calculating the bandwidth of an Internet firewall is changed from using the greater of the inbound or outbound traffic bandwidth values to using the sum of the inbound and outbound traffic bandwidth.
Free features: In billing method 2.0, the configuration fee for public IP addresses of Internet firewalls and the fee for additional policy quotas are waived.

Pay-as-you-go

Simplified billable items: In billing method 2.0, the instance and traffic fees are unified for different types of border firewalls. The instance fee is USD 0.36/hour per instance, and the traffic fee is USD 0.06/GB. Internet firewalls are billed based on the number of protected regions, not the number of public IP addresses.
Log analysis change: In billing method 2.0, log analysis fees are billed by Cloud Firewall instead of Simple Log Service (SLS). The fee is USD 0.3/TB/hour. If the log analysis module was enabled before the upgrade, you will be charged for a default storage capacity of 1 TB after the upgrade. You can adjust the storage capacity in the console later.
Bandwidth calculation change: The method for calculating the bandwidth of an Internet firewall is changed from using the greater of the inbound or outbound traffic bandwidth values to using the sum of the inbound and outbound traffic bandwidth.
Free features: In billing method 2.0, the configuration fee for public IP addresses of Internet firewalls and the fee for additional policy quotas are waived. You can configure up to 10,000 access control policies.

Upgrade the billing method from 1.0 to 2.0

Impact of the upgrade

If you are using a subscription 1.0 instance, note the following:

Subscription 2.0 and subscription 1.0 are independent Cloud Firewall instances. To upgrade to version 2.0, you must first purchase a subscription 2.0 instance. After you purchase the 2.0 instance, unsubscribe from the subscription 1.0 instance promptly. If both subscription 2.0 and 1.0 instances exist in your system, the Cloud Firewall Overview page will prompt you to unsubscribe from the 1.0 instance.
Important
Strictly follow the purchase-then-unsubscribe procedure. If you unsubscribe from the 1.0 instance before purchasing a 2.0 instance, your configuration data will be lost.
The upgrade process does not affect your services. Your Cloud Firewall configurations, including the Automatic Protection for New Assets configuration status, are automatically inherited by the 2.0 instance.

If you are using a pay-as-you-go 1.0 instance, note the following:

The fees incurred on the day of the upgrade to 2.0 will be billed the next day. Two bills will be generated: fees incurred before the upgrade (including the hour of the upgrade) are calculated based on billing method 1.0, and fees incurred after the upgrade are calculated based on billing method 2.0.
The upgrade process does not affect your services. Cloud Firewall configurations are automatically inherited by the 2.0 instance. If you enabled the log analysis feature in 1.0, the feature is disabled after the upgrade. To use the feature, you must manually enable it.

If you previously used billing method 1.0, you are automatically upgraded to billing method 2.0 when you switch the billing method. For more information, see Switch between subscription and pay-as-you-go.

Upgrade steps

Log on to the Cloud Firewall console. On the Overview tab, in the Protection Status section on the right, click Upgrade to Subscription 2.0 or Upgrade to Pay-As-You-Go 2.0.
Follow the on-screen instructions to complete the upgrade purchase.
If you were using a subscription 1.0 instance, go to the page to unsubscribe from the subscription 1.0 instance promptly after the purchase is complete.