
Cloud Firewall: Internet firewall

Last Updated: Jun 21, 2026

The internet firewall provides fine-grained control over traffic between your public assets and the Internet, reducing their public exposure and mitigating security risks. Enabling the internet firewall does not require changes to your network topology. You can protect resources with a single click, and the protection takes effect in seconds. This allows you to quickly implement traffic visualization, attack prevention, access control, and log auditing for traffic to and from the Internet.

Features

How it works

After you enable the internet firewall for a public asset, Cloud Firewall filters all inbound and outbound traffic. It uses deep packet inspection (DPI) traffic analysis, intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies to determine whether to allow or block traffic, securing the connection between your public assets and the Internet.

The internet firewall protects inbound and outbound traffic for assets such as ECS, EIP (including Layer 2 EIPs), Server Load Balancer, Bastionhost, NAT Gateway, HaVip, and GA EIPs, for both IPv4 and IPv6.

The full list of supported asset types, by IP version:

IPv4

  • ALB EIP

  • Bastionhost outbound IP address

  • Bastionhost IP address

  • Bastionhost inbound IP address

  • EIP

  • ECS EIP

  • ECS public IP address

  • ENI EIP

  • GA EIP

    Note
    • The GA instance to which the accelerated IP belongs must be a Standard Instance.

    • The accelerated IP type must be Elastic IP Address.

    • The acceleration region of the accelerated IP must not be an Alibaba Cloud point of presence (POP).

      To check whether an acceleration region is an Alibaba Cloud POP, see ListAvailableBusiRegions.

  • HaVip

  • NAT EIP

  • NAT public IP address

  • NLB EIP

  • SLB EIP

  • SLB public IP address

  • AI gateway public IP address

  • API gateway public IP address

  • Simple Application Server public IP address

  • Wuying Workspace (Enterprise Edition) public IP address

IPv6

  • ALB IPv6

  • ECS IPv6

  • ENI EIP IPv6

  • GA EIP IPv6

    Note
    • The GA instance to which the accelerated IP belongs must be a Standard Instance.

    • The accelerated IP type must be Elastic IP Address.

    • The acceleration region of the accelerated IP must not be an Alibaba Cloud point of presence (POP).

      To check whether an acceleration region is an Alibaba Cloud POP, see ListAvailableBusiRegions.

  • NLB IPv6

  • SLB IPv6

  • AI gateway public IPv6 address

  • API gateway public IPv6 address


Impact on services

Creating, enabling, or disabling the internet firewall does not alter your network topology or interrupt your services. You can protect or unprotect resources with a single click in seconds. We recommend enabling the internet firewall during off-peak hours.

Protection specifications

Starting October 15, 2025, Cloud Firewall will introduce Billing method 2.0. New users will default to Billing method 2.0, while existing users will continue to use Billing method 1.0. The protection specifications for the internet firewall differ between the two billing methods.

Billing method 2.0

  • Number of firewall instances: The number of regions you can protect. Each protected region uses one firewall instance.

  • Public traffic processing capability: The maximum total Internet traffic processed by the firewall. Billing is based on the sum of inbound and outbound traffic bandwidth.

  • Subscription editions (applies to both specifications): Depends on the number of instances and bandwidth that you purchase. For details on the instances and bandwidth provided by different editions, see Subscription 2.0. If your quota is insufficient, you can upgrade your specifications. For more information, see Check asset protection status.

  • Pay-as-you-go edition (applies to both specifications): Billed based on the actual number of firewall instances and total processed traffic. The maximum supported peak bandwidth is 10 Gbps. For higher specifications, contact your business manager or architect. For detailed billing information, see Pay-as-you-go 2.0.

Billing method 1.0

  • Number of protectable public IP addresses: The number of public IP addresses you can protect with the internet firewall.

  • Public traffic processing capability: The maximum total Internet traffic processed. You are billed based on the higher of the inbound or outbound traffic bandwidth.

  • Subscription editions (applies to both specifications): Depends on the number of protectable public IP addresses that you purchase and the peak of total processed traffic. If your quota is insufficient, you can upgrade your specifications. Different Cloud Firewall editions have different public IP quota limits. For details, see Subscription 1.0.

    Note
    • If your traffic exceeds the purchased capacity, the Service Level Agreement (SLA) is not guaranteed. This can trigger service degradation, such as disabling security features (ACL, IPS, and log auditing), shutting down the firewall for high-traffic assets, or applying rate limiting and packet loss.

    • If you anticipate that your traffic may exceed the limit, we recommend using the post-paid elastic traffic feature for subscription instances. For more information, see Pay-as-you-go for elastic traffic on subscription.

  • Pay-as-you-go edition (applies to both specifications): Billed based on the actual number of protected public IP addresses and the peak of total processed traffic. No quota limits apply. For detailed billing information, see Pay-as-you-go 1.0.

Asset protection status

Cloud Firewall tracks the number of current firewall instances and unprotected public IP addresses. You can protect your public assets as needed.

Note

For maximum security, we recommend protecting all public assets in your Alibaba Cloud account with the internet firewall.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. On the Internet Firewall tab, view the protection status of your public assets.

    The Firewall Overview section on the left displays the Total Instances and Available Quotas. The Internet Border section on the right shows the number of internet firewall instances and Protected public IP addresses. You can click Enable All to enable protection for all assets, or click View Protection Details to see specific asset protection information.

  4. (Optional) If your Available Quotas are insufficient, click Upgrade to increase your capacity. For more information, see Subscription 2.0.

Enable the Internet firewall

Manual protection

If Automatic Protection for New Assets is disabled, you can manually protect your public assets.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab to manually enable protection for public assets.

    If a desired asset is not in the list, click Synchronize Assets in the upper-right corner of the list. This action syncs asset information from your Alibaba Cloud account and its member accounts. The synchronization may take 1 to 2 minutes.

    • Enable protection for a single asset: Find the asset in the list and click Enable Protection in the Actions column.

    • Enable protection for multiple assets: Select the checkboxes of the assets you want to protect, and then click Enable Protection below the list.

Automatic protection

After you enable Automatic Protection for New Assets, Cloud Firewall automatically protects any new public assets added to your Alibaba Cloud account or its member accounts.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. Enable the Automatic Protection for New Assets feature: On the Internet Firewall tab, turn on the switch next to Automatic Protection for New Assets.

  4. Select asset types for automatic protection: Click Automatic Protection for New Assets. In the configuration panel that appears, select the asset types and regions for automatic protection. After configuration, click Save to apply the changes.

    On the Internet Firewall tab, the Automatic Protection for New Assets and Synchronize Assets options are located in the upper-right area above the asset list. To manually sync the latest asset information, click Synchronize Assets.

Next steps

After creating an internet firewall, you can configure access control policies, view logs for public assets, and perform other actions to better manage traffic between your public assets and the Internet.

Configure access control policies

By default, Cloud Firewall allows all traffic if no access control policies are configured. You can create access control policies for the internet firewall to manage traffic between your public assets and the Internet with fine-grained control.

On the Firewall > Internet Firewall page, find the target Internet firewall and click Configure Policy in the Actions column to configure an outbound or inbound access control policy for the public asset. For more information, see Configure an access control policy for an Internet firewall.

Query audit logs

On the Detection & Response > Log Auditing page, on the Traffic Logs > Internet Boundary tab, set filter conditions to view access logs between public assets and the internet. For more information, see Log Auditing.

View traffic analysis

  • On the Traffic Analysis > Outbound Connection page, view traffic data for outbound connections from your business assets to the internet. The data includes the sources of abnormal outbound traffic, the destination internet addresses that your assets access, outbound connections from public assets, and outbound connections from private assets. This helps you investigate suspicious assets and ensure business security. For more information, see Outbound Connection.

  • On the Traffic Analysis > Internet Exposure page, you can view how your business assets are exposed to the internet. The page displays data such as the sources of anomalous inbound traffic, exposed public IP addresses, open ports, exposed applications, and the number of public IP addresses for your cloud products. This information helps you investigate suspicious assets and ensure the security of your business. For more information, see Internet Exposure.

View attack protection data

On the Firewall > Internet Firewall page, in the Actions column of the target Internet firewall, click View Attacks and choose whether to view the attack protection data for outbound or inbound traffic of the public asset. For more information, see Intrusion Prevention.

View public traffic processing status

In the left-side navigation pane, click Overview. On the Overview page, in the Asset Protection section, you can view the number of firewall instances, purchased traffic, and recent peak bandwidth.

More operations

Default security group policies

Note

The internet firewall protects traffic to and from the Internet. You must ensure that the protected public assets are configured to allow Internet traffic. For more information, refer to the official documentation for the corresponding public asset.

When protecting ECS assets (including ECS public IP addresses and ECS EIPs), you can apply default Allow policies for Internet traffic with a single click on the Cloud Firewall console. This lets you manage rules centrally through Cloud Firewall without modifying security group configurations in the ECS console.

How it works

Cloud Firewall adds four rules with the lowest priority (100) to the security groups associated with your ECS assets. These rules allow Internet access for the ECS assets.

For rules with the same priority, ECS security groups match Deny rules first. Therefore, if you have existing Deny rules with a priority of 100, the Allow policies applied by Cloud Firewall will not override them.

Usage notes

  • These one-click policies affect all resources within the associated security group. Before applying them, enable Cloud Firewall protection and configure proper inbound access control policies for all associated resources. Otherwise, you may expose your resources to the Internet.

    We advise against applying these policies to unprotected resources. Similarly, we advise against disabling Cloud Firewall protection for resources where these policies are already applied.

  • When your Cloud Firewall service expires, the four Allow policies added by Cloud Firewall remain active in the security group. If you no longer use the Cloud Firewall service, we recommend that you manually delete these four default Allow policies. For instructions, see Delete a security group rule.

Limitations

  • The feature to apply default Allow policies for security groups supports only inbound rules for ECS public IP addresses and ECS EIPs.

  • Applying default Allow policies is not supported for enterprise security groups.

Apply Allow policies

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab.

  4. In the public asset list, find the ECS asset for which you want to apply the default policy, and click Apply in the Default Allow Policies column.

  5. (Optional) If rules in the current security group conflict with the rules to be applied, you must adjust the policies first.

    • Adjustable conflict: Rules in the security group have the same priority as the rules to be applied, but the protocol type, port range, or authorization object is different.

      In the Default Allow Policies dialog box, click Quick Modify to resolve the conflict by increasing the priority of the existing security group rule.

    • Non-adjustable conflict: Rules in the security group have the same priority, protocol type, port range, and authorization object as the rules to be applied.

      We recommend that you go to the Security Group page in the ECS console to view and adjust the priority of the conflicting rules. For detailed instructions, see Modify a security group rule. Alternatively, you can submit a ticket to consult with our technical experts.

  6. In the Actions column for the security group, click Quick Apply. Review the four Allow policies to be applied, and then click OK.

    If an ECS instance uses multiple security groups, you must apply the policies to all of them for the change to take effect.

    The four policies to be applied all have a priority of 100, apply to the private network interface, and use the ALL protocol. The policies consist of three Deny rules for the source addresses 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, and one Allow rule for the source address 0.0.0.0/0.
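As an added illustration (not code from this page or from Alibaba Cloud), the following Python models the two behaviours described above: the ECS matching order for the four applied rules (lowest priority 100, Deny matched before Allow at the same priority, so an existing priority-100 Deny keeps winning) and the adjustable versus non-adjustable conflict classification from step 5. The rule fields, the implicit deny when nothing matches, and the assumption that Quick Modify raises an adjustable-conflicting rule from priority 100 to 99 are simplifications of my own, not the service's real implementation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SgRule:
    """Simplified ECS security group rule (constructed model, not the real API)."""
    priority: int        # 1 is the highest priority, 100 the lowest
    action: str          # "Allow" or "Deny"
    protocol: str        # "ALL", "TCP", "UDP" or "ICMP"
    port_range: str      # "lo/hi"; "-1/-1" means all ports
    source: str          # authorization object, a CIDR block
    direction: str = "inbound"


# The four rules the page says Cloud Firewall applies: three Deny rules for the
# private ranges and one Allow for 0.0.0.0/0, all priority 100, protocol ALL.
DEFAULT_ALLOW_POLICIES = [
    SgRule(100, "Deny", "ALL", "-1/-1", "192.168.0.0/16"),
    SgRule(100, "Deny", "ALL", "-1/-1", "172.16.0.0/12"),
    SgRule(100, "Deny", "ALL", "-1/-1", "10.0.0.0/8"),
    SgRule(100, "Allow", "ALL", "-1/-1", "0.0.0.0/0"),
]


def _port_matches(port_range: str, port: int) -> bool:
    lo, hi = (int(x) for x in port_range.split("/"))
    return (lo == -1 and hi == -1) or lo <= port <= hi


def _matches(rule: SgRule, src_ip: str, protocol: str, port: int) -> bool:
    if rule.protocol != "ALL" and rule.protocol != protocol:
        return False
    if not _port_matches(rule.port_range, port):
        return False
    return ip_address(src_ip) in ip_network(rule.source, strict=False)


def evaluate_inbound(rules, src_ip: str, protocol: str, port: int) -> str:
    """Model of the ECS matching order: lower priority number first and, within
    the same priority, Deny before Allow (as the page states); the first match
    wins. No match means an implicit Deny (assumption: basic security group)."""
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))
    for rule in ordered:
        if rule.direction == "inbound" and _matches(rule, src_ip, protocol, port):
            return rule.action
    return "Deny"


_SEVERITY = {None: 0, "adjustable": 1, "non-adjustable": 2}


def classify_conflict(existing: SgRule, new: SgRule):
    """The page's definitions: same priority with a different protocol, port
    range or authorization object is an adjustable conflict; all of them equal
    is a non-adjustable conflict; a different priority is no conflict."""
    if existing.direction != new.direction or existing.priority != new.priority:
        return None
    identical = (existing.protocol == new.protocol
                 and existing.port_range == new.port_range
                 and existing.source == new.source)
    return "non-adjustable" if identical else "adjustable"


def classify_rule(existing: SgRule, policies=DEFAULT_ALLOW_POLICIES):
    """Worst conflict kind of one existing rule against all policies to apply."""
    worst = None
    for policy in policies:
        kind = classify_conflict(existing, policy)
        if _SEVERITY[kind] > _SEVERITY[worst]:
            worst = kind
    return worst


def quick_modify(security_group, policies=DEFAULT_ALLOW_POLICIES):
    """Model of Quick Modify (assumption: an adjustable rule is raised one level,
    priority 100 -> 99, so it keeps precedence over the applied policies).
    Returns (adjusted_rules, rules_that_need_manual_handling)."""
    adjusted, manual = [], []
    for rule in security_group:
        kind = classify_rule(rule, policies)
        if kind == "adjustable":
            adjusted.append(replace(rule, priority=rule.priority - 1))
        else:
            adjusted.append(rule)
            if kind == "non-adjustable":
                manual.append(rule)
    return adjusted, manual


if __name__ == "__main__":
    # Constructed group: the operator already denies SSH from anywhere at
    # priority 100, which the page says the applied Allow will not override.
    group = [SgRule(100, "Deny", "TCP", "22/22", "0.0.0.0/0")]
    print(classify_rule(group[0]))                              # adjustable
    adjusted, manual = quick_modify(group)
    merged = adjusted + DEFAULT_ALLOW_POLICIES
    print(evaluate_inbound(merged, "203.0.113.5", "TCP", 22))   # Deny
    print(evaluate_inbound(merged, "203.0.113.5", "TCP", 443))  # Allow
    print(evaluate_inbound(merged, "10.1.2.3", "TCP", 443))     # Deny
```

The point to take from the model is the one the page makes about ordering: because Deny is matched before Allow at equal priority, the operator's own priority-100 Deny still blocks SSH after the four rules land, and Quick Modify only moves it to a higher priority so the outcome does not change. The preflight step is worth running against every security group an instance uses, since the page notes that the policy takes effect only once all of them carry the rules.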

After you apply the security group Allow rules, check the application status of the default security group Allow policy on the Firewall > Internet Firewall page to confirm that the policy was applied successfully and to troubleshoot any failures promptly.

Possible application statuses are:

  • Applied: The default Allow policies have been applied to all security groups associated with the ECS asset.

  • Not Applied: The default Allow policies have not been applied to one or more of the associated security groups, or a configuration conflict exists.

  • -: One-click application of default Allow policies is not supported for this asset type.

Public asset list

You can download the public asset list as a CSV file.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab.

  4. In the upper-right corner of the public asset list, click the download icon.

  5. In the upper-right corner of the Internet Firewall tab, click Download Task Management to check the download progress. After the task is complete, click Download in the Actions column.

Disable Internet firewall protection

Warning

Disabling internet firewall protection stops Cloud Firewall from managing an asset's traffic, which may expose it to risks such as malicious attacks and data breaches. Proceed with caution.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall.

  3. On the Internet Firewall tab, click the IPv4 or IPv6 tab. In the public asset list, find the asset that you want to unprotect and click Disable Protection in the Actions column.