
Cloud Firewall: Features supported by different Cloud Firewall editions

Last Updated: Nov 08, 2025

Before you purchase Cloud Firewall, select an edition based on your business needs, feature differences, and cost. This topic describes the features of each edition to help you make an informed decision.

Important

Starting October 15, 2025, the billable items for Cloud Firewall features will be updated to Billing 2.0. New users will use Billing 2.0 by default. Existing users can continue to use Billing Method 1.0 or choose to upgrade to Billing 2.0. For information about the cost changes in Billing 1.0 and how to upgrade to Billing 2.0, see Legacy Billing Method 1.0 and Upgrade Instructions.

Feature list

The following table describes the features supported by different Cloud Firewall editions in Billing 2.0.

Note
  • ✗: This feature is not supported.

  • ✓: This feature is supported.

| Feature name | Overview | Pay-as-you-go | Premium Edition | Enterprise Edition | Ultimate Edition | References |
|---|---|---|---|---|---|---|
| Overview | Outlines the protection capabilities of Cloud Firewall. It displays statistics about protected assets, access traffic over the last 7 days, and defended security risks. | ✓ | ✓ | ✓ | ✓ | Data overview |
| Overview | Displays a visual traffic topology graph of the cloud assets that are protected by Cloud Firewall. | ✗ | ✗ | ✓ | ✓ | Traffic topology graph |
| Firewall switches | The Internet firewall protects inbound and outbound traffic between the Internet and public assets that have public IP addresses (IPv4 and IPv6). | ✓ | ✓ | ✓ | ✓ | Internet firewall |
| Firewall switches | NAT firewalls protect traffic from private IP assets that access the Internet through a NAT Gateway. | ✓ | ✓ | ✓ | ✓ | NAT firewalls |
| Firewall switches | The VPC firewall protects traffic between VPCs, and between VPCs and data centers. | ✓ | ✗ | ✓ | ✓ | VPC firewall |
| Network traffic analysis | Outbound connections. Monitors outbound connections from public and private cloud assets to the Internet in real time so that unusual traffic is detected promptly. | ✓ | ✓ | ✓ | ✓ | Outbound connection activities |
| Network traffic analysis | Internet Exposure. Detects in real time the IP addresses, ports, and applications of Cloud Firewall-protected cloud assets that are exposed to the Internet, and provides visual analytics reports. | ✓ | ✓ | ✓ | ✓ | Internet Exposure |
| Network traffic analysis | VPC Access. Monitors traffic between interconnected VPCs in real time, giving you live VPC network traffic data to detect and troubleshoot unusual traffic promptly. | ✓ | ✗ | ✓ | ✓ | VPC Access |
| Attack prevention | Intrusion prevention. Actively detects and intercepts malicious traffic in real time, including attacks from hackers, vulnerability exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks, to protect your cloud information systems and network architecture. | ✓ | ✓ | ✓ | ✓ | Intrusion prevention |
| Attack prevention | Vulnerability Prevention. Automatically synchronizes the vulnerabilities that Security Center detects on your public assets connected to Cloud Firewall and provides attack prevention for them, closing the loop between vulnerability detection and protection. | ✓ | ✓ | ✓ | ✓ | Vulnerability Prevention |
| Attack prevention | Breach awareness. Helps you detect server intrusion events to prevent major business losses. | ✓ | ✓ | ✓ | ✓ | Breach awareness |
| Attack prevention | Data breach. Helps you promptly detect sensitive data leaks and risky payloads in outbound connections from your cloud assets to prevent business losses. | ✓ | ✓ | ✓ | ✓ | Data breach |
| Attack prevention | Threat detection engine. The built-in threat detection engine lets you configure attack prevention rules to detect and block intrusion threats more precisely. Its components (basic defense, virtual patching, threat intelligence, intelligent defense, and the protection whitelist) are described under "How the threat detection engine works" after this table. | ✓ | ✗ | ✓ | ✓ | IPS Configuration |
| Access control | Internet Border. Supports Layer 4 to Layer 7 access control for north-south inbound and outbound traffic of public assets. This blocks external malicious attacks and strictly controls outbound connections to prevent untrusted connections. | ✓ | ✓ | ✓ | ✓ | Configure access control policies for the Internet border |
| Access control | NAT Border. Supports Layer 4 to Layer 7 access control for north-south traffic from private IP addresses that access the Internet through NAT Gateways. This intercepts unauthorized access from the internal network to the Internet. | ✓ | ✓ | ✓ | ✓ | Configure access control policies for the NAT border |
| Access control | VPC Border. Supports access control for east-west traffic between different VPCs, and between VPCs and data centers or third-party clouds. This blocks unauthorized internal traffic and allows trusted traffic. | ✓ | ✗ | ✓ | ✓ | Configure access control policies for the VPC border |
| Access control | Internal Border. Supports access control for inbound and outbound traffic between ECS instances to restrict unauthorized access between them. | ✗ | ✗ | ✓ | ✓ | Internal firewall |
| Access control | Security group check. Detects risky rules in the security groups of ECS instances and provides remediation suggestions, helping you use security groups more securely and efficiently. | ✓ | ✓ | ✓ | ✓ | Security group check |
| Access control | Manage address books. Supports custom address books, cloud service address books, and threat intelligence address books. You can add multiple IP addresses, ports, or domain names to an address book, then reference it in access control policies and keep it updated automatically with a single click, which makes your policies easier to maintain. | ✓ | ✓ | ✓ | ✓ | Manage address books |
| Sync nodes | ACK cluster sync nodes. Designed for ACK container environments. They dynamically collect pod IP addresses and update them in address books. This resolves the access control problems caused by frequently changing IP addresses, greatly reduces manual configuration, and improves security and management efficiency. | Up to 5 | Up to 2 | Up to 5 | Up to 10 | ACK clusters |
| Sync nodes | Private DNS sync nodes. Suitable for enterprises that use PrivateZone or self-managed DNS servers and have configured internal domain name resolution records for services such as PaaS or hosts. Cloud Firewall uses private DNS sync nodes to automatically obtain the corresponding domain name-to-IP mappings and applies them in domain name-based access control policies. | | | | | Private DNS |
| Log Monitoring | Log audit. Provides a 7-day log audit feature by default to help you trace events and troubleshoot faults. The supported log types (event, traffic, and operation logs) are described under "Supported log types for auditing" after this table. | ✓ | ✓ | ✓ | ✓ | Log audit |
| Log Monitoring | Log analysis. Automatically collects, stores, and performs advanced analysis on all traffic logs delivered to Cloud Firewall in real time. The storage duration can be set anywhere from 7 to 730 days, and log delivery can be turned on or off as needed. It supports real-time monitoring and alerting on specific metrics so that abnormalities in key services are responded to promptly. | ✓ | ✓ | ✓ | ✓ | Log analysis |
| Business Visualization | Lets you establish relationships between applications, application groups, and business groups of your cloud assets using custom groups. Business visualization gives you a comprehensive view of your cloud asset information and access relationships. | ✗ | ✗ | ✓ | ✓ | Custom groups; Security group visualization; Application Group Visualization |
| Multi-account management | Supports the multi-account management feature, which helps you share resources and ensure secure traffic access across multiple accounts. | ✓ | ✓ | ✓ | ✓ | Multi-account management |
| Alert notifications | When traffic exceptions, host compromise, suspicious outbound connections, vulnerability threats, disabled protection, or disabled intrusion prevention occur on your assets, you receive prompt notifications by text message or email. | ✓ | ✓ | ✓ | ✓ | Alert notifications |

How the threat detection engine works

  • Basic defense

    Built-in intrusion prevention rules are accumulated from Alibaba Cloud's real-world security practices. These rules precisely intercept common cloud-based network attacks such as malicious port scanning, database attacks, reverse shells, arbitrary code execution, and vulnerability exploits to prevent risks like server intrusions.

  • Virtual patching

    Provides virtual patching for precise protection against popular vulnerabilities, critical 0-day exploits, and N-day exploits. You do not need to install patches on your business systems, so vulnerability exploit attacks can be defended against promptly.

  • Threat intelligence (not supported by the Premium Edition)

    The built-in threat intelligence database contains malicious IP addresses and domain names observed across Alibaba Cloud, such as malicious access sources, scan sources, and C&C servers. This provides proactive defense against unknown threats and intrusions, blocks attack behaviors, and prevents large-scale intrusions.

  • Intelligent defense

    Uses artificial intelligence combined with large volumes of attack data and attack features to detect unknown attack behaviors and improve the detection of advanced attacks.

  • Protection whitelist

    Lets you add IP addresses to a protection whitelist so that legitimate service traffic that happens to match attack characteristics is allowed. This ensures your services run as expected.

Supported log types for auditing

  • Event logs: Record events in which traffic passing through Cloud Firewall matches an access control policy. You can view information such as the time, threat type, source IP address, destination IP address, application type, and severity level.

  • Traffic logs: Record all traffic data that passes through Cloud Firewall. When a threat event occurs, you can use traffic logs to analyze the traffic and its access source, and to check whether the configured access control policies are effective.

  • Operation logs: Record all user configurations and operations for Cloud Firewall, such as enabling or disabling the firewall and modifying intrusion prevention configurations.

References

  • For more information about Cloud Firewall features, see Presales FAQ.

  • For more information about the billing methods of Cloud Firewall subscription editions (Premium, Enterprise, and Ultimate), see Subscription 2.0.

  • For more information about the billing method of the Cloud Firewall pay-as-you-go edition, see Pay-as-you-go 2.0.

  • For more information about how to purchase Cloud Firewall, see Purchase Cloud Firewall.