When enterprises run workloads across many Alibaba Cloud accounts, managing firewall protection separately for each account creates gaps in visibility and inconsistent policy enforcement. Cloud Firewall's multi-account management feature consolidates protection across all accounts into a single view. From one console, you can apply traffic redirection and protection, policy configuration, traffic analysis, intrusion prevention, attack prevention, breach awareness, log audit, and log analysis across all member accounts.
Account types
Cloud Firewall multi-account management is built on Alibaba Cloud Resource Directory. Three account types have distinct roles:
| Account type | Role in Resource Directory | Role in Cloud Firewall |
|---|---|---|
| Management account | Invites accounts to join the resource directory; manages all enterprise assets | Manages all assets protected by Cloud Firewall |
| Delegated administrator account | Specified by the management account; can manage all assets of the enterprise, access the resource directory structure and members, and manage business within the resource directory | Manages all assets protected by Cloud Firewall |
| Member | Joined the resource directory at the management account's invitation; manages only its own assets | Cannot purchase Cloud Firewall |
The delegated administrator account separates organization management from business management. The management account handles organization-level tasks; the delegated administrator account handles Cloud Firewall operations across the resource directory.
Limitations
Multi-account management covers Internet firewalls, VPC firewalls, NAT firewalls, and assets protected by secure forward proxies.
Member accounts added for centralized management cannot purchase Cloud Firewall. Their asset traffic is managed centrally.
For quota details by edition, see Subscription.
Prerequisites
Before you begin, ensure that you have:
Cloud Firewall Premium Edition, Enterprise Edition, or Ultimate Edition — or Cloud Firewall with pay-as-you-go billing