Cloud Firewall subscription edition - Cloud Firewall - Alibaba Cloud Documentation Center

Subscription is a prepaid billing method that lets you reserve resources in advance at a lower price. This topic describes the billing rules for the subscription billing method.

Important

Starting October 15, 2025, the billable items for Cloud Firewall will be updated to Billing 2.0. New users use Billing 2.0 by default. Existing users can continue to use Billing 1.0 and can choose to upgrade to Billing 2.0. For more information about the pricing changes in Billing 1.0 and how to upgrade to Billing 2.0, see Billing 1.0 and upgrade instructions.

Billing details

Important

Scope: The term traffic or cloud assets refers to the total traffic or cloud assets of the current account and its member accounts.
Feature differences: For information about the feature differences among different editions of subscription-based Cloud Firewall, see Features.
Elastic Traffic: The elastic traffic feature is enabled by default. If your actual clean bandwidth exceeds your purchased bandwidth, the excess traffic is billed on a pay-as-you-go basis by default at a rate of 0.06 USD/GB. You can go to the System Settings > Alert Notification page to configure an Elastic Billing Alert to receive a notification when your peak bandwidth reaches a specified percentage of your purchased bandwidth.
Premium Edition limitation: The Premium Edition does not support VPC firewalls.

Features and billable items		Premium Edition	Enterprise Edition	Ultimate Edition	Description
Base price		USD 420/month	1,450 USD/month	3,900 USD/month	The base price includes only the default specifications. It does not include extended specifications or value-added services.
Specifications included in the base price	Number of instances	1	3	5	A general-purpose Cloud Firewall instance can be used to create different types of border firewalls. The number of instances is calculated as follows: Each protected region corresponds to one Internet firewall instance. Each NAT Gateway instance corresponds to one NAT firewall instance. VPC firewall: In a Cloud Enterprise Network (CEN) Enterprise Edition architecture, each TR corresponds to one instance. In a CEN Basic Edition architecture, each VPC corresponds to one instance. In an Express Connect architecture, each pair of VPCs corresponds to one instance. If the multi-account management feature is enabled, firewall instances under different member accounts are billed separately.
	Bandwidth	30 Mbps	200 Mbps	800 Mbps	This applies to Internet borders, VPC borders, and NAT borders. It is the sum of the bandwidth for all three.


	Access control policy quota	10,000	50,000	100,000 (customizable)	To increase the quota for an Ultimate Edition instance, contact your account manager.
	Multi-account management	Provides a quota of 1,000.	Provides a quota of 1,000.	Provides a quota of 1,000.	To increase the quota, contact your account manager.
Additional instances		USD 215/instance/month			If the number of instances included in your edition is not enough for your services, you can purchase additional instances. These can be used for any border firewall.


Additional bandwidth		Additional bandwidth ≤ 200 Mbps: USD 7/Mbps/month 200 < Extended bandwidth ≤ 1,000 Mbps: USD 6.5/Mbps/month 1000 Mbit/s < Extended bandwidth ≤ 5000 Mbit/s: 6 USD/Mbit/s/month 5000 < Extension bandwidth ≤ 15000 Mbit/s: USD 4.5/Mbit/s/month Extended bandwidth greater than 15,000: USD 3/Mbps/month			If the bandwidth included in your edition is not enough for your services, you can purchase additional bandwidth. This can be used for any border firewall. Tiered pricing is used.


Elastic traffic processing capacity		USD 0.06/GB. Bills are generated daily and pushed on the following day.			The processing capacity for traffic that exceeds your purchased bandwidth. This feature is enabled by default and cannot be disabled. The maximum elastic bandwidth is 10 Gbps. For a custom quota, contact your account manager or architect.
Temporary additional bandwidth		Billed by day: USD 0.36/Mbps/day. Maximum temporary additional bandwidth: 10 Gbps.			You can estimate traffic peaks and valleys based on your service needs and temporarily add bandwidth on a daily basis. For a custom quota, contact your account manager or architect.
Sensitive Data Leak Detection		Feature fee: USD 288/month (includes 100 GB), USD 0.026/GB for overage.			You can use this feature with pay-as-you-go savings plans to reduce costs. For more information, see Pay-as-you-go savings plans. For detailed instructions on how to enable and use this feature, see Enable Sensitive Data Leak Detection.
Log analysis storage capacity		Not included in the base price. Purchasable range: 2 TB to 500 TB	Not included in the base price. Purchasable range: 4 TB to 500 TB	Not included in the base price. Purchasable range: 6 TB to 500 TB	Cloud Firewall stores audit logs for 7 days by default. It supports event logs, traffic logs, and operation logs. To store logs for a longer period or meet compliance requirements, enable this feature. Purchase step size: 1 TB.
Subscription duration		Available durations: 1 month, 3 months, 6 months, 1 year, 2 years, or 3 years.

Billing example

For example, an enterprise purchases a 6-month subscription to Cloud Firewall Enterprise Edition. The enterprise adds 1 firewall instance and has a peak bandwidth of 250 Mbps. This bandwidth consists of the 200 Mbps included with the Enterprise Edition and 50 Mbps of additional bandwidth.

The fee is calculated as follows: (USD 1,450 + 1 extension instance × USD 215 + 50 Mbps of additional bandwidth × USD 7) × 6

Billing cycle

The billing cycle starts on the purchase date and ends on the expiration date of your instance.

Enable the subscription model

Go to the Cloud Firewall purchase page and set Product Type to Subscription 2.0.

Configure the specifications and then click Buy Now to complete the payment.

Configuration item	Description
Edition	Select the Cloud Firewall edition that you want to purchase. After you select an edition, you can view the description on the page to learn about the features of different editions.
Automatic Protection For Internet Assets	Select whether to automatically protect all Internet assets with the firewall.
Number Of Additional Firewall Instances	If the number of instances provided by the edition is insufficient for your business, you can purchase additional instances for the Internet border, VPC border, and NAT border. Note Cloud Firewall Premium Edition does not support VPC firewalls.
Scalable Bandwidth	If the bandwidth provided by the edition is insufficient for your business, you can purchase additional bandwidth for the Internet border, VPC border, and NAT border. Note Cloud Firewall Premium Edition does not support VPC firewalls.
Elastic Traffic	The burstable traffic feature is enabled by default and cannot be disabled. If your actual service bandwidth exceeds the purchased bandwidth, the excess traffic is billed on a pay-as-you-go basis. The price is USD 0.06/GB.
Sensitive Data Leak Detection	Select whether to enable sensitive data detection for outbound connections.
Log Analysis	Select whether to enable the log analysis feature for Cloud Firewall. By default, Cloud Firewall stores audit logs for the last 7 days. To store logs for a longer period, meet compliance requirements, or export logs, you must enable the log analysis feature. This feature lets you store log data for a custom period of 7 to 730 days. Note For more information, see Log Analysis and Billing of the Log Analysis Feature.
Log Storage Capacity
Duration	Select the subscription duration and select whether to enable Auto Renewal. Note If you enable auto-renewal, the renewal cycle corresponds to the subscription duration. For example, if you purchase a 6-month subscription and enable Auto Renewal, the service is automatically renewed for 1 month upon expiration.

Cloud Firewall:Subscription 2.0

Billing details

Billing example

Billing cycle

Enable the subscription model

References