Cloud Firewall protects your cloud infrastructure from network threats and enforces security policies across every traffic boundary.
Enterprise data center in the cloud
When you migrate services to the cloud or operate large-scale data centers, public assets are exposed to inbound threats, and uncontrolled east-west traffic creates lateral movement risks. Cloud Firewall provides network-wide traffic analysis, blocks malicious Internet traffic, and supports custom access control policies.
Internet firewall — north-south traffic
The Internet firewall sits at the Internet border and manages all inbound and outbound traffic for your public assets. It gives you fine-grained control over traffic between public assets and the Internet, reducing your attack surface and the risk to your service traffic.
NAT firewalls — outbound traffic from VPCs
When resources in a virtual private cloud (VPC), such as Elastic Compute Service (ECS) or Elastic Container Instance (ECI) instances, access the Internet through a NAT Gateway, that outbound path can be abused for unauthorized access, data exfiltration, and other malicious traffic. Enable NAT firewalls to inspect this outbound traffic and block connections that are not authorized.
VPC firewall — east-west traffic between VPCs and data centers
The VPC firewall inspects and controls east-west traffic between VPCs, and between VPCs and data centers. Traffic flowing through an Enterprise Edition transit router, Basic Edition transit router, or Express Connect is covered. The firewall secures internal traffic between different VPCs, and between a VPC and a data center (Virtual Border Router, or VBR), a third-party cloud (VBR), or a VPN.
Internal firewall — ECS instance-level control
The internal firewall manages ECS security groups to control inbound and outbound traffic for each ECS instance in a VPC. Access control policies you publish are automatically synchronized to ECS security groups. The internal firewall also supports security group compliance checks and visualization of security group microsegmentation.
Hybrid cloud and cloud-based DMZ
Running a hybrid cloud means traffic flows in both directions — north-south between your demilitarized zone (DMZ) and the Internet, and east-west between your on-premises data center and cloud VPCs. A gap in either direction leaves your environment exposed.
Cloud Firewall covers both traffic paths. It provides north-south traffic protection for the DMZ and east-west traffic protection between your data center and VPCs, securing communication across your entire hybrid environment. If your DMZ is deployed in the cloud, Cloud Firewall also secures traffic between the DMZ and your on-premises data center.
Multi-account management
Managing security across multiple Alibaba Cloud accounts typically requires switching between consoles and duplicating policy work. Cloud Firewall integrates with Resource Directory to centralize this.
You can enable the multi-account management feature to centrally protect resources across multiple accounts from the Cloud Firewall console, configure security policies for every account from a single interface, and monitor VPC traffic per account — all without jumping between separate consoles. This provides protection across multiple network borders while reducing operations overhead.
Major events and high-intensity attack scenarios
Large-scale attack campaigns, zero-day exploits, and targeted attacks during major events require faster response than standard policy workflows allow. Cloud Firewall lets you block IP addresses or domain names in batches, trace attack sources, and block exploitation attempts against zero-day vulnerabilities, so your team can respond at scale without manual bottlenecks.