Cloud Firewall offers four editions. This page lists the features each edition supports so you can choose the right one before you purchase.
Important
Starting October 15, 2025, Cloud Firewall uses Billing 2.0. New users use Billing 2.0 by default. Existing users can stay on Billing 1.0 or upgrade. See Billing 1.0 and upgrade instructions for details.
Feature list
The table below covers all features under Billing 2.0.
— Not supported
— Supported
Dashboard
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Overview | Shows protected assets, traffic data for the last 7 days, and defended security risks. | | | | | Data overview |
| Traffic topology graph | Displays a visual traffic topology graph for cloud assets protected by Cloud Firewall. | | | | | Traffic topology graph |
Firewall switch
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Internet firewall | Protects inbound and outbound traffic between the Internet and public assets (IPv4 and IPv6). | | | | | Internet firewall |
| NAT firewall | Protects traffic from private IP assets that access the Internet through a NAT gateway. | | | | | NAT firewall |
| VPC firewall | Protects traffic between virtual private clouds (VPCs) and between VPCs and data centers. | | | | | VPC firewall |
Network traffic analysis
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Suspicious outbound connections | Monitors outbound connections from public and private assets to the Internet in real time to detect unusual traffic. | | | | | Outbound connections |
| Internet exposure | Detects the IP addresses, ports, and applications of protected assets exposed to the Internet, with visual analytics reports. | | | | | Internet Exposure |
| VPC access | Monitors traffic between interconnected VPCs in real time to detect and troubleshoot unusual traffic. | | | | | VPC Access |
Attack prevention
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Intrusion prevention | Detects and blocks malicious traffic in real time, including hacker attacks, exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks. | | | | | Intrusion prevention |
| Vulnerability prevention | Syncs vulnerabilities detected by Security Center on public assets and provides attack prevention for them, closing the loop between detection and protection. | | | | | Vulnerability Prevention |
| Breach awareness | Detects server intrusion events to prevent business losses. | | | | | Breach awareness |
| Data breach | Detects sensitive data leaks and risky payloads in outbound connections from your cloud assets. | | | | | Data breach |
| IPS configuration | Configures the threat detection engine with five protection modes: Basic protection intercepts common cloud attacks such as port scans, database attacks, reverse shells, and exploits. Virtual patching blocks popular vulnerabilities and high-risk exploits without requiring patches. Threat intelligence draws on Alibaba Cloud's global database of malicious IPs and domains to block unknown threats (not available in Premium). Intelligent defense uses AI to detect advanced unknown attacks. Protection whitelist lets normal service traffic pass even if it resembles attack traffic. | | | | | IPS Configuration |
Access control
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Internet border | Layer 4–7 access control (north-south) for inbound and outbound traffic on public assets. Blocks external attacks and controls active outbound connections. | | | | | Configure an access control policy for the Internet border |
| NAT border | Layer 4–7 access control (north-south) for private IP traffic behind a NAT gateway that accesses the public network. | | | | | Configure an access control policy for the NAT border |
| VPC border | Access control (east-west) for traffic between VPCs, between VPCs and data centers, or between VPCs and third-party clouds. | | | | | Configure an access control policy for the VPC border |
| Internal border | Access control for inbound and outbound traffic between ECS instances to restrict unauthorized lateral movement. | | | | | Internal firewall |
| Security group check | Audits high-risk rules in ECS security groups and suggests remediation. | | | | | Security group check |
| Address books | Groups IP addresses, ports, or domain names into reusable address books — custom, cloud service, or threat intelligence. Reference and auto-update them in access control policies with one click. | | | | | Manage address books |
Synchronization nodes
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| ACK cluster synchronization nodes | Dynamically collects pod IP addresses from ACK container environments and syncs them to address books. Eliminates manual updates caused by frequent IP changes. | | | | | ACK cluster |
| Private DNS synchronization nodes | Automatically resolves domain name-to-IP mappings from PrivateZone or self-managed DNS servers for use in domain-based access control policies. | | | | | Private DNS |
Log monitoring
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Log auditing | Retains 7 days of logs by default for event tracing and troubleshooting. Covers three log types: Event logs (traffic that matched an access control policy, including threat type, source and destination IPs, application type, and severity), Traffic logs (all traffic through Cloud Firewall for post-incident analysis), and Operation logs (all configuration changes, such as enabling the firewall or modifying IPS settings). | | | | | Log auditing |
| Log analysis | Collects and analyzes all traffic logs in real time. Storage duration is configurable from 7 to 730 days, and you can customize the delivery switch. Supports custom real-time alerts on specific metrics. | | | | | Log analysis |
Management and monitoring
| Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
|---|---|---|---|---|---|---|
| Business visualization | Groups cloud assets into applications, application groups, and business groups. Visualizes asset information and access relationships across your entire cloud environment. | | | | | Custom groups, Security group visualization, Application Group Visualization |
| Multi-account management | Manages multiple Alibaba Cloud accounts from a single console to share resources and ensure secure traffic access. | | | | | Multi-account management |
| Alert notifications | Sends SMS or email alerts when traffic anomalies, host compromises, suspicious outbound connections, vulnerability threats, disabled protection, or disabled intrusion prevention are detected. | | | | | Alert notifications |
References
Pre-sales FAQ — frequently asked questions about Cloud Firewall features
Subscription 2.0 — billing for Premium, Enterprise, and Ultimate editions
Pay-as-you-go 2.0 — billing for the Pay-as-you-go edition
Purchase Cloud Firewall — how to buy Cloud Firewall