
Cloud Firewall: What is Cloud Firewall?

Last Updated:Jun 20, 2025

Alibaba Cloud Cloud Firewall is a cloud security solution that provides firewalls as a service. It implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall serves as the first line of defense to protect your workloads in Alibaba Cloud.

Positioning of Cloud Firewall

[Figure: Positioning of Cloud Firewall]

Features

Internet firewall

Supports fine-grained control of inbound and outbound traffic between Internet-facing assets and the Internet, reducing exposure risks of public assets. The built-in threat defense module supports compromised host detection, outbound connection blocking, and access relationship visualization. It uses cluster deployment, requires no complex configuration, supports one-click protection enabling, and allows performance scaling.

NAT firewall

When VPC resources access the Internet through NAT gateways, they may face security risks such as unauthorized access, data leaks, and malicious traffic attacks. Enabling NAT firewalls can block unauthorized traffic.

VPC firewall

Monitors and controls east-west traffic between VPCs or between a VPC and a data center that are connected by using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.

Internal firewall

Supports managing Elastic Compute Service (ECS) security groups and controlling traffic for ECS instances in VPCs. Access control policies are automatically synchronized to ECS security groups. Supports security group compliance checks and micro-segmentation visualization.

Protection scope

The following sections describe each protection scope of Cloud Firewall, together with a description and, where available, references.

Cloud assets and traffic

Cloud Firewall can protect the following cloud assets or traffic:

  • Internet firewall (north-south): IPv4 and IPv6 addresses of assets such as Elastic Compute Service (ECS) instances, load balancer assets, and bastion hosts, elastic IP addresses (EIPs), EIPs of NAT gateways, EIPs of Global Accelerator (GA) instances, and EIPs associated with high-availability virtual IP addresses (HAVIPs).

    Supported asset types

    IPv4:

    • EIPs of Application Load Balancer (ALB) instances

    • Egress IP addresses of bastion hosts

    • IP addresses of bastion hosts

    • Ingress IP addresses of bastion hosts

    • EIPs

    • EIPs of ECS instances

    • Public IP addresses of ECS instances

    • EIPs of elastic network interfaces (ENIs)

    • EIPs of GA instances (see the note below)

    • HAVIPs

    • EIPs of NAT gateways

    • Public IP addresses of NAT gateways

    • EIPs of Network Load Balancer (NLB) instances

    • EIPs of Server Load Balancer (SLB) instances

    • Public IP addresses of SLB instances

    IPv6:

    • IPv6 addresses of ALB instances

    • IPv6 addresses of ECS instances

    • IPv6 EIPs of ENIs

    • IPv6 EIPs of GA instances (see the note below)

    • IPv6 addresses of NLB instances

    • IPv6 addresses of SLB instances

    Note: The following requirements apply to both EIPs and IPv6 EIPs of GA instances:

      • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

      • The accelerated IP addresses must be of the EIP type.

      • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP). To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

  • NAT firewall: traffic from an internal network to the Internet.

  • VPC firewall (east-west):

    • VPC firewall created for an Enterprise Edition transit router

      • Traffic between VPCs in the same region

      • Traffic between VPCs that are connected by using an Enterprise Edition transit router and reside in different regions

      • Traffic between a VPC and a VBR, that is, traffic between a VPC and a data center

      • Traffic between a VPC and a CCN instance

      • Traffic between VBRs

      • Traffic between a VBR and a CCN instance

    • VPC firewall created for a Basic Edition transit router

      • Traffic between VPCs in the same region

      • Traffic between VPCs that are connected by using a Basic Edition transit router and reside in different regions

      • Traffic between a VPC and a VBR, that is, traffic between a VPC and a data center

      • Traffic between a VPC and a CCN instance

    • VPC firewall created for an Express Connect circuit

      • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

      • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region

  • Internal firewall: inbound and outbound traffic between ECS instances.

Note

Because of a legacy network architecture, Cloud Firewall cannot redirect traffic for a small number of Internet-facing SLB instances. We recommend that you associate EIPs with the internal-facing SLB instances so that their traffic is redirected to Cloud Firewall for protection.

Cloud network type

  • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

  • Classic network: The Internet firewall and intrusion prevention system (IPS) features support the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.


Supported regions

For the regions in which Cloud Firewall is available, see Supported regions.

Editions

Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. The following table describes the differences among the editions. For more information about the protection capabilities supported by different editions of Cloud Firewall, see Features.

Free Edition

Cloud Firewall Free Edition provides basic security check capabilities. You can use features such as security group check, classified protection compliance check, and asset exception notification.

If your Alibaba Cloud account has cloud assets that can be protected, you can use Cloud Firewall Free Edition to protect the assets without purchasing Cloud Firewall.

Cloud Firewall that uses the pay-as-you-go billing method

Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall.

Billing method: pay-as-you-go. The pay-as-you-go billing method flexibly adapts to business requirements and is suitable for scenarios in which your resource usage frequently fluctuates and your business has temporary or burst requirements on resources.

Premium Edition

Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and protection for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification.

Billing method: subscription. Compared with the pay-as-you-go billing method, the subscription billing method allows you to reserve resources and reduce costs at discounted rates. The subscription billing method is suitable for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time.

Enterprise Edition

Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification.

Cloud Firewall Enterprise Edition offers all capabilities provided by Cloud Firewall Premium Edition. Cloud Firewall Enterprise Edition also provides value-added services such as visualization, network security defense across VPCs, and centralized management of security groups.

Ultimate Edition

Cloud Firewall Ultimate Edition offers all capabilities provided by Cloud Firewall Enterprise Edition. Compared with Cloud Firewall Enterprise Edition, Cloud Firewall Ultimate Edition provides more powerful protection capabilities.

Free trial

The first time you purchase Cloud Firewall, you can apply for a free trial of Cloud Firewall that uses the pay-as-you-go billing method.

Compliance

Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR), and Payment Card Industry (PCI) Data Security Standards (DSS).

Contact us

If you have questions about purchasing or trying Cloud Firewall, you can submit a ticket to contact technical experts.
