Subscription is a billing method that requires payment before you use a service. A subscription lets you reserve resources in advance at a lower price, which helps you reduce costs. This topic describes the billing rules for subscriptions.
Starting October 15, 2025, the billable items for Cloud Firewall features will be updated to Billing 2.0. New users will use Billing 2.0 by default. Existing users can continue to use Billing Method 1.0 or choose to upgrade to Billing 2.0. For more information about the cost changes in Billing Method 1.0 and how to upgrade to Billing 2.0, see Legacy Billing Method 1.0 and Upgrade Instructions.
Billing details
Scope: The traffic or cloud assets for a billable item is the sum of the traffic or cloud assets from the current account and all its member accounts.
Feature differences: For more information about the differences in features among the subscription editions of Cloud Firewall, see Feature List.
Elastic bandwidth: The elastic bandwidth feature is enabled by default. If your actual service bandwidth exceeds your purchased bandwidth, the excess traffic is billed on a pay-as-you-go basis at a rate of USD 0.06/GB. You can go to the page to configure an Elastic Billing Alert. This alert notifies you when your peak bandwidth reaches a specified percentage of your purchased bandwidth.
Premium Edition limitation: The Premium Edition does not support VPC firewalls.
Features and billable items | Premium Edition | Enterprise Edition | Ultimate Edition | Description | |
Base price | USD 420/month | USD 1,450/month | USD 3,900/month | The base price includes only the default specifications. It does not include extended specifications or value-added services. | |
Specifications included in the base price | Number of instances | 1 | 3 | 5 | A general-purpose Cloud Firewall instance can be used to create different types of border firewalls. The number of instances is calculated as follows:
|
Bandwidth | 30 Mbps | 200 Mbps | 800 Mbps | This is the total bandwidth for the Internet border, VPC border, and NAT border. | |
Access control policy quota | 10,000 | 50,000 | 100,000 (customizable) | To increase the quota for an Ultimate Edition instance, contact your business manager. | |
Multi-account management | You can choose from 1,000 specifications. | It offers 1,000 specifications. | Offers 1000 specifications. | To increase the quota, contact your business manager. | |
Number of extra instances | USD 215/instance/month | If the number of instances included in your edition is not enough for your business needs, you can purchase extra instances. These can be used for any type of border firewall. | |||
Extra bandwidth |
| If the bandwidth included in your edition is not enough for your business needs, you can purchase extra bandwidth. This can be used for any type of border firewall. Tiered pricing is used. | |||
Elastic bandwidth processing capacity | USD 0.06/GB | This is the processing capacity for traffic that exceeds your purchased bandwidth. This feature is enabled by default and cannot be disabled. The maximum elastic bandwidth is 10 Gbps. For custom quotas, contact your business manager or architect. | |||
Temporary extra bandwidth | Billed daily: USD 0.36/Mbps/day. Maximum temporary extra bandwidth: 10 Gbps. | You can estimate traffic peaks and valleys based on your business needs and temporarily purchase extra bandwidth on a daily basis. For custom quotas, contact your business manager or architect. | |||
Sensitive Data Leak Detection | Feature fee: USD 288/month (includes 100 GB). Overage fee: USD 0.026/GB. |
| |||
Log analysis storage capacity | Not included in the base price. You can purchase 2 TB to 500 TB. | Not included in the base price. You can purchase 4 TB to 500 TB. | Not included in the base price. You can purchase 6 TB to 500 TB. | Cloud Firewall stores audit logs for 7 days by default. It supports event logs, traffic logs, and operation logs. To store logs for a longer period or meet compliance requirements, you must enable this feature. Purchase increment: 1 TB. | |
Subscription duration | Available durations: 1 month, 3 months, 6 months, 1 year, 2 years, and 3 years. | ||||
Billing example
An enterprise purchases a 6-month subscription to Cloud Firewall Enterprise Edition. They purchase one additional firewall instance and have a peak bandwidth of 250 Mbps. This bandwidth consists of the 200 Mbps included with the Enterprise Edition and 50 Mbps of additional bandwidth.
The total fee is calculated as follows: (USD 1,450 + 1 additional instance × USD 215 + 50 Mbps additional bandwidth × USD 7) × 6
Billing cycle
The billing cycle starts on the purchase date and ends on the expiration date of your subscription.
Enable the subscription billing method
Go to the Cloud Firewall purchase page and set Billing Method to Subscription.
Configure the specifications and click Buy Now to complete the payment.
Parameter
Description
Edition
The edition of Cloud Firewall that you want to purchase.
After you select an edition, you can view the Edition Description to learn about the features of different editions.
Number Of Public IP Addresses
The number of public IP addresses that can be protected by the Internet firewall.
Premium Edition: The basic price includes 20 public IP addresses. You can increase the quota to a value from 20 to 1,000.
Enterprise Edition: The basic price includes 50 public IP addresses. You can increase the quota to a value from 50 to 1,000.
Ultimate Edition: The basic price includes 400 public IP addresses. You can increase the quota to a value from 400 to 1,000.
Protected Internet Traffic
The peak Internet traffic that can be protected by Cloud Firewall. The metering metric is the peak outbound or inbound Internet traffic, whichever is greater. We recommend that you set this parameter to the Internet bandwidth of your business.
Premium Edition: The basic price includes 10 Mbit/s of protected traffic. You can increase the quota to a value from 10 to 2,000 Mbit/s.
Enterprise Edition: The basic price includes 50 Mbit/s of protected traffic. You can increase the quota to a value from 50 to 5,000 Mbit/s.
Ultimate Edition: The basic price includes 200 Mbit/s of protected traffic. You can increase the quota to a value from 200 to 15,000 Mbit/s.
If the specification does not meet your business requirements, contact your account manager to apply for a bandwidth increase.
Number Of VPC Firewalls
The number of VPCs that can be protected by Cloud Firewall. You need to configure this parameter only if you select Enterprise Edition or Ultimate Edition.
Enterprise Edition: The basic price includes 2 VPC firewalls. You can increase the quota to a value from 2 to 100.
Ultimate Edition: The basic price includes 5 VPC firewalls. You can increase the quota to a value from 5 to 200.
Protected Traffic Between VPCs
The peak cross-VPC traffic that can be protected. You need to configure this parameter only if you select Enterprise Edition or Ultimate Edition.
Enterprise Edition: The basic price includes 200 Mbit/s of protected traffic. You can increase the quota to a value from 200 to 5,000 Mbit/s.
Ultimate Edition: The basic price includes 1,000 Mbit/s of protected traffic. You can increase the quota to a value from 1,000 to 10,000 Mbit/s.
NoteIf you want to protect more than 10 Gbit/s of cross-VPC traffic, you must contact your account manager to apply for higher traffic processing capabilities one month in advance.
Number Of NAT Firewalls
The number of NAT firewalls that you can create.
Premium Edition: Not included in the base price by default. Scalable from 1 to 20 units.
Enterprise Edition: The basic price includes 1 NAT firewall. You can increase the quota to a value from 1 to 100.
Ultimate Edition: The basic price includes 2 NAT firewalls. You can increase the quota to a value from 2 to 1,000.
Protected Traffic Of NAT Firewalls
The peak traffic that can be protected by a NAT firewall in Cloud Firewall. The peak traffic can be specified in increments of 5 Mbit/s.
Premium Edition: The basic price does not include protected traffic. You can purchase 5 to 1,000 Mbit/s of protected traffic.
Enterprise Edition: The basic price includes 10 Mbit/s of protected traffic. You can increase the quota to a value from 10 to 5,000 Mbit/s.
Ultimate Edition: The basic price includes 20 Mbit/s of protected traffic. You can increase the quota to a value from 20 to 10,000 Mbit/s.
Elastic Traffic Processing Capability
Specify whether to enable the burstable protected traffic feature.
Sensitive Data Leak Detection
Specify whether to enable the detection of sensitive data in outbound traffic.
Quota For Additional Policy
If the access control policy quota of your Cloud Firewall edition is insufficient, you can increase the quota by using Quota For Additional Policy.
Premium Edition: 0 to 100,000
Enterprise Edition: 0 to 200,000
Ultimate Edition: 0 to 300,000
Multi-Account Management
If you have multiple Alibaba Cloud accounts in your enterprise and you want to manage the accounts in a centralized manner, you can enable the multi-account management feature. To use Cloud Firewall to protect assets across multiple accounts, purchase Cloud Firewall for your account and add other accounts to Cloud Firewall as members. You do not need to purchase Cloud Firewall for other accounts.
Premium Edition: 1,000 member accounts are provided free of charge.
Enterprise Edition: 1,000 member accounts are provided free of charge.
Ultimate Edition: 1,000 member accounts are provided free of charge.
If you want to increase the quota, submit a ticket to contact technical experts.
Number Of Member Accounts
Log Analysis
Specify whether to enable the log analysis feature for Cloud Firewall .
By default, Cloud Firewall stores audit logs for seven days. If you want to store audit logs for a longer period of time, meet classified protection requirements, or export audit logs, we recommend that you enable the log analysis feature. The log analysis feature allows Cloud Firewall to store logs from 7 to 730 days.
If you set Protected Internet Traffic to 10 Mbit/s and want to store logs for six months, we recommend that you purchase 1,000 GB of storage capacity.
NoteFor more information, see Log Analysis and Billing of the Log Analysis Feature.
Log Storage Capacity
Subscription Duration
Select the subscription duration and specify whether to enable Auto Renewal.
NoteThe auto-renewal cycle is based on the subscription duration. If you purchase a monthly or yearly subscription, Cloud Firewall is renewed on a monthly or yearly basis. For example, if you purchase a six-month subscription to Cloud Firewall and select Auto Renewal, Cloud Firewall is automatically renewed for one month after your subscription expires.