Subscription is a prepaid billing method that lets you reserve resources in advance at a lower price. This topic describes the billing rules for the subscription billing method.
Starting October 15, 2025, the billable items for Cloud Firewall will be updated to Billing 2.0. New users use Billing 2.0 by default. Existing users can continue to use Billing 1.0 and can choose to upgrade to Billing 2.0. For more information about the pricing changes in Billing 1.0 and how to upgrade to Billing 2.0, see Billing 1.0 and upgrade instructions.
Billing details
Scope: The term traffic or cloud assets refers to the total traffic or cloud assets of the current account and its member accounts.
Feature differences: For information about the feature differences among different editions of subscription-based Cloud Firewall, see Features.
Elastic Traffic: The elastic traffic feature is enabled by default. If your actual clean bandwidth exceeds your purchased bandwidth, the excess traffic is billed on a pay-as-you-go basis by default at a rate of 0.06 USD/GB. You can go to the page to configure an Elastic Billing Alert to receive a notification when your peak bandwidth reaches a specified percentage of your purchased bandwidth.
Premium Edition limitation: The Premium Edition does not support VPC firewalls.
Features and billable items | Premium Edition | Enterprise Edition | Ultimate Edition | Description
Base price | USD 420/month | USD 1,450/month | USD 3,900/month | The base price includes only the default specifications. It does not include extended specifications or value-added services.
Specifications included in the base price | Number of instances | 1 | 3 | 5 | The general instance specifications of Cloud Firewall allow the creation of different border firewalls.
Bandwidth | 30 Mbps | 200 Mbps | 800 Mbps | This bandwidth is used for Internet, VPC, and NAT border firewalls. Bandwidth is calculated as follows:
Access control policy quota | 10,000 | 50,000 | 100,000 (customizable) | To increase the quota for an Ultimate Edition instance, contact your account manager.
Multi-account management | Provides a quota of 1,000. | Provides a quota of 1,000. | Provides a quota of 1,000. | To increase the quota, contact your account manager.
Additional instances | USD 215/instance/month | If the number of instances included in your edition is not enough for your services, you can purchase additional instances. These can be used for any border firewall.
Additional bandwidth | | If the bandwidth included in your edition is not enough for your services, you can purchase additional bandwidth. This can be used for any border firewall. Tiered pricing is used.
Elastic traffic processing capacity | USD 0.06/GB. Bills are generated daily and pushed on the following day. | The processing capacity for traffic that exceeds your purchased bandwidth.
Temporary additional bandwidth | Billed by day: USD 0.36/Mbps/day. Maximum temporary additional bandwidth: 10 Gbps. | You can estimate traffic peaks and valleys based on your service needs and temporarily add bandwidth on a daily basis. For a custom quota, contact your account manager or architect.
Sensitive Data Leak Detection | Feature fee: USD 288/month (includes 100 GB), USD 0.026/GB for overage.
Log analysis storage capacity | Not included in the base price. Purchasable range: 2 TB to 500 TB | Not included in the base price. Purchasable range: 4 TB to 500 TB | Not included in the base price. Purchasable range: 6 TB to 500 TB | Cloud Firewall stores audit logs for 7 days by default. It supports event logs, traffic logs, and operation logs. To store logs for a longer period or meet compliance requirements, enable this feature.
Subscription duration | Available durations: 1 month, 3 months, 6 months, 1 year, 2 years, or 3 years.
Billing example
For example, an enterprise purchases a 6-month subscription to Cloud Firewall Enterprise Edition. The enterprise adds 1 firewall instance and has a peak bandwidth of 250 Mbps. This bandwidth consists of the 200 Mbps included with the Enterprise Edition and 50 Mbps of additional bandwidth.
The fee is calculated as follows: (USD 1,450 + 1 extension instance × USD 215 + 50 Mbps of additional bandwidth × USD 7) × 6
Billing cycle
The billing cycle starts on the purchase date and ends on the expiration date of your instance.
Enable the subscription model
- Visit the Cloud Firewall purchase page, and set Product Type to Subscription 2.0.
- Configure the purchase specifications, click Buy Now, and complete the payment.
Configuration Item
Description
Edition
Select the Cloud Firewall edition to purchase. After selection, you can view the features of different editions in the page description.
auto-protect internet assets
Select whether to automatically connect all Internet assets to the firewall for protection.
additional firewall instances
When the number of instances provided by the edition cannot meet your business requirements, you can purchase additional instances for the Internet firewall, VPC firewall, and NAT firewall.
Note: The subscription Premium Edition does not support VPC firewalls.
additional firewall bandwidth
When the bandwidth provided by the edition cannot meet your business requirements, you can purchase additional bandwidth for the Internet firewall, VPC firewall, and NAT firewall.
Note: The subscription Premium Edition does not support VPC firewalls.
log analysis
Select whether to enable the log analysis feature for Cloud Firewall and Agentic NDR.
Cloud Firewall stores audit logs for the last 7 days by default. If you need longer log storage, classified protection compliance, or log export, you must enable the log analysis feature. Log analysis supports custom storage of log data for 7 to 730 days. For more information, see log analysis and Billing of the Log Analysis Feature.
Note: Purchase reference: For every 10 Mbit/s of business bandwidth with logs retained for 6 months, we recommend configuring 1 TB of log storage capacity.
log storage capacity
Agentic NDR
Agentic NDR is a premium value-added service of Cloud Firewall. It inspects all north-south Internet traffic in the cloud through non-intrusive bypass mirror deployment, so your services are not affected. It focuses on the detection and tracing of advanced threats, and supports bidirectional traffic analysis for requests and responses. It can determine attack results and retain full traffic packets, and provides application layer protocol identification and deep parsing capabilities.
Includes 200 Mbit/s bandwidth, 2 Agentic NDR instances, and 30 GB of attack packet storage capacity.
Note: For more information, see What is Network Detection and Response?.
NDR additional instances
When the number of Agentic NDR instances provided by the edition cannot meet your business requirements, you need to purchase additional instances.
NDR additional bandwidth
The sum of inbound and outbound bandwidth for Agentic NDR (including Internet and private network traffic access with shared quota). The purchase step size is 10 Mbit/s.
NDR log storage capacity
The log analysis feature for Agentic NDR. It is billed independently, with storage space completely isolated from Cloud Firewall log analysis.
NDR full traffic storage capacity
Stores complete raw network traffic.
After the attack message storage quota included in your plan is exhausted, attack messages can continue to be stored in the full traffic storage capacity.
Minimum purchase is 1 TB, in 1 TB increments. Billed through Agentic NDR.
Note: Recommendation: For 50 Mbps public bandwidth and 14 days of full traffic retention, select 4 TB of storage. Configure custom message filtering rules to reduce storage usage.
firewall elastic traffic
The elastic traffic feature is enabled by default for the firewall and cannot be disabled. When the actual business bandwidth exceeds the purchased bandwidth specification, the excess portion is billed on a post-paid elastic basis according to the actual inspected traffic, at 0.06 USD/GB.
sensitive data leak detection
Select whether to enable sensitive data detection for active outbound traffic.
purchase duration
Select the purchase duration, and select whether to enable auto-renewal upon expiration.
Note: After you select auto-renewal, the auto-renewal cycle corresponds to the purchase duration, that is, monthly or yearly renewal. For example, if you purchase 6 months of Cloud Firewall service and select auto-renewal upon expiration, Cloud Firewall will automatically renew for one month after the service expires.
FAQ
How to check for recent excess traffic on a subscription Cloud Firewall
To check for recent excess traffic on your subscription Cloud Firewall, follow these steps:
Check for excess traffic in the last 30 days: Log on to the Cloud Firewall console. In the navigation pane on the left, choose . If the value for Elastic Traffic is greater than 0, you have generated excess traffic.
Check for excess traffic older than 30 days: Go to the Expenses and Costs console to check for pay-as-you-go bills for Cloud Firewall. For more information, see View and analyze bills.
How do I view the current billing method and expiration date of Cloud Firewall?
Log on to the Cloud Firewall console. In the navigation pane on the left, choose Overview. You can view the current edition and expiration date in the Version Information area on the right.
Billing methods and corresponding editions:
Pay-as-you-go: Displayed as Pay-as-you-go.
Subscription: Displayed as Premium Edition, Enterprise Edition, or Ultimate Edition.