The internet firewall provides fine-grained control over traffic between your public assets and the Internet, reducing their public exposure and mitigating security risks. Enabling the internet firewall does not require changes to your network topology. You can protect resources with a single click, and the protection takes effect in seconds. This allows you to quickly implement traffic visualization, attack prevention, access control, and log auditing for traffic to and from the Internet.
Features
How it works
After you enable the internet firewall for a public asset, Cloud Firewall filters all inbound and outbound traffic. It uses deep packet inspection (DPI) traffic analysis, intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies to determine whether to allow or block traffic, securing the connection between your public assets and the Internet.
The internet firewall protects inbound and outbound traffic for assets such as ECS, EIP (including Layer 2 EIPs), Server Load Balancer, Bastionhost, NAT Gateway, HaVip, and GA EIPs, for both IPv4 and IPv6.
Impact on services
Creating, enabling, or disabling the internet firewall does not alter your network topology or interrupt your services. You can protect or unprotect resources with a single click in seconds. We recommend enabling the internet firewall during off-peak hours.
Protection specifications
Starting October 15, 2025, Cloud Firewall will introduce Billing method 2.0. New users will default to Billing method 2.0, while existing users will continue to use Billing method 1.0. The protection specifications for the internet firewall differ between the two billing methods.
Billing method 2.0
| Specification | Description | Subscription editions | Pay-as-you-go edition |
| --- | --- | --- | --- |
| Number of firewall instances | The number of regions you can protect. Each protected region uses one firewall instance. | Depends on the number of instances and bandwidth that you purchase. For details on the instances and bandwidth provided by different editions, see Subscription 2.0. If your quota is insufficient, you can upgrade your specifications. For more information, see Check asset protection status. | Billed based on the actual number of firewall instances and total processed traffic. The maximum supported peak bandwidth is 10 Gbps. For higher specifications, contact your business manager or architect. For detailed billing information, see Pay-as-you-go 2.0. |
| Public traffic processing capability | The maximum total Internet traffic processed by the firewall. Billing is based on the sum of inbound and outbound traffic bandwidth. | (same as above) | (same as above) |
Billing method 1.0
| Specification | Description | Subscription editions | Pay-as-you-go edition |
| --- | --- | --- | --- |
| Number of protectable public IP addresses | The number of public IP addresses you can protect with the internet firewall. | Depends on the number of protectable public IP addresses that you purchase and the peak of total processed traffic. If your quota is insufficient, you can upgrade your specifications. Different Cloud Firewall editions have different public IP quota limits. For details, see Subscription 1.0. Note: If your traffic exceeds the purchased capacity, the Service Level Agreement (SLA) is not guaranteed. This can trigger service degradation, such as disabling security features (ACL, IPS, and log auditing), shutting down the firewall for high-traffic assets, or applying rate limiting and packet loss. If you anticipate that your traffic may exceed the limit, we recommend using the post-paid elastic traffic feature for subscription instances. For more information, see Pay-as-you-go for elastic traffic on subscription. | Billed based on the actual number of protected public IP addresses and the peak of total processed traffic. No quota limits apply. For detailed billing information, see Pay-as-you-go 1.0. |
| Public traffic processing capability | The maximum total Internet traffic processed. You are billed based on the higher of the inbound or outbound traffic bandwidth. | (same as above) | (same as above) |
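As an added example (not part of this documentation or the product), the following Python sizing check implements the two quota rules from the tables above: Billing method 2.0 counts the sum of inbound and outbound bandwidth, Billing method 1.0 the higher of the two. The bandwidth samples and the purchased capacity are constructed values.

```python
from typing import Dict, List, Optional, Tuple

PAYG_2_0_MAX_PEAK_MBPS = 10 * 1000  # Pay-as-you-go 2.0 supports a peak of at most 10 Gbps
Sample = Tuple[float, float]  # (inbound Mbps, outbound Mbps) for one measurement interval


def billed_bandwidth(method: str, inbound_mbps: float, outbound_mbps: float) -> float:
    """Bandwidth that counts against the traffic quota: 2.0 bills the sum of both
    directions, 1.0 bills the higher of the two."""
    if method == "2.0":
        return inbound_mbps + outbound_mbps
    if method == "1.0":
        return max(inbound_mbps, outbound_mbps)
    raise ValueError(f"unknown billing method: {method}")


def peak_billed_bandwidth(method: str, samples: List[Sample]) -> float:
    """Peak billed bandwidth over a series of samples."""
    return max(billed_bandwidth(method, inb, outb) for inb, outb in samples)


def capacity_check(method: str, edition: str, samples: List[Sample],
                   purchased_mbps: Optional[float] = None) -> Dict[str, object]:
    """Compare the observed peak with the capacity of the chosen edition.

    edition is "subscription" (needs purchased_mbps) or "payg". Exceeding a
    subscription quota is outside the SLA and can trigger degradation; pay-as-you-go
    2.0 tops out at 10 Gbps; pay-as-you-go 1.0 has no quota limit.
    """
    peak = peak_billed_bandwidth(method, samples)
    if edition == "subscription":
        if purchased_mbps is None:
            raise ValueError("subscription editions need the purchased capacity")
        limit: Optional[float] = purchased_mbps
        advice = ("enable post-paid elastic traffic or upgrade the specification"
                  if method == "1.0" else "upgrade the specification")
    elif edition == "payg":
        limit = PAYG_2_0_MAX_PEAK_MBPS if method == "2.0" else None
        advice = "contact your business manager or architect for a higher specification"
    else:
        raise ValueError(f"unknown edition: {edition}")
    exceeded = limit is not None and peak > limit
    return {"peak_mbps": peak, "limit_mbps": limit, "exceeded": exceeded,
            "advice": advice if exceeded else "within capacity"}


# Constructed sample data: three measurement intervals in Mbps.
SAMPLES: List[Sample] = [(300, 800), (1200, 900), (600, 400)]

if __name__ == "__main__":
    for method in ("1.0", "2.0"):  # same traffic, different billed peak per method
        print(method, capacity_check(method, "subscription", SAMPLES, purchased_mbps=2000))
```

The same 2 Gbps subscription is sufficient under Billing method 1.0 but exceeded under 2.0 for this sample, which is the practical difference between the two quota rules.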
Asset protection status
Enable the Internet firewall
Manual protection
If Automatic Protection for New Assets is disabled, you can manually protect your public assets.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, click Firewall.
- On the Internet Firewall tab, click the IPv4 or IPv6 tab to manually enable protection for public assets.
  If a desired asset is not in the list, click Synchronize Assets in the upper-right corner of the list. This action syncs asset information from your Alibaba Cloud account and its member accounts. The synchronization may take 1 to 2 minutes.
  - Enable protection for a single asset: Find the asset in the list and click Enable Protection in the Actions column.
  - Enable protection for multiple assets: Select the checkboxes of the assets you want to protect, and then click Enable Protection below the list.
Automatic protection
After you enable Automatic Protection for New Assets, Cloud Firewall automatically protects any new public assets added to your Alibaba Cloud account or its member accounts.
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, click Firewall.
- Enable the Automatic Protection for New Assets feature: On the Internet Firewall tab, turn on the switch next to Automatic Protection for New Assets.
- Select asset types for automatic protection: Click Automatic Protection for New Assets. In the configuration panel that appears, select the asset types and regions for automatic protection. After configuration, click Save to apply the changes.
On the Internet Firewall tab, the Automatic Protection for New Assets and Synchronize Assets options are located in the upper-right area above the asset list. To manually sync the latest asset information, click Synchronize Assets.
Next steps
After creating an internet firewall, you can configure access control policies, view logs for public assets, and perform other actions to better manage traffic between your public assets and the Internet.
Configure access control policies
If no access control policies are configured, Cloud Firewall allows all traffic by default. Create access control policies for the internet firewall to control traffic between your public assets and the Internet at a fine-grained level.
On the page, find the target Internet firewall and click Configure Policy in the Actions column to configure an outbound or inbound access control policy for the public asset. For more information, see Configure an access control policy for an Internet firewall.
Query audit logs
On the page, on the tab, set filter conditions to view access logs between public assets and the internet. For more information, see Log Auditing.
View traffic analysis
- On the page, view traffic data for outbound connections from your business assets to the internet. The data includes the sources of abnormal outbound traffic, the destination internet addresses that your assets access, outbound connections from public assets, and outbound connections from private assets. This helps you investigate suspicious assets and ensure business security. For more information, see Outbound Connection.
- On the page, you can view how your business assets are exposed to the internet. The page displays data such as the sources of anomalous inbound traffic, exposed public IP addresses, open ports, exposed applications, and the number of public IP addresses for your cloud products. This information helps you investigate suspicious assets and ensure the security of your business. For more information, see Internet Exposure.
View attack protection data
On the page, in the Actions column of the target Internet firewall, click View Attacks and select to view the attack protection data for outbound or inbound traffic of public assets. For more information, see Intrusion Prevention.
View public traffic processing status
In the left-side navigation pane, click Overview. On the Overview page, in the Asset Protection section, you can view the number of firewall instances, purchased traffic, and recent peak bandwidth.