Cloud Firewall: What is Cloud Firewall?

Last Updated: Jun 22, 2026

Cloud Firewall is a managed firewall service that provides centralized traffic control and security isolation for your Alibaba Cloud workloads. It protects your assets across three traffic boundaries — Internet, virtual private cloud (VPC), and host — without hardware deployment or complex configuration.

Use cases

  • Control inbound and outbound Internet traffic — Apply fine-grained access control policies to Internet-facing assets and block threats before they reach your workloads.

  • Secure east-west traffic between VPCs — Monitor and control traffic between VPCs, between VPCs and on-premises data centers, and across cloud network topologies.

  • Protect private networks accessing the Internet through NAT gateways — Block unauthorized outbound traffic before it leaves your cloud environment.

  • Manage ECS security groups centrally — Sync access control policies to Elastic Compute Service (ECS) security groups automatically and enforce micro-segmentation across your instances.

  • Detect threats and visualize access relationships — Identify compromised hosts, block unauthorized outbound connections, and map traffic flows across your cloud assets.

  • Enable protection with one click — Cloud Firewall uses cluster deployment and scales automatically. No infrastructure provisioning required.

Positioning of Cloud Firewall

[Figure omitted: positioning of Cloud Firewall]

Firewall types

Cloud Firewall provides four firewall types, each protecting a distinct segment of your traffic perimeter.

Internet firewall

Controls inbound and outbound north-south traffic between your Internet-facing assets and the Internet. The built-in threat defense module provides compromised host detection, outbound connection blocking, and access relationship visualization. Enable protection in one click — Cloud Firewall deploys as a cluster and scales automatically.

NAT firewall

Protects VPC resources that access the Internet through NAT gateways. Blocks unauthorized access, data leaks, and malicious traffic attacks before they affect your private network.

VPC firewall

Monitors and controls east-west traffic across your cloud network topology. The supported traffic flows depend on your connectivity type:

Enterprise Edition transit router:

  • Traffic between VPCs in the same or different regions

  • Traffic between a VPC and a virtual border router (VBR), representing on-premises data center connectivity

  • Traffic between a VPC and a Cloud Connect Network (CCN) instance

  • Traffic between multiple VBRs, or between a CCN instance and a VBR

Basic Edition transit router:

  • Traffic between VPCs in the same or different regions

  • Traffic between a VPC and a VBR

  • Traffic between a VPC and a CCN instance

Express Connect circuit:

  • Traffic between VPCs in the same region that belong to the same account, connected via an Express Connect circuit in VPC mode

  • Traffic between VPCs in the same region connected using a VPC peering connection

ECS firewall

Manages ECS security groups and controls inbound and outbound traffic for ECS instances in VPCs. Access control policies are automatically synchronized to ECS security groups. Supports security group compliance checks and micro-segmentation visualization.

Protection scope

Cloud assets and traffic

  Description:

  • Internet firewall (north-south): Protects IPv4 and IPv6 assets, including ECS, Elastic IP Address (EIP) (including Layer 2 EIP), load balancing, Bastionhost, NAT, HAVIP, and GA EIP.

    • IPv4 assets: ALB EIP, Bastionhost outbound IP address, Bastionhost IP address, Bastionhost inbound IP address, EIP, ECS EIP, ECS public IP address, elastic network interface (ENI) EIP, GA EIP (standard GA instance only; EIP type only; non-POP acceleration region only; call ListAvailableBusiRegions to verify), HAVIP, NAT EIP, NAT public IP address, Network Load Balancer (NLB) EIP, Server Load Balancer (SLB) EIP, SLB public IP address, AI gateway public IP address, API gateway public IP address.

    • IPv6 assets: ALB IPv6, ECS IPv6, ENI EIP IPv6, GA EIP IPv6 (same constraints as IPv4 GA EIP), NLB IPv6, SLB IPv6, AI gateway public IPv6 address, API gateway public IPv6 address.

  • NAT firewall: Traffic from private networks to the Internet.

  • VPC firewall (east-west): See Firewall types.

  • ECS firewall: Inbound and outbound traffic of ECS instances.

  References: Internet Firewall, NAT Firewall, Configure a VPC firewall for an Enterprise Edition transit router, Configure a VPC firewall for a Basic Edition transit router, Configure a VPC firewall for Express Connect, Create an access control policy for an ECS firewall

Cloud network type

  Description:

  • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

  • Classic network: The Internet firewall and intrusion prevention system (IPS) features support the classic network. ECS firewalls protect instances in VPCs but not in the classic network.

Supported regions

  Description: Regions supported by Cloud Firewall.

  References: Supported regions

Cloud Firewall does not support traffic redirection for a small number of Internet-facing SLB instances because of their legacy network architecture. To redirect the traffic of such instances to Cloud Firewall, associate EIPs with the internal-facing SLB instances.

Important

The Internet firewall in Cloud Firewall manages traffic between the Internet and public assets in the cloud, such as elastic IP addresses (EIPs), NAT Gateway public IPs, and SLB public IPs. It cannot directly protect the public IPs of on-premises networks.

To protect a self-built IDC or an on-premises network, connect the network to an Alibaba Cloud VPC using Cloud Enterprise Network (CEN) or a peering connection. You can then use the VPC firewall to apply unified access control and security protection to the cross-cloud interconnection traffic.

Editions

Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and a pay-as-you-go option. For a full breakdown of protection capabilities by edition, see Features.

Pay-as-you-go

  What's included: Protects Internet-facing assets. Includes attack awareness, attack prevention, asset exception notification, and access control policies for the Internet firewall.

  Billing: Pay-as-you-go — scales with usage. Suited for workloads with fluctuating traffic or temporary resource needs.

Premium Edition

  What's included: Protects Internet-facing assets. Includes traffic analysis and protection, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification.

  Billing: Subscription — pay upfront at a discounted rate. Suited for stable, long-running workloads.

Enterprise Edition

  What's included: Protects Internet-facing assets, VPCs, and ECS instances. Includes all Premium Edition capabilities plus visualization, network security defense across VPCs, and centralized security group management.

  Billing: Subscription

Ultimate Edition

  What's included: Includes all Enterprise Edition capabilities with more powerful protection.

  Billing: Subscription

Compliance

Cloud Firewall complies with ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, the Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR), and the Payment Card Industry Data Security Standard (PCI DSS).

FAQ

What are the differences between Web Application Firewall (WAF), Cloud Firewall, and Anti-DDoS Pro and Anti-DDoS Premium?

  • Web Application Firewall (WAF): A security product dedicated to the HTTP/HTTPS application layer. WAF performs deep inspection of web requests to defend against application-layer attacks.

  • Cloud Firewall (CFW): A unified network perimeter access control product for cloud environments. CFW manages traffic and provides intrusion prevention at Internet, VPC, and NAT boundaries to prevent network-layer intrusion and lateral movement.

  • Anti-DDoS: Protects against large-scale distributed denial-of-service (DDoS) attacks by redirecting traffic to globally distributed scrubbing centers. Anti-DDoS filters malicious traffic to maintain service stability and availability during attacks.

Web Application Firewall (WAF)

  Protection level: Application layer (L7)

  Core mechanism: Semantic analysis, rule matching, and behavior modeling

  Defensible attacks: SQL injection, XSS, webshell uploads, HTTP flood attacks, malicious bots, and API abuse

  Use cases: Defend websites and apps against tampering, malicious access, bot scraping, and API abuse.

Cloud Firewall (CFW)

  Protection level: Network/transport layer (L3-L4)

  Core mechanism: Access control policies, stateful inspection, and intrusion prevention system (IPS)

  Defensible attacks: Port scanning, brute-force attacks, unauthorized access, cryptomining worms, and east-west traffic threats

  Use cases: Enforce unified access policies for cloud assets at public network entry and exit points. Prevent brute-force attacks on servers and lateral movement within internal networks.

Anti-DDoS

  Protection level: Network/transport layer (L3-L4) and application layer (L7)

  Core mechanism: Traffic scrubbing, signature-based filtering, and bandwidth scaling

  Defensible attacks: L3/L4 volumetric attacks such as SYN flood and UDP flood, and L7 application-layer attacks such as high-frequency HTTP floods

  Use cases: Ensure service continuity and network availability during high-volume attacks with zero packet loss.

To build a defense-in-depth architecture, combine Anti-DDoS Pro and Anti-DDoS Premium, Cloud Firewall, and WAF.

Can I use Cloud Firewall with other products such as CDN, NAT Gateway, and WAF? What is the service traffic path?

Yes. Cloud Firewall can be deployed together with other cloud products. The traffic path is shown in the figure below.

[Figure omitted: service traffic path when Cloud Firewall is combined with CDN, NAT Gateway, and WAF]

How do I determine the number of Cloud Firewall instances to purchase for my services?

New users use Billing Pattern 2.0 by default. In this pattern, subscription-based Cloud Firewall uses a general-purpose instance type. You can use this instance type to create different border firewalls. For example, the Premium Edition subscription provides one general-purpose instance type.

The number of consumed Cloud Firewall instances is calculated as follows:

  • Internet firewall: One instance is required for each protected region. Within the same region, only one instance type is consumed, regardless of the number of protected public IP addresses or whether the IP addresses are IPv4 or IPv6.

  • NAT border firewall: One instance is required for each NAT Gateway instance.

  • VPC border firewall:

    • In a Cloud Enterprise Network (CEN) Enterprise Edition architecture, one instance is required for each TransitRouter (TR).

    • In a CEN Basic Edition architecture, one instance is required for each VPC.

    • In a VPC peering connection architecture, one instance is required for each pair of VPCs.

  • Multi-account management: If you enable this feature, the assets of each member account consume a Cloud Firewall instance type and incur a separate instance fee.
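The counting rules above can be turned into a sizing estimate before purchase. The following is an added example, not Alibaba Cloud code; the AccountAssets data model and the sample asset inventory are constructed for illustration, and it assumes the same per-boundary rules apply to each member account when multi-account management is enabled.

```python
"""Estimate the Cloud Firewall general-purpose instances a deployment consumes
under Billing Pattern 2.0, following the FAQ counting rules (added example)."""
from dataclasses import dataclass, field


@dataclass
class AccountAssets:
    """Assets of one Alibaba Cloud account (hypothetical data model)."""
    name: str
    internet_ips: list = field(default_factory=list)        # (region, ip) pairs
    nat_gateways: list = field(default_factory=list)        # NAT Gateway instance IDs
    enterprise_transit_routers: list = field(default_factory=list)  # CEN Enterprise TRs
    basic_edition_vpcs: list = field(default_factory=list)  # VPCs attached to CEN Basic
    peering_pairs: list = field(default_factory=list)       # (vpc_a, vpc_b) tuples


def count_instances(account: AccountAssets) -> dict:
    """Return the per-boundary instance count for one account."""
    # Internet firewall: one instance per protected region, regardless of how
    # many public IPs (IPv4 or IPv6) that region contains.
    regions = {region for region, _ip in account.internet_ips}
    # VPC peering: one instance per pair of VPCs; (a, b) and (b, a) are the same pair.
    pairs = {frozenset(pair) for pair in account.peering_pairs}
    counts = {
        "internet": len(regions),
        "nat": len(set(account.nat_gateways)),                      # one per NAT Gateway
        "vpc_enterprise_tr": len(set(account.enterprise_transit_routers)),  # one per TR
        "vpc_basic": len(set(account.basic_edition_vpcs)),          # one per VPC
        "vpc_peering": len(pairs),
    }
    counts["total"] = sum(counts.values())
    return counts


def count_with_members(master: AccountAssets, members: list) -> dict:
    """Multi-account management: each member account's assets are counted and
    billed separately (assumption: same rules per member account)."""
    result = {acct.name: count_instances(acct) for acct in [master] + members}
    result["grand_total"] = sum(v["total"] for v in result.values())
    return result


# Constructed sample inventory: two regions of public IPs (IPv4 and IPv6 in one of
# them), one NAT Gateway, one Enterprise TR, and one VPC pair listed in both orders.
SAMPLE_MASTER = AccountAssets(
    name="master",
    internet_ips=[("cn-hangzhou", "203.0.113.10"), ("cn-hangzhou", "2001:db8::1"),
                  ("cn-shanghai", "203.0.113.20")],
    nat_gateways=["ngw-sample-1"],
    enterprise_transit_routers=["tr-sample-1"],
    peering_pairs=[("vpc-a", "vpc-b"), ("vpc-b", "vpc-a")],
)
SAMPLE_MEMBER = AccountAssets(name="member", internet_ips=[("cn-hangzhou", "198.51.100.5")])


def estimate_sample() -> dict:
    """Sizing result for the constructed inventory: 5 instances + 1 for the member."""
    return count_with_members(SAMPLE_MASTER, [SAMPLE_MEMBER])
```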

Is Alibaba Cloud Cloud Firewall an in-house product or an original equipment manufacturer (OEM) product?

Cloud Firewall is developed entirely in-house by Alibaba Cloud. It is not an OEM product from a third-party vendor.
