
Cloud Firewall: Best practices for securing outbound traffic

Last Updated: Jun 21, 2026

This topic describes the risks of outbound connections from private network assets, introduces a solution that uses a NAT gateway and NAT firewall, and provides deployment and maintenance procedures for the solution in typical business scenarios.

Security challenges of outbound traffic

As network attacks grow more sophisticated, enterprises face greater security challenges. Typically, enterprise workloads on the cloud handle both inbound traffic from the internet and outbound traffic initiated by business assets. However, when protecting their networks, most security teams focus on inbound network traffic and deploy comprehensive security measures. The security of outbound network traffic is often overlooked, becoming a weak link in the security posture of many enterprises. For example, if an attacker bypasses inbound defenses and infiltrates the internal network, they can exfiltrate data, download malware, or connect to malicious command and control (C&C) servers. Additionally, security oversights by an enterprise can lead to internal staff making unauthorized external connections or visiting malicious websites, which creates risks such as sensitive data leakage.

Enterprises need to be aware of the following potential security risks associated with outbound traffic:

  • Risk of malware compromise

    After bypassing inbound security measures and compromising internal workloads, attackers often connect to malicious C&C servers to download ransomware. In an attack chain, malware infection is typically one of the initial stages of a larger-scale attack. Many types of malware still need to communicate with a C&C server to establish a connection, receive updates, request commands, and exfiltrate stolen data to the C&C server. Certain types of ransomware, botnets, and crypto-mining activities require outbound connections. Promptly detecting and blocking these malicious outbound connections is crucial to prevent further damage to IT infrastructure, digital assets, and development systems.

  • Risk of data leakage

    Stealing high-value corporate data is often the primary goal of malicious attackers. If successful, an attacker can obtain valuable enterprise data, such as financial records, passwords, emails, and personally identifiable information (PII). They can then exfiltrate this data over the network for illicit sale, financial fraud, identity theft, and other malicious activities. Attackers may also use the acquired information to escalate privileges or access sensitive systems, which poses more destructive risks to the enterprise.

  • Risk from internal personnel

    Due to a lack of security awareness or lapses in corporate security management, internal personnel may access insecure web services, locations, or IP addresses during system development or O&M. They might also intentionally upload sensitive corporate data to public or open-source platforms like GitHub, creating risks of intrusion and data leakage. These risky behaviors must be monitored, alerted on, blocked, and audited for traceability.

  • Risk from the supply chain

    An enterprise may have a robust security system, but its business may involve third-party development systems or require interconnection with suppliers or subsidiaries. If a supplier or subsidiary is compromised due to inadequate security, the attack can spread to the enterprise and lead to malicious outbound connections. Therefore, enterprises must monitor and audit traffic from their supply chains to enable prompt traceability and loss mitigation upon attack detection.

  • Compliance risks for outbound traffic

    Some industry regulators and internal audit teams have imposed clear and stringent requirements for outbound traffic to enhance system security. For example, Requirement 1.3.2 of the Payment Card Industry Data Security Standard (PCI DSS) v4.0 mandates restricting outbound traffic from the cardholder data environment (CDE). Only traffic deemed necessary is permitted. All other outbound traffic must be blocked. This requirement aims to prevent malicious individuals and compromised system components within the entity's network from communicating with untrusted external hosts. Therefore, enterprises must also implement strict security management and auditing for outbound traffic.

Solution

To manage outbound traffic security, enterprises can use a "NAT gateway + NAT firewall" solution to monitor and protect outbound traffic.

  • A NAT gateway uses custom SNAT and DNAT entries to provide public-facing services for servers on the cloud and enable them to access the internet. With the SNAT capability, when an ECS instance initiates an outbound connection, it accesses the internet through an EIP from the SNAT address pool. This prevents the private network from being directly exposed to the public internet, thereby enhancing asset security.

  • The NAT firewall is a security feature of Cloud Firewall that protects NAT boundaries. It provides Layer 4 to Layer 7 security protection for resources within a VPC, such as ECS and ECI instances, when they access the internet through a NAT gateway. The NAT firewall audits and blocks unauthorized traffic to reduce security risks such as unauthorized access, data leakage, and malicious traffic attacks. Compared with the SNAT rules of a NAT gateway, the access control policies of Cloud Firewall provide fine-grained control over destination IP addresses, domain names, regions, protocols, ports, and applications.


Solution architectures

Scenario 1: Multiple VPCs

An enterprise primarily develops data center systems on the cloud and uses two VPCs: one for production and one for testing. The development environment requires external software calls, such as for updating JAR packages at startup, which requires outbound connections from both VPCs. The enterprise must ensure that developers are only authorized to access legitimate services and all unauthorized outbound connections are blocked to prevent security risks.

Deployment plan

  • Deploy a NAT gateway in each VPC. Configure an SNAT entry on each NAT gateway to allow ECS instances on private networks to access the internet by using a NAT EIP.

  • Deploy a NAT firewall for each NAT gateway. Configure allowlist-based ACL access control policies on each NAT firewall to allow access only to authorized IP addresses and domain names.

Scenario 2: Centralized DMZ VPC

A financial institution runs its securities and insurance business on the cloud. The institution has multiple business VPCs, including a mid-tier VPC, a third-party system VPC, and a market data VPC. All VPCs access the internet through a DMZ. The environment requires access to external payment services, external market data services, and regulatory services. The institution needs to allow access only to authorized services and block unauthorized outbound connections to prevent security risks. It also needs to monitor and audit all outbound traffic in real time to detect abnormal traffic and attacks.

Deployment plan

  • Deploy only one NAT gateway in the DMZ VPC. Configure an SNAT entry on the NAT gateway to allow ECS instances on private networks to access the internet by using a NAT EIP. Other VPCs access the internet through the DMZ VPC via CEN.

  • Deploy only one NAT firewall in front of the NAT gateway in the DMZ VPC. Configure allowlist-based ACL access control policies on the NAT firewall to allow access only to authorized IP addresses and domain names.

Scenario 3: Multiple vSwitches

A large multinational organization operates within a single VPC on the cloud. Due to complex business access patterns and numerous external systems, the organization needs to apply distinct security protections for different assets and requires more granular security policy management.

Deployment plan

  • Deploy NAT gateways for different vSwitches in the business VPC. One of the NAT gateways is associated with multiple EIPs. Configure an SNAT entry on each NAT gateway to allow ECS instances on private networks to access the internet by using a NAT EIP.

  • Deploy a NAT firewall for each NAT gateway. Configure allowlist-based ACL access control policies on each NAT firewall to allow access only to authorized IP addresses and domain names.

Deployment

Step 1: Deploy NAT gateway

  1. Log on to the NAT Gateway console. Based on your business scenario, create an internet NAT gateway for the corresponding VPC. For more information, see Create an internet NAT gateway instance.

  2. Associate an EIP with the created internet NAT gateway. For more information, see Internet NAT gateway.

    Important

    An internet NAT gateway requires an associated EIP to function correctly.

  3. Create an SNAT entry for the internet NAT gateway to allow ECS instances without public IP addresses to access the internet. For more information, see Create an SNAT entry.

    The NAT firewall feature of Cloud Firewall supports only NAT gateways that are configured with SNAT entries and do not have DNAT entries. Otherwise, you cannot enable the NAT firewall.

Step 2: Create NAT firewall

Prerequisites

  • You must have an active Cloud Firewall subscription and a sufficient license quota for NAT Firewalls. For more information, see Purchase Cloud Firewall.

  • You have created an Internet NAT Gateway. For more information, see Internet NAT Gateway.

    Important

    Currently, the NAT Firewall protects only Internet NAT Gateways.

    The Internet NAT Gateway must meet the following conditions:

    • The region where the Internet NAT Gateway is deployed supports NAT Firewalls. For a list of supported regions, see Supported regions.

    • The Internet NAT Gateway must be associated with 1 to 10 EIPs. For more information, see Internet NAT Gateway.

    • The Internet NAT Gateway must have SNAT entries but no DNAT entries. For more information, see Create and manage SNAT entries.

      If the Internet NAT Gateway has DNAT entries, you must delete them before you can enable the NAT Firewall. For more information, see Create and manage DNAT entries.

    • The Internet NAT Gateway's VPC must have a 0.0.0.0/0 route entry that points to the NAT Gateway. For more information, see Create and manage a route table.

    • The Internet NAT Gateway's VPC must have an available subnet with a prefix length of at least 28. Secondary CIDR blocks are supported.

Procedure

If a NAT gateway does not appear in the NAT firewall asset list, you can click Synchronize Assets in the upper-right corner of the list to manually synchronize assets. Manual synchronization takes 5 to 10 minutes. Please wait for the synchronization to complete.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Firewall.

  2. Click the NAT Firewall tab.

  3. In the Create NAT Firewall panel, configure and enable the NAT firewall. For more information, see NAT Firewall.

  4. After the firewall is created, locate the target NAT gateway and turn on the switch in the Firewall column to enable the NAT firewall.

    Make sure that the gateway type of the target NAT gateway is Enhanced.

Step 3: Configure policy

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, select Prevention Configuration > Access Control > Policy Configuration > NAT Border.

  3. On the NAT Border page, select the NAT gateway to configure, and click Create Policy.

    Cloud Firewall automatically synchronizes the NAT gateways associated with your current account. You can select the NAT gateway to configure from the drop-down list.


  4. In the Create Policy - NAT Border panel, configure the access control policy and click OK. For more information, see Configure an access control policy for a NAT firewall.

    After the policy is created, you can view it in the access control policy list. The list includes information such as NAT Gateway ID, Priority, Source, Destination, Protocol, Application, Port, Action, Policy Validity Period, Enabled Status, and Hit Count. You can also Edit, Copy, or Move the policy.
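The following added example models the allowlist posture that Steps 1 to 3 configure. It is illustration code written for this page, not Cloud Firewall's own policy engine or API: rules carry the fields the policy list shows (Priority, Source, Destination, Protocol, Port, Action), are evaluated in priority order, and anything that matches no explicit allow rule is denied. The class names, rule syntax, sample policy and sample flows are assumptions; the addresses and domains are documentation-reserved values.

```python
"""Allowlist-style NAT border policy evaluation.

Added illustration, not Cloud Firewall's own policy engine. It models the policy
fields listed on the page (Priority, Source, Destination, Protocol, Port, Action)
and the allowlist posture recommended there: explicit allow rules first, an
explicit catch-all deny last, and anything unmatched also denied. Rule syntax,
field names, class names and the sample connections are assumptions made for
this example; IP ranges and domains are documentation-reserved values.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int           # lower number is evaluated first
    source: str             # CIDR of the private source, e.g. "10.0.0.0/8"
    destination: str        # CIDR, or a domain pattern such as "*.example.com"
    protocol: str           # "TCP", "UDP" or "ANY"
    ports: Tuple[int, int]  # inclusive destination port range; (0, 65535) = any
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_domain: Optional[str]  # from SNI or HTTP Host when known, else None
    protocol: str
    dst_port: int


def _is_network(value: str) -> bool:
    """True if value parses as an IP address or CIDR block, False for a domain."""
    try:
        ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _destination_matches(rule: Rule, conn: Connection) -> bool:
    if _is_network(rule.destination):
        return ip_address(conn.dst_ip) in ip_network(rule.destination, strict=False)
    # Domain rule: it can only match when the flow's domain is known. A flow
    # with no domain never matches a domain allow rule and falls through.
    if conn.dst_domain is None:
        return False
    return fnmatchcase(conn.dst_domain.lower(), rule.destination.lower())


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, Optional[Rule]]:
    """Return (action, matched_rule); unmatched traffic is denied (allowlist posture)."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.protocol != "ANY" and rule.protocol != conn.protocol:
            continue
        if ip_address(conn.src_ip) not in ip_network(rule.source, strict=False):
            continue
        low, high = rule.ports
        if not low <= conn.dst_port <= high:
            continue
        if not _destination_matches(rule, conn):
            continue
        return rule.action, rule
    return "deny", None


# Constructed allowlist for a development VPC: a package repository over HTTPS,
# one partner API range over HTTPS, and an explicit catch-all deny last.
POLICY = [
    Rule(1, "10.0.0.0/8", "repo.example.com", "TCP", (443, 443), "allow"),
    Rule(2, "10.0.0.0/8", "203.0.113.0/24", "TCP", (443, 443), "allow"),
    Rule(100, "0.0.0.0/0", "0.0.0.0/0", "ANY", (0, 65535), "deny"),
]

# Constructed sample flows from an ECS instance behind the NAT gateway.
SAMPLE_CONNECTIONS = {
    "repo_https": Connection("10.0.1.5", "203.0.113.10", "repo.example.com", "TCP", 443),
    "partner_http": Connection("10.0.1.5", "203.0.113.10", None, "TCP", 80),
    "unknown_4444": Connection("10.0.1.5", "198.51.100.9", None, "TCP", 4444),
}


def decide_all() -> dict:
    """Map each sample flow name to (action, priority of the matching rule or None)."""
    return {
        name: (action, rule.priority if rule else None)
        for name, conn in SAMPLE_CONNECTIONS.items()
        for action, rule in [evaluate(POLICY, conn)]
    }


if __name__ == "__main__":
    for name, (action, prio) in decide_all().items():
        print(f"{name:14} -> {action:5} (rule priority {prio})")
```

The `partner_http` flow goes to an address inside the allowed partner range but on port 80, so it falls through to the catch-all deny; that is the port-level granularity the page contrasts with a plain SNAT entry, which would have let the flow out.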

Step 4: Verify solution

  1. Log on to an ECS instance in the VPC and run the curl command, such as curl www.example.com, to simulate business access to the internet. For information about how to log on to an ECS instance, see Overview of connection methods for ECS instances.

  2. Log on to the Cloud Firewall console.

  3. In the left-side navigation pane, choose Detection & Response > Log Audit.

  4. On the Traffic Logs > NAT Border tab, set the source IP address to the private IP address of the ECS instance and search for traffic logs. If the traffic logs show that the access control policy is in effect, this confirms that the NAT firewall is protecting the outbound traffic of the NAT gateway.

O&M

Analyze unusual traffic

Step 1: Check traffic

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Overview.

  2. On the Overview page, check the traffic trend for any unusual traffic spikes at a specific time.

    Note

    If the traffic exceeds your purchased protection bandwidth, the trend chart also displays the purchased NAT boundary processing capacity, so you can see by how much the traffic exceeded the bandwidth.


If you find an unusual traffic spike, you need to check the details of outbound private assets to locate the anomalous IP address. For more information, see Step 2.

Step 2: Locate anomalous IPs

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Analysis > Outbound Connections.

  3. On the Outbound Connections > Outbound Private IP Addresses tab, sort by traffic to identify assets with unusually high usage and detect any abnormal access.

    The data table also includes columns such as NAT Gateway ID/Name, Region, Instance ID/Name, Outbound Domain Count/Outbound IP Count, Request Count, and Security Risk. In the Actions column, you can click Mark as Watched to add the asset to a watchlist, or click View Logs to view detailed logs.

If you locate an anomalous IP address, you must investigate further by using log audit data. For more information, see Step 3.

Step 3: Analyze traffic logs

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Detection & Response > Log Audit.

  3. On the Traffic Logs > NAT Border tab, set the source IP address to the private IP address of the ECS instance, search for traffic logs, and examine the Source IP Address, Source Port, and Destination Port to determine whether the unusual traffic is required by your business.
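The three O&M steps above (find the spike window, rank private IPs by traffic, inspect the top talker's destination ports) can also be run over an exported copy of the NAT border traffic logs. The script below is an added example written for this page, not a Cloud Firewall tool; the CSV layout, column names, the gateway ID placeholder and every sample row are constructed, and the "spike" threshold (three times the median hourly volume) is an assumption you would tune to your own baseline.

```python
"""Triage of exported NAT border traffic logs.

Added example, not a Cloud Firewall tool. It follows the O&M steps on the page:
find the hourly window with a traffic spike, rank private source IPs in that
window by bytes sent, then summarise the destination IPs and ports of the top
talker so an operator can judge whether the traffic is business-required.
The CSV layout, column names and all sample rows are constructed for this
example; real log exports will differ.
"""
import csv
from collections import defaultdict
from io import StringIO
from statistics import median
from typing import Dict, List, Tuple

# Constructed export: one row per flow, bytes_out = bytes sent from the VPC.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation-reserved ranges.
SAMPLE_LOG = """\
time,nat_gateway_id,src_ip,src_port,dst_ip,dst_port,protocol,bytes_out,action
2026-06-20T09:00:12Z,ngw-EXAMPLE,10.0.1.5,51002,203.0.113.10,443,TCP,240000,allow
2026-06-20T09:10:40Z,ngw-EXAMPLE,10.0.1.6,51010,203.0.113.10,443,TCP,180000,allow
2026-06-20T10:02:01Z,ngw-EXAMPLE,10.0.1.5,51100,203.0.113.10,443,TCP,220000,allow
2026-06-20T10:15:33Z,ngw-EXAMPLE,10.0.1.7,51111,203.0.113.20,443,TCP,200000,allow
2026-06-20T11:01:10Z,ngw-EXAMPLE,10.0.1.6,51200,203.0.113.10,443,TCP,210000,allow
2026-06-20T11:07:45Z,ngw-EXAMPLE,10.0.1.9,51201,198.51.100.9,4444,TCP,26000000,allow
2026-06-20T11:08:02Z,ngw-EXAMPLE,10.0.1.9,51202,198.51.100.9,4444,TCP,31000000,allow
2026-06-20T11:09:30Z,ngw-EXAMPLE,10.0.1.9,51203,198.51.100.9,53,UDP,4000,deny
2026-06-20T12:00:05Z,ngw-EXAMPLE,10.0.1.5,51300,203.0.113.10,443,TCP,230000,allow
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export and attach an hourly window key such as '2026-06-20T11'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["bytes_out"] = int(row["bytes_out"])
        row["dst_port"] = int(row["dst_port"])
        row["window"] = row["time"][:13]
    return rows


def bytes_per_window(rows: List[dict]) -> Dict[str, int]:
    """Step 1: total bytes sent per hourly window (the traffic trend)."""
    totals: Dict[str, int] = defaultdict(int)
    for row in rows:
        totals[row["window"]] += row["bytes_out"]
    return dict(totals)


def spike_windows(totals: Dict[str, int], factor: float = 3.0) -> List[str]:
    """Windows whose volume exceeds `factor` times the median window volume."""
    baseline = median(totals.values())
    return sorted(w for w, b in totals.items() if b > factor * baseline)


def top_sources(rows: List[dict], window: str, limit: int = 3) -> List[Tuple[str, int]]:
    """Step 2: private source IPs in the window, sorted by bytes sent."""
    per_src: Dict[str, int] = defaultdict(int)
    for row in rows:
        if row["window"] == window:
            per_src[row["src_ip"]] += row["bytes_out"]
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def destinations_for(rows: List[dict], window: str, src_ip: str) -> Dict[tuple, dict]:
    """Step 3: per (dst_ip, dst_port, protocol) summary for one source IP."""
    agg: Dict[tuple, dict] = {}
    for row in rows:
        if row["window"] != window or row["src_ip"] != src_ip:
            continue
        key = (row["dst_ip"], row["dst_port"], row["protocol"])
        entry = agg.setdefault(key, {"bytes_out": 0, "flows": 0, "actions": set()})
        entry["bytes_out"] += row["bytes_out"]
        entry["flows"] += 1
        entry["actions"].add(row["action"])
    return agg


def triage(text: str) -> List[dict]:
    """Run the three steps and return one finding per spike window."""
    rows = parse_log(text)
    findings = []
    for window in spike_windows(bytes_per_window(rows)):
        src_ip, total = top_sources(rows, window)[0]
        findings.append({"window": window, "src_ip": src_ip, "bytes_out": total,
                         "destinations": destinations_for(rows, window, src_ip)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"spike in {f['window']}: {f['src_ip']} sent {f['bytes_out']} bytes")
        for (ip, port, proto), d in f["destinations"].items():
            print(f"  {ip}:{port}/{proto}  bytes={d['bytes_out']} flows={d['flows']} actions={sorted(d['actions'])}")
```

On the constructed data the only spike window is 11:00, the top talker is 10.0.1.9, and almost all of its bytes went to a single external host on TCP 4444 through an allow decision; that destination-port view is what tells you whether the traffic belongs to a known business flow or needs a tighter policy.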

O&M suggestions

If you identify an unusual traffic spike and determine that the traffic is required for your business, consider the following O&M suggestions:

  • Increase Cloud Firewall protection bandwidth

    For more information, see Renewal.

  • Optimize workload deployment

    For example, if your business needs to access Alibaba Cloud OSS or SLS, use an internal endpoint to save public network bandwidth.

  • Disable the NAT firewall for IP addresses that do not require protection

    For more information, see Disable a NAT firewall.