Cloud Firewall Subscription Edition - Cloud Firewall - Alibaba Cloud Documentation Center

Subscription is a prepaid billing method that lets you reserve Cloud Firewall resources in advance at a lower cost than pay-as-you-go.

Important

Starting October 15, 2025, Cloud Firewall uses Billing 2.0. New users are on Billing 2.0 by default. Existing users can continue on Billing 1.0 and upgrade at any time. For pricing changes in Billing 1.0 and upgrade steps, see Billing 1.0 and upgrade instructions.

Billing details

Important

Scope of "traffic or cloud assets": Refers to the total traffic or cloud assets across the current account and its member accounts.
Feature differences between editions: See Features.
Premium Edition limitation: Premium Edition does not support VPC firewalls.

Elastic traffic (always on)

Elastic traffic is enabled by default and cannot be disabled. If your actual clean bandwidth exceeds your purchased bandwidth, the excess is billed at USD 0.06/GB. Bills are generated daily and pushed the following day. The maximum elastic bandwidth is 10 Gbps. For a higher quota, contact your account manager or architect.

To receive an alert when your peak bandwidth approaches your purchased limit, go to System Settings > Alert Notification and configure an Elastic Billing Alert.

Edition pricing

The base price covers only the default specifications listed below. Extended specifications and value-added services are priced separately.

Item	Premium Edition	Enterprise Edition	Ultimate Edition
Base price	USD 420/month	USD 1,450/month	USD 3,900/month
Instances included	1	3	5
Bandwidth included	30 Mbps	200 Mbps	800 Mbps
Access control policy quota	10,000	50,000	100,000 (customizable)
Multi-account management quota	1,000	1,000	1,000

Bandwidth applies to Internet Border, Virtual Private Cloud (VPC) Border, and NAT Border combined (total sum across all three). To increase the access control policy quota for Ultimate Edition or the multi-account management quota for any edition, contact your account manager.

How instances are counted:

A general-purpose Cloud Firewall instance covers different types of border firewalls. The count is calculated as follows:

Each protected region = 1 Internet firewall instance
Each NAT Gateway instance = 1 NAT firewall instance
VPC firewall instances vary by architecture:
- Cloud Enterprise Network (CEN) Enterprise Edition: each Transit Router (TR) = 1 instance
- CEN Basic Edition: each VPC = 1 instance
- Express Connect: each pair of VPCs = 1 instance
When multi-account management is enabled, firewall instances under different member accounts are billed separately

Extended specifications

Purchase additional capacity when the defaults included in your edition are not enough.

Additional instances

Additional instances can be used for any border firewall (Internet Border, VPC Border, or NAT Border). Premium Edition does not support additional VPC firewall instances.

Edition	Price
Enterprise Edition	USD 215/instance/month
Ultimate Edition	USD 215/instance/month

Additional bandwidthUSD 288USD 0.026/GBUSD 0.36USD 3USD 4.5USD 6.5USD 7

Additional bandwidth uses tiered pricing based on the total amount of bandwidth added. Additional bandwidth can be used for any border firewall.

Additional bandwidth	Price
≤ 200 Mbps	USD 7/Mbps/month
200–1,000 Mbps	USD 6.5/Mbps/month
1,000–5,000 Mbps	USD 6/Mbps/month
5,000–15,000 Mbps	USD 4.5/Mbps/month
> 15,000 Mbps	USD 3/Mbps/month

Temporary additional bandwidth

For short-term traffic spikes, add bandwidth on a daily basis at USD 0.36/Mbps/day. Maximum: 10 Gbps. For a higher limit, contact your account manager or architect.

Value-added services

Sensitive Data Leak Detection

Item	Price
Monthly fee (includes 100 GB)	USD 288/month
Overage	USD 0.026/GB

To reduce costs, use this feature with pay-as-you-go savings plans. See Pay-as-you-go savings plans. For setup instructions, see Enable Sensitive Data Leak Detection.

Log Analysis

Cloud Firewall stores audit logs for 7 days by default, covering event logs, traffic logs, and operation logs. Enable Log Analysis to extend the retention period (7–730 days) or meet compliance requirements.

Edition	Purchasable range	Purchase step
Premium Edition	2 TB–500 TB	1 TB
Enterprise Edition	4 TB–500 TB	1 TB
Ultimate Edition	6 TB–500 TB	1 TB

For more information, see Log Analysis and Billing of the Log Analysis feature.

Subscription durations

Available durations: 1 month, 3 months, 6 months, 1 year, 2 years, or 3 years.

Billing examples

Example 1: Enterprise Edition with additional instances and bandwidth

Scenario: Enterprise Edition, 6-month subscription, 1 additional firewall instance, 250 Mbps peak bandwidth (200 Mbps included + 50 Mbps additional).

Item	Unit price	Quantity	Subtotal
Enterprise Edition base price	USD 1,450/month	6 months	USD 8,700
Additional instance	USD 215/instance/month	1 × 6 months	USD 1,290
Additional bandwidth (≤ 200 Mbps tier)	USD 7/Mbps/month	50 Mbps × 6 months	USD 2,100
Total			USD 12,090

Example 2: Enterprise Edition with elastic traffic overage

Scenario: Enterprise Edition, 1-month subscription, no additional specifications purchased. During the month, traffic exceeds the 200 Mbps included bandwidth, generating 500 GB of elastic traffic.

Item	Unit price	Quantity	Subtotal
Enterprise Edition base price	USD 1,450/month	1 month	USD 1,450
Elastic traffic	USD 0.06/GB	500 GB	USD 30
Total			USD 1,480

Elastic traffic is billed daily and pushed the following day. Monitor usage at System Settings > Alert Notification to avoid unexpected charges.

Example 3: Ultimate Edition with Sensitive Data Leak Detection

Scenario: Ultimate Edition, 1-month subscription, Sensitive Data Leak Detection enabled with 150 GB of traffic analyzed.

Item	Unit price	Quantity	Subtotal
Ultimate Edition base price	USD 3,900/month	1 month	USD 3,900
Sensitive Data Leak Detection (includes 100 GB)	USD 288/month	1 month	USD 288
Sensitive Data Leak Detection overage	USD 0.026/GB	50 GB	USD 1.30
Total			USD 4,189.30

Billing cycle

The billing cycle starts on the purchase date and ends on the expiration date of your instance.

Purchase subscription

Go to the Cloud Firewall purchase page and set Product Type to Subscription 2.0.
Configure the specifications based on your requirements.
Click Buy Now and complete the payment.

The following table describes the configuration items on the purchase page.

Configuration item	Description
Edition	Select the Cloud Firewall edition. After selecting an edition, view the feature details on the page to compare editions.
Automatic Protection For Internet Assets	Select whether to automatically protect all Internet assets with the firewall.
Number Of Additional Firewall Instances	If the instances included in your edition are not enough, purchase additional instances for Internet Border, VPC Border, and NAT Border. Note Premium Edition does not support VPC firewalls.
Scalable Bandwidth	If the bandwidth included in your edition is not enough, purchase additional bandwidth for Internet Border, VPC Border, and NAT Border. Note Premium Edition does not support VPC firewalls.
Elastic TrafficUSD 0.06/GB0.06 USD/GB	Enabled by default and cannot be disabled. If your actual service bandwidth exceeds the purchased bandwidth, the excess is billed at USD 0.06/GB.
Sensitive Data Leak Detection	Select whether to enable sensitive data detection for outbound connections.
Log Analysis	Select whether to enable Log Analysis. By default, Cloud Firewall stores audit logs for 7 days. Enable this feature to store logs for 7–730 days, meet compliance requirements, or export logs.
Log Storage Capacity	Select the log storage capacity.
Duration	Select the subscription duration and whether to enable Auto Renewal. The renewal cycle corresponds to the subscription duration. For example, a 6-month subscription with Auto Renewal enabled renews for 1 month upon expiration.

Cloud Firewall:Subscription 2.0