
Cloud Firewall: Features supported by different Cloud Firewall editions

Last Updated: Dec 17, 2025

Before you purchase Cloud Firewall, select an edition based on your business needs, the features offered, and the cost. Understanding the features of each edition helps you make an informed decision.

Important

Starting October 15, 2025, the billable items for Cloud Firewall will be updated to Billing 2.0. New users use Billing 2.0 by default. Existing users can continue to use Billing 1.0 and can choose to upgrade to Billing 2.0. For more information about the pricing changes in Billing 1.0 and how to upgrade to Billing 2.0, see Billing 1.0 and upgrade instructions.

Feature list

The following table describes the features supported by different Cloud Firewall editions for Billing 2.0.

Note
  • No: Indicates that the feature is not supported.

  • Yes: Indicates that the feature is supported.

| Feature | Description | Pay-as-you-go Edition | Premium Edition | Enterprise Edition | Ultimate Edition | References |
| --- | --- | --- | --- | --- | --- | --- |
| Overview | Provides an overview of Cloud Firewall's defense capabilities. It displays statistics on protected assets, traffic data for the last 7 days, and defended security risks. | Yes | Yes | Yes | Yes | Data overview |
| Overview | Displays a visual traffic topology graph for cloud assets protected by Cloud Firewall. | No | No | Yes | Yes | Traffic topology graph |
| Firewall switch | The Internet firewall protects inbound and outbound traffic between the Internet and public assets with IP addresses (including IPv4 and IPv6). | Yes | Yes | Yes | Yes | Internet firewall |
| Firewall switch | NAT firewalls protect traffic from private IP assets that access the Internet through a NAT Gateway. | Yes | Yes | Yes | Yes | NAT firewall |
| Firewall switch | The VPC firewall protects traffic between virtual private clouds (VPCs) and between VPCs and data centers. | Yes | No | Yes | Yes | VPC firewall |
| Network traffic analysis | Suspicious Outbound Connections. Provides real-time monitoring of outbound connections from public and private cloud assets to the Internet to promptly detect unusual traffic. | Yes | Yes | Yes | Yes | Outbound connections |
| Network traffic analysis | Internet Exposure. Detects the IP addresses, ports, and applications of cloud assets protected by Cloud Firewall that are exposed to the Internet in real time. It provides visual analytics reports. | Yes | Yes | Yes | Yes | Internet Exposure |
| Network traffic analysis | VPC Access. Monitors traffic between interconnected VPCs in real time. This helps you get real-time VPC network traffic data to promptly detect and troubleshoot unusual traffic. | Yes | No | Yes | Yes | VPC Access |
| Attack prevention | Intrusion prevention. Actively detects and intercepts malicious traffic in real time. This includes malicious attacks from hackers, exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks. It protects your cloud-based information systems and network architecture. | Yes | Yes | Yes | Yes | Intrusion prevention |
| Attack prevention | Vulnerability Prevention. Automatically syncs vulnerabilities detected by Security Center on public assets connected to Cloud Firewall. It provides attack prevention for these vulnerabilities to create a closed loop of detection and protection. | Yes | Yes | Yes | Yes | Vulnerability Prevention |
| Attack prevention | Breach awareness. Helps you detect server intrusion events to prevent major business losses. | Yes | Yes | Yes | Yes | Breach awareness |
| Attack prevention | Data breach. Helps you promptly detect sensitive data leaks and risky payloads during outbound connections from your cloud assets. This prevents business losses. | Yes | Yes | Yes | Yes | Data breach |
| Attack prevention | The built-in threat detection engine lets you configure attack prevention rules for more precise detection and blocking of intrusion threats. How the threat detection engine works: • Basic protection: Includes intrusion prevention rules accumulated from Alibaba Cloud's real-world attack and defense experience. It precisely intercepts common cloud network attacks such as malicious port scans, database attacks, reverse shells, arbitrary code execution, and exploits. This prevents risks like server intrusions. • Virtual patching: Supports virtual patching for precise protection against popular vulnerabilities, high-risk 0-day exploits, and N-day exploits. You do not need to install patches on your business systems. This provides timely defense against vulnerability exploits. • Threat intelligence (Not supported by the Premium Edition): Includes Alibaba Cloud's global threat intelligence database of malicious IP addresses and domain names (such as malicious access sources, scan sources, and C&C services). It provides proactive defense against unknown threats and intrusions, blocks attack behavior, and prevents large-scale intrusions. • Intelligent defense: Uses artificial intelligence technology combined with massive amounts of attack data and features to intelligently detect unknown attack behaviors. This improves the detection of advanced attacks. • Protection whitelist: Lets you add a protection whitelist to allow normal service traffic that may have attack-like features. This ensures your services run smoothly. | Yes | Yes | Yes | Yes | IPS Configuration |
| Access control | Internet Border. Supports Layer 4 to Layer 7 access control (north-south) for inbound and outbound traffic of public assets. It effectively prevents external malicious attacks and strictly controls outbound traffic from active connections to prevent untrusted outbound connections. | Yes | Yes | Yes | Yes | Configure an access control policy for the Internet border |
| Access control | NAT Border. Supports Layer 4 to Layer 7 access control (north-south) for traffic from private IP addresses behind a NAT gateway that access the public network. It effectively intercepts unauthorized access from the internal network to the public network. | Yes | Yes | Yes | Yes | Configure an access control policy for the NAT border |
| Access control | VPC Border. Supports access control (east-west) for traffic between different VPCs, between VPCs and data centers, or between VPCs and third-party clouds. It blocks unauthorized internal traffic and allows trusted traffic. | Yes | No | Yes | Yes | Configure an access control policy for the VPC border |
| Access control | Internal Border. Supports access control for inbound and outbound traffic between ECS instances to restrict unauthorized access between them. | No | No | Yes | Yes | Internal firewall |
| Access control | Security group check. Detects high-risk rules in the security groups of ECS servers and provides suggestions for remediation. This helps you use the security group feature more securely and efficiently. | Yes | Yes | Yes | Yes | Security group check |
| Access control | Manage address books. Supports custom address books, cloud service address books, and threat intelligence address books. You can add multiple IP addresses, ports, or domain names to an address book. You can then reference and automatically update them in access control policies with a single click to improve policy efficiency. | Yes | Yes | Yes | Yes | Manage address books |
| Synchronization nodes | ACK cluster synchronization nodes: Designed for ACK container environments. They dynamically collect pod IP addresses and update them to address books. This solves access control challenges caused by frequent IP changes, significantly reduces manual configuration, and improves security and management efficiency. Private DNS synchronization nodes: Suitable for enterprises that use PrivateZone or self-managed DNS servers and have configured DNS records for internal domain names of services such as PaaS or hosts. Cloud Firewall can use private DNS synchronization nodes to automatically obtain the corresponding domain name-to-IP mappings and use them in domain name-based access control policies. | Yes, up to 5 | Yes, up to 2 | Yes, up to 5 | Yes, up to 10 | ACK cluster; Private DNS |
| Log Monitoring | Log auditing. Provides a 7-day log audit feature by default for event tracing, troubleshooting, and other purposes. Supported log types: • Event logs: Record events where traffic passing through Cloud Firewall matches an access control policy. You can view information such as the time, threat type, source IP address, destination IP address, application type, and severity level. • Traffic logs: Record all traffic data that passes through Cloud Firewall. When a threat event occurs, you can use traffic logs to analyze the traffic and access source, and check whether the configured access control policy is effective. • Operation logs: Record all user configurations and operations for Cloud Firewall, such as enabling or disabling the firewall and modifying intrusion prevention configurations. | Yes | Yes | Yes | Yes | Log auditing |
| Log Monitoring | Log analysis. Automatically collects, stores, and performs advanced analysis on all traffic logs from assets connected to Cloud Firewall in real time. The storage duration can be customized from 7 to 730 days, and you can also customize the delivery switch. It supports custom real-time monitoring and alerting based on specific metrics to ensure a timely response when anomalies occur in critical services. | Yes | Yes | Yes | Yes | Log analysis |
| Business Visualization | Lets you establish relationships between applications, application groups, and business groups for your cloud assets using custom groups. Supports business visualization to help you gain a comprehensive understanding of your cloud asset information and access relationships. | No | No | Yes | Yes | Custom groups; Security group visualization; Application Group Visualization |
| Multi-account management | Supports the multi-account management feature. This helps you share resources and ensure secure traffic access across multiple accounts. | Yes | Yes | Yes | Yes | Multi-account management |
| Alert notifications | When traffic anomalies, host compromises, suspicious outbound connections, vulnerability threats, disabled protection, or disabled intrusion prevention occur on your assets, you can receive timely notifications by text message or email. | Yes | Yes | Yes | Yes | Alert notifications |

References

  • For more information about Cloud Firewall features, see Pre-sales FAQ.

  • For more information about the billing method for the subscription editions of Cloud Firewall (Premium Edition, Enterprise Edition, and Ultimate Edition), see Subscription 2.0.

  • For more information about the billing method for Cloud Firewall (Pay-as-you-go), see Pay-as-you-go 2.0.

  • For more information about how to purchase Cloud Firewall, see Purchase Cloud Firewall.