You can upgrade or downgrade Cloud Firewall. For example, you can upgrade or downgrade the edition and specifications of Cloud Firewall, temporarily upgrade the protected bandwidth, and change the billing method. You can perform the preceding operations based on your business requirements. This helps improve resource utilization and optimize costs.
Overview
Supported operations
The following table describes the operations that you can perform on Cloud Firewall.
Operation | Item |
Upgrade | |
Downgrade | |
Change the billing method |
|
Usage notes
Your workloads are not affected during a self-service upgrade or downgrade.
You can upgrade and downgrade the edition and specifications of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method. Cloud Firewall that uses the subscription billing method provides the following editions that are sorted in ascending order by specification: Premium Edition, Enterprise Edition, and Ultimate Edition.
You can change the following Cloud Firewall specifications: Protected Public IP Addresses, Protected Internet Traffic, Number of VPC Firewalls, Protected VPC Traffic, Quota for Additional Policy, Multi-account Management, and Log Storage. For more information, visit the Cloud Firewall buy page.
Each specification after an upgrade cannot exceed the specification threshold of the current edition of Cloud Firewall. Each specification after a downgrade cannot be lower than the default specification in the current Cloud Firewall edition or lower than the quota that is consumed.
For example, if you use Cloud Firewall Ultimate Edition and the default value of Protected Public IP Addresses is 400, you cannot decrease Protected Public IP Addresses to a value less than 400 when you perform a downgrade.
Upgrade
Billing rules
If you perform an upgrade, you must pay the price difference for the upgrade. The price on the Cloud Firewall buy page shall prevail.
Upgrade the edition or specifications of Cloud Firewall
You can upgrade the edition and specifications of Cloud Firewall, and enable disabled features to use more advanced protection capabilities of Cloud Firewall. After an upgrade, the expiration time of Cloud Firewall remains unchanged.
Prerequisites
Before you perform an upgrade, you must view the current edition and the purchased specifications of Cloud Firewall, and determine whether to upgrade the edition or specifications of Cloud Firewall based on the following information: the quota consumption, costs, thresholds of the Cloud Firewall specifications, and your business requirements.
You can log on to the Cloud Firewall console and view the current edition and specifications of Cloud Firewall in the upper-right corner of the Overview page.
For more information about the specification thresholds in each edition of Cloud Firewall, see Subscription.
The following list provides suggestions on specific upgrade scenarios:
If the actual usage of both Protected Public IP Addresses and the protected bandwidth, such as Protected Internet Traffic, Protected Private Network Traffic of NAT Gateway, or Protected VPC Traffic, exceed the specification thresholds of the current edition of Cloud Firewall, we recommend that you upgrade the edition of Cloud Firewall to use more advanced protection capabilities of Cloud Firewall.
If the actual usage of Protected Public IP Addresses exceeds the specification that you purchased, but the maximum protected bandwidth does not exceed the purchased specification, we recommend that you increase the value of Protected Public IP Addresses.
If the actual usage of Protected Public IP Addresses does not exceed the specification that you purchased, but the maximum protected bandwidth exceeds the purchased specification, we recommend that you upgrade the protected bandwidth.
If the actual usage of Protected Public IP Addresses and the maximum protected bandwidth exceed the specifications that you purchased, the protection effect of Cloud Firewall may be affected and your assets may be attacked. To ensure that Cloud Firewall can provide continuous and effective security protection, we recommend that you check the specification usage on a regular basis and ensure that your quotas are sufficient.
Procedure
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, click Upgrade.
On the Upgrade/Downgrade page, view the specifications of the current edition and select an edition or specifications based on your business requirements.
You can also enable disabled features on the Upgrade/Downgrade page based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
After the payment is complete, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.
Temporarily upgrade the bandwidth
You can temporarily upgrade the protected bandwidth on an hourly basis, including Protected Internet Traffic, Protected VPC Traffic, and Protected Private Network Traffic of NAT Gateway. When the restoration time that you specified arrives, the new specifications that you specified during the temporary upgrade are automatically restored to the specifications before the upgrade. Bandwidth upgrade is a temporary solution to increase the specifications of the current edition of Cloud Firewall. However, the restoration time that you specify must be earlier than the expiration time of your Cloud Firewall. You cannot downgrade the specifications of Cloud Firewall.
If you upgrade the protected bandwidth by upgrading the specifications of Cloud Firewall before the restoration time, the protected bandwidth after the upgrade prevails. In this case, the temporary bandwidth upgrade becomes invalid.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose .
On the Temporary Upgrade page, specify each type of bandwidth and restoration time based on your business requirements.
Read and select Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
After the payment is complete, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.
Downgrade
If the specifications of Cloud Firewall exceed your business requirements, you can downgrade the specifications and disable unnecessary features to reduce costs. The following flowchart shows the downgrade process.
Billing rules
If you downgrade the edition or specifications of Cloud Firewall, the system calculates the price difference based on the usage duration and the specifications after the downgrade and provides a refund. The refund amount displayed on the Downgrade page shall prevail.
For more information about the rules for unsubscribing from Alibaba Cloud services, see Request a refund for the downgrade of resource specifications.
After you downgrade the specifications or unsubscribe from Cloud Firewall, you can perform the following operations to view the details of the refund: Log on to the Billing Management console. In the left-side navigation pane, click Orders.
Downgrade the specifications of Cloud Firewall
You can downgrade the following specifications: Protected Public IP Addresses, Protected Internet Traffic, NAT Firewall, Protected Private Network Traffic of NAT Gateway, Number of VPC Firewalls, Protected VPC Traffic, and Quota for Additional Policy.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose .
On the Downgrade page, downgrade the specifications of the current edition of Cloud Firewall based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.
Disable a feature
You can disable a feature that you no longer require on the Downgrade page. You can disable the following features: multi-account management, log analysis, and expert service. After you disable a feature, you can enable the feature by upgrading the specifications of Cloud Firewall. For more information, see Upgrade the edition or specification.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose .
On the Downgrade page, select No for the feature that you no longer require.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.
Downgrade the edition of Cloud Firewall
You can perform the following operations to downgrade the edition of Cloud Firewall:
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose .
On the Downgrade page, select the required edition based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
Change the billing method
After you change the billing method, Cloud Firewall uses the new billing method.
Precautions
The log audit data of Cloud Firewall that uses the pay-as-you-go billing method and the log audit data of Cloud Firewall that uses the subscription billing method are isolated. After you change the billing method, you cannot view the historical log audit data.
Before you change the billing method from subscription to pay-as-you-go, take note of the following items:
When you release Cloud Firewall, a transient connection that lasts several seconds may occur.
When you release Cloud Firewall, a transient connection that lasts several seconds may occur.
After you release Cloud Firewall, the configuration data of Cloud Firewall is retained for 15 days. The configuration data includes the configuration data of access control policies, protection policies, and traffic analysis policies. However, the data of log analysis is not retained. If you reactivate Cloud Firewall within 15 days after it is released, the original configuration data is retained. After the 15 days, the configuration data is deleted.
If you enabled virtual private clouds (VPC) firewalls or NAT firewalls, you must disable the VPC firewalls and NAT firewalls before you release Cloud Firewall. When you disable a firewall, a transient connection may occur due to a route switchover.
Before you change the billing method from pay-as-you-go to subscription, take note of the following items:
During the change, a transient connection that lasts several milliseconds may occur. We recommend that you change the billing method during off-peak hours.
When you change the billing method, make sure that the new specifications are the same as or higher than the existing specifications.
After the subscription billing method takes effect, some historical data changes.
The existing access control policies are not affected.
The historical data of intrusion events is deleted and cannot be restored.
The log audit data is recollected. You cannot view the historical data of log audit.
After the subscription billing method takes effect, you cannot change the billing method to pay-as-you-go.
Change the billing method from subscription to pay-as-you-go
You cannot directly change the billing method of Cloud Firewall from subscription to pay-as-you-go. If you want to change the billing method of Cloud Firewall from subscription to pay-as-you-go, you can release Cloud Firewall that uses the subscription billing method, and then purchase Cloud Firewall that uses the pay-as-you-go billing method.
Change the billing method from pay-as-you-go to subscription
If you change the billing method of Cloud Firewall from pay-as-you-go to subscription, bills before the change are generated and settled at 18:00 on the next day. After the change is complete, you are charged for Cloud Firewall based on the billable items of the subscription billing method. For more information, see Subscription.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, click Switch Billing Method from Pay-as-you-go to Subscription.
On the Switch Billing Method of Cloud Firewall from Pay-as-you-go to Subscription page, read Note and select I have read and understand the preceding note., and then click Confirm.
On the Cloud Firewall buy page, select an edition of Cloud Firewall based on your business requirements.
The subscription billing method takes effect after you complete the payment. All configurations of Cloud Firewall that uses the pay-as-you-go billing method remain unchanged before you complete the payment. After you complete the payment, you are charged for Cloud Firewall based on the subscription billing method.