Cloud Firewall:FAQ about Cloud Firewall settings

Last Updated:Apr 01, 2026

This topic answers frequently asked questions about enabling or disabling Cloud Firewall. It covers the impact on your services and the resulting changes to routes and traffic.

Impact of enabling a firewall

Internet firewall

You can create, enable, or disable an internet firewall without changing your network topology. You can add or remove asset protection in seconds, with no impact on your services.

NAT firewall

  • Creating or deleting a NAT firewall has no impact on your services.

    The creation time depends on the number of elastic IP addresses (EIPs) associated with the NAT gateway. Each additional EIP adds approximately 2 to 5 minutes to the creation time.

  • Enabling or disabling a NAT firewall takes about 10 seconds. During this process, long-lived connections may experience a brief interruption of 1 to 2 seconds. Short-lived connections are not affected.

VPC firewall for Express Connect or for a Basic Edition transit router

  • Creating or deleting a VPC firewall has no impact on your services.

    Creation takes approximately 5 minutes.

  • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of route entries. During this process, long-lived connections may experience brief interruptions. Short-lived connections are not affected.

    Note

    Before enabling a VPC firewall, check if your application supports automatic TCP retransmission. Monitor your application's connection status closely to prevent interruptions if it lacks a retransmission mechanism.

VPC firewall for an Enterprise Edition transit router (automatic traffic redirection)

  • Creating or deleting a VPC firewall has no impact on your services.

    Creation takes approximately 5 minutes.

  • Enabling or disabling a VPC firewall takes approximately 5 to 30 minutes, depending on the number of route entries. This process has no impact on your services.

VPC firewall for an Enterprise Edition transit router (manual traffic redirection)

  • Creating or deleting a VPC firewall has no impact on your services.

    Creation takes approximately 5 minutes.

  • When you enable or disable a VPC firewall, the duration of service impact varies depending on the traffic switching method.

How do I disable Cloud Firewall?

If your services no longer require Cloud Firewall protection, you can release an instance to avoid further charges.

Handling traffic overages

If your service traffic exceeds the purchased bandwidth specification, the service level agreement (SLA) is not guaranteed. This overage can trigger service degradation, which may include but is not limited to: disabled security features like access control, IPS, and Log Audit; firewall bypass for high-traffic assets; and packet loss from rate limiting.

Why can't I enable Cloud Firewall for my account?

Cause

When you log on to the Cloud Firewall console, the message "Your account cannot be used to activate Cloud Firewall." appears. This can happen for the following reasons:

  • Your Alibaba Cloud account is a member account managed by another Alibaba Cloud account.

  • You are a RAM user without the required permissions.

Solution

You can hover over your profile picture in the upper-right corner of the console to check your account type.

  • If the account is an Alibaba Cloud account:

    You must use the administrator account that centrally manages this member account to log on to the Cloud Firewall console, activate the service, and then enable protection for the cloud assets of the member account. For more information, see Purchase Cloud Firewall.

  • If the account is a RAM user (sub-account), you must use the parent Alibaba Cloud account (main account) to grant the createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess permissions to the RAM user. For more information, see Manage RAM user permissions.

    Here, createSlr is a custom permission policy that you must create. The policy document is as follows: it allows the RAM user to create the service-linked role that Cloud Firewall (cloudfw.aliyuncs.com) requires, and nothing else. For more information, see Create a custom permission policy.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:166032244439****:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cloudfw.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }
    Note

    The format of the Resource parameter is acs:ram:*:Alibaba Cloud account ID:role/*, where Alibaba Cloud account ID is the ID of the root account that owns the RAM user.
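Before attaching the createSlr policy, it is worth checking offline that the document really grants what the note above requires. The following validator is an added example, not code from the Alibaba Cloud documentation or the product; it parses a policy document in the format shown above and reports an Allow statement for ram:CreateServiceLinkedRole that is scoped to the root account ID and to cloudfw.aliyuncs.com. The account ID it uses is a constructed placeholder.

```python
import json
import re

REQUIRED_ACTION = "ram:CreateServiceLinkedRole"
REQUIRED_SERVICE = "cloudfw.aliyuncs.com"
# Resource must be acs:ram:*:<Alibaba Cloud account ID>:role/* (see the note above).
RESOURCE_RE = re.compile(r"^acs:ram:\*:([0-9]+):role/\*$")

# Constructed account ID; use the ID of the root account that owns the RAM user.
ACCOUNT_ID = "1234567890123456"

# The policy document from this page with the constructed account ID substituted.
GOOD_POLICY = """
{
    "Statement": [
        {
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": "acs:ram:*:1234567890123456:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": ["cloudfw.aliyuncs.com"]}}
        }
    ],
    "Version": "1"
}
"""


def _as_list(value):
    """RAM accepts either a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def check_create_slr_policy(document: str, account_id: str) -> list:
    """Return the problems found in a createSlr policy document; [] means it is acceptable."""
    problems = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    granted = False
    for stmt in _as_list(policy.get("Statement", [])):
        if REQUIRED_ACTION not in _as_list(stmt.get("Action", [])):
            continue  # unrelated statement, ignore
        if stmt.get("Effect") != "Allow":
            problems.append(f"{REQUIRED_ACTION} statement has Effect {stmt.get('Effect')!r}; "
                            "a Deny statement cannot grant the permission")
            continue
        scoped = False
        for res in _as_list(stmt.get("Resource", [])):
            match = RESOURCE_RE.match(res)
            if match is None:
                problems.append(f"Resource {res!r} is not of the form acs:ram:*:<account ID>:role/*")
            elif match.group(1) != account_id:
                problems.append(f"Resource {res!r} names account {match.group(1)}, expected {account_id}")
            else:
                scoped = True
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        services = _as_list(condition.get("ram:ServiceName", []))
        if not services:
            problems.append("no ram:ServiceName condition: the grant is wider than Cloud Firewall needs")
        elif REQUIRED_SERVICE not in services:
            problems.append(f"ram:ServiceName {services} does not include {REQUIRED_SERVICE}")
            scoped = False
        granted = granted or scoped
    if not granted:
        problems.append(f"policy does not grant {REQUIRED_ACTION} for {REQUIRED_SERVICE} in account {account_id}")
    return problems
```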

Firewall enablement failures

Error message

Solution

Your Cloud Enterprise Network (CEN) instance is not associated with a cross-account VPC, Cloud Firewall is not authorized to access the cross-account VPC, or your Cloud Firewall edition is not Ultimate Edition.

Use the corresponding account to log on to Cloud Firewall and grant the required permissions before you enable the VPC firewall. For more information about authorization, see Authorize Cloud Firewall to access cloud resources. To upgrade to Cloud Firewall Ultimate Edition, see Renewal.

The CEN instance for which you want to enable a firewall contains a VPC that is connected to Express Connect and already has a firewall enabled.

For technical assistance, submit a ticket.

The region where the VPC in the CEN instance resides is not supported by the VPC firewall.

For more information, see Supported regions.

A firewall created in manual mode already exists in the same region as the CEN instance.

For technical assistance, submit a ticket.

The CEN instance has only one network instance or no VPC.

You cannot create a Cloud Firewall instance if the CEN instance has no VPCs or only one VPC. Add more VPCs to the CEN instance and try again.

The number of VPCs for which a firewall can be enabled in the same region has reached the quota.

We recommend that you use a CEN transit router. For more information, submit a ticket for technical assistance.

The managing account for the cross-account CEN instance has not purchased Cloud Firewall.

Use the managing account to purchase Cloud Firewall.

The number of custom routes for the VPC instance exceeds the quota.

Go to the VPC console and choose O&M and Monitoring > Quota Management. On the Quota Management page, increase the custom route quota for the route table under your account.

The VPC firewall quota is full.

We recommend that you increase your firewall quota.

Duplicate CIDR block configuration is detected. Only CIDR blocks of virtual border routers (VBRs) can be duplicated. CIDR blocks of different VPCs or a VPC and a VBR cannot be duplicated.

For technical assistance, submit a ticket.

The quota for policy-based route priorities is insufficient.

For technical assistance, submit a ticket.

The CEN instance contains route policies of the Deny type, excluding default system route policies with a priority of 5000.

We recommend that you delete the relevant route policies or submit a ticket for technical assistance.

The number of VPCs in a region must be less than the VPC quota because the VPC firewall consumes one quota slot.

If the quota is full, go to the VPC console and select the Quota Management page to increase the VPC quota. If the VPC quota cannot be increased, submit a ticket for technical assistance.

The advertised CIDR blocks of the CEN instance contain public IP ranges, excluding 0.0.0.0/0. This can cause one-way access to SLB to trigger disconnections.

For technical assistance, submit a ticket.

Failed to verify routes that point to a border router (BR).

For technical assistance, submit a ticket.

A VPC in the CEN instance has a custom route table that is bound to a vSwitch.

You can delete the relevant custom route table or unbind the vSwitch from the custom route table.

Enabling the firewall for the CEN instance will cause the number of routes to exceed the quota.

We recommend that you reduce the number of advertised routes to 100 or fewer, or upgrade to the CEN-TR architecture. If needed, submit a ticket for technical assistance.

The region where the transit router is located is not supported.

The region where the transit router in the CEN instance resides is not supported by the VPC firewall. For more information, see Supported regions.

The transit router has a VPN connection.

For technical assistance, submit a ticket.

The route table of the transit router contains a prefix list.

We recommend that you advertise routes in the VPC instead of using a prefix list.

The route table of the transit router contains a blackhole route.

For technical assistance, submit a ticket.

The route table of the transit router contains a static route.

We recommend that you advertise routes in the VPC instead of using a static route.

The route table of the transit router has a route conflict.

We recommend that you check for any denied routes that may be causing the conflict.

The route table of the transit router has a system route policy conflict.

Check whether the source and destination instance types in the matching conditions of the system route policy with priority 5000 include CEN, VBR, VPN, or ECR. If not, submit a ticket for technical assistance.

The route table of the transit router contains an IPv6 route.

This is not currently supported by Cloud Firewall.

The VPC firewall is not enabled for the pay-as-you-go edition of Cloud Firewall.

You can go to the Cloud Firewall console to enable the VPC firewall. For more information, see Pay-as-you-go 2.0.

The current Cloud Firewall edition does not support the VPC firewall.

We recommend that you upgrade your Cloud Firewall edition. For more information, see Upgrade and downgrade.

Asset synchronization for the VPC firewall is not complete.

Go to the Cloud Firewall console. In the left-side navigation pane, choose Firewall > VPC firewall. On the VPC firewall page, click Synchronize Assets and wait 5 to 10 minutes.

What is the purpose of the internet firewall?

The internet firewall can protect multiple types of public assets, such as the public IP addresses of ECS instances, SLB instances, and EIPs. After you enable the internet firewall, traffic to and from these assets at the internet border is forwarded to Cloud Firewall. Cloud Firewall inspects and filters the traffic, allowing only traffic that meets the specified conditions to pass. For more information, see Internet firewall.

Does the internet firewall protect IPv6 assets?

Yes. As of January 8, 2025, Cloud Firewall fully supports the protection of IPv6 assets.

For the scope of assets that the internet firewall can protect, see Protection scope.

Does the internet firewall affect network traffic?

If you only enable the internet firewall without configuring any access control or intrusion prevention policies, Cloud Firewall only inspects and generates alerts for traffic. It does not block any traffic.

When you purchase Cloud Firewall, the internet firewall is enabled by default for all assets.

What is the impact of disabling the internet firewall?

If you disable the internet firewall, all traffic bypasses it, which has the following consequences:

  • The protection features of the internet firewall become inactive. This includes access control policies for inbound and outbound traffic at the internet border and intrusion prevention.

  • Traffic statistics for the internet border, including network traffic analysis reports and logs, are no longer generated.

SLB network restriction error when enabling internet firewall

Cause

When you enable the internet firewall, you may see the message "You cannot enable a firewall for the IP address because the network of the SLB instance does not support this operation." This can happen if the SLB asset has only a private IP address, which does not support Cloud Firewall protection.

Solution

For assets that have only a private IP address, you can enable Cloud Firewall protection by associating an EIP with the asset to redirect its traffic to the firewall. For more information, see Associate and manage an EIP for an internal-facing CLB instance.

Why are public IPs missing after syncing assets in Free Edition?

Cloud Firewall Free Edition can synchronize only EIP assets; it cannot synchronize the public IP addresses of ECS or SLB instances. Newly added EIP assets appear in Cloud Firewall after a 24-hour delay (T+1 day).

Why is an internet firewall asset's status 'Protection abnormal'?

Cause

  • The asset was part of a classic network-to-VPC migration.

  • When a public-facing Classic Load Balancer (CLB) instance was released, its public IP address was converted to an EIP and retained.

Solution

Click Disable and then Enable to restore normal status.

Does enabling a VPC firewall affect ECS security group rules?

No.

When you enable a VPC firewall, Cloud Firewall automatically creates a security group named Cloud_Firewall_Security_Group and a corresponding allow policy to permit traffic to pass through the VPC firewall. This security group only manages traffic within that VPC. Your existing ECS security group rules remain effective.

Why do I get an 'unauthorized network instance' error when creating a VPC firewall?

Cause

Your CEN instance contains a VPC that belongs to another Alibaba Cloud account, and that account has not authorized Cloud Firewall to access its cloud resources.

Solution

Log on to the Cloud Firewall console with the unauthorized Alibaba Cloud account and follow the on-screen prompts to authorize the Cloud Firewall service role. For more information, see Authorize Cloud Firewall to access cloud resources.

Deny route policy for Basic Edition transit routers

After you enable a VPC firewall for a VPC (for example, VPC-test) connected through a Basic Edition transit router, Cloud Firewall creates a new VPC named Cloud_Firewall_VPC under that transit router. It also advertises a static route to redirect traffic from other unprotected VPCs under the same transit router to Cloud Firewall.

At the same time, Cloud Firewall adds a static route within VPC-test that points to the firewall's elastic network interface (ENI), redirecting outbound traffic from VPC-test to the firewall. It also creates a deny route policy to prevent VPC-test from learning routes advertised by the CEN instance.

Important

Do not modify or delete the route policy and route table described above. Doing so will disrupt Cloud Firewall's traffic redirection and cause service interruptions.

Why does a NAT firewall create a route table and a 0.0.0.0/0 route?

When you enable a NAT firewall, Cloud Firewall automatically creates a custom route table named Cloud_Firewall_ROUTE_TABLE and adds a 0.0.0.0/0 route that points to the NAT gateway. It also modifies the 0.0.0.0/0 route entry in the system route table, changing its next hop to the firewall's elastic network interface (ENI). This ensures that outbound traffic from the NAT gateway is redirected to Cloud Firewall.

Important

Do not modify or delete this route table or its route entries. Doing so will disrupt Cloud Firewall's traffic redirection and cause service interruptions.

Outbound traffic matching with multiple firewalls

When an ECS instance initiates an outbound request to a domain and all three firewalls are enabled, the traffic is matched as follows:

  1. The ECS instance sends a DNS request, which passes through the DNS firewall and is matched against its access control policies.

  2. The private network traffic from the ECS instance passes through the NAT firewall and is matched against its access control policies.

  3. Allowed private traffic passes through the NAT gateway, which translates the private source IP address to a public IP address.

  4. The NAT gateway sends the public traffic to the internet firewall, where it is matched against the internet firewall's access control policies.

  5. The traffic is then matched against the threat intelligence, basic protection, intelligence defense, and virtual patching rules of Cloud Firewall.

If the traffic does not match any deny policy during this process, it successfully reaches the domain. If it matches any deny policy, the traffic is blocked and cannot access the domain.


Why does telnet still work after configuring a NAT firewall policy?

An EIP is bound to an SNAT entry, a NAT firewall is enabled, and an access control policy is configured to allow an ECS instance to access a specific domain only via TCP using HTTP or HTTPS. However, the ECS instance can still use the telnet command to access other domains.

  • Cause: When you test with the telnet command, it lacks application-layer protocol features (like HTTP or HTTPS). As a result, Cloud Firewall's deep packet inspection (DPI) cannot identify the specific application, and the application is labeled as "Unknown." This traffic does not match the HTTP or HTTPS policy. In loose mode, when matching application or domain policies, Cloud Firewall defaults to allowing traffic with unidentified applications or domains. To ensure such traffic is matched against subsequent policies, you must enable strict mode.

    Important

    Strict mode is a global setting. Enabling it will affect the matching logic for all traffic. Please proceed with caution based on your business needs.

  • Solution: We do not recommend using telnet for testing. Use the curl command instead.
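The five-stage matching order above and the loose/strict behaviour behind the telnet question can be replayed in a small model. This is an added example, not code from the Alibaba Cloud documentation or from the product: it walks a constructed outbound request through the DNS firewall, the NAT firewall, SNAT, the internet firewall and a threat-intelligence blocklist, and shows why a telnet session (application "Unknown" to DPI) passes a "HTTP/HTTPS to one domain only" NAT firewall policy in loose mode but is denied in strict mode. The policies, domains and IP addresses are constructed.

```python
from dataclasses import dataclass

UNKNOWN = "Unknown"  # label DPI assigns when it cannot identify the application or domain


@dataclass(frozen=True)
class Policy:
    action: str          # "allow" or "deny"
    domain: str = "*"    # destination domain the policy applies to, "*" for any
    app: str = "*"       # application the policy applies to ("HTTP", "HTTPS", ...), "*" for any


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dns_name: str        # name the ECS instance resolves; seen by the DNS firewall
    domain: str          # domain DPI identifies in the connection itself, or UNKNOWN
    app: str             # application DPI identifies, or UNKNOWN


def match_policies(policies, flow, strict):
    """First matching policy wins; returns "allow", "deny" or None if nothing matched.

    Loose mode: an application or domain policy that meets an unidentified application
    or domain resolves to allow. Strict mode: that policy does not match and matching
    continues with the next policy in the list.
    """
    for p in policies:
        unidentified = (p.app != "*" and flow.app == UNKNOWN) or \
                       (p.domain != "*" and flow.domain == UNKNOWN)
        if unidentified:
            if not strict:
                return "allow"
            continue
        if p.domain in ("*", flow.domain) and p.app in ("*", flow.app):
            return p.action
    return None


def evaluate_outbound(flow, dns_policies, nat_policies, inet_policies, threat_intel,
                      snat_ip, strict=False):
    """Walk the stages in the order described above; returns (verdict, deciding stage)."""
    # 1. The DNS request for the name passes the DNS firewall.
    dns_flow = Flow(flow.src_ip, flow.dns_name, flow.dns_name, "DNS")
    if match_policies(dns_policies, dns_flow, strict) == "deny":
        return "deny", "DNS firewall"
    # 2. Private traffic from the ECS instance passes the NAT firewall.
    if match_policies(nat_policies, flow, strict) == "deny":
        return "deny", "NAT firewall"
    # 3. The NAT gateway translates the private source IP to the public SNAT address.
    public_flow = Flow(snat_ip, flow.dns_name, flow.domain, flow.app)
    # 4. Public traffic passes the internet firewall.
    if match_policies(inet_policies, public_flow, strict) == "deny":
        return "deny", "internet firewall"
    # 5. Threat intelligence / basic protection / virtual patching, modelled as a domain blocklist.
    if flow.dns_name in threat_intel:
        return "deny", "threat intelligence"
    return "allow", "reached domain"


# NAT firewall policy from the telnet question: HTTP/HTTPS to one domain, everything else denied.
NAT_POLICIES = [Policy("allow", "api.example", "HTTP"),
                Policy("allow", "api.example", "HTTPS"),
                Policy("deny")]
```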

Why is some transit router traffic bypassing the NAT firewall?

This issue typically occurs when a VPC connection from a transit router (TR) is associated with the dedicated vSwitch automatically created by the NAT firewall.

How it works:

A NAT firewall relies on specific route configurations to manage traffic. In a standard setup, the process is as follows:

  1. Service traffic redirection: The route table of the service vSwitch in your VPC directs internet-bound traffic to the NAT firewall as the next hop. This ensures all traffic undergoes security inspection first.

  2. Firewall traffic forwarding: After the NAT firewall inspects the traffic, the route table of its dedicated vSwitch forwards the traffic to the NAT gateway as the next hop, which then sends it to the internet.

Impact of incorrect configuration

If you bind the TR connection point to the NAT firewall's dedicated vSwitch, internet-bound traffic from the TR will enter this vSwitch directly. This traffic will match the route entry whose next hop is the NAT gateway, thereby bypassing the NAT firewall's security inspection. This leaves some traffic unmonitored.

Recommended configuration

To ensure all internet-bound traffic is processed by the NAT firewall, follow these best practices:

  • vSwitch isolation: The NAT firewall's dedicated vSwitch must not be used for other purposes, including as a connection point for a TR.

  • Independent planning: Allocate a separate, dedicated vSwitch for the TR's VPC connection.

  • Route verification: Confirm that all relevant route tables, including the one associated with the TR connection's vSwitch, are correctly configured to point internet-bound routes to the NAT firewall as the next hop.

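The three checks above can be turned into a routine audit of the route configuration a NAT firewall depends on. The following is an added example, not code from the Alibaba Cloud documentation or the product: it models a VPC's vSwitches, their route tables and the vSwitch a transit router (TR) connection is bound to, then verifies that every service vSwitch (the TR connection's included) sends 0.0.0.0/0 to the firewall ENI, that the firewall's dedicated vSwitch (route table Cloud_Firewall_ROUTE_TABLE, as named on this page) forwards to the NAT gateway, and that no TR connection is bound to that dedicated vSwitch. The vSwitch, ENI and gateway IDs are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    cidr: str
    next_hop_type: str   # "NetworkInterface" (the firewall ENI) or "NatGateway"
    next_hop_id: str


@dataclass(frozen=True)
class RouteTable:
    name: str
    routes: tuple


@dataclass(frozen=True)
class VSwitch:
    vsw_id: str
    route_table: RouteTable
    dedicated_to_firewall: bool = False   # the vSwitch the NAT firewall created for itself


def default_route(table):
    """The 0.0.0.0/0 entry of a route table, or None if there is none."""
    return next((r for r in table.routes if r.cidr == "0.0.0.0/0"), None)


def audit_nat_firewall_routing(vswitches, tr_connection_vsw_ids, firewall_eni_id, nat_gateway_id):
    """Return a list of findings; an empty list means every internet-bound path is inspected."""
    findings = []
    for vsw in vswitches:
        route = default_route(vsw.route_table)
        if vsw.dedicated_to_firewall:
            # The dedicated vSwitch forwards already-inspected traffic to the NAT gateway ...
            if route is None or route.next_hop_id != nat_gateway_id:
                findings.append(f"{vsw.vsw_id}: dedicated vSwitch must route 0.0.0.0/0 to NAT gateway {nat_gateway_id}")
            # ... so anything else attached to it skips inspection.
            if vsw.vsw_id in tr_connection_vsw_ids:
                findings.append(f"{vsw.vsw_id}: TR connection is bound to the firewall's dedicated vSwitch; "
                                "TR traffic bypasses the NAT firewall")
            continue
        # Every other vSwitch, the TR connection's included, must steer traffic to the firewall ENI.
        if route is None:
            findings.append(f"{vsw.vsw_id}: no 0.0.0.0/0 route; internet-bound traffic is not steered to the firewall")
        elif route.next_hop_id != firewall_eni_id:
            findings.append(f"{vsw.vsw_id}: 0.0.0.0/0 next hop is {route.next_hop_type} {route.next_hop_id}, "
                            f"expected firewall ENI {firewall_eni_id}")
    return findings


# Constructed IDs and a correctly configured VPC.
FW_ENI = "eni-fw-example"
NAT_GW = "ngw-example"
FW_TABLE = RouteTable("Cloud_Firewall_ROUTE_TABLE", (Route("0.0.0.0/0", "NatGateway", NAT_GW),))
SERVICE_TABLE = RouteTable("vpc-system-rt", (Route("0.0.0.0/0", "NetworkInterface", FW_ENI),))
GOOD = [VSwitch("vsw-service", SERVICE_TABLE),
        VSwitch("vsw-tr", SERVICE_TABLE),
        VSwitch("vsw-fw", FW_TABLE, dedicated_to_firewall=True)]
```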

How do I efficiently enable and configure Cloud Firewall internet boundary access control policies?

As cloud computing becomes essential for digital transformation, business architectures grow more complex and security perimeters blur. Enterprises can use Cloud Firewall to protect their cloud network perimeters. However, configuring access control policies can be complicated if you have a large number of public IP addresses.

Cloud Firewall provides intelligent policies that automatically analyze traffic from the last 30 days, as well as how your cloud IP assets and services are accessed and how they make outbound connections. Based on this analysis, it suggests appropriate access control policies for the internet firewall for each destination IP address or domain. This helps reduce your internet attack surface, block malicious internal-to-external IP addresses and domains, and lower the risk of service intrusion.

For information on how to deploy intelligent access control policies for the internet firewall, see Configure access control policies for the internet firewall.

VPC firewall for Enterprise TR: version differences

Cloud Firewall has adjusted some functions of the VPC firewall for Enterprise Edition transit routers. For firewalls created with automatic traffic redirection, the ownership of the firewall VPC has changed from your account to a managed service account. The main differences are as follows:

  1. Firewall VPC ownership: In the new version, the firewall VPC no longer belongs to your account but to a Cloud Firewall background account. You cannot view or modify the firewall VPC's resources and configurations. It also does not consume your regional VPC quota.

  2. Billing: In the old architecture, you were charged for traffic transfer fees between the transit router and your service VPC, and also between the transit router and the firewall VPC. In the new version, since the firewall VPC is owned by Cloud Firewall, the traffic transfer fees between the transit router and the firewall VPC are also covered by Cloud Firewall.

  3. Enabling the VPC firewall: When creating a VPC firewall, you no longer need to enter three vSwitch CIDR blocks. You only need to enter one CIDR block of at least /27 that does not conflict with your network plan. This CIDR block will be used to allocate the necessary vSwitches during firewall creation. To configure an Enterprise Edition VPC firewall, see Configure a VPC firewall for an Enterprise Edition transit router.


Enabling the new Enterprise TR VPC firewall

Important

Requirements: The new version supports only automatic traffic redirection. Your Cloud Firewall edition must be pay-as-you-go or a subscription edition with the pay-as-you-go for elastic traffic feature enabled.

  • If you have not created a VPC firewall: First, enable the burstable protected traffic feature (this step can be skipped for pay-as-you-go customers), and then create the VPC firewall.

    Warning

    You must follow this order strictly.

  • If you have already created a VPC firewall:

    • Delete the traffic redirection scenarios and the existing VPC firewall.

    • Enable the burstable protected traffic feature (this step can be skipped for pay-as-you-go customers).

    • Re-create the VPC firewall and the traffic redirection scenarios.

  • For specific steps on enabling the burstable protected traffic feature, see Pay-as-you-go for elastic traffic with a subscription.

Is there latency with a VPC firewall?

Yes.

A VPC firewall adds 4 to 8 ms of latency for traffic between different zones in the same region and 2 to 3 ms for traffic within the same zone.