This topic answers frequently asked questions about enabling and disabling firewalls in Cloud Firewall, including the impacts of enabling a firewall and the changes that Cloud Firewall makes to routes and traffic paths. The questions cover the Internet firewall, NAT firewalls, and VPC firewalls.
What are the impacts of enabling a firewall?
Firewall type | Impact
Internet firewall | When you create, enable, or disable the Internet firewall, resources are added to or removed from protection within seconds. You do not need to change the current network topology, and your workloads are not affected.
NAT firewall |
A virtual private cloud (VPC) firewall that is created for an Express Connect circuit |
A VPC firewall that is created for a Basic Edition transit router |
A VPC firewall that is created for an Enterprise Edition transit router, automatic traffic redirection mode |
A VPC firewall that is created for an Enterprise Edition transit router, manual traffic redirection mode |
How do I release Cloud Firewall?
If you no longer require Cloud Firewall, you can release it by referring to Release Cloud Firewall to prevent unnecessary fees.
Why am I unable to activate Cloud Firewall for my account?
Causes
When you log on to the Cloud Firewall console, the message "Your account cannot be used to activate Cloud Firewall." appears. This can occur in the following scenarios:
Your account is an Alibaba Cloud account that has been added as a member account for centralized management.
Your account is a Resource Access Management (RAM) user that does not have the required permissions.
Solutions
You can move the pointer over the profile picture in the upper-right corner of the Cloud Firewall console to view the type of your account.
If your account is an Alibaba Cloud account, you must use the account to log on to the Cloud Firewall console and activate Cloud Firewall. Then, enable protection for cloud assets that belong to the account. For more information, see Purchase Cloud Firewall.
If your account is a RAM user, use the Alibaba Cloud account to which the RAM user belongs to attach the following policies to the RAM user: the custom policy createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess. For more information, see Grant permissions to the RAM user.
createSlr is a custom policy that you must create. Its purpose is to let the RAM user create the service-linked role for Cloud Firewall, so the statement must use the Allow effect (a Deny statement grants nothing), cover the action ram:CreateServiceLinkedRole, and restrict the service name to cloudfw.aliyuncs.com. The following example shows the content of the policy. For more information, see Create a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceLinkedRole"
      ],
      "Resource": "acs:ram:*:166032244439****:role/*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "cloudfw.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Note: Specify the Resource parameter in the format acs:ram:*:ID of the Alibaba Cloud account:role/*, where the ID is the ID of the Alibaba Cloud account to which the RAM user belongs. The masked value in the example is a placeholder; do not copy it as is.
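The following script is an added example, not part of this topic or of the Cloud Firewall product. It builds the createSlr policy document for a given account ID and lints a policy document before you attach it, catching the three mistakes that make the policy useless or over-broad: an Effect other than Allow, a Resource that does not pin the account ID (for example a copied masked value or a wildcard), and a missing ram:ServiceName condition. The account ID is a constructed placeholder.

```python
import json
from typing import Any, Dict, List

# Constructed placeholder, not a real account: replace it with the 16-digit ID
# of the Alibaba Cloud account to which the RAM user belongs.
ACCOUNT_ID = "1234567890123456"

SERVICE_NAME = "cloudfw.aliyuncs.com"
ACTION = "ram:CreateServiceLinkedRole"


def build_create_slr_policy(account_id: str) -> Dict[str, Any]:
    """Return the custom policy that lets a RAM user create the Cloud Firewall
    service-linked role, scoped to one account and one service name."""
    if not (account_id.isdigit() and len(account_id) == 16):
        raise ValueError("Alibaba Cloud account IDs are 16 decimal digits")
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ACTION],
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Condition": {
                    "StringEquals": {"ram:ServiceName": [SERVICE_NAME]}
                },
            }
        ],
    }


def lint_create_slr_policy(policy: Dict[str, Any]) -> List[str]:
    """Return the problems that would make the policy grant nothing or grant
    more than needed (any account, any service). Empty list means it is fine."""
    problems: List[str] = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    grants = [s for s in policy.get("Statement", []) if ACTION in (s.get("Action") or [])]
    if not grants:
        problems.append(f"no statement covers {ACTION}")
        return problems
    for s in grants:
        if s.get("Effect") != "Allow":
            problems.append(f"Effect is {s.get('Effect')!r}; a Deny grants nothing")
        res = s.get("Resource", "")
        for r in (res if isinstance(res, list) else [res]):
            parts = r.split(":")  # acs:ram:*:<account-id>:role/*  -> parts[3] is the account ID
            if len(parts) != 5 or parts[0] != "acs" or parts[1] != "ram" or not parts[4].startswith("role/"):
                problems.append(f"Resource {r!r} is not of the form acs:ram:*:<account-id>:role/*")
            elif not parts[3].isdigit():
                problems.append(f"Resource {r!r} does not pin the account ID (masked or wildcard value)")
        names = s.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName") or []
        if SERVICE_NAME not in names:
            problems.append(f"Condition does not restrict ram:ServiceName to {SERVICE_NAME}")
    return problems


if __name__ == "__main__":
    policy = build_create_slr_policy(ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", lint_create_slr_policy(policy))
```

Run the linter on the policy JSON you are about to paste into the console; a policy copied from documentation with the masked account ID still in place is reported as not pinning the account, and a Deny effect is reported as granting nothing.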
What is the purpose of the Internet firewall?
You can add multiple types of Internet-facing assets to the Internet firewall for protection, including the public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of SLB instances, and EIPs. After you enable the Internet firewall, the system forwards inbound and outbound traffic at the Internet border to Cloud Firewall. Then, Cloud Firewall filters the traffic and allows only traffic that meets the specified conditions. For more information, see Internet Firewall.
Can the Internet firewall protect IPv6 addresses?
Yes. Cloud Firewall has supported full protection for IPv6 addresses since January 8, 2025.
For more information, see the following topics:
[Announcement] Commercial release of protection for public IPv6 addresses
Implementation and protection scope of the Internet firewall
For more information about the cloud assets that can be protected by the Internet firewall, see Protection scope.
Is network traffic affected after I enable the Internet firewall?
If you enable the Internet firewall but do not configure access control policies or intrusion prevention system (IPS) policies, Cloud Firewall only monitors traffic and generates alerts for suspicious traffic; it does not block any traffic.
By default, the Internet firewall is enabled when you activate Cloud Firewall.
What are the impacts of disabling the Internet firewall?
If you disable the Internet firewall, network traffic no longer passes through the firewall, and the following consequences apply:
The protection capabilities of the Internet firewall no longer take effect. For example, the access control policies that you created are not enforced, and intrusion prevention stops.
The statistics of traffic at the Internet border are no longer updated, including network traffic analysis reports and traffic logs.
When I enable the Internet firewall, the system prompts SLB instance-related network restrictions. Why?
Cause
When you enable the Internet firewall, the message "You cannot enable a firewall for the IP address because the network of the SLB instance does not support this operation" appears. The likely cause is that the SLB instance has only private IP addresses, which Cloud Firewall cannot protect.
Solution
If your asset is an internal-facing SLB instance, we recommend that you associate an EIP with the instance to redirect traffic to Cloud Firewall. For more information, see Associate an EIP with an internal-facing CLB instance.
Why are my public IP addresses not displayed after I perform asset synchronization in Cloud Firewall Free Edition?
Cloud Firewall Free Edition synchronizes only EIPs, and a newly added EIP appears in Cloud Firewall one day after it is created. Free Edition cannot synchronize the public IP addresses of ECS instances or SLB instances.
Are the security group rules in ECS affected after VPC Firewall is enabled?
No, the security group rules are not affected.
After you enable VPC Firewall, a security group named Cloud_Firewall_Security_Group and an access control policy are automatically created to allow traffic to your VPC firewall. The security group controls only traffic between VPCs. The existing security group rules are not affected. You do not need to migrate or modify security group rules in ECS.
Why am I prompted that unauthorized network instances exist when I create a VPC firewall?
Cause
Your CEN instance is associated with a VPC that belongs to a different Alibaba Cloud account, and Cloud Firewall is not authorized to access the cloud resources that belong to the Alibaba Cloud account of the VPC.
Solution
Log on to the Cloud Firewall console with the Alibaba Cloud account, and authorize Cloud Firewall to access the cloud resources within the account by using a service-linked role as prompted. For more information, see Authorize Cloud Firewall to access other cloud resources.
I enabled a VPC firewall for a Basic Edition transit router. Why is a routing policy whose Routing Policy Action is set to Deny added to the route table of the transit router?
After you create and enable a VPC firewall for a VPC (VPC-test in this example) that is connected to a Basic Edition transit router, the VPC Firewall feature creates a VPC named Cloud_Firewall_VPC and advertises a static route that redirects the traffic of the other VPCs connected to the transit router, which are not protected by firewalls, to Cloud Firewall.
Cloud Firewall also adds a static route whose next hop points to the ENI that is created for Cloud_Firewall_VPC to the route table of Cloud_Firewall_VPC and creates a routing policy whose Routing Policy Action is set to Deny. This way, VPC-test does not learn the routes that are advertised by CEN. The outbound traffic of VPC-test is redirected to Cloud Firewall based on the static route.
Do not modify or delete the routing policy or the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.
Why does Cloud Firewall create a route table and add the static route 0.0.0.0/0 to the route table after I enable a NAT firewall?
After you enable a NAT firewall, Cloud Firewall automatically creates the custom route table Cloud_Firewall_ROUTE_TABLE and adds to it the static route 0.0.0.0/0 whose next hop is the NAT gateway protected by Cloud Firewall. In addition, Cloud Firewall changes the next hop of the static route 0.0.0.0/0 in the system route table to the ENI of the NAT firewall. This way, the outbound traffic that previously went straight to the NAT gateway is redirected to Cloud Firewall first.
Do not modify or delete the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.
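The two FAQs above (the Deny routing policy for a Basic Edition transit router, and the rewritten 0.0.0.0/0 route for a NAT firewall) both come down to longest-prefix routing across two tables. The following script is an added example, not part of this topic or of Cloud Firewall, that models those tables with plain longest-prefix matching and traces where a packet goes before and after the firewall is enabled. The next-hop identifiers (tr-basic, eni-cfw, ngw-1, eni-nat-fw), the 10.2.0.0/16 peer CIDR, and which table holds which entry are simplifications chosen for the example, not the exact objects Cloud Firewall creates.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    origin: str  # "static" (user- or Cloud Firewall-added) or "learned" (advertised by CEN)


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)
    deny_learned: bool = False  # models a routing policy whose Routing Policy Action is Deny

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the routes this table actually installs."""
        ip = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if self.deny_learned and r.origin == "learned":
                continue  # the Deny policy keeps CEN-advertised routes out of the table
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def trace(dst: str, start: str, tables: Dict[str, RouteTable], hop_to_table: Dict[str, str]) -> List[str]:
    """Follow next hops from table to table until a hop has no table of its own
    (it leaves the simulated network) or no route matches."""
    path: List[str] = []
    table = start
    for _ in range(8):  # bounded so a misconfigured pair of tables cannot loop forever
        route = tables[table].lookup(dst)
        if route is None:
            return path + ["no route"]
        path.append(route.next_hop)
        if route.next_hop not in hop_to_table:
            return path
        table = hop_to_table[route.next_hop]
    return path + ["loop"]


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def basic_tr_paths() -> Dict[str, List[str]]:
    """VPC-test behind a Basic Edition transit router: before the VPC firewall, after it,
    and after someone deletes the static route the firewall added (constructed scenario)."""
    peer = "10.2.0.10"  # a host in another VPC attached to the same transit router
    hops = {"eni-cfw": "Cloud_Firewall_VPC"}  # traffic entering the firewall ENI is routed by the firewall VPC
    learned = Route(net("10.2.0.0/16"), "tr-basic", "learned")
    fw_vpc = RouteTable("Cloud_Firewall_VPC", [Route(net("10.2.0.0/16"), "tr-basic", "static")])
    before = {"VPC-test": RouteTable("VPC-test", [learned]), "Cloud_Firewall_VPC": fw_vpc}
    after = {"VPC-test": RouteTable("VPC-test", [learned, Route(net("10.2.0.0/16"), "eni-cfw", "static")],
                                    deny_learned=True), "Cloud_Firewall_VPC": fw_vpc}
    broken = {"VPC-test": RouteTable("VPC-test", [learned], deny_learned=True), "Cloud_Firewall_VPC": fw_vpc}
    return {name: trace(peer, "VPC-test", t, hops)
            for name, t in (("before", before), ("after", after), ("static_route_deleted", broken))}


def nat_fw_paths() -> Dict[str, List[str]]:
    """Outbound Internet traffic through a NAT gateway, before and after a NAT firewall."""
    internet = "203.0.113.9"  # TEST-NET address standing in for an Internet destination
    hops = {"eni-nat-fw": "Cloud_Firewall_ROUTE_TABLE"}
    before = {"system": RouteTable("system", [Route(net("0.0.0.0/0"), "ngw-1", "static")])}
    after = {
        "system": RouteTable("system", [Route(net("0.0.0.0/0"), "eni-nat-fw", "static")]),  # next hop rewritten
        "Cloud_Firewall_ROUTE_TABLE": RouteTable("Cloud_Firewall_ROUTE_TABLE",
                                                 [Route(net("0.0.0.0/0"), "ngw-1", "static")]),
    }
    return {"before": trace(internet, "system", before, hops), "after": trace(internet, "system", after, hops)}


if __name__ == "__main__":
    print(basic_tr_paths())
    print(nat_fw_paths())
```

The static_route_deleted case is the failure mode the warnings describe: with the Deny policy still suppressing the CEN-learned route and the firewall's static route gone, VPC-test has no route to the peer VPC at all, so workloads are interrupted rather than falling back to the unprotected path.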
How does Cloud Firewall match outbound traffic against access control policies of the Internet firewall, a NAT firewall, and a DNS firewall?
When an ECS instance accesses a domain name and the Internet firewall, a NAT firewall, and a Domain Name System (DNS) firewall are all enabled, traffic is matched in the following order:
The ECS instance sends a DNS request. The request passes through the DNS firewall and is matched against the access control policies created for the DNS firewall.
The private network traffic that originates from the ECS instance passes through the NAT firewall and is matched against the access control policies created for the NAT firewall. At this point the source address is still the private IP address of the ECS instance.
The allowed private network traffic passes through the NAT gateway, which translates the source IP address to the public IP address of the NAT gateway.
The NAT gateway forwards the Internet traffic to the Internet firewall, where it is matched against the access control policies created for the Internet firewall. The source address seen here is the public IP address of the NAT gateway, not the private IP address of the ECS instance.
The traffic is matched against threat intelligence rules, basic protection policies, intelligence defense rules, and virtual patching rules of Cloud Firewall in sequence.
If the traffic does not hit a Deny policy in the preceding procedure, the traffic reaches the domain name. If the traffic hits a Deny policy, the traffic is denied and cannot reach the domain name.
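The following script is an added example, not code from this topic or from Cloud Firewall, that models the evaluation order above as a pipeline with first-match, deny-wins semantics, including the source-address change at the NAT gateway. It shows the check a practitioner wants before writing policies: an Internet firewall deny rule keyed to the ECS instance's private IP address never matches, because by the time traffic reaches the Internet firewall its source is the NAT gateway's public IP address. The IPS layers are modelled as plain block lists; the addresses, domain names, and rule contents are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR; "0.0.0.0/0" matches any source
    dst: str     # destination domain name (suffix match) or CIDR
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    stage: str   # the check that produced the verdict
    detail: str


def _matches(rule: Rule, src_ip: str, domain: str, dst_ip: str) -> bool:
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if "/" in rule.dst:
        return ip_address(dst_ip) in ip_network(rule.dst)
    return domain == rule.dst or domain.endswith("." + rule.dst)


def first_match(rules: List[Rule], src_ip: str, domain: str, dst_ip: str) -> Optional[Rule]:
    """Policies are evaluated top-down; the first matching rule decides."""
    return next((r for r in rules if _matches(r, src_ip, domain, dst_ip)), None)


def evaluate(ecs_private_ip: str, domain: str, resolved_ip: str, dns_rules: List[Rule],
             nat_rules: List[Rule], nat_gateway_eip: str, internet_rules: List[Rule],
             ips_layers: List[Tuple[str, Set[str]]]) -> Verdict:
    # 1. DNS firewall sees the DNS request from the ECS instance.
    r = first_match(dns_rules, ecs_private_ip, domain, resolved_ip)
    if r and r.action == "deny":
        return Verdict(False, "dns_firewall", repr(r))
    # 2. NAT firewall sees the private flow; the source is still the ECS private IP.
    r = first_match(nat_rules, ecs_private_ip, domain, resolved_ip)
    if r and r.action == "deny":
        return Verdict(False, "nat_firewall", repr(r))
    # 3. NAT gateway performs SNAT: from here on the source is the gateway's public IP.
    public_src = nat_gateway_eip
    # 4. Internet firewall sees the post-SNAT flow.
    r = first_match(internet_rules, public_src, domain, resolved_ip)
    if r and r.action == "deny":
        return Verdict(False, "internet_firewall", repr(r))
    # 5. IPS layers in order: threat intelligence, basic protection, intelligence defense,
    #    virtual patching. Each is modelled here as a block list of IPs and domains.
    for name, blocked in ips_layers:
        if resolved_ip in blocked or domain in blocked:
            return Verdict(False, name, f"{domain}/{resolved_ip} listed")
    return Verdict(True, "delivered", f"source seen by the Internet firewall: {public_src}")


def demo() -> Dict[str, Verdict]:
    """Constructed scenarios: one ECS instance behind one NAT gateway EIP."""
    ecs, eip = "10.0.1.5", "198.51.100.7"
    domain, addr = "updates.example.com", "203.0.113.10"
    ips = [("threat_intelligence", {"203.0.113.66", "evil.example.net"}), ("basic_protection", set()),
           ("intelligence_defense", set()), ("virtual_patching", set())]
    base = dict(dns_rules=[], nat_rules=[], nat_gateway_eip=eip, internet_rules=[], ips_layers=ips)
    return {
        "open": evaluate(ecs, domain, addr, **base),
        "nat_deny": evaluate(ecs, domain, addr, **{**base, "nat_rules": [Rule(f"{ecs}/32", "example.com", "deny")]}),
        # Keyed to the private IP: never matches at the Internet firewall because SNAT already happened.
        "internet_deny_private_src": evaluate(ecs, domain, addr,
                                              **{**base, "internet_rules": [Rule(f"{ecs}/32", f"{addr}/32", "deny")]}),
        "internet_deny_eip_src": evaluate(ecs, domain, addr,
                                          **{**base, "internet_rules": [Rule(f"{eip}/32", f"{addr}/32", "deny")]}),
        "threat_intel": evaluate(ecs, "evil.example.net", "203.0.113.66", **base),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} allowed={verdict.allowed!s:5s} stage={verdict.stage}")
```

The practical rule that falls out of the model: to block a specific ECS instance's outbound traffic, write the deny on the NAT firewall (where the private source is still visible); a deny on the Internet firewall can only be keyed to the NAT gateway's public IP address and therefore affects every instance behind that gateway.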
How do I efficiently enable and configure access control policies for the Internet firewall?
Enterprises can use Cloud Firewall to protect their cloud network borders, but when a large number of public IP addresses are in use, configuring access control policies by hand is laborious and error-prone.
To reduce that effort, Cloud Firewall provides intelligent policies. Cloud Firewall learns the traffic characteristics of the previous 30 days, including the inbound access to and outbound connections from your cloud services and IP addresses, and recommends an access control policy for each destination IP address or domain name. This narrows the Internet exposure of your assets and blocks outbound connections to malicious IP addresses and domain names.
For more information about how to apply intelligent access control policies to the Internet firewall, see Create access control policies for the Internet firewall.
What are the differences between the old and new versions of VPC firewalls that can be created for Enterprise Edition transit routers?
Cloud Firewall adjusted specific capabilities of the VPC firewalls that can be created for Enterprise Edition transit routers. After a VPC firewall is created, a firewall VPC is automatically created. If the VPC firewall is created in automatic traffic redirection mode, the owner of the VPC is changed from a user account to a service account. The following list describes specific differences:
Firewall VPC owner: In the new version, the firewall VPC no longer belongs to a user account. The firewall VPC belongs to the service account of Cloud Firewall. You cannot view or modify the resources and configurations of the firewall VPC, and the firewall VPC does not occupy your VPC quota in a region.
Billing method: In the old version, you are charged for traffic transfer between your transit router and the service VPC and between your transit router and the firewall VPC during traffic redirection. In the new version, the firewall VPC belongs to Cloud Firewall. Therefore, fees for traffic transfer between your transit router and the firewall VPC are included in the bill of Cloud Firewall. You do not need to pay the fees.
Enabling of a VPC firewall: When you create a VPC firewall, you do not need to specify 3 CIDR blocks for vSwitches. You need to only specify 1 CIDR block that is at least 27 bits in length and does not conflict with your network plan. Subnets are automatically assigned to the vSwitches that are required to create the VPC firewall. For more information about how to configure a VPC firewall for an Enterprise Edition transit router, see Configure a VPC firewall for an Enterprise Edition transit router.
Enable a VPC firewall of the new version for an Enterprise Edition transit router
Only the automatic traffic redirection mode is supported. Cloud Firewall must use the pay-as-you-go billing method, or, if it uses the subscription billing method, the burstable protected traffic feature must be enabled.
If no VPC firewall exists yet, first enable the burstable protected traffic feature (not required if Cloud Firewall uses the pay-as-you-go billing method), and then create the VPC firewall.
Warning: You must perform the preceding steps in this order.
If a VPC firewall is created, perform the following steps:
Delete the traffic redirection scenarios that are created for the VPC firewall and then delete the VPC firewall.
Enable the burstable protected traffic feature.
Create a VPC firewall and traffic redirection scenarios.
For more information about how to enable the burstable protected traffic feature, see Burstable protected traffic.
Does latency exist when I add an asset to Cloud Firewall?
Yes. Traffic that is redirected through Cloud Firewall incurs additional latency. If the asset and Cloud Firewall reside in different zones of the same region, the added latency is 4 to 8 milliseconds; if they reside in the same zone, it is 2 to 3 milliseconds.