Cloud Firewall is a managed firewall service that provides centralized traffic control and security isolation for your Alibaba Cloud workloads. It protects your assets across three traffic boundaries — Internet, virtual private cloud (VPC), and host — without hardware deployment or complex configuration.
Use cases
- Control inbound and outbound Internet traffic — Apply fine-grained access control policies to Internet-facing assets and block threats before they reach your workloads.
- Secure east-west traffic between VPCs — Monitor and control traffic between VPCs, between VPCs and on-premises data centers, and across cloud network topologies.
- Protect private networks accessing the Internet through NAT gateways — Block unauthorized outbound traffic before it leaves your cloud environment.
- Manage ECS security groups centrally — Sync access control policies to Elastic Compute Service (ECS) security groups automatically and enforce micro-segmentation across your instances.
- Detect threats and visualize access relationships — Identify compromised hosts, block unauthorized outbound connections, and map traffic flows across your cloud assets.
- Enable protection with one click — Cloud Firewall uses cluster deployment and scales automatically. No infrastructure provisioning is required.
Positioning of Cloud Firewall
Firewall types
Cloud Firewall provides four firewall types, each protecting a distinct segment of your traffic perimeter.
Internet firewall
Controls inbound and outbound north-south traffic between your Internet-facing assets and the Internet. The built-in threat defense module provides compromised host detection, outbound connection blocking, and access relationship visualization. Enable protection in one click — Cloud Firewall deploys as a cluster and scales automatically.
NAT firewall
Protects VPC resources that access the Internet through NAT gateways. Blocks unauthorized access, data leaks, and malicious traffic attacks before they affect your private network.
VPC firewall
Monitors and controls east-west traffic across your cloud network topology. The supported traffic flows depend on your connectivity type:
Enterprise Edition transit router:
- Traffic between VPCs in the same or different regions
- Traffic between a VPC and a virtual border router (VBR), representing on-premises data center connectivity
- Traffic between a VPC and a Cloud Connect Network (CCN) instance
- Traffic between multiple VBRs, or between a CCN instance and a VBR

Basic Edition transit router:
- Traffic between VPCs in the same or different regions
- Traffic between a VPC and a VBR
- Traffic between a VPC and a CCN instance

Express Connect circuit:
- Traffic between VPCs in the same region that belong to the same account, connected via an Express Connect circuit in VPC mode
- Traffic between VPCs in the same region connected using a VPC peering connection
ECS firewall
Manages ECS security groups and controls inbound and outbound traffic for ECS instances in VPCs. Access control policies are automatically synchronized to ECS security groups. Supports security group compliance checks and micro-segmentation visualization.
Protection scope
| Protection scope | Description | References |
|---|---|---|
| Cloud assets and traffic: Internet firewall (north-south) | Protects IPv4 and IPv6 assets, including ECS, Elastic IP Address (EIP) (including Layer 2 EIP), load balancing, Bastionhost, NAT, HAVIP, and GA EIP. IPv4 assets: ALB EIP, Bastionhost outbound IP address, Bastionhost IP address, Bastionhost inbound IP address, EIP, ECS EIP, ECS public IP address, elastic network interface (ENI) EIP, GA EIP (standard GA instance only; EIP type only; non-POP acceleration region only; call ListAvailableBusiRegions to verify), HAVIP, NAT EIP, NAT public IP address, Network Load Balancer (NLB) EIP, Server Load Balancer (SLB) EIP, SLB public IP address, AI gateway public IP address, API gateway public IP address. IPv6 assets: ALB IPv6, ECS IPv6, ENI EIP IPv6, GA EIP IPv6 (same constraints as IPv4 GA EIP), NLB IPv6, SLB IPv6, AI gateway public IPv6 address, API gateway public IPv6 address. | Internet Firewall |
| Cloud assets and traffic: NAT firewall | Traffic from private networks to the Internet. | NAT Firewall |
| Cloud assets and traffic: VPC firewall (east-west) | See Firewall types. | Configure a VPC firewall for an Enterprise Edition transit router, Configure a VPC firewall for a Basic Edition transit router, Configure a VPC firewall for Express Connect |
| Cloud assets and traffic: ECS firewall | Inbound and outbound traffic of ECS instances. | Create an access control policy for an ECS firewall |
| Cloud network type | VPC: Cloud Firewall supports all Alibaba Cloud VPCs. Classic network: The Internet Firewall and intrusion prevention system (IPS) features support the classic network. ECS firewalls protect instances in VPCs but not in the classic network. | — |
| Supported regions | Regions supported by Cloud Firewall. | Supported regions |
Cloud Firewall does not support traffic redirection for a small number of Internet-facing SLB instances due to the historical network architecture. To redirect traffic to Cloud Firewall, associate EIPs with the internal-facing SLB instances.
Editions
Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and a pay-as-you-go option. For a full breakdown of protection capabilities by edition, see Features.
| Edition | What's included | Billing |
|---|---|---|
| Pay-as-you-go | Protects Internet-facing assets. Includes attack awareness, attack prevention, asset exception notification, and access control policies for the Internet firewall. | Pay-as-you-go — scales with usage. Suited for workloads with fluctuating traffic or temporary resource needs. |
| Premium Edition | Protects Internet-facing assets. Includes traffic analysis and protection, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification. | Subscription — pay upfront at a discounted rate. Suited for stable, long-running workloads. |
| Enterprise Edition | Protects Internet-facing assets, VPCs, and ECS instances. Includes all Premium Edition capabilities plus visualization, network security defense across VPCs, and centralized security group management. | Subscription |
| Ultimate Edition | Includes all Enterprise Edition capabilities with more powerful protection. | Subscription |
Compliance
Cloud Firewall complies with ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR), and Payment Card Industry (PCI) Data Security Standards (DSS).
Contact us
For pre-sales questions about purchasing or trialing Cloud Firewall, submit a ticket to reach our product team.
What's next
- Billing overview — Understand how Cloud Firewall is priced across editions.
- How to choose an edition — Match your requirements to the right edition.
- Get started with pay-as-you-go — Activate and configure Cloud Firewall using the pay-as-you-go billing method.
- Get started with subscription — Activate and configure Cloud Firewall using the subscription billing method.