Cloud Firewall of Alibaba Cloud is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud.


Cloud Firewall provides the following types of firewalls: Internet firewall, VPC firewall, and internal firewall.

The Internet firewall is deployed at the boundary of the Internet to centrally manage public IP addresses. Internal firewalls work in the same way as security groups to control communication between Elastic Compute Service (ECS) instances. The following figure shows how the Internet firewall and internal firewalls work and where the firewalls are deployed in the network topology.

Figure: How Cloud Firewall works

VPC firewalls are used to protect traffic between VPCs and are deployed at the boundaries of VPCs to manage the traffic over Express Connect. The following figure shows how a VPC firewall works and where the firewall is deployed in the network topology.

Figure: How a VPC firewall works

You can use the preceding types of firewalls to refine your network access control policies and build the following protection systems: Internet traffic protection, VPC protection, and instance protection.
  • Cloud Firewall provides centralized access control by using inbound and outbound policies to support more precise control over network traffic. Cloud Firewall also provides application-specific and domain name-specific access control policies for you to centrally manage VPCs and regions. You can use the monitor mode and address books to optimize your access control policies.
  • For network traffic that requires microsegmentation, Cloud Firewall provides distributed access control. Cloud Firewall is developed based on security groups and supports visualization of internal network traffic, which allows you to tune policies for traffic between ECS instances. The monitor mode, blocked traffic analysis, and intelligent policy features will be available soon.

Cloud Firewall allows you to configure firewalls based on network boundaries to build multiple logical protection systems, which facilitates maintenance. If you want to protect only Internet traffic, you only need to configure inbound or outbound policies on the Internet firewall. If you also want to protect your instances, you can configure access control policies for east-west traffic on internal firewalls.

Protection scope of Cloud Firewall

Cloud Firewall can protect the following cloud assets or traffic:
  • Internet traffic: traffic of public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of Server Load Balancer (SLB) instances, high-availability virtual IP addresses (HAVIPs), EIPs, EIPs of ECS instances, EIPs of Elastic Network Interfaces (ENIs), some public IP addresses of Server Load Balancer (SLB) instances, and EIPs of NAT gateways.
  • Traffic between VPCs: traffic between VPCs that are connected by using a CEN or Express Connect.
  • Traffic between VPCs and data centers: The VPCs and data centers are connected by using virtual border routers (VBRs).


Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR), and Payment Card Industry (PCI) Data Security Standards (DSS).

Contact us

If you have questions about the features, prices, or specifications of Cloud Firewall when you purchase it, or if you want to apply for a trial of Cloud Firewall, you can join DingTalk group 33081734 to consult technical experts.