Cloud Firewall helps you isolate and protect your services in the cloud, which helps you secure those services and meet compliance requirements. This topic describes how to use Cloud Firewall to protect your services.
Selection overview
After cloud adoption, an enterprise's security domains are often left in their default state because of factors such as business type, network scale, and how services are managed. As the business grows, this results in a disorganized network architecture: for example, unnecessary ports are exposed to the Internet, or internal services are granted excessive access privileges. If such a service is attacked, the lack of isolation turns a single compromise into a significant security risk. Therefore, enterprises must plan their security domains in the cloud.
A network security domain is like a hotel where different guests can stay on different floors and in different rooms without interfering with each other. In an IT environment, a database server and a customer-facing web server have different security levels. A server in a test environment also has a different security level than a server in a production environment. Therefore, you should divide your business assets into security domains based on their functions and communication relationships.
Cloud Firewall for security domain isolation
Scenario 1: Protect inbound Internet traffic
Principle: Ensure flexibility, elastic scaling, and security.
Configuration recommendations:
Configure an Internet firewall to manage inbound Internet traffic.
Optional: Configure a virtual private cloud (VPC) as a demilitarized zone (DMZ). Use the VPC with Elastic IP Addresses (EIPs), Server Load Balancer (SLB), and the public IP addresses of Elastic Compute Service (ECS) instances to provide inbound Internet connections.
Scenario 2: Protect outbound Internet traffic
Principle: Ensure flexibility, elastic scaling, and security.
Configuration recommendations:
Configure an Internet firewall to manage outbound Internet traffic from public IP addresses, and NAT firewalls to manage outbound Internet traffic from private networks that reach the Internet through NAT Gateways.
Optional: Configure a VPC for a DMZ or different VPCs for different services. Use the VPCs with EIPs and NAT Gateways to provide outbound Internet connections.
Scenario 3: Protect east-west traffic in the cloud
Principle: Isolate environments and ensure necessary connectivity and security.
Configuration recommendations:
Configure Cloud Enterprise Network (CEN). We recommend that you use an Enterprise Edition transit router. Attach VPCs to the transit router to connect network instances in the cloud. You can also attach virtual border routers (VBRs) to the transit router to implement cross-cloud interconnection.
Configure a VPC firewall to secure service traffic across VPCs or clouds. This includes Layer 4 to Layer 7 access control, protection against lateral movement attacks, and log tracing.
Configure an internal firewall to implement microsegmentation within a VPC.
Scenario 4: Protect traffic between cloud assets and on-premises data centers
Principle: Enable communication between cloud assets and on-premises data centers and ensure security.
Configuration recommendations:
Configure CEN or Express Connect. Connect your on-premises data center to CEN or Express Connect through a VBR to enable communication with your business groups in VPCs.
Configure a VPC firewall to monitor unusual traffic between your on-premises data center and business groups in your VPCs. You can also implement fine-grained Layer 4 to Layer 7 access control policies, protect against lateral movement attacks, and perform log audits.
Network structure for security domain isolation using Cloud Firewall
Large groups
For large enterprises, the security domains of the production network are divided into group security domains and subsidiary security domains. Group security domains are further divided into Internet-facing production zones, internal-facing production zones, and production DMZs. The internal production network is further divided into general business security domains, core business security domains, and database security domains based on business type.
Small companies
For small companies, security domains are divided into general business security domains, core business security domains, data security domains, and DMZ security domains (for email systems and portal websites) based on business type, functional modules, and network communication relationships.
Select an edition: A multi-dimensional comparison
Before you select a Cloud Firewall edition, you should understand the protection scope of Cloud Firewall to ensure it matches your business needs. For more information, see Protection scope.
Cloud Firewall offers two billing methods: pay-as-you-go (which includes pay-as-you-go savings plans) and subscription. The subscription method includes three editions: Premium Edition, Enterprise Edition, and Ultimate Edition. Each edition offers different features, asset quotas, and bandwidth extension specifications.
You can use the following comparison tables to select a suitable edition. For more information, see Functions and features.