
Cloud Firewall:FAQ about enabling and disabling firewalls

Last Updated:Mar 18, 2025

This topic provides answers to some frequently asked questions about enabling and disabling firewalls in Cloud Firewall, including impacts of enabling firewalls and changes on routes and traffic after enabling firewalls.

What are the impacts of enabling a firewall?

Firewall type: Internet firewall

Impact: When you create, enable, or disable the Internet firewall, you can add resources to the Internet firewall for protection or remove resources from the Internet firewall within seconds. You do not need to change the current network topology. Your workloads are not affected.

Firewall type: NAT firewall

Impact:

  • When you create a NAT firewall or delete a NAT firewall after it is disabled, your workloads are not affected.

    The creation duration varies based on the number of elastic IP addresses (EIPs) associated with the NAT gateway. The creation duration increases by approximately 2 to 5 minutes for each additional EIP.

  • The system requires approximately 10 seconds to enable or disable a NAT firewall. Persistent connections may be interrupted for 1 to 2 seconds. Short-lived connections are not affected.

Firewall type: A virtual private cloud (VPC) firewall that is created for an Express Connect circuit, or a VPC firewall that is created for a Basic Edition transit router

Impact:

  • When you create a VPC firewall or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • The system requires approximately 5 to 30 minutes to enable or disable a VPC firewall. This duration varies based on the number of routes. Persistent connections may be interrupted for several seconds. Short-lived connections are not affected.

    Note

    Before you enable a VPC firewall, we recommend that you check whether your application is configured to automatically re-establish connections over TCP, and pay close attention to the connection status of your application. This helps avoid connection interruptions.

Firewall type: A VPC firewall that is created for an Enterprise Edition transit router, in automatic traffic redirection mode

Impact:

  • When you create a VPC firewall or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • The system requires approximately 5 to 30 minutes to enable or disable a VPC firewall. This duration varies based on the number of routes. Your workloads are not affected.

Firewall type: A VPC firewall that is created for an Enterprise Edition transit router, in manual traffic redirection mode

Impact:

  • When you create a VPC firewall or delete a VPC firewall after it is disabled, your workloads are not affected.

    The creation duration is approximately 5 minutes.

  • When you enable or disable a VPC firewall, the time period during which your workloads are affected varies based on the traffic redirection mode.
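The note above recommends checking that applications re-establish TCP connections automatically before a VPC firewall is enabled. The following Python example is added here and is not Alibaba Cloud code: a local server, standing in for the few-second interruption of a persistent connection, drops a connection once, and a client reconnects with exponential backoff and resends the message whose acknowledgement never arrived. The server, the message contents, and the loopback port are all constructed for the demonstration.

```python
import socket
import threading
import time

# Constructed demonstration, not Alibaba Cloud code. The server drops the
# connection once (standing in for the interruption of persistent connections
# while a VPC firewall is enabled); the client reconnects and re-sends.


def flaky_server(listener, expected, drop_after):
    """Accept connections on `listener` until `expected` messages arrived.

    Each message is acknowledged with b"ack". After the first `drop_after`
    messages the server closes the connection without warning.
    """
    received = []
    dropped = 0
    while len(received) < expected:
        conn, _ = listener.accept()
        with conn:
            while len(received) < expected:
                data = conn.recv(1024)
                if not data:
                    break
                received.append(data)
                conn.sendall(b"ack")
                if dropped < drop_after:
                    dropped += 1
                    break  # leaving the with-block closes the connection abruptly
    listener.close()
    return received


class ReconnectingClient:
    """Ack-gated sender: a message counts as delivered only after b"ack" arrives."""

    def __init__(self, host, port, max_attempts=5, backoff=0.05):
        self.addr = (host, port)
        self.max_attempts = max_attempts
        self.backoff = backoff
        self.sock = None
        self.connections = 0

    def _ensure_connected(self):
        if self.sock is None:
            self.sock = socket.create_connection(self.addr, timeout=2)
            self.connections += 1

    def _drop(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None

    def send(self, payload):
        """Deliver `payload`; returns how many retries were needed."""
        delay = self.backoff
        for attempt in range(self.max_attempts):
            try:
                self._ensure_connected()
                self.sock.sendall(payload)
                ack = self.sock.recv(1024)
                if ack == b"ack":
                    return attempt
                raise ConnectionError("peer closed the connection")  # recv returned b""
            except OSError:  # reset, broken pipe, timeout, or the ConnectionError above
                self._drop()
                time.sleep(delay)
                delay *= 2  # exponential backoff between reconnection attempts
        raise RuntimeError(f"gave up on {payload!r} after {self.max_attempts} attempts")

    @property
    def reconnects(self):
        return max(self.connections - 1, 0)

    def close(self):
        self._drop()


def run_demo(messages=(b"order-1", b"order-2", b"order-3"), drop_after=1):
    """Run server and client on loopback; return what arrived and how many reconnects it took."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral loopback port, constructed for the demo
    listener.listen(5)
    port = listener.getsockname()[1]
    outcome = {}
    server = threading.Thread(
        target=lambda: outcome.update(received=flaky_server(listener, len(messages), drop_after)),
        daemon=True,
    )
    server.start()
    client = ReconnectingClient("127.0.0.1", port)
    retries = [client.send(m) for m in messages]
    server.join(timeout=5)
    client.close()
    return {"received": outcome.get("received"), "reconnects": client.reconnects, "retries": retries}


if __name__ == "__main__":
    print(run_demo())
```

The point of gating on the acknowledgement is that a message sent just before the cutover is treated as undelivered and resent on the new connection, rather than silently lost; an application whose client library only retries the connect, not the in-flight request, would pass a naive "reconnects automatically" check and still lose data.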

How do I release Cloud Firewall?

If you no longer require Cloud Firewall, you can release it by referring to Release Cloud Firewall to prevent unnecessary fees.

Why am I unable to activate Cloud Firewall for my account?

Causes

When you log on to the Cloud Firewall console, the "Your account cannot be used to activate Cloud Firewall." message appears. The issue may occur in the following scenarios:

  • Your account is an Alibaba Cloud account and is added as a member for centralized management.

  • Your account is a Resource Access Management (RAM) user and does not have the required permissions.

Solutions

You can move the pointer over the profile picture in the upper-right corner of the Cloud Firewall console to view the type of your account.

  • If your account is an Alibaba Cloud account, you must use the account to log on to the Cloud Firewall console and activate Cloud Firewall. Then, enable protection for cloud assets that belong to the account. For more information, see Purchase Cloud Firewall.

  • If your account is a RAM user, you must attach the following policies to the RAM user by using the Alibaba Cloud account to which the RAM user belongs: createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess. For more information, see Grant permissions to the RAM user.

    createSlr is a custom policy that you need to create. The following sample policy shows the required content. The Effect must be Allow: the policy grants the RAM user the ram:CreateServiceLinkedRole permission, and the Condition limits the grant to the service-linked role of Cloud Firewall (cloudfw.aliyuncs.com). For more information, see Create a custom policy.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:166032244439****:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cloudfw.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note

    You must specify the value of the Resource parameter in the following format: acs:ram:*:ID of the Alibaba Cloud account:role/*. The ID is the ID of the Alibaba Cloud account to which the RAM user belongs.
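As an added check, constructed here and not an Alibaba Cloud tool, the following Python snippet parses a policy document and verifies the points the note above depends on: an Allow statement for ram:CreateServiceLinkedRole, a Resource in the acs:ram:*:<account ID>:role/* form that names the expected Alibaba Cloud account, and a ram:ServiceName condition scoped to cloudfw.aliyuncs.com. The account ID it uses is a constructed placeholder, and sample_policy builds documents shaped like the FAQ's sample.

```python
import json
import re

# Constructed example, not Alibaba Cloud tooling: lint a RAM custom policy that
# is meant to let a RAM user create the Cloud Firewall service-linked role.

SERVICE = "cloudfw.aliyuncs.com"
RESOURCE_RE = re.compile(r"^acs:ram:\*:(\d+):role/\*$")
ACCOUNT_ID = "1234567890123456"  # constructed placeholder, not a real account ID


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def sample_policy(effect="Allow", account_id=ACCOUNT_ID):
    """Build a policy document like the FAQ's sample, as a JSON string."""
    return json.dumps({
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": effect,
            "Condition": {"StringEquals": {"ram:ServiceName": [SERVICE]}},
        }],
        "Version": "1",
    })


def check_slr_policy(document, account_id):
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    policy = json.loads(document) if isinstance(document, str) else document
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    granted = False
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if "ram:CreateServiceLinkedRole" not in _as_list(st.get("Action", [])):
            continue  # unrelated statement
        local = []
        if st.get("Effect") != "Allow":
            local.append(f"statement {idx}: Effect is {st.get('Effect')!r}, "
                         "but only an Allow statement grants the permission")
        resources = _as_list(st.get("Resource", []))
        if not resources:
            local.append(f"statement {idx}: Resource is missing")
        for res in resources:
            m = RESOURCE_RE.match(res)
            if m is None:
                local.append(f"statement {idx}: Resource {res!r} is not in the form "
                             "acs:ram:*:<account ID>:role/*")
            elif m.group(1) != account_id:
                local.append(f"statement {idx}: Resource names account {m.group(1)}, "
                             f"expected {account_id}")
        services = _as_list(st.get("Condition", {}).get("StringEquals", {})
                            .get("ram:ServiceName", []))
        if SERVICE not in services:
            local.append(f"statement {idx}: Condition should restrict ram:ServiceName to {SERVICE}")
        if local:
            problems.extend(local)
        else:
            granted = True
    if not granted and not problems:
        problems.append("no statement grants ram:CreateServiceLinkedRole")
    return problems


if __name__ == "__main__":
    print(check_slr_policy(sample_policy(), ACCOUNT_ID))
    print(check_slr_policy(sample_policy(effect="Deny"), ACCOUNT_ID))
```

The ServiceName condition is reported even though the permission would work without it, because the grant is meant to cover only the Cloud Firewall service-linked role; the account-ID check catches a policy copied from documentation with the masked sample ID left in place.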

Causes and solutions of firewall enabling failures

Cause: Your Cloud Enterprise Network (CEN) instance is not associated with a VPC created by a different Alibaba Cloud account, Cloud Firewall is not authorized to access VPCs created by a different Alibaba Cloud account, or Cloud Firewall does not run Ultimate Edition.

Solution: Complete authorization by using the required Alibaba Cloud account. Then, log on to the Cloud Firewall console and enable a VPC firewall. For more information, see Authorize Cloud Firewall to access other cloud resources. For more information about how to upgrade Cloud Firewall to Ultimate Edition, see Renewal.

Cause: An Express Connect circuit and a VPC exist on the CEN instance for which you want to enable a firewall. A firewall is already enabled for the VPC.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: The region in which the VPC on your CEN instance resides is not supported by the VPC Firewall feature.

Solution: For more information, see Supported regions.

Cause: A VPC firewall created in manual mode already exists in the region in which your CEN instance resides.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Only one network instance exists on the CEN instance, or no VPC exists on your CEN instance.

Solution: Add more VPCs to the CEN instance and then try again.

Cause: The number of VPCs for which VPC firewalls can be enabled in the same region exceeds the upper limit.

Solution: Use a CEN transit router. Join the DingTalk group 33081734 to obtain technical support.

Cause: Cloud Firewall is not purchased by using the Alibaba Cloud account to which your CEN instance belongs.

Solution: Use the Alibaba Cloud account to purchase Cloud Firewall.

Cause: The number of custom routes in your VPC exceeds the upper limit.

Solution: Log on to the VPC console, go to the O&M and Monitoring > Quota Management page, and then increase the maximum number of custom routes allowed for each route table within your Alibaba Cloud account.

Cause: Your VPC quota is insufficient.

Solution: Increase the VPC quota.

Cause: The specified CIDR blocks are duplicated. Only the CIDR blocks of virtual border routers (VBRs) can be duplicated. The CIDR blocks of VPCs, and the CIDR blocks of a VPC and a VBR, cannot be duplicated.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Your priority quota for policy-based routes is insufficient.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Your CEN instance has routing policies whose Routing Policy Action is set to Deny, excluding system routing policies whose priority is set to 5000 and Routing Policy Action is set to Deny.

Solution: Delete the routing policies or join the DingTalk group 33081734 to obtain technical support.

Cause: The number of VPCs that are created in the region exceeds the VPC quota for the region minus one. The VPC firewall consumes a VPC quota of 1.

Solution: If the VPC quota is exhausted, log on to the VPC console and go to the Quota Management page to increase the VPC quota. If the VPC quota reaches the upper limit, join the DingTalk group 33081734 to obtain technical support.

Cause: The CIDR blocks advertised by your CEN instance include public CIDR blocks, excluding 0.0.0.0/0. In this case, one-way access to Server Load Balancer (SLB) may trigger interruption.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Verify the upstream routes that are configured to point to your border router.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: A VPC in your CEN instance has a custom route table that is associated with a vSwitch.

Solution: Delete the custom route table or disassociate the custom route table from the vSwitch.

Cause: After a firewall is enabled for your CEN instance, the number of advertised routes will exceed the upper limit.

Solution: Advertise no more than 100 routes, or upgrade your network architecture to the CEN-TR architecture. Join the DingTalk group 33081734 to obtain technical support.

Cause: The region in which the transit router resides is not supported by the VPC Firewall feature.

Solution: For more information, see Supported regions.

Cause: VPN connections exist in your transit router.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Prefix lists exist in the route table of your transit router.

Solution: Advertise routes in your VPC instead of using route prefix lists.

Cause: Blackhole routes exist in the route table of your transit router.

Solution: Join the DingTalk group 33081734 to obtain technical support.

Cause: Static routes exist in the route table of your transit router.

Solution: Advertise routes in your VPC instead of using static routes.

Cause: Route conflicts exist in the route table of your transit router.

Solution: Check whether a route conflict exists.

Cause: System routing policy conflicts exist in the route table of your transit router.

Solution: Check whether the matching conditions of the system routing policy whose priority is 5000 include the following source or destination instance types: Cloud Connect Network (CCN), VBR, VPN, and Express Connect Router (ECR). If not, join the DingTalk group 33081734 to obtain technical support.

Cause: IPv6 routes exist in the route table of your transit router.

Solution: IPv6 routes are not supported by Cloud Firewall.

Cause: The VPC Firewall feature is disabled in Cloud Firewall that uses the pay-as-you-go billing method.

Solution: Log on to the Cloud Firewall console and enable the VPC Firewall feature. For more information, see Pay-as-you-go.

Cause: The VPC Firewall feature is not supported in the current edition of Cloud Firewall.

Solution: Upgrade the edition of Cloud Firewall. For more information, see Upgrade or downgrade Cloud Firewall.

Cause: The asset synchronization for the VPC Firewall feature is incomplete.

Solution: Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings. On the Firewall Settings page, click the VPC Firewall tab, click Synchronize Assets, and then wait for 5 to 10 minutes for the assets to be synchronized.

What is the purpose of the Internet firewall?

You can add multiple types of Internet-facing assets to the Internet firewall for protection, including the public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of SLB instances, and EIPs. After you enable the Internet firewall, the system forwards inbound and outbound traffic at the Internet border to Cloud Firewall. Then, Cloud Firewall filters the traffic and allows only traffic that meets the specified conditions. For more information, see Internet Firewall.

Can the Internet firewall protect IPv6 addresses?

Yes, Cloud Firewall supports full protection for IPv6 addresses from January 8, 2025.

For more information about the cloud assets that can be protected by the Internet firewall, see Protection scope.

Is network traffic affected after I enable the Internet firewall?

If you enable the Internet firewall but do not configure access control policies or policies for the intrusion prevention system (IPS), Cloud Firewall monitors traffic and generates alerts for suspicious traffic but does not block suspicious traffic.

By default, the Internet firewall is enabled after you activate Cloud Firewall.

What are the impacts of disabling the Internet firewall?

If you disable the Internet firewall, network traffic does not pass through the firewall, and the following issues may occur:

  • The protection capabilities of the Internet firewall become invalid. For example, the access control policies that you created become invalid, and intrusion prevention is disabled.

  • The statistics of traffic at the Internet border are not updated, including network traffic analysis reports and traffic logs.

When I enable the Internet firewall, the system prompts SLB instance-related network restrictions. Why?

Cause

When you enable the Internet firewall, the "You cannot enable a firewall for the IP address because the network of the SLB instance does not support this operation" message appears. The cause may be that an SLB instance has only private IP addresses and does not support Cloud Firewall.

Solution

If your asset is an internal-facing SLB instance, we recommend that you associate an EIP with the instance to redirect traffic to Cloud Firewall. For more information, see Associate an EIP with an internal-facing CLB instance.

Why are my public IP addresses not displayed after I perform asset synchronization in Cloud Firewall Free Edition?

Cloud Firewall Free Edition can synchronize only EIPs. Information about newly added EIPs is displayed in Cloud Firewall one day later. Cloud Firewall Free Edition cannot synchronize public IP addresses of ECS instances or SLB instances.

Are the security group rules in ECS affected after VPC Firewall is enabled?

No, the security group rules are not affected.

After you enable VPC Firewall, a security group named Cloud_Firewall_Security_Group and an access control policy are automatically created to allow traffic to your VPC firewall. The security group controls only traffic between VPCs. The existing security group rules are not affected. You do not need to migrate or modify security group rules in ECS.

Why am I prompted that unauthorized network instances exist when I create a VPC firewall?

Cause

Your CEN instance is associated with a VPC that belongs to a different Alibaba Cloud account, and Cloud Firewall is not authorized to access the cloud resources that belong to the Alibaba Cloud account of the VPC.

Solution

Log on to the Cloud Firewall console with the Alibaba Cloud account, and authorize Cloud Firewall to access the cloud resources within the account by using a service-linked role as prompted. For more information, see Authorize Cloud Firewall to access other cloud resources.

I enabled a VPC firewall for a Basic Edition transit router. Why is a routing policy whose Routing Policy Action is set to Deny added to the route table of the transit router?

After you create and enable a VPC firewall for a VPC that is named VPC-test and is connected to a Basic Edition transit router, the VPC Firewall feature creates a VPC named Cloud_Firewall_VPC and advertises a static route to redirect the traffic of other VPCs that are connected to the transit router and not protected by firewalls to Cloud Firewall.

Cloud Firewall also adds a static route whose next hop points to the ENI that is created for Cloud_Firewall_VPC to the route table of Cloud_Firewall_VPC and creates a routing policy whose Routing Policy Action is set to Deny. This way, VPC-test does not learn the routes that are advertised by CEN. The outbound traffic of VPC-test is redirected to Cloud Firewall based on the static route.

Important

Do not modify or delete the routing policy or the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.

Why does Cloud Firewall create a route table and add the static route 0.0.0.0/0 to the route table after I enable a NAT firewall?

After you enable a NAT firewall, Cloud Firewall automatically creates the custom route table Cloud_Firewall_ROUTE_TABLE and adds the static route 0.0.0.0/0 that points to the involved NAT gateway protected by Cloud Firewall to the custom route table. In addition, Cloud Firewall changes the next hop of the static route 0.0.0.0/0 in the system route table to the ENI of the NAT firewall. This way, the outbound traffic of the NAT gateway is redirected to Cloud Firewall.

Important

Do not modify or delete the route table. Otherwise, the traffic redirection capability of Cloud Firewall is affected, and your workloads are interrupted.

How does Cloud Firewall match outbound traffic against access control policies of the Internet firewall, a NAT firewall, and a DNS firewall?

When an ECS instance accesses a domain name, traffic is matched in the following procedure if the Internet firewall, a NAT firewall, and a Domain Name System (DNS) firewall are enabled:

  1. The ECS instance initiates a DNS request. The DNS request passes through the DNS firewall and is matched against the access control policies created for the DNS firewall.

  2. The private network traffic that originates from the ECS instance passes through the NAT firewall and is matched against the access control policies created for the NAT firewall.

  3. The allowed private network traffic passes through the NAT gateway, and the source IP address of the private traffic is converted to the public IP address of the NAT gateway.

  4. The Internet traffic is forwarded by the NAT gateway to the Internet firewall and is matched against the access control policies created for the Internet firewall.

  5. The traffic is matched against threat intelligence rules, basic protection policies, intelligence defense rules, and virtual patching rules of Cloud Firewall in sequence.

If the traffic does not hit a Deny policy in the preceding procedure, the traffic reaches the domain name. If the traffic hits a Deny policy, the traffic is denied and cannot reach the domain name.
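The order above, as an added illustration that is not Cloud Firewall's own code: a small Python model walks a flow through the five stages with constructed policies and addresses. It assumes first-match evaluation within each firewall, that traffic matching no policy proceeds to the next stage, and models the built-in threat intelligence and other rules as a set of indicators. It also shows a consequence of step 3 that the list does not spell out: once the NAT gateway has rewritten the source address, a policy in the Internet firewall keyed on an ECS instance's private IP address never matches, so per-instance outbound controls belong on the NAT firewall.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the matching order, not Cloud Firewall's engine.
# Assumptions: first match wins inside each firewall; unmatched traffic moves
# to the next stage; built-in threat rules are a plain set of indicators.


@dataclass(frozen=True)
class Policy:
    source: str       # source CIDR
    destination: str  # destination CIDR or domain name
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str       # private IP address of the ECS instance
    domain: str       # domain name being accessed
    resolved_ip: str  # address the domain resolves to (constructed)


@dataclass(frozen=True)
class Deployment:
    nat_public_ip: str            # public IP address of the NAT gateway
    dns_policies: tuple
    nat_policies: tuple
    internet_policies: tuple
    threat_indicators: frozenset  # stand-in for threat intelligence and built-in rules


def _matches(policy, src_ip, dst_ip, domain):
    if ip_address(src_ip) not in ip_network(policy.source, strict=False):
        return False
    if policy.destination.lower() == domain.lower():
        return True
    try:
        return ip_address(dst_ip) in ip_network(policy.destination, strict=False)
    except ValueError:  # destination is a domain name that did not match
        return False


def first_hit(policies, src_ip, dst_ip, domain):
    """Action of the first matching policy, or None when nothing matches."""
    for policy in policies:
        if _matches(policy, src_ip, dst_ip, domain):
            return policy.action
    return None


def evaluate(flow, dep):
    """Walk the five stages; return the verdict, the deciding stage, and a trace."""
    trace = []

    def stage(name, policies, src_ip):
        hit = first_hit(policies, src_ip, flow.resolved_ip, flow.domain)
        trace.append((name, src_ip, hit))
        return hit

    # 1. The DNS request passes through the DNS firewall.
    if stage("dns_firewall", dep.dns_policies, flow.src_ip) == "deny":
        return {"action": "deny", "stage": "dns_firewall", "trace": trace}
    # 2. Private traffic passes through the NAT firewall; source is still the private IP.
    if stage("nat_firewall", dep.nat_policies, flow.src_ip) == "deny":
        return {"action": "deny", "stage": "nat_firewall", "trace": trace}
    # 3. The NAT gateway rewrites the source to its public IP address.
    public_src = dep.nat_public_ip
    trace.append(("nat_gateway", f"{flow.src_ip} -> {public_src}", None))
    # 4. The Internet firewall sees only the post-NAT source address.
    if stage("internet_firewall", dep.internet_policies, public_src) == "deny":
        return {"action": "deny", "stage": "internet_firewall", "trace": trace}
    # 5. Threat intelligence, basic protection, intelligence defense, virtual patching.
    if flow.domain in dep.threat_indicators or flow.resolved_ip in dep.threat_indicators:
        trace.append(("threat_rules", public_src, "deny"))
        return {"action": "deny", "stage": "threat_rules", "trace": trace}
    trace.append(("threat_rules", public_src, None))
    return {"action": "allow", "stage": "destination", "trace": trace}


# Constructed deployment: all addresses and names are documentation/test values.
DEPLOYMENT = Deployment(
    nat_public_ip="203.0.113.10",
    dns_policies=(Policy("0.0.0.0/0", "blocked.example", "deny"),),
    nat_policies=(Policy("10.0.0.0/24", "0.0.0.0/0", "deny"),),       # subnet with no egress
    internet_policies=(Policy("10.0.1.5/32", "0.0.0.0/0", "deny"),),  # misplaced: private IP is never seen here
    threat_indicators=frozenset({"198.51.100.7"}),
)
# Same intent with the per-instance policy moved to the NAT firewall, where it can match.
FIXED = replace(DEPLOYMENT,
                nat_policies=DEPLOYMENT.nat_policies + DEPLOYMENT.internet_policies,
                internet_policies=())

if __name__ == "__main__":
    for flow in (Flow("10.0.1.5", "blocked.example", "192.0.2.1"),
                 Flow("10.0.0.9", "updates.example", "192.0.2.2"),
                 Flow("10.0.1.5", "updates.example", "192.0.2.2"),
                 Flow("10.0.1.5", "c2.example", "198.51.100.7")):
        print(flow.src_ip, flow.domain, evaluate(flow, DEPLOYMENT)["stage"])
    print("fixed:", evaluate(Flow("10.0.1.5", "updates.example", "192.0.2.2"), FIXED)["stage"])
```

The trace returned for each flow records which source address each stage saw, which is the quickest way to see why a policy written against a private address in the Internet firewall is dead: from step 4 on, only the NAT gateway's public address is visible.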


How do I efficiently enable and configure access control policies for the Internet firewall?

Cloud computing has become an inevitable choice for the digital transformation of enterprises. A wider range of cloud-based solutions constitute a more complex business architecture, and security borders become more indistinct. Enterprises can use Cloud Firewall to deliver protection at cloud network borders. However, if a large number of public IP addresses are used, the configuration of access control policies is complex.

Cloud Firewall provides intelligent policies. Cloud Firewall automatically learns the traffic characteristics in the previous 30 days and the access and outbound connections of cloud services and IP addresses and automatically recommends appropriate access control policies for each destination IP address or domain name. This reduces Internet exposures and intrusion risks, and blocks malicious outbound IP addresses and domain names.

For more information about how to apply intelligent access control policies to the Internet firewall, see Create access control policies for the Internet firewall.

What are the differences between the old and new versions of VPC firewalls that can be created for Enterprise Edition transit routers?

Cloud Firewall adjusted specific capabilities of the VPC firewalls that can be created for Enterprise Edition transit routers. After a VPC firewall is created, a firewall VPC is automatically created. If the VPC firewall is created in automatic traffic redirection mode, the owner of the VPC is changed from a user account to a service account. The following list describes specific differences:

  1. Firewall VPC owner: In the new version, the firewall VPC no longer belongs to a user account. The firewall VPC belongs to the service account of Cloud Firewall. You cannot view or modify the resources and configurations of the firewall VPC, and the firewall VPC does not occupy your VPC quota in a region.

  2. Billing method: In the old version, you are charged for traffic transfer between your transit router and the service VPC and between your transit router and the firewall VPC during traffic redirection. In the new version, the firewall VPC belongs to Cloud Firewall. Therefore, fees for traffic transfer between your transit router and the firewall VPC are included in the bill of Cloud Firewall. You do not need to pay the fees.

  3. Enabling of a VPC firewall: When you create a VPC firewall, you do not need to specify 3 CIDR blocks for vSwitches. You need to only specify 1 CIDR block that is at least 27 bits in length and does not conflict with your network plan. Subnets are automatically assigned to the vSwitches that are required to create the VPC firewall. For more information about how to configure a VPC firewall for an Enterprise Edition transit router, see Configure a VPC firewall for an Enterprise Edition transit router.


Enable a VPC firewall of the new version for an Enterprise Edition transit router

Important

Only the automatic traffic redirection mode is supported. Make sure that Cloud Firewall uses the pay-as-you-go billing method. If Cloud Firewall uses the subscription billing method, make sure that the burstable protected traffic feature is enabled.

  • If no VPC firewall is created, perform the following steps: Enable the burstable protected traffic feature, and then create a VPC firewall. If your Cloud Firewall uses the pay-as-you-go billing method, you do not need to enable the feature.

    Warning

    You must strictly perform the preceding steps in this order.

  • If a VPC firewall is created, perform the following steps:

    • Delete the traffic redirection scenarios that are created for the VPC firewall and then delete the VPC firewall.

    • Enable the burstable protected traffic feature.

    • Create a VPC firewall and traffic redirection scenarios.

  • For more information about how to enable the burstable protected traffic feature, see Burstable protected traffic.

Does latency exist when I add an asset to Cloud Firewall?

Yes, latency exists when you add an asset to Cloud Firewall.

If the asset and Cloud Firewall reside in different zones of the same region, a latency of 4 to 8 milliseconds exists. If the asset and Cloud Firewall reside in the same zone, a latency of 2 to 3 milliseconds exists.