All Products
Search

This Product

    Cloud Firewall:What is Cloud Firewall?

    Document Center

    Cloud Firewall:What is Cloud Firewall?

    Last Updated:Jun 20, 2025

    Alibaba Cloud Cloud Firewall is a cloud security solution that provides firewalls as a service. It implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall serves as the first line of defense to protect your workloads in Alibaba Cloud.

    Positioning of Cloud Firewall

    image

    Features

    Internet firewall

    Supports fine-grained control of inbound and outbound traffic between Internet-facing assets and the Internet, reducing exposure risks of public assets. The built-in threat defense module supports compromised host detection, outbound connection blocking, and access relationship visualization. It uses cluster deployment, requires no complex configuration, supports one-click protection enabling, and allows performance scaling.

    NAT firewall

    When VPC resources access the Internet through NAT gateways, they may face security risks such as unauthorized access, data leaks, and malicious traffic attacks. Enabling NAT firewalls can block unauthorized traffic.

    VPC firewall

    Monitors and controls east-west traffic between VPCs or between a VPC and a data center that are connected by using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.

    Internal firewall

    Supports managing Elastic Compute Service (ECS) security groups and controlling traffic for ECS instances in VPCs. Access control policies are automatically synchronized to ECS security groups. Supports security group compliance checks and micro-segmentation visualization.

    Protection scope

    Protection scope

    Description

    References

    Cloud assets and traffic

    Cloud Firewall can protect the following cloud assets or traffic:

    • Internet firewall (north-south): IPv4 and IPv6 addresses of assets such as Elastic Compute Service (ECS) instances, load balancer assets, and bastion hosts, elastic IP addresses (EIPs), EIPs of NAT gateways, EIPs of Global Accelerator (GA) instances, and EIPs associated with high-availability virtual IP addresses (HAVIPs).

      Supported asset types

      IPv4

      IPv6

      • EIPs of Application Load Balancer (ALB) instances

      • Egress IP addresses of bastion hosts

      • IP addresses of bastion hosts

      • Ingress IP addresses of bastion hosts

      • EIPs

      • EIPs of ECS instances

      • Public IP addresses of ECS instances

      • EIPs of elastic network interfaces (ENIs)

      • EIPs of GA instances

        Note

        • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

        • The accelerated IP addresses must be of the EIP type.

        • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).

          To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

      • HAVIPs

      • EIPs of NAT gateways

      • Public IP addresses of NAT gateways

      • EIPs of Network Load Balancer (NLB) instances

      • EIPs of Server Load Balancer (SLB) instances

      • Public IP addresses of SLB instances

      • IPv6 addresses of ALB instances

      • IPv6 addresses of ECS instances

      • IPv6 EIPs of ENIs

      • IPv6 EIPs of GA instances

        Note

        • The GA instance to which the accelerated IP addresses belong must be a standard GA instance.

        • The accelerated IP addresses must be of the EIP type.

        • The acceleration region to which the accelerated IP addresses belong cannot be an Alibaba Cloud point of presence (POP).

          To check whether an acceleration region is a POP of Alibaba Cloud, call the ListAvailableBusiRegions operation.

      • IPv6 addresses of NLB instances

      • IPv6 addresses of SLB instances

    • NAT firewall: traffic from an internal network to the Internet.

    • VPC firewall (east-west):

      • VPC firewall created for an Enterprise Edition transit router

        • Traffic between VPCs in the same region

        • Traffic between VPCs that are connected by using an Enterprise Edition transit router and reside in different regions

        • Traffic between a VPC and a VBR, which also refers to traffic between a VPC and a data center

        • Traffic between a VPC and a CCN instance

        • Traffic between VBRs

        • Traffic between a VBR and a CCN instance

      • VPC firewall created for a Basic Edition transit router

        • Traffic between VPCs in the same region

        • Traffic between VPCs that are connected by using a Basic Edition transit router and reside in different regions

        • Traffic between a VPC and a VBR, which also refers to traffic between a VPC and a data center

        • Traffic between a VPC and a CCN instance

      • VPC firewall created for an Express Connect circuit

        • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

        • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region

    • Internal firewall: inbound and outbound traffic between ECS instances.

    Note

    Cloud Firewall does not support traffic redirection for a small number of Internet-facing SLB instances due to the historical network architecture. We recommend that you associate EIPs with the internal-facing SLB instances to redirect traffic to Cloud Firewall for protection.

    Cloud network type

    • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

    • Classic network: The Internet Firewall and intrusion prevention system (IPS) features support the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.

    -

    Supported regions

    Regions that are supported by Cloud Firewall.

    Supported regions

    Editions

    Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. The following table describes the differences among the editions. For more information about the protection capabilities supported by different editions of Cloud Firewall, see Features.

    Edition

    Description

    Billing method

    Free Edition

    Cloud Firewall Free Edition provides basic security check capabilities. You can use features such as security group check, classified protection compliance check, and asset exception notification.

    If your Alibaba Cloud account has cloud assets that can be protected, you can use Cloud Firewall Free Edition to protect the assets without purchasing Cloud Firewall.

    Cloud Firewall that uses the pay-as-you-go billing method

    Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall.

    Pay-as-you-go.

    The pay-as-you-go billing method flexibly adapts to business requirements and is suitable for scenarios in which your resource usage frequently fluctuates and your business has temporary or burst requirements on resources.

    Premium Edition

    Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and protection for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification.

    Subscription.

    Compared with the pay-as-you-go billing method, the subscription billing method allows you to reserve resources and reduce costs at discounted rates. The subscription billing method is suitable for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time.

    Enterprise Edition

    Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification.

    Cloud Firewall Enterprise Edition offers all capabilities provided by Cloud Firewall Premium Edition. Cloud Firewall Enterprise Edition also provides value-added services such as visualization, network security defense across VPCs, and centralized management of security groups.

    Ultimate Edition

    Cloud Firewall Ultimate Edition offers all capabilities provided by Cloud Firewall Enterprise Edition. Compared with Cloud Firewall Enterprise Edition, Cloud Firewall Ultimate Edition provides more powerful protection capabilities.

    Free trial

    The first time you purchase Cloud Firewall, you can apply for a free trial of Cloud Firewall that uses the pay-as-you-go billing method.

    Compliance

    Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR), and Payment Card Industry (PCI) Data Security Standards (DSS).

    Contact us

    If you have questions about purchasing or trying Cloud Firewall, you can submit a ticket to contact technical experts.

    References