Cloud Firewall is a cloud security solution that provides firewalls as a service. It manages both north-south and east-west traffic and provides features such as traffic monitoring, precise access control, and real-time intrusion prevention to deliver protection at the network boundaries. This topic describes Cloud Firewall features and the Cloud Firewall editions that support the features.
Cloud Firewall features
The following table describes Cloud Firewall features and the Cloud Firewall editions that support the features. For more information about the subscription billing method of Cloud Firewall, see Billing.
- Cross (×): The feature is not supported by the edition.
- Tick (√): The feature is supported by the edition.
| Scenario | Feature | Description | Free Edition | Premium Edition | Enterprise Edition | Ultimate Edition | Pay-as-you-go Edition | References |
|---|---|---|---|---|---|---|---|---|
| Access traffic analysis and attack detection of on-cloud networks | Overview | Provides an overview of the defense features that are enabled and disabled, and shows statistics on access traffic and detected security risks from the last seven days. | × | √ | √ | √ | √ | Overview |
| Access control | Internet Firewall | Supports domain name-based access control to strictly control the traffic of outbound connections, and supports two-way access control over north-south IPv4 traffic. | × | √ | √ | √ | × | Create access control policies for outbound and inbound traffic on the Internet firewall |
| | VPC Firewall | Controls traffic between virtual private clouds (VPCs). | × | × | √ | √ | × | Create an access control policy for a VPC firewall |
| | Internal Firewall | Controls east-west traffic among your Elastic Compute Service (ECS) instances on an internal network. | × | × | √ | √ | × | Access control on an internal firewall between ECS instances |
| | Policy Assistant | Checks for ECS security group rules whose risk level is High and provides suggestions to modify the rules. This allows you to use security groups in a more secure and efficient manner. | √ | √ | √ | √ | × | Check security group rules |
| Network traffic analysis | Outbound Connections | Monitors outbound connections of cloud assets in real time. | × | √ | √ | √ | × | Outbound connections |
| | Internet Access | Collects and analyzes the statistics on access traffic of on-cloud networks. | × | √ | √ | √ | × | Internet access |
| | VPC Access | Monitors the traffic between VPCs in real time, which allows you to dynamically obtain the VPC traffic data and identify and handle suspicious traffic at the earliest opportunity. | × | × | √ | √ | × | VPC access |
| | All Access Activities | Allows you to query traffic that passes through Cloud Firewall based on conditions. | × | √ | √ | √ | × | All access activities |
| Attack prevention | Vulnerability Prevention | Detects vulnerabilities that can be exploited by attacks in real time and defends against these vulnerabilities. | × | √ | √ | √ | √ | Vulnerability protection |
| | Breach Awareness | Provides the details about intrusion events that are detected by the intrusion prevention system (IPS) and the solutions to handle the intrusion events. | × | √ | √ | √ | √ | Breach awareness |
| | Intrusion Prevention | Provides the details about protection for traffic between VPCs, inbound Internet traffic, and outbound Internet traffic. | × | √ | √ | √ | √ | Intrusion prevention |
| | Prevention Configuration | Provides the built-in threat detection engine that delivers the following capabilities: Notice: Cloud Firewall Pay-as-you-go Edition does not provide the details about existing intrusion prevention rules or support the creation of custom intrusion prevention rules. | × | √ | √ | √ | √ | Prevention configuration |
| Log management | Log Audit | Provides log audit and behavior backtracking. | × | √ | √ | √ | × | Log audit |
| | Log Analysis | Automatically collects, stores, and analyzes both inbound and outbound traffic logs in real time, and supports real-time monitoring and alerting based on specific metrics. This ensures timely responses if exceptions occur in critical business. The log storage duration ranges from 7 to 365 days. | × | √ | √ | √ | × | Enable the log analysis feature |
| Common tools for network traffic detection | Toolbox | Allows you to back up and roll back access control policies of the Internet firewall and VPC firewalls. | × | × | √ | √ | × | Back up and roll back an access control policy |
| | | Supports the packet capture feature, which helps you troubleshoot network failures and analyze attacks. | × | × | √ | √ | × | Create a packet capture task |
| | | Supports the strict mode of the Internet firewall. After the strict mode is enabled, the Internet firewall blocks traffic that meets both of the following conditions: the traffic matches an access control policy, and the application type of the traffic is identified as Unknown. | × | × | √ | √ | × | Strict mode of the Internet firewall |
| | | Checks whether the requirements of classified protection are met. | √ | √ | √ | √ | × | None |
| Business visualization | Custom Groups | Allows you to create custom groups to build relationships between the applications of your cloud assets and application groups or business groups. | × | √ | √ | √ | × | Create application groups and business groups |
| Centralized account management | Central Account Management | Allows you to add Alibaba Cloud accounts as members, which helps you manage the resources of the accounts in a centralized manner. | × | × | × | √ | × | Use centralized account management |