Cloud Firewall (Pay-as-you-go) is a billing method where you pay for what you use. You can combine it with pay-as-you-go savings plans to further reduce costs.
Watch this video to quickly learn about Cloud Firewall (Pay-as-you-go) and its related operations.
You can enable Cloud Firewall (Pay-as-you-go) as needed without purchasing many resources in advance. You are charged based on the number of protected assets and the amount of traffic. The hourly fee for protecting one public asset starts at USD 0.008. This billing method is suitable for the following scenarios:
Enterprises that experience frequent changes in business volume or have temporary and burstable resource usage. This method offers high elasticity and flexibility.
Small and medium-sized enterprises with a small number of assets (typically fewer than 10 public assets) or low traffic (typically a peak bandwidth of less than 10 Mbps). This method is more cost-effective.
Cloud Firewall (Pay-as-you-go) supports the following features:
Automatic discovery and one-click protection for cloud assets.
The Internet firewall automatically discovers public assets on the cloud and provides protection within seconds. Supported assets include public IP addresses of ECS, CLB, ALB, and NLB instances, EIPs (including Layer 2 EIPs), ENIs, and HaVIPs. The firewall protects both IPv4 and IPv6 assets.
NAT firewalls support automatic protection for private assets that access the internet through an Internet NAT gateway.
VPC firewalls support automatic protection for private assets that access other VPCs.
Real-time defense against inbound and outbound cyberattacks, including web attacks, brute-force attacks, database attacks, cryptocurrency-mining Trojans, viruses, worms, command execution, reverse shells, and malicious outbound connections. It also supports virtual patches for vulnerabilities, threat intelligence, and breach awareness.
Fine-grained isolation and access control of business domains from Layer 4 to Layer 7. It supports access control for public and private traffic at the Internet, NAT, and VPC boundaries. This includes network isolation Access Control List (ACL) policies based on IP addresses, domain names, applications, protocols, ports, and geographic locations.
Network traffic analysis and visualization for prompt detection of outbound connections, public exposure risks, and traffic trends and anomalies in private network outbound connections and VPC access.
Log audit and analysis with a log storage duration of up to 180 days. This helps you quickly trace attack traffic, perform unified analysis, and meet classified protection compliance requirements.
For more information, see Common scenarios, Functions and features, and Supported regions.
Billing details
Cloud Firewall (Pay-as-you-go) bills are based on the actual number of protected assets and the amount of processed traffic. Fees for the previous day are calculated and deducted from your account on the following day.
The daily fee for Cloud Firewall (Pay-as-you-go) is calculated using the following formula:
Daily bill = (Public IP configuration fee + Internet traffic processing fee + NAT firewall instance fee + NAT firewall traffic processing fee + VPC firewall instance fee + VPC firewall traffic processing fee) for the day
The minimum billing cycle for Cloud Firewall (Pay-as-you-go) is one hour. If you use the service for less than one hour, you are charged for one full hour. For example, usage from 15:55 to 16:05 spans two clock hours and is billed as two hours of usage.
If your account has an overdue payment for more than 15 consecutive days, your Cloud Firewall (Pay-as-you-go) instance is automatically released. If no asset is protected for more than 30 consecutive days, Cloud Firewall automatically disables the corresponding firewall module.
Border type | Billable item | Unit price | Description |
Internet firewall | Public IP configuration fee | USD 0.008 per public IP address-hour | Billed based on the number of protected public IP addresses for the day. Daily public IP configuration fee = Number of protected public IP addresses for the day × Unit price per public IP address |
Internet traffic processing fee | USD 0.06 per GB | Billed based on the actual Internet traffic processed by the Internet firewall for the day. Daily Internet traffic processing fee = (Outbound traffic + Inbound traffic) × Unit price per GB | |
NAT firewall | NAT firewall instance fee | USD 0.06 per instance-hour | Billed based on the number of created NAT firewalls for the day. Daily NAT firewall instance fee = Number of enabled NAT firewalls for the day × Unit price per instance Note The number of NAT firewalls varies based on the number of NAT gateways. A NAT gateway corresponds to a NAT firewall. For more information, see NAT firewalls. |
NAT firewall traffic processing fee | USD 0.06 per GB | Billed based on the actual private network traffic processed by the NAT firewall for the day. Daily NAT firewall traffic processing fee = Outbound traffic × Unit price per GB | |
VPC firewall | VPC firewall instance fee | USD 0.39 per instance-hour | Billed based on the number of created VPC firewalls for the day. Daily VPC firewall instance fee = Number of enabled VPC firewalls for the day × Unit price per instance Note The number of created VPC firewall instances is calculated as follows:
For more information, see Overview of VPC firewalls. |
VPC firewall traffic processing fee | USD 0.06 per GB | Billed based on the actual traffic processed by the VPC firewall for the day. Daily VPC firewall traffic processing fee = Outbound traffic × Unit price per GB | |
General features | Sensitive Data Leak Detection | Free within the default specifications. After the free quota is used up, you are charged USD 0.02 per GB. |
|
Quota for Additional Policy | Free within the default specifications. After the free quota is used up, you are charged USD 0.003 per 100 policies-hour. |
|
The default specifications for Cloud Firewall (Pay-as-you-go) are as follows:
Number of public IPs: Protect up to 1,000 public IPs.
Sensitive Data Leak Detection traffic: A free quota of 100 GB per month is provided after you enable the feature.
Quota for Additional Policy:
Internet Border: 2,000
NAT Border: 2,000
VPC Border: 10,000
For information about how specification usage is calculated, see Policy specification usage.
Peak traffic processing bandwidth: Up to 5 Gbps.
NoteCloud Firewall does not guarantee security for traffic that exceeds the peak bandwidth. You can check the firewall status on the Firewall Switch page in the Cloud Firewall console. A Firewall Status of Protected indicates that asset traffic is protected normally. A Firewall Status of Unprotected indicates that asset traffic is bypassed and is not protected. You are not billed for unprotected asset traffic. If you need more traffic processing bandwidth, you can submit a ticket.
Cloud Firewall (Pay-as-you-go) automatically synchronizes asset information and checks the protection status in real time. If the system detects that no assets are protected by your Cloud Firewall (Pay-as-you-go) instance for 1 to 30 consecutive days, it sends you a notification.
NoteIf no asset is added to your Cloud Firewall for 30 consecutive days, Cloud Firewall automatically disables the Internet Firewall, NAT Firewall, or VPC Firewall feature, and other related modules are reverted to their initial status. You can re-enable the modules as needed. For more information, see Internet Firewall, NAT Firewall, or VPC Firewall.
Billing examples
Scenario | Hourly bill |
You have enabled Cloud Firewall (Pay-as-you-go) but have not enabled protection for any cloud assets. | 0 USD |
You have enabled Cloud Firewall (Pay-as-you-go), enabled protection for two public IPs of cloud assets, and process about 1 GB of inbound and outbound traffic per hour. You have not enabled any NAT firewalls. | 2 × USD 0.008 + 1 GB × USD 0.06/GB = USD 0.076 |
You have enabled Cloud Firewall (Pay-as-you-go), enabled protection for two public IPs of cloud assets, process about 1 GB of inbound and outbound traffic per hour, enabled one NAT firewall, and process about 0.5 GB of private network traffic per hour. | 2 × USD 0.008 + 1 GB × USD 0.06/GB + 1 × USD 0.06 + 0.5 GB × USD 0.06/GB = USD 0.166 |
Enable Cloud Firewall (Pay-as-you-go)
Go to the Cloud Firewall console. In the dialog box that appears, click Activate to open the configuration panel.
On the Cloud Firewall (Pay-as-you-go) page, configure the specifications.
Billing Cycle: The default value is By Hour.
The minimum billing cycle for each billable item of Cloud Firewall is one hour, but bills are settled daily.
Automatic Protection For New Assets: Select whether to enable automatic protection for new assets.
If you enable Automatic Protection For New Assets, Cloud Firewall automatically protects your public assets after you enable Cloud Firewall (Pay-as-you-go). This includes enabling the firewall switch and attack protection to reduce security risks for your public assets.
NoteIf you do not require automatic asset protection, you can turn off Automatic Protection for New Assets in the Cloud Firewall console. For more information, see Internet Firewall.
Read and select the Terms of Service for Cloud Firewall (Pay-as-you-go), click Buy Now, and complete the payment.
After you enable Cloud Firewall (Pay-as-you-go), Alibaba Cloud settles the bill for the previous day based on your actual usage.
After you enable Cloud Firewall (Pay-as-you-go), you also need to enable NAT firewalls and VPC firewalls as needed.
Enable a NAT firewall
Log on to the Cloud Firewall console. In the navigation pane on the left, click Firewall Settings.
On the NAT Firewall tab, click Enable Now.
If no NAT firewall is created within 30 days after you enable the NAT Firewall feature, the module is automatically disabled. You can re-enable it when needed. After you enable the feature, add assets for protection promptly. The initial asset synchronization takes about 1 to 5 minutes.
Enable a VPC firewall
Log on to the Cloud Firewall console. In the navigation pane on the left, click Firewall Settings.
On the VPC Firewall tab, click Enable Now.
If no VPC firewall is created within 30 days after you enable the VPC Firewall feature, the module is automatically disabled. You can re-enable it when needed. After you enable the feature, add assets for protection promptly. The initial asset synchronization takes about 1 to 5 minutes.
View usage details
Cloud Firewall (Pay-as-you-go) is billed on an hourly basis. Fees from the previous day are calculated and settled on the following day. You can query the bill details for the pay-as-you-go edition to understand your charges.
Log on to the Cloud Firewall console.
In the navigation pane on the left, click . On the NAT Firewall tab, click Enable Now. After you enable the NAT Firewall feature, you can connect a NAT Gateway and create a NAT firewall instance. For more information, see Enable a NAT firewall.
In the navigation pane on the left, choose .
On the Bill Management page, view the pay-as-you-go usage details, including statistics about protected assets, enabled protection features, and traffic data for protected assets.
Click View Bill Details to view the bill details. For more information, see Bill details.
Use pay-as-you-go savings plans
When you use the pay-as-you-go billing method for Cloud Firewall, you can use a Cloud Firewall pay-as-you-go savings plan to reduce your costs. A Cloud Firewall pay-as-you-go savings plan is a subscription plan that is similar to a stored-value card. You can flexibly set the value of the plan based on your pay-as-you-go usage, starting from USD 10. After you purchase a pay-as-you-go savings plan, it is automatically applied to offset the fees for pay-as-you-go billable items of Cloud Firewall at a specific discount. For example, if you purchase a USD 20 savings plan, in addition to promotional or business discounts that you may receive at the time of purchase, you also receive a 5% discount on all pay-as-you-go billable items that are offset by the plan. You can purchase multiple pay-as-you-go savings plans as needed. For more information, see Pay-as-you-go savings plans.
Log on to the Cloud Firewall console.
In the navigation pane on the left, click .
On the Overview page, in the Instance Protection Status area on the right, click Pay-as-you-go Savings Plan.
On the Pay-as-you-go Savings Plans panel, you can purchase a pay-as-you-go savings plan as needed. For more information, see Pay-as-you-go savings plans.
A pay-as-you-go savings plan is a discount plan that provides savings over pay-as-you-go rates in exchange for a commitment to a certain amount of spending over a period. The larger your spending commitment, the greater the discount you receive, which can lead to more cost savings.
Convert from pay-as-you-go to subscription
Based on your business needs, you can change the billing method for Cloud Firewall by seamlessly converting from pay-as-you-go to subscription.
Enable the log analysis feature
Cloud Firewall (Pay-as-you-go) provides a default log audit duration of 7 days. To store logs for a longer period, you can enable the log analysis feature. The default storage duration is 180 days, but you can adjust it as needed. After you enable the log analysis feature, Cloud Firewall (Pay-as-you-go) does not charge any fees for it. All log-related fees are billed by Simple Log Service (SLS).
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose , and enable the feature as prompted. For more information, see Enable the log analysis feature.
The fees for the log analysis feature are included in your SLS bills, not your Cloud Firewall bills. SLS supports a pay-by-feature billing method and generates pay-as-you-go bills. Simple Log Service also lets you use resource plans to offset the fees for pay-as-you-go billable items. For more information, see Billing overview.
Release a Cloud Firewall (Pay-as-you-go) instance
If you no longer need Cloud Firewall (Pay-as-you-go), you can disable the firewalls on the Internet Firewall, NAT Firewall, and VPC Firewall tabs. Then, in the upper-right corner of the Overview page, choose . The self-service release process is shown in the following figure:
