
Cloud Firewall: Internet firewall

Last Updated:Nov 13, 2025

The Internet firewall provides fine-grained control over the inbound and outbound Internet traffic of your public assets. This helps reduce the Internet exposure of your public assets and lowers the security risks to your service traffic. You can enable the Internet firewall without changing your current network topology and protect your resources with a single click in seconds. This lets you quickly implement features such as visual analytics, attack prevention, access control, and log audits for inbound and outbound Internet traffic.

Features

How it works

After you enable the Internet firewall for your public assets, Cloud Firewall filters inbound and outbound traffic based on deep packet inspection (DPI) traffic analysis, intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies. The firewall determines whether the traffic meets the allow criteria and effectively blocks unauthorized access attempts. This ensures the security of traffic between your public assets and the Internet.

Scope of protected public assets (outbound and inbound): This includes public IPv4 and IPv6 assets such as ECS, EIP (including Layer 2 EIPs), Server Load Balancer (SLB), Bastionhost, NAT Gateway, HAVIP, and GA EIPs.

Asset types that can be protected:

IPv4

  • ALB EIP

  • Bastionhost outbound IP address

  • Bastionhost IP address

  • Bastionhost inbound IP address

  • EIP

  • ECS EIP

  • ECS public IP address

  • ENI EIP

  • GA EIP

    Note
    • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

    • The accelerated IP addresses must be of the EIP type.

    • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).

      To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

  • HAVIP

  • NAT EIP

  • NAT public IP address

  • NLB EIP

  • SLB EIP

  • SLB public IP address

IPv6

  • ALB IPv6

  • ECS IPv6

  • ENI EIP IPv6

  • GA EIP IPv6

    Note
    The same requirements apply as for GA EIP in the IPv4 list: the GA instance must be a standard GA instance, the accelerated IP addresses must be of the EIP type, and the acceleration region cannot be an Alibaba Cloud POP (check with the ListAvailableBusiRegions operation).

  • NLB IPv6

  • SLB IPv6

The following figure shows an example of a protection scenario for the Internet firewall.


Impact on services

You can create, enable, or disable the Internet firewall without changing your network topology. Protecting or unprotecting a resource takes effect in seconds with a single click and is designed not to interrupt your services. As a precaution, we recommend that you enable the Internet firewall during off-peak hours.

Protection specifications

Starting from October 15, 2025, Cloud Firewall provides Billing Method 2.0. New users use Billing Method 2.0 by default, and existing users continue to use Billing Method 1.0. The specifications for the Internet firewall differ between the two billing methods.

Billing Method 2.0

Protection specifications:

  • Number of firewall instances: The number of regions that can be protected. Each protected region corresponds to one Internet firewall instance.

  • Protected Internet Traffic: The peak of the total Internet traffic processed by the firewall. The billable bandwidth is the sum of the inbound and outbound Internet traffic bandwidth.

How the specifications are determined:

  • Cloud Firewall Subscription (Premium, Enterprise, and Ultimate Editions): Depends on the number of purchased instances and bandwidth. For more information about the number of instances and bandwidth provided by different editions, see Subscription 2.0. If the quota is insufficient, you can upgrade the specifications. For more information, see View the protection status of assets.

  • Cloud Firewall Pay-as-you-go: Billing is based on the actual number of firewall instances and the total traffic processed. The maximum supported peak bandwidth is 10 Gbps. If you need a higher specification, contact your business manager or architect. For more information about billing, see Pay-as-you-go.

Billing Method 1.0

Protection specifications:

  • Number of protectable public IP addresses: The number of public IP addresses for which the Internet firewall can be enabled.

  • Protected Internet Traffic: The peak total Internet traffic processed. The billable bandwidth is the higher of the inbound or outbound Internet traffic bandwidth.

How the specifications are determined:

  • Cloud Firewall Subscription (Premium, Enterprise, and Ultimate Editions): The quota depends on the number of protectable public IP addresses and the peak total traffic that you purchased. Different Cloud Firewall editions have different quotas for public IP addresses. For more information, see Subscription 1.0. If the quota is insufficient, you can upgrade the specifications.

    Note

    If your service traffic exceeds the purchased traffic processing capacity of Cloud Firewall, the product Service-level agreement (SLA) cannot be guaranteed. This may trigger protective measures, such as disabling security features (ACL, IPS, and log audit), shutting down the firewall for assets that exceed the traffic limit, or causing packet loss due to rate limiting.

    If your service traffic is at risk of exceeding the limit, see Pay-as-you-go for Elastic Traffic for Subscription.

  • Cloud Firewall Pay-as-you-go: Billing is based on the actual number of public IP addresses for which protection is enabled and the peak of the total traffic processed. There is no quota limit. For more information about billing, see Pay-as-you-go 1.0.

View the protection status of assets

Cloud Firewall collects statistics on the current number of Internet firewall instances and the number of unprotected public IP addresses. You can enable protection for public assets as required.

Note

To ensure the security of your service traffic, we recommend that you enable Internet firewall protection for all public assets in your Alibaba Cloud account.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, view the protection status of public assets in your Alibaba Cloud account.


  4. (Optional) If the number of Available Quotas is insufficient, click Upgrade to upgrade the specifications. For more information, see Subscription 2.0.

Enable the firewall

Enable protection for assets with one click

If Automatic Protection for New Assets is disabled, you can manually enable Internet firewall protection for your public assets.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab to manually enable protection for public assets.

    If an asset that you want to protect is not in the public asset list, click Synchronize Assets in the upper-right corner of the list. This action synchronizes the asset information of your Alibaba Cloud account and its member accounts. Asset synchronization takes one to two minutes.

    • Enable protection for a single asset

      In the public asset list, find the public asset that you want to protect. In the Actions column, click Enable Protection.


    • Enable protection for multiple assets in a batch

      In the public asset list, select the public assets that you want to protect. Below the list, click Enable Protection.

      You can also click Enable Protection in the data statistics area to enable Internet firewall protection for all public assets based on dimensions such as public IP address, region, and asset type.

Enable automatic protection for new assets

After you enable Automatic Protection for New Assets, Cloud Firewall automatically enables Internet firewall protection for new public assets that are added to your Alibaba Cloud account and its member accounts.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, click Automatic Protection for New Assets and select the public assets to which you want to apply this feature.


What to do next

After you create an Internet firewall, you can configure access control policies and view access logs for your public assets. This helps you better control traffic between your public assets and the Internet.

Configure access control policies

If you do not configure any access control policies, Cloud Firewall allows all traffic by default. Enabling protection therefore does not by itself restrict access to or from your public assets. Create access control policies for the Internet firewall to apply fine-grained control over traffic between your public assets and the Internet.

On the Firewall Settings > Internet Firewall page, find the target Internet firewall. In the Actions column, click Configure Policy. Then, select whether to configure an outbound or inbound access control policy for the public asset. For more information, see Configure access control policies for the Internet firewall.

Query audit logs

On the Log Monitoring > Log Audit page, go to the Traffic Logs > Internet Border tab. You can set filter conditions to view the access logs between your public assets and the Internet. For more information, see Log audit.

View network traffic analysis

  • On the Traffic Analysis > Outbound Connection page, you can view data about outbound connections from your service assets to the Internet. This includes data for outbound unusual traffic tracing, destination Internet addresses accessed by assets, outbound connections from public assets, and outbound connections from private network assets. This helps you identify suspicious assets and ensure service security. For more information, see Outbound connection.

  • On the Traffic Analysis > Internet Exposure page, you can view data about Internet access to your service assets. This includes data for inbound unusual traffic tracing, open public IP addresses of service assets, open ports, open applications, and the number of public IP addresses for cloud products. This helps you identify suspicious assets and ensure service security. For more information, see Internet Exposure.

View attack prevention data

On the Firewall Settings > Internet Firewall page, find the target Internet firewall. In the Actions column, click View Attacks. Then, select whether to view outbound or inbound attack prevention data for the public asset. For more information, see Intrusion prevention.

View Internet traffic processing status

In the navigation pane on the left, click Overview. On the Overview page, in the Asset Protection section, you can view the number of firewall instances, purchased bandwidth, and recent peak bandwidth.


More operations

Deploy default Allow policies for security groups

Note

The Internet firewall controls traffic at the Internet border, but the protected asset's own access controls, such as ECS security groups, still apply. Confirm that they allow the Internet traffic that you intend to pass to the protected public assets; otherwise, the traffic is blocked regardless of the Internet firewall's policies. For more information, see the official documentation for the corresponding public asset.

When you protect ECS assets, such as public IP addresses of ECS instances and ECS EIPs, you can deploy default Allow policies for traffic from the Internet in the Cloud Firewall console with a single click. This lets you centrally manage rules in Cloud Firewall without having to go to the ECS console to modify security group configurations.

How it works

Cloud Firewall adds four rules with priority 100, the lowest priority in ECS security groups, to the security groups associated with your ECS assets. These rules allow access to the ECS assets from the Internet, so that access control is then enforced by the Internet firewall rather than by the security group.

Because the deployed rules use the lowest priority, any existing rule with a higher priority (a smaller priority number) takes precedence over them. For rules with the same priority, ECS security groups match Deny rules first. Therefore, if you have already configured a Deny rule with a priority of 100, the Allow policy deployed by Cloud Firewall does not override your existing Deny rule.

Notes

  • The default Allow policies deployed with a single click take effect for all resources associated with the security group. Before you deploy the policies, enable Cloud Firewall protection for all resources associated with the security group and properly configure inbound access control policies for the Internet firewall. Otherwise, your assets may be exposed to the Internet.

    Do not deploy default Allow policies for resources for which Cloud Firewall is disabled. Also, do not disable Cloud Firewall protection for resources where traffic is already allowed.

  • After your Cloud Firewall service expires, the four Allow policies automatically added by Cloud Firewall are retained in the security group and remain in effect. If you no longer use the Cloud Firewall service, you must manually delete the four default Allow policies deployed by Cloud Firewall. For more information, see Delete security group rules.

Limits

  • The feature that deploys default Allow policies for security groups supports only inbound rules for public IP addresses of ECS instances and ECS EIPs.

  • Enterprise security groups do not support the deployment of default Allow policies.

Deploy Allow policies

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab.

  4. In the public asset list, find the ECS asset for which you want to deploy the default policy. In the Default Allow Policies column, click Apply.

  5. (Optional) If a rule in the current security group conflicts with the rule to be deployed, you must first adjust the policy.

    • Adjustable configuration conflict: A rule in the security group has the same priority as the rule to be deployed, but they have different protocol types, port ranges, or authorization objects.

      In the Default Allow Policies dialog box, click Quick Modify to resolve the conflict. This raises the priority of the original rule in the security group (it is given a priority number smaller than 100), so the original rule continues to take precedence over the deployed Allow policies.

    • Non-adjustable configuration conflict: A rule in the security group has the same priority, protocol type, port range, and authorization object as the rule to be deployed.

      We recommend that you go to the Security Group page in the ECS console to check and adjust the priorities of conflicting rules. For more information, see Modify security group rules. Alternatively, submit a ticket and contact a product technical expert for assistance.

  6. In the Actions column for the security group, click Quick Apply. Review the four Allow policies to be deployed, and then click OK.

    If an ECS instance is associated with multiple security groups, you must deploy Allow policies for all associated security groups for the default Allow policy of the ECS instance to take effect.


After the security group Allow policies are configured, you can go to the Firewall Settings > Internet Firewall page to view the deployment status of the default Allow policies for the security group. This helps you confirm whether the policies have been successfully deployed and promptly troubleshoot any deployment failures.

The security group policy deployment statuses include the following:

  • Applied: Default Allow policies have been deployed for all security groups associated with the ECS asset.

  • Not Applied: Default Allow policies have not been deployed for all or some of the security groups associated with the ECS asset, or there is a configuration conflict.

  • -: One-click deployment of default Allow policies is not supported for this asset type.
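The precedence rules described in this section (priority 100 is the lowest, Deny is matched before Allow at equal priority, and existing rules are classified as adjustable or non-adjustable conflicts) can be checked offline before you click Apply. The following Python script is an added example, not Cloud Firewall or ECS code: it models a security group's inbound matching, classifies each existing rule against the rules to be deployed, and emulates Quick Modify. The existing rules and the four candidate Allow rules are constructed placeholders (the real rules to be deployed are shown in the console when you click Quick Apply), and the Rule fields only loosely mirror the attributes of an ECS security group rule.

```python
"""Model how ECS security-group rules interact with the default Allow rules
that Cloud Firewall deploys.  Added example, not Cloud Firewall or ECS code.
All rules below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

LOWEST_PRIORITY = 100  # ECS basic security groups: 1 is the highest priority, 100 the lowest


@dataclass(frozen=True)
class Rule:
    priority: int      # 1..100
    policy: str        # "Accept" or "Drop"
    ip_protocol: str   # "TCP", "UDP", "ICMP", "GRE" or "ALL"
    port_range: str    # "lo/hi"; "-1/-1" means all ports
    source_cidr: str   # authorization object, an IPv4 CIDR


def rule_matches(rule, proto, port, src_ip):
    """True when protocol, port range and source CIDR all cover the packet."""
    if rule.ip_protocol not in ("ALL", proto):
        return False
    lo, hi = (int(p) for p in rule.port_range.split("/"))
    if lo != -1 and not lo <= port <= hi:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source_cidr, strict=False)


def decide(rules, proto, port, src_ip):
    """Verdict of one security group for an inbound packet.

    The matching rule with the smallest priority number wins.  Among rules of
    equal priority a Drop is matched before an Accept, which is why a
    priority-100 Allow added by Cloud Firewall never overrides an existing
    priority-100 Deny.  None means no rule matched (inbound is denied).
    """
    matched = [r for r in rules if rule_matches(r, proto, port, src_ip)]
    if not matched:
        return None
    best = min(r.priority for r in matched)
    tied = [r for r in matched if r.priority == best]
    return "Drop" if any(r.policy == "Drop" for r in tied) else "Accept"


def classify_conflict(existing, candidate):
    """Conflict class of an existing rule against a rule to be deployed.

    Same priority with identical protocol, port range and authorization object
    is "non-adjustable"; same priority with any of those differing is
    "adjustable" (Quick Modify resolves it by raising the existing rule's
    priority).  Different priority means no conflict.
    """
    if existing.priority != candidate.priority:
        return None
    key = lambda r: (r.ip_protocol, r.port_range, r.source_cidr)
    return "non-adjustable" if key(existing) == key(candidate) else "adjustable"


def plan_deployment(group_rules, candidates):
    """Map each candidate rule to the existing rules it conflicts with."""
    report = {}
    for cand in candidates:
        report[cand] = [(ex, classify_conflict(ex, cand)) for ex in group_rules
                        if classify_conflict(ex, cand)]
    return report


def quick_modify(group_rules, candidates):
    """Emulate Quick Modify: move adjustably conflicting rules from 100 to 99
    so the deployed Allow rules sit alone at priority 100.  Rules with a
    non-adjustable conflict are left as they are and returned in `blocked`."""
    adjusted, blocked = [], []
    for ex in group_rules:
        kinds = {classify_conflict(ex, c) for c in candidates} - {None}
        if "non-adjustable" in kinds:
            blocked.append(ex)
            adjusted.append(ex)
        elif "adjustable" in kinds:
            adjusted.append(Rule(ex.priority - 1, ex.policy, ex.ip_protocol,
                                 ex.port_range, ex.source_cidr))
        else:
            adjusted.append(ex)
    return adjusted, blocked


# Constructed stand-ins for the four Allow rules Cloud Firewall deploys; the
# real ones are shown in the console before you confirm the deployment.
CANDIDATE_ALLOW = [
    Rule(LOWEST_PRIORITY, "Accept", "TCP", "1/65535", "0.0.0.0/0"),
    Rule(LOWEST_PRIORITY, "Accept", "UDP", "1/65535", "0.0.0.0/0"),
    Rule(LOWEST_PRIORITY, "Accept", "ICMP", "-1/-1", "0.0.0.0/0"),
    Rule(LOWEST_PRIORITY, "Accept", "GRE", "-1/-1", "0.0.0.0/0"),
]

# Constructed rules of an existing security group.
EXISTING = [
    Rule(1, "Accept", "TCP", "443/443", "0.0.0.0/0"),      # no conflict
    Rule(100, "Drop", "TCP", "22/22", "0.0.0.0/0"),        # adjustable conflict
    Rule(100, "Accept", "UDP", "1/65535", "0.0.0.0/0"),    # non-adjustable conflict
]

if __name__ == "__main__":
    for cand, hits in plan_deployment(EXISTING, CANDIDATE_ALLOW).items():
        print(cand.ip_protocol, cand.port_range, "->", [(h.port_range, k) for h, k in hits])
    adjusted, blocked = quick_modify(EXISTING, CANDIDATE_ALLOW)
    print("still blocked after Quick Modify:", blocked)
    print("SSH from 203.0.113.9 after deployment:",
          decide(adjusted + CANDIDATE_ALLOW, "TCP", 22, "203.0.113.9"))
```

The model shows the two outcomes a practitioner should expect: after deployment, a port that no existing rule covers (8080 in the sample) becomes reachable and is then governed only by the Internet firewall's access control policies, while the existing priority-100 Deny on port 22 keeps winning both before and after Quick Modify. To run this against a real group, export its rules (for example from DescribeSecurityGroupAttribute) and build Rule objects from each rule's priority, policy, protocol, port range and source CIDR.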

Download the public asset list

You can download the asset information from the public asset list to your computer as a CSV file.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab.

  4. In the upper-right corner of the public asset list, click the download icon.

  5. In the upper-right corner of the Internet Firewall tab, click Download Task Management to view the download progress. After the task is complete, click Download in the Actions column.

Disable Internet firewall protection

Warning

After you disable Internet firewall protection for a public asset, Cloud Firewall can no longer control the traffic of that asset. This may expose the asset to risks such as malicious attacks and data breaches. Proceed with caution.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, click Firewall Settings.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab. In the public asset list, find the public asset for which you want to disable protection, and then click Disable Protection in the Actions column.