All Products
Search
Document Center

Cloud Firewall:Subscription 2.0

Last Updated:Jun 24, 2026

Subscription is a prepaid billing method that lets you reserve resources in advance at a lower price. This topic describes the billing rules for the subscription billing method.

Important

Starting October 15, 2025, the billable items for Cloud Firewall will be updated to Billing 2.0. New users use Billing 2.0 by default. Existing users can continue to use Billing 1.0 and can choose to upgrade to Billing 2.0. For more information about the pricing changes in Billing 1.0 and how to upgrade to Billing 2.0, see Billing 1.0 and upgrade instructions.

Billing details

Important
  • Scope: The term traffic or cloud assets refers to the total traffic or cloud assets of the current account and its member accounts.

  • Feature differences: For information about the feature differences among different editions of subscription-based Cloud Firewall, see Features.

  • Elastic Traffic: The elastic traffic feature is enabled by default. If your actual clean bandwidth exceeds your purchased bandwidth, the excess traffic is billed on a pay-as-you-go basis by default at a rate of 0.06 USD/GB. You can go to the System Settings > Alert Notification page to configure an Elastic Billing Alert to receive a notification when your peak bandwidth reaches a specified percentage of your purchased bandwidth.

  • Premium Edition limitation: The Premium Edition does not support VPC firewalls.

Features and billable items

Premium Edition

Enterprise Edition

Ultimate Edition

Description

Base price

USD 420/month

1,450 USD/month

3,900 USD/month

The base price includes only the default specifications. It does not include extended specifications or value-added services.

Specifications included in the base price

Number of instances

1

3

5

The general instance specifications of Cloud Firewall allow the creation of different border firewalls.
The calculation rules for Cloud Firewall instance consumption are as follows:

  • Internet firewall: One instance is required for each protected region. Within the same region, only one instance type is consumed, regardless of the number of protected public IP addresses or whether the IP addresses are IPv4 or IPv6.

  • NAT border firewall: One instance is required for each NAT Gateway instance.

  • VPC border firewall:

    • In a Cloud Enterprise Network (CEN) Enterprise Edition architecture, one instance is required for each TransitRouter (TR).

    • In a CEN Basic Edition architecture, one instance is required for each VPC.

    • In a VPC peering connection architecture, one instance is required for each pair of VPCs.

  • Multi-account management: If you enable this feature, the assets of each member account consume a Cloud Firewall instance type and incur a separate instance fee.

Bandwidth

30 Mbps

200 Mbps

800 Mbps

This bandwidth is used for Internet, VPC, and NAT border firewalls.

Bandwidth is calculated as follows:

  • Total bandwidth = Internet border bandwidth + VPC border bandwidth + NAT border bandwidth.

  • The Internet border firewall bandwidth is the sum of the outbound and inbound bandwidth.

Access control policy quota

10,000

50,000

100,000 (customizable)

To increase the quota for an Ultimate Edition instance, contact your account manager.

Multi-account management

Provides a quota of 1,000.

Provides a quota of 1,000.

Provides a quota of 1,000.

To increase the quota, contact your account manager.

Additional instances

USD 215/instance/month

If the number of instances included in your edition is not enough for your services, you can purchase additional instances. These can be used for any border firewall.

Additional bandwidth

  • Additional bandwidth ≤ 200 Mbps: USD 7/Mbps/month

  • 200 < Extended bandwidth ≤ 1,000 Mbps: USD 6.5/Mbps/month

  • 1000 Mbit/s < Extended bandwidth ≤ 5000 Mbit/s: 6 USD/Mbit/s/month

  • 5000 < Extension bandwidth ≤ 15000 Mbit/s: USD 4.5/Mbit/s/month

  • Extended bandwidth greater than 15,000: USD 3/Mbps/month

If the bandwidth included in your edition is not enough for your services, you can purchase additional bandwidth. This can be used for any border firewall. Tiered pricing is used.

Elastic traffic processing capacity

USD 0.06/GB. Bills are generated daily and pushed on the following day.

The processing capacity for traffic that exceeds your purchased bandwidth.

  • You can use pay-as-you-go savings plans to reduce costs. For more information, see Pay-as-you-go savings plans.

  • This feature is enabled by default and cannot be disabled. The elastic traffic capacity is capped at 10 Gbps. To request a higher quota, contact your account manager or architect.

Temporary additional bandwidth

Billed by day: USD 0.36/Mbps/day.

Maximum temporary additional bandwidth: 10 Gbps.

You can estimate traffic peaks and valleys based on your service needs and temporarily add bandwidth on a daily basis. For a custom quota, contact your account manager or architect.

Sensitive Data Leak Detection

Feature fee: USD 288/month (includes 100 GB), USD 0.026/GB for overage.

Log analysis storage capacity

Not included in the base price. Purchasable range: 2 TB to 500 TB

Not included in the base price. Purchasable range: 4 TB to 500 TB

Not included in the base price. Purchasable range: 6 TB to 500 TB

Cloud Firewall stores audit logs for 7 days by default. It supports event logs, traffic logs, and operation logs. To store logs for a longer period or meet compliance requirements, enable this feature.

  • Purchase step size: 1 TB.

  • Pricing: USD 80/1TB/month.

Subscription duration

Available durations: 1 month, 3 months, 6 months, 1 year, 2 years, or 3 years.

Billing example

For example, an enterprise purchases a 6-month subscription to Cloud Firewall Enterprise Edition. The enterprise adds 1 firewall instance and has a peak bandwidth of 250 Mbps. This bandwidth consists of the 200 Mbps included with the Enterprise Edition and 50 Mbps of additional bandwidth.

The fee is calculated as follows: (USD 1,450 + 1 extension instance × USD 215 + 50 Mbps of additional bandwidth × USD 7) × 6

Billing cycle

The billing cycle starts on the purchase date and ends on the expiration date of your instance.

Enable the subscription model

  1. Visit the Cloud Firewall purchase page, and select Product Type as the Subscription 2.0.

  2. Configure the purchase specifications, and click Buy Now and complete the payment.

    Configuration Item

    Description

    Edition

    Select the Cloud Firewall edition to purchase. After selection, you can view the features of different editions in the page description.

    auto-protect internet assets

    Select whether to automatically connect all Internet assets to the firewall for protection.

    additional firewall instances

    When the number of instances provided by the edition cannot meet your business requirements, you can purchase additional instances for the Internet firewall, VPC firewall, and NAT firewall.

    Note

    subscription Premium edition does not support VPC firewall.

    additional firewall bandwidth

    When the bandwidth provided by the edition cannot meet your business requirements, you can purchase additional bandwidth for the Internet firewall, VPC firewall, and NAT firewall.

    Note

    subscription Premium edition does not support VPC firewall.

    log analysis

    Select whether to enable the log analysis feature for Cloud Firewall and Agentic NDR.

    Cloud Firewall stores audit logs for the last 7 days by default, If you need longer log storage, classified protection compliance, or log export, you must enable the log analysis feature. Log analysis supports custom storage of log data for 7 to 730 days. For more information, see log analysis and Billing of the Log Analysis Feature.

    Note

    Purchase reference: For every 10 Mbit/s of business bandwidth with logs retained for 6 months, we recommend configuring 1 TB of log storage capacity.

    log storage capacity

    Agentic NDR

    Agentic NDR is Cloud Firewall a premium value-added service which achieves full north-south Internet traffic inspection on the cloud through non-intrusive bypass mirror deployment, actual business is not affected. It focuses on the detection and tracing of advanced threats, and supports bidirectional traffic analysis for requests and responses. It can determine attack results and retain full traffic packets, and provides application layer protocol identification and deep parsing capabilities.

    Includes 200 Mbit/s bandwidth, 2 Agentic NDR instances, and 30 GB of attack packet storage capacity.

    Note

    For more information, see What is Network Detection and Response?.

    NDR additional instances

    When the number of Agentic NDR instances provided by the edition cannot meet your business requirements, you need to purchase additional instances.

    NDR additional bandwidth

    Agentic NDR The sum of inbound and outbound bandwidth (including Internet and private network traffic access with shared quota). The purchase step size is 10 Mbit/s.

    NDR log storage capacity

    Agentic NDR log analysis feature. Billed independently, with storage space completely isolated from Cloud Firewall log analysis.

    NDR full traffic storage capacity

    Store complete raw network traffic.

    • After the attack message storage quota included in your plan is exhausted, attack messages can continue to be stored in the full traffic storage capacity.

    • Minimum purchase is 1 TB, in 1 TB increments. Billed through Agentic NDR.

    Note

    Recommendation: For 50 Mbps public bandwidth and 14 days of full traffic retention, select 4 TB of storage. Configure custom message filtering rules to reduce storage usage.

    firewall elastic traffic

    The elastic traffic feature is enabled by default for the firewall and cannot be disabled. When the actual business bandwidth exceeds the purchased bandwidth specification, the firewall charges post-paid elastic billing based on the actual inspected traffic for the excess portion. 0.06 USD/GB.

    sensitive data leak detection

    Select whether to enable sensitive data detection for active outbound traffic.

    purchase duration

    Select the purchase duration, and select whether to enable auto-renewal upon expiration.

    Note

    After you select auto-renewal, the auto-renewal cycle corresponds to the purchase duration, that is, monthly or yearly renewal. For example, if you purchase 6 months of Cloud Firewall service and select auto-renewal upon expiration, Cloud Firewall will automatically renew for one month after the service expires.

FAQ

How to check for recent excess traffic on a subscription Cloud Firewall

To check for recent excess traffic on your subscription Cloud Firewall, follow these steps:

  • Check for excess traffic in the last 30 days: Log on to the Cloud Firewall console. In the navigation pane on the left, choose Settings > Bill Management. If the value for Elastic Traffic is greater than 0, you have generated excess traffic.

  • Check for excess traffic older than 30 days: Go to the Expenses and Costs console to check for pay-as-you-go bills for Cloud Firewall. For more information, see View and analyze bills.

How do I view the current billing method and expiration date of Cloud Firewall?

Log on to the Cloud Firewall console. In the navigation pane on the left, choose Overview. You can view the current edition and expiration date in the Version Information area on the right.

Billing methods and corresponding editions:

  • Pay-as-you-go: Displayed as Pay-as-you-go.

  • Subscription: Displayed as Premium Edition, Enterprise Edition, or Ultimate Edition.

References