Dear Alibaba Cloud users,
Starting July 4, 2024, the virtual private cloud (VPC) Firewall feature is available in Cloud Firewall that uses the pay-as-you-go billing method. If you use Cloud Firewall with this billing method, you can enable the VPC Firewall feature to monitor and protect east-west traffic between VPCs, between a VPC and a data center that are connected by using a virtual border router (VBR), and between a VPC and the internal network of a third-party cloud that are connected by using a VBR.
Release date
July 4, 2024
Scenarios
You can create VPC firewalls for Enterprise Edition transit routers in Cloud Enterprise Network (CEN) instances, Basic Edition transit routers in CEN instances, and VPCs connected by using Express Connect circuits. This helps protect the east-west traffic between VPCs, between a VPC and a data center that are connected by using a VBR, and between a VPC and the internal network of a third-party cloud that are connected by using a VBR.
After you enable VPC firewalls, Cloud Firewall can use the built-in security capabilities to block unauthorized traffic. This ensures the security of traffic between internal-facing assets. The following capabilities are supported:
Access control of cross-VPC traffic over internal networks from Layer 4 to Layer 7
Visualized analysis of cross-VPC traffic over internal networks
Protection of cross-VPC traffic over internal networks against lateral movement attacks
Log audit and analysis of east-west traffic over internal networks
For more information about the features supported by Cloud Firewall that uses the pay-as-you-go billing method, see Functions and features.
Billing description
You are charged for the VPC Firewall feature in Cloud Firewall that uses the pay-as-you-go billing method based on the following formula:
Daily fee = Instance fee of VPC firewalls + Traffic processing fee of VPC firewalls
| Billable item | Price (pay-as-you-go) | Billing cycle |
| Instance fee of VPC firewalls | USD 12 per VPC firewall-day | Day |
| Traffic processing fee of VPC firewalls | USD 0.06 per GB | Day |
You can use pay-as-you-go savings plans to offset the fees for billable items of VPC firewalls.
The following list describes how to calculate the number of VPC firewalls:
If your VPC is deployed together with an Enterprise Edition transit router of a CEN instance, each transit router corresponds to a VPC firewall.
If your VPC is deployed together with a Basic Edition transit router of a CEN instance, each VPC corresponds to a VPC firewall.
If your VPC is deployed together with an Express Connect circuit, a local VPC and its peer VPC correspond to a VPC firewall.
For more information, see Overview.
Enable the VPC Firewall feature
Make sure that Cloud Firewall that uses the pay-as-you-go billing method is activated. For more information, see Purchase Cloud Firewall that uses the pay-as-you-go billing method. To enable the VPC Firewall feature, perform the following steps:
1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.
2. On the VPC Firewall tab, click Upgrade Now.
If you do not create a VPC firewall within 30 days after you enable the VPC Firewall feature, the feature is automatically disabled. To continue using the feature, re-enable it. After you enable the feature, add assets to it for protection. The first synchronization of asset information to the feature takes approximately 1 to 5 minutes.
References
For more information about how to view pay-as-you-go bills, see View pay-as-you-go bills.
For more information about how to purchase Cloud Firewall that uses the pay-as-you-go billing method, see Pay-as-you-go and Pay-as-you-go savings plan.
For more information about how to enable a VPC firewall, see VPC Firewall.
For more information about how to create an access control policy for a VPC firewall, see Create an access control policy for a VPC firewall.