Cloud Firewall: Cloud Firewall Switch FAQ

Last Updated: Mar 11, 2026

This topic describes common issues you may encounter when enabling or disabling Cloud Firewall. It covers the impact of enabling the firewall on your business and changes to routing and traffic after enabling the firewall.

What is the impact of enabling the firewall on my business?

Firewall type

Impact on business

Internet firewall

You do not need to change your current network topology to create, enable, or disable the Internet firewall. You can instantly protect or unprotect resources with one click. This has no impact on your business.

NAT firewall

  • Creating or deleting a NAT firewall has no impact on your business.

    Creation time depends on the number of EIPs bound to the NAT Gateway. Each additional EIP adds about 2–5 minutes.

  • Enabling or disabling the NAT firewall takes about 10 seconds. During this process, persistent connections experience a transient disconnection of 1–2 seconds. Short-lived connections are unaffected.

Express Connect VPC firewall

Basic Edition transit router VPC firewall

  • Creating or deleting a VPC firewall has no impact on your business.

    Creation takes about 5 minutes.

  • Enabling or disabling the VPC firewall takes about 5–30 minutes, depending on the number of route entries. During this process, persistent connections experience a transient disconnection of a few seconds. Short-lived connections are unaffected.

    Note

    Before enabling the VPC firewall, check whether your applications support TCP automatic retransmission. Monitor application connection status closely to avoid connection interruptions caused by missing retransmission configurations.

Enterprise Edition transit router VPC firewall

Automatic traffic steering

  • Creating or deleting a VPC firewall has no impact on your business.

    Creation takes about 5 minutes.

  • Enabling or disabling the VPC firewall takes about 5–30 minutes, depending on the number of route entries. This has no impact on your business.

Manual traffic steering

  • Creating or deleting a VPC firewall has no impact on your business.

    Creation takes about 5 minutes.

  • The impact on your business when enabling or disabling the VPC firewall varies depending on the traffic steering method used.

How do I disable Cloud Firewall?

If you determine that your business does not require Cloud Firewall protection, release the instance to avoid extra charges.

What to do if service traffic exceeds the bandwidth supported by Cloud Firewall?

If your service traffic exceeds the bandwidth of your Cloud Firewall instance, the Service-Level Agreement (SLA) is not guaranteed. This can lead to service degradation, which may include the failure of security features such as access control, IPS, and log auditing, the firewall being disabled for assets with the highest traffic, rate limiting, or packet loss.

Why can’t I enable Cloud Firewall for my current account?

Possible causes

When you log on to the Cloud Firewall console, the page displays the message "Your account cannot be used to activate Cloud Firewall." Possible causes include the following:

  • Your current account is an Alibaba Cloud account (root account) and has been added as a member account under another Alibaba Cloud account for centralized management.

  • Your current account is a RAM user (sub-account) and has not been authorized.

Solutions

Move your cursor to the profile picture in the upper-right corner of the console to view your account type.

  • If your account is an Alibaba Cloud account (root account):

    Use the administrator account that manages your account to log on to the Cloud Firewall console. After enabling Cloud Firewall, enable protection for your cloud assets. For more information, see Purchase Cloud Firewall.

  • If your account is a RAM user (sub-account): Use the Alibaba Cloud account (root account) that owns this RAM user to grant the createSlr, AliyunYundunCloudFirewallReadOnlyAccess, and AliyunYundunCloudFirewallFullAccess permissions. For more information, see Manage RAM user permissions.

    The createSlr permission requires a custom policy. Create a custom policy using the following script. The Effect must be Allow: a Deny statement would block the CreateServiceLinkedRole action instead of granting it. For more information, see Create a custom policy.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:166032244439****:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "cloudfw.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

    Note

    The format of the Resource parameter is acs:ram:*:Alibaba Cloud account ID:role/*. Replace Alibaba Cloud account ID with the root account ID of the RAM user.
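    As an added example (not part of the original documentation), the following Python helper builds the createSlr policy for a given root account ID and checks a policy document for the mistakes that silently break the grant: a Deny effect, a missing action or ram:ServiceName condition, and a Resource whose masked account ID was never replaced. The account IDs it uses are constructed placeholders.

```python
import json
import re

# Service principal and action from the documentation above.
CLOUDFW_SERVICE = "cloudfw.aliyuncs.com"
CREATE_SLR_ACTION = "ram:CreateServiceLinkedRole"
# Alibaba Cloud account IDs are 16 digits; the doc sample masks the last four with '*'.
RESOURCE_PATTERN = re.compile(r"acs:ram:\*:(\d{16}):role/\*")


def build_create_slr_policy(account_id: str) -> dict:
    """Return the custom policy that lets a RAM user create the Cloud Firewall
    service-linked role, scoped to roles in the given root account."""
    return {
        "Statement": [
            {
                "Action": [CREATE_SLR_ACTION],
                "Resource": f"acs:ram:*:{account_id}:role/*",
                "Effect": "Allow",
                "Condition": {"StringEquals": {"ram:ServiceName": [CLOUDFW_SERVICE]}},
            }
        ],
        "Version": "1",
    }


def check_create_slr_policy(policy) -> list:
    """Return a list of problems in a policy (dict or JSON string); empty means it is usable."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    if policy.get("Version") != "1":
        problems.append("Version must be '1'")
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if CREATE_SLR_ACTION not in actions:
            problems.append(f"statement {i}: missing Action {CREATE_SLR_ACTION}")
        if stmt.get("Effect") != "Allow":
            problems.append(f"statement {i}: Effect is {stmt.get('Effect')!r}, must be Allow")
        services = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", [])
        if CLOUDFW_SERVICE not in services:
            problems.append(f"statement {i}: Condition does not restrict ram:ServiceName to {CLOUDFW_SERVICE}")
        if not RESOURCE_PATTERN.fullmatch(str(stmt.get("Resource", ""))):
            problems.append(f"statement {i}: Resource must be acs:ram:*:<16-digit account ID>:role/* "
                            "(replace the masked account ID)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder account ID, not a real account.
    print(json.dumps(build_create_slr_policy("1660322444391234"), indent=2))
    print(check_create_slr_policy(build_create_slr_policy("166032244439****")))
```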

Summary of Cloud Firewall enablement failures and solutions

Error message: No cross-account VPCs exist in the CEN instance, cross-account VPCs are not authorized for Cloud Firewall, or your Cloud Firewall edition is not the Ultimate Edition.
Solution: Log on to Cloud Firewall with the corresponding account to complete authorization. Then enable the VPC firewall. For more information, see Authorize Cloud Firewall to access cloud resources. To upgrade to Cloud Firewall Ultimate Edition, see Renewal policy.

Error message: The CEN instance contains a VPC connected to Express Connect and already enabled for firewall protection.
Solution: Submit a ticket to contact a product technical expert.

Error message: The region where the VPC resides in the CEN instance is not supported by the VPC firewall.
Solution: The region where the VPC resides in the CEN instance is not supported by the VPC firewall. For more information, see Supported regions.

Error message: A manual-mode firewall already exists in the same region of the CEN instance.
Solution: Submit a ticket to contact a product technical expert.

Error message: The CEN instance contains only one network instance or no VPC.
Solution: The CEN instance contains no VPC or only one VPC. Creating Cloud Firewall is not supported. Add more VPCs to the CEN instance and try again.

Error message: The number of VPCs that can enable the firewall in the same region exceeds the limit.
Solution: We recommend using the CEN transit router. For more information, submit a ticket to contact a product technical expert.

Error message: The root account across accounts in the CEN instance has not purchased Cloud Firewall.
Solution: Purchase Cloud Firewall using the root account.

Error message: The number of custom routes in the VPC instance exceeds the limit.
Solution: Go to the Virtual Private Cloud (VPC) console. On the O&M and monitoring > Quota management page, modify the quota for custom routes in the VPC route table for your account.

Error message: The VPC firewall quota is full.
Solution: Increase the firewall quota.

Error message: Check for duplicate CIDR blocks. Only duplicate CIDR blocks between VBRs are allowed. Duplicate CIDR blocks between VPCs or between VPCs and VBRs are not allowed.
Solution: Submit a ticket to contact a product technical expert.

Error message: Check whether the quota for policy route priority is insufficient.
Solution: Submit a ticket to contact a product technical expert.

Error message: The CEN instance contains a deny-type routing policy (except for the default system routing policy with priority 5000).
Solution: Delete the related routing policy, or submit a ticket to contact a product technical expert.

Error message: The number of VPCs created in each region must be less than the regional VPC quota minus one (the VPC firewall consumes one quota).
Solution: If the quota is full, go to the Virtual Private Cloud (VPC) console. On the Quota management page, increase the VPC quota. If the VPC quota cannot be increased, submit a ticket to contact a product technical expert.

Error message: Cloud Enterprise Network (CEN) publishes CIDR blocks that include public CIDR blocks. Ignore 0.0.0.0/0 to prevent connection disruptions caused by one-way access to SLB due to the private use of public IP addresses.
Solution: Submit a ticket to contact a product technical expert.

Error message: Check for an upstream route pointing to BR.
Solution: Submit a ticket to contact a product technical expert.

Error message: The VPC in the CEN instance uses a custom route table associated with a vSwitch.
Solution: Delete the related custom route table or detach the vSwitch from the custom route table.

Error message: The number of routes after enabling the firewall in the CEN instance will exceed the route limit.
Solution: Reduce published routes to fewer than 100, or upgrade to the CEN-TR architecture. If needed, submit a ticket to contact a product technical expert.

Error message: The region where the transit router resides is not supported.
Solution: The region where the transit router resides in the CEN instance is not supported by the VPC firewall. For more information, see Supported regions.

Error message: The transit router contains a VPN connection.
Solution: Submit a ticket to contact a product technical expert.

Error message: The transit router route table contains a prefix list.
Solution: Use route publishing in the VPC instead of prefix lists.

Error message: The transit router route table contains a blackhole route.
Solution: Submit a ticket to contact a product technical expert.

Error message: The transit router route table contains a static route.
Solution: Use route publishing in the VPC instead of static routes.

Error message: The transit router route table contains a route conflict.
Solution: Check whether any routes are denied.

Error message: The transit router route table contains a system routing policy conflict.
Solution: Check whether the matching conditions of the system routing policy with priority 5000 include CCN, VBR, VPN, or ECR in the source and destination instance types. If not, submit a ticket to contact a product technical expert.

Error message: The transit router route table contains IPv6 routes.
Solution: This is not currently supported by Cloud Firewall.

Error message: The pay-as-you-go Cloud Firewall does not have the VPC firewall enabled.
Solution: Enable the VPC firewall in the Cloud Firewall console. For more information, see Pay-as-you-go 2.0.

Error message: Your current Cloud Firewall edition does not support the VPC firewall.
Solution: Upgrade your Cloud Firewall edition. For more information, see Upgrade and downgrade.

Error message: VPC firewall asset synchronization is incomplete.
Solution: Go to the Cloud Firewall console. In the navigation pane on the left, choose Firewall switch > VPC firewall. Click Sync Assets and wait 5–10 minutes.

What does the Internet firewall do?

The Internet firewall supports multiple public assets, such as public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of Server Load Balancer (SLB) instances, and elastic IP addresses (EIPs). After enabling the Internet firewall, the system forwards traffic entering or leaving the Internet border to Cloud Firewall. Cloud Firewall inspects and filters the traffic, allowing only traffic that meets the allow conditions to pass. For more information, see Internet firewall.

Does the Internet firewall support protection for IPv6 assets?

Yes. Cloud Firewall fully supports IPv6 asset protection starting January 8, 2025.

For the scope of assets protected by the Internet firewall, see Protection scope.

Does the Internet firewall affect network traffic?

If you only enable the Internet firewall without configuring Internet access control or intrusion prevention policies, Cloud Firewall only inspects and alerts on traffic. It does not block traffic.

After purchasing Cloud Firewall, all Internet firewall switches are enabled by default.

What is the impact of disabling the Internet firewall?

After disabling the Internet firewall, all traffic bypasses it. This causes the following impacts:

  • The Internet firewall’s protection capabilities become unavailable, including inbound and outbound access control policies and intrusion prevention.

  • Internet traffic statistics are no longer updated, including network traffic analysis reports and traffic logs.

Why does the system show an SLB network restriction when I enable the Internet firewall?

Possible cause

When enabling the Internet firewall, the console displays the message "Due to SLB network restrictions, the network where this IP resides does not support firewall protection." This occurs because the SLB asset has only a private IP address and does not support Cloud Firewall protection.

Solution

For assets with only private IP addresses, bind an EIP to redirect traffic to Cloud Firewall for protection. For more information, see Bind and manage EIPs for private CLB instances.

After synchronizing assets in the Free Edition, some public IP assets are not displayed.

The Cloud Firewall Free Edition synchronizes only EIP assets; it does not synchronize the public IP addresses of ECS or SLB instances. New EIP assets take one day to synchronize to Cloud Firewall.

Why does an asset in the Internet firewall show Protection Abnormal?

Possible causes

  • Classic network upgrade.

  • When releasing a public CLB instance, you chose to unbind its public IP as an EIP and retain it.

Solution

Click Disable and then click Enable to restore protection.

Does enabling the VPC firewall affect ECS security group rules?

No.

After enabling the VPC firewall, Cloud Firewall automatically creates a security group named Cloud_Firewall_Security_Group and adds allow rules to permit traffic to the VPC firewall. The Cloud_Firewall_Security_Group security group applies only to traffic within that VPC. Your existing ECS security group rules remain effective and unchanged. You do not need to migrate or modify them.

When creating a VPC firewall, why does the system report unauthorized network instances?

Possible cause

The CEN instance contains a VPC owned by another Alibaba Cloud account, and that account has not authorized Cloud Firewall to access cloud resources.

Solution

Log on to the Cloud Firewall console using the unauthorized Alibaba Cloud account. Complete service role authorization as prompted. For more information, see Authorize Cloud Firewall to access cloud resources.

In a Basic Edition transit router scenario, why does a deny routing policy appear after enabling the VPC firewall?

After enabling the VPC firewall for a VPC connected through a Basic Edition transit router (for example, VPC-test), Cloud Firewall creates a VPC named Cloud_Firewall_VPC under the transit router and publishes a static route. This route directs traffic from other VPCs not enabled for firewall protection to Cloud Firewall.

Cloud Firewall also adds a static route in VPC-test pointing to the Cloud Firewall ENI to direct outbound traffic from VPC-test to Cloud Firewall. It creates a deny routing policy to prevent VPC-test from learning routes published by the CEN instance.

Important

Do not modify or delete these routing policies or route tables. Doing so affects traffic steering by Cloud Firewall and interrupts business traffic.

Why does the NAT firewall require creating a route table and adding a 0.0.0.0/0 static route?

After enabling the NAT firewall, Cloud Firewall automatically creates a custom route table named Cloud_Firewall_ROUTE_TABLE and adds a 0.0.0.0/0 route pointing to the NAT Gateway. It also modifies the 0.0.0.0/0 route entry in the system route table, changing its next hop to the Cloud Firewall ENI. This redirects outbound traffic from the NAT Gateway to Cloud Firewall.

Important

Do not modify or delete these route tables or route entries. Doing so affects traffic steering by Cloud Firewall and interrupts business traffic.

When I enable the Internet, NAT, and DNS firewalls at the same time, how does outbound traffic match rules?

When an ECS instance initiates domain name access (outbound traffic) with all three firewalls enabled, traffic matches as follows:

  1. The ECS instance sends a DNS resolution request. The request passes through the DNS firewall and matches DNS firewall access control policies.

  2. The ECS instance sends private network traffic through the NAT firewall and matches NAT firewall access control policies.

  3. Allowed private network traffic passes through the NAT Gateway, which converts the private source IP to a public NAT IP.

  4. The NAT Gateway sends public traffic to the Internet firewall and matches Internet firewall access control policies.

  5. Traffic matches threat intelligence, basic defense, intelligent defense, and virtual patching rules in Cloud Firewall.

If traffic does not hit any deny policy during this process, it successfully accesses the domain name. If traffic hits any deny policy, it is blocked and cannot access the domain name.

After configuring NAT firewall access control policies, why can I still use telnet commands to access resources?

An EIP is bound to SNAT and the NAT firewall is enabled. Access control policies allow only ECS instances to access specified domains using HTTP or HTTPS over TCP. However, ECS instances can still use telnet commands to access other domains.

  • Cause: Telnet commands lack application-layer protocol features (such as HTTP or HTTPS). Cloud Firewall cannot identify the application type using deep packet inspection (DPI), so the application appears as Unknown and does not match HTTP or HTTPS policies. In loose mode, if Cloud Firewall cannot identify the domain or application, it allows the unidentified traffic by default. To continue matching subsequent policies, enable strict mode.

    Important

    Strict mode is a global setting. Enabling it affects the matching logic for all traffic. Enable it only after careful consideration of your business requirements.

  • Solution: Do not use telnet for testing. Use curl commands instead.
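The following Python model is an added example, not Cloud Firewall code, of the loose-mode versus strict-mode matching described above. It assumes the policy list ends in a deny-all policy, as the scenario implies, and that traffic matching no policy at all is allowed; the domain and policies are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AccessPolicy:
    action: str                  # "allow" or "deny"
    dst_domain: Optional[str]    # destination domain, or None for any destination
    apps: Tuple[str, ...]        # application types matched, e.g. ("HTTP", "HTTPS"); empty = any


@dataclass
class Flow:
    dst_domain: Optional[str]    # domain identified in the traffic, None if it could not be identified
    app: str                     # application type from DPI; "Unknown" when no app-layer features exist


# Constructed policy set for the FAQ scenario: ECS may reach one domain over HTTP/HTTPS only.
POLICIES = [
    AccessPolicy("allow", "api.example.com", ("HTTP", "HTTPS")),
    AccessPolicy("deny", None, ()),   # assumed trailing deny-all policy
]


def policy_matches(policy: AccessPolicy, flow: Flow) -> bool:
    if policy.dst_domain is not None and policy.dst_domain != flow.dst_domain:
        return False
    if policy.apps and flow.app not in policy.apps:
        return False
    return True


def evaluate(policies, flow: Flow, strict_mode: bool = False):
    """Return (action, reason). In loose mode, traffic whose domain or application could
    not be identified is released without consulting the policies; in strict mode it
    keeps matching down the list, so a telnet flow falls through to the deny-all."""
    if not strict_mode and (flow.dst_domain is None or flow.app == "Unknown"):
        return "allow", "loose mode: unidentified domain/application released by default"
    for i, policy in enumerate(policies):
        if policy_matches(policy, flow):
            return policy.action, f"matched policy {i} ({policy.action})"
    return "allow", "no policy matched (assumed default)"


if __name__ == "__main__":
    # curl https://api.example.com -> domain and HTTPS identified by DPI
    # telnet other.example.net 23  -> no Host/SNI and no app-layer features
    cases = [("curl to allowed domain", Flow("api.example.com", "HTTPS")),
             ("curl to other domain", Flow("other.example.net", "HTTPS")),
             ("telnet to other domain", Flow(None, "Unknown"))]
    for name, flow in cases:
        for strict in (False, True):
            print(f"{name:24} strict={strict!s:5} -> {evaluate(POLICIES, flow, strict)}")
```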

Why does some traffic from the transit router (TR) bypass the NAT firewall even though it is configured?

This issue usually occurs when the TR’s VPC attachment is associated with the dedicated vSwitch automatically created by the NAT firewall.

Explanation:

The NAT firewall relies on specific routing configurations to control traffic. In standard configuration, the process is as follows:

  1. Steer business traffic: The route table of the business vSwitch in the VPC sets the next hop for outbound traffic to the NAT firewall, ensuring traffic passes through security inspection first.

  2. Forward firewall traffic: After inspection, the route table of the dedicated vSwitch where the NAT firewall resides sets the next hop to the NAT Gateway, enabling final Internet access.

Impact of incorrect configuration

If the TR attachment point is bound to the NAT firewall’s dedicated vSwitch, public traffic from the TR enters the vSwitch directly. Traffic then matches the route entry in the vSwitch with the next hop set to the NAT Gateway, bypassing the NAT firewall’s security inspection. As a result, some traffic remains uncontrolled.

Recommended correct configuration

To ensure all public traffic passes through the NAT firewall, follow these best practices:

  • vSwitch isolation: Do not use the NAT firewall’s dedicated vSwitch for other purposes, including as a TR attachment point.

  • Independent planning: Assign a separate vSwitch for TR’s VPC attachments.

  • Route verification: Confirm that all relevant route tables—including those associated with vSwitches used for TR attachments—have the next hop for public routes correctly set to the NAT firewall.
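The route verification in this answer, and the route-table layout described in the NAT firewall route table answer above, can be checked mechanically. The following Python script is an added example (not Cloud Firewall's own tooling) that models the VPC's route tables with constructed IDs and flags any vSwitch, including a TR attachment vSwitch, whose public-bound next hop is not the Cloud Firewall ENI.

```python
import ipaddress

# Constructed identifiers (not real resource IDs), mirroring the layout the FAQ describes.
FW_ENI = "eni-cloudfw-placeholder"     # Cloud Firewall ENI: next hop of the system route table's 0.0.0.0/0
NAT_GW = "ngw-placeholder"             # NAT Gateway: next hop of Cloud_Firewall_ROUTE_TABLE's 0.0.0.0/0
FW_VSWITCH = "vsw-cloudfw-dedicated"   # dedicated vSwitch created by the NAT firewall

# route table id -> list of (destination CIDR, next hop type, next hop id)
ROUTE_TABLES = {
    "vtb-system": [("10.0.0.0/16", "local", ""), ("0.0.0.0/0", "NetworkInterface", FW_ENI)],
    "Cloud_Firewall_ROUTE_TABLE": [("10.0.0.0/16", "local", ""), ("0.0.0.0/0", "NatGateway", NAT_GW)],
}
# vSwitch id -> route table it is associated with (correct layout)
VSWITCHES = {
    "vsw-business-a": "vtb-system",
    "vsw-tr-attach": "vtb-system",          # separate vSwitch planned for the TR attachment
    FW_VSWITCH: "Cloud_Firewall_ROUTE_TABLE",
}


def first_hop(routes, dst_ip):
    """Longest-prefix match: return (next hop type, next hop id) for dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, hop_type, hop_id in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_id)
    return None if best is None else (best[1], best[2])


def audit_nat_firewall_routing(vswitches, route_tables, tr_attachments,
                               fw_vswitch=FW_VSWITCH, fw_eni=FW_ENI, nat_gw=NAT_GW,
                               probe_ip="203.0.113.10"):
    """Return findings; an empty list means all public-bound traffic is inspected first.
    probe_ip is a TEST-NET address standing in for any Internet destination."""
    findings = []
    for vsw in tr_attachments:
        if vsw == fw_vswitch:
            findings.append(f"{vsw}: TR attachment uses the NAT firewall's dedicated vSwitch; "
                            f"TR traffic goes straight to {nat_gw} and bypasses inspection")
    for vsw, rtb in vswitches.items():
        hop = first_hop(route_tables[rtb], probe_ip)
        if vsw == fw_vswitch:
            # Inspected traffic must leave the dedicated vSwitch towards the NAT Gateway.
            if hop != ("NatGateway", nat_gw):
                findings.append(f"{vsw} ({rtb}): next hop {hop} should be NAT Gateway {nat_gw}")
        elif hop != ("NetworkInterface", fw_eni):
            # Every other vSwitch must hand public-bound traffic to the firewall ENI first.
            findings.append(f"{vsw} ({rtb}): next hop {hop} is not the Cloud Firewall ENI; "
                            "inspection is bypassed")
    return findings


if __name__ == "__main__":
    print("correct layout:", audit_nat_firewall_routing(VSWITCHES, ROUTE_TABLES, ["vsw-tr-attach"]))
    print("TR on dedicated vSwitch:", audit_nat_firewall_routing(VSWITCHES, ROUTE_TABLES, [FW_VSWITCH]))
```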

How do I efficiently enable and configure Internet firewall access control policies?

Cloud computing is essential for enterprise digital transformation. Broader cloud technology adoption leads to more complex business architectures and increasingly blurred security boundaries. Enterprises can use Cloud Firewall to build network boundary protection in the cloud. However, managing access control policies becomes complex when many Internet IPs are involved.

Cloud Firewall provides AI-powered intelligent policies. It automatically learns traffic patterns over the past 30 days, along with cloud IP assets, services accessed, and outbound connections. It recommends suitable Internet firewall access control policies for each destination IP or domain. This reduces exposure on the Internet, blocks malicious IPs and domains for outbound connections, and lowers the risk of business intrusions.

To deploy intelligent access control policies for the Internet firewall, see Configure Internet firewall access control policies.

What are the differences between new and old versions of VPC firewalls for CEN Enterprise Edition transit routers with automatic traffic steering?

Cloud Firewall has updated some features of the VPC firewall for CEN Enterprise Edition transit routers. With automatic traffic steering, the firewall VPC ownership changed from user accounts to Cloud Firewall service accounts. Key differences include the following:

  1. Firewall VPC ownership: In the new version, the firewall VPC belongs to the Cloud Firewall backend account, not your user account. You cannot view or modify its resources or configurations. It also does not consume your regional VPC quota.

  2. Billing method: In the old version, TR traffic transfer fees apply both between the transit router and business VPCs and between the transit router and firewall VPC. Users bear both costs. In the new version, the firewall VPC belongs to Cloud Firewall, so Cloud Firewall bears the TR traffic transfer fee between the transit router and firewall VPC. Users no longer pay this fee.

  3. Enabling the VPC firewall: When creating a VPC firewall, you no longer need to enter three vSwitch CIDR blocks. Enter only one CIDR block of at least /27 that does not conflict with your network plan. This block is assigned to vSwitches required during firewall creation. For instructions on configuring the Enterprise Edition VPC firewall, see Configure the VPC firewall for Enterprise Edition transit routers.

Steps to enable the new version of the TR Enterprise Edition VPC firewall

Important

Requirements: Automatic traffic steering is required. Your Cloud Firewall edition must be pay-as-you-go or subscription with elastic traffic post-payment enabled.

  • If you have not created a VPC firewall: First enable elastic traffic post-payment (pay-as-you-go customers can skip this step), then create the VPC firewall.

    Warning

    You must follow this order exactly.

  • If you have already created a VPC firewall:

    • Delete the traffic steering scenario and the existing VPC firewall.

    • Enable elastic traffic post-payment (pay-as-you-go customers can skip this step).

    • Recreate the VPC firewall and traffic steering scenario.

  • To enable elastic traffic post-payment, see Pay-as-you-go elastic traffic with post-payment.

Is there latency when connecting to the VPC firewall?

Yes.

Latency increases by 4–8 ms across different availability zones (AZs) in the same region, and by 2–3 ms within the same AZ.