All Products
Search
Document Center

Cloud Firewall:Select a Cloud Firewall edition

Last Updated:Jun 24, 2024

Cloud Firewall can help you isolate and protect your business in the cloud to ensure business security and meet compliance requirements. This topic provides information to facilitate the use of Cloud Firewall and deliver optimal protection.

Why is Cloud Firewall required for isolating and protecting security domains in the cloud?

After the business of a general enterprise is migrated to the cloud, security domains of the enterprise are in the default mode due to factors such as the business type, network size, and business management. As a result, the business network architecture of the enterprise becomes disorganized as the business grows. For example, ports that are not required for business are opened on the Internet, and excessive permissions on internal communication are granted. If your business is intruded, security risks may occur.

A network security domain is similar to a hotel. Different guests can stay on different floors and rooms without interfering with each other. In an actual IT environment, servers that host databases and web servers that are available for clients are at different security levels. In addition, servers in the test environment and servers in the production environment are at different security levels. In this case, you must classify security domains of business assets from aspects such as the functionality and communication relationship.

How to design security domains for isolation

Enterprise business is categorized into Internet services and internal systems by business. Enterprise business is categorized into production zones, development and testing zones, and shared zones by system. You can use Cloud Firewall to isolate and protect the zones by security domain.

Security design for inbound Internet traffic

  • Design principles: Ensure flexibility, automatic scaling, and security.

  • Design suggestions:

    • Configure the Internet firewall to manage inbound and outbound Internet traffic. You can use Cloud Firewall together with Web Application Firewall (WAF) and Anti-DDoS.

    • Optional. Configure virtual private clouds (VPCs) for demilitarized zones. You can configure VPCs together with elastic IP addresses (EIPs), Server Load Balancer (SLB) instances, and public IP addresses of Elastic Compute Service (ECS) instances to protect inbound Internet traffic.

Security design for outbound Internet traffic

  • Design principles: Ensure flexibility, automatic scaling, and security.

  • Design suggestions:

    • Configure the Internet firewall and NAT firewalls to separately manage outbound Internet traffic and outbound private network traffic.

    • Optional. Configure different VPCs for demilitarized zones. You can configure VPCs together with EIPs and NAT gateways to protect outbound Internet traffic.

Security design for cloud business interconnections

  • Design principles: Implement environmental isolation and ensure required connectivity and security.

  • Design suggestions:

    • Configure Cloud Enterprise Network (CEN) instances. We recommend that you associate Enterprise Edition transit routers with VPCs to implement interconnection for network instances in the cloud, or associate Enterprise Edition transit routers with virtual border routers (VBRs) to implement cross-cloud interconnection and access.

    • Configure VPC firewalls to implement access control for traffic across VPCs or clouds from Layer 4 to Layer 7, protect traffic against lateral movement attacks, and perform audit and source tracing on traffic.

    • Configure internal firewalls to implement microsegmentation in VPCs.

Security design for communication between cloud services and data centers

  • Design principles: Implement communication between cloud services and data centers and ensure security.

  • Design suggestions:

    • Configure CEN instances or Express Connect circuits to implement communication between data centers and VPCs by connecting VBRs to CEN instances or by using Express Connect circuits.

    • Configure VPC firewalls to monitor unusual traffic between data centers and VPCs, manage traffic from Layer 4 to Layer 7, and protect traffic against lateral movement attacks. You can also perform log audit.

For subsidiaries of large-sized groups, security domains of the production network are categorized into group security domains and subsidiary security domains. Group security domains are further categorized into Internet-facing production zones, internal-facing production zones, and demilitarized zones. Security domains of the internal production network are categorized into general business security domains, core business security domains, and database security domains based on the business type.

For most small-sized enterprises, security domains are categorized into domains such as general business security domains, core business security domains, data security domains, and Direct Messaging Application (DMA) security domains based on the business type, functionality, and network communication relationship.

image

Editions

What is Cloud Firewall?

For more information, see What is Cloud Firewall? and Common scenarios.

How to select a Cloud Firewall edition

Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. Pay-as-you-go savings plans are available for Cloud Firewall that uses the pay-as-you-go billing method. Each edition provides different features, protects different assets, and supports different additional specifications. The following section describes how to select an edition. For more information, see Functions and features.

How to select an edition

Pay-as-you-go (including pay-as-you-go savings plans): Cloud Firewall that uses the pay-as-you-go billing method allows you to use resources before you pay for them. You can also use pay-as-you-go savings plans to reduce costs.

  • Cloud Firewall that uses the pay-as-you-go billing method is suitable for scenarios in which your workload frequently fluctuates or you have short-term requirements on resources.

  • Cloud Firewall that uses the pay-as-you-go billing method is suitable for small- and medium-sized enterprises that have less than 10 public assets or whose network traffic is less than 10 Mbit/s.

Subscription: Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition use the subscription billing method. Subscription is a billing method that requires you to pay for resources before you can use the resources. The subscription billing method allows you to reserve resources to protect a large number of assets.

  • The subscription billing method is suitable for enterprises whose usage period of resources can be estimated and resource usage remains relatively flat.

  • Cloud Firewall that uses the subscription billing method is suitable for enterprises that have more than 10 public assets or whose network traffic is more than 10 Mbit/s.

Protected public IP addresses

Protected VPCs

Quota for multi-account management

Recommended Cloud Firewall edition

Core feature

1 to 1,000

None

Not supported

Cloud Firewall that uses the pay-as-you-go billing method

  • Provides basic firewall capabilities.

  • Provides network security protection for Internet traffic.

  • Provides a network intrusion prevention system (NIPS).

20 to 1,000

None

1 to 20

Premium Edition

50 to 2,000

2 to 200

1 to 50

Enterprise Edition

  • Cloud Firewall Enterprise Edition covers all capabilities of Cloud Firewall Premium Edition.

  • Provides network security protection between VPCs.

  • Supports centralized management and visualization of security groups.

  • Integrates with Security Center to provide the breach awareness feature.

400 to 4,000

5 to 500

1 to 1,000

Ultimate Edition

  • We recommend that large-sized enterprises use Cloud Firewall Ultimate Edition, which covers all capabilities of Cloud Firewall Enterprise Edition.

  • Supports security management for unified networking of multiple accounts.

Supports management of assets within other Alibaba Cloud accounts.

Premium Edition: 1 to 20

Enterprise Edition: 1 to 50

Ultimate Edition: 1 to 1,000

Supported

Premium Edition, Enterprise Edition, and Ultimate Edition

Protection scope of Cloud Firewall

Protection scope

Description

References

Cloud assets and traffic

Cloud Firewall can protect the following cloud assets or traffic:

  • The Internet firewall can protect the north-south traffic of assets such as public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Classic Load Balancer (CLB) instances, EIPs of CLB instances, EIPs of Application Load Balancer (ALB) instances, EIPs of Network Load Balancer (NLB) instances, EIPs (including Layer 2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, high-availability virtual IP addresses (HAVIPs), and IP addresses of bastion hosts.

  • A NAT firewall can protect traffic from an internal network to the Internet.

  • A VPC firewall can protect east-west traffic.

    • A VPC firewall that is created for an Enterprise Edition transit router can protect the following types of traffic:

      • Traffic between VPCs in the same region

      • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router

      • Traffic between a VPC and a VBR or a data center

      • Traffic between a VPC and a CCN instance

      • Traffic between VBRs

      • Traffic between a VBR and a CCN instance

    • A VPC firewall that is created for a Basic Edition transit router can protect the following types of traffic:

      • Traffic between VPCs in the same region

      • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router

      • Traffic between a VPC and a VBR or a data center

      • Traffic between a VPC and a CCN instance

    • A VPC firewall that is created for an Express Connect circuit can protect the following types of traffic:

      • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

      • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region

  • An internal firewall can protect inbound and outbound traffic between ECS instances.

Note

Cloud Firewall does not support traffic redirection for a small number of Internet-facing SLB instances due to the historical network architecture. We recommend that you associate EIPs with the internal-facing SLB instances to redirect traffic to Cloud Firewall for protection.

Cloud network type

  • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

  • Classic network: The Internet Firewall and intrusion prevention system (IPS) features apply to the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.

-

Region

Regions that are supported by Cloud Firewall.

Supported regions

References