Cloud Firewall of Alibaba Cloud is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud.
Introduction
Cloud Firewall provides the following types of firewalls: Internet firewall, VPC firewall, and internal firewall.
Internet firewall
The Internet firewall is deployed at the Internet boundary and controls inbound and outbound traffic for all of your public IP addresses from one place.
Internal firewall
Internal firewalls are built on security groups and control communication between Elastic Compute Service (ECS) instances.
VPC firewall
VPC firewalls are deployed at the boundaries of VPCs to manage traffic over Cloud Enterprise Network (CEN) and Express Connect.
Scenarios
You can use the Internet firewall, internal firewalls, and VPC firewalls to manage access behavior in a fine-grained manner and build the following protection systems: Internet traffic protection, VPC protection, and instance protection.

- Cloud Firewall provides centralized access control. You can configure inbound and outbound access control policies that match on applications and domain names, not only on IP addresses and ports, which allows fine-grained control of Internet traffic.
- Cloud Firewall manages the traffic of all VPCs and regions in a centralized manner. You can use the monitor mode and address books to observe traffic first and then tighten your access control policies with little configuration.

- Cloud Firewall provides distributed access control. Internal firewalls are implemented on top of security groups and visualize internal network traffic, which lets you tune policies for traffic between ECS instances.
- Cloud Firewall also provides the monitor mode, blocked traffic analysis, and intelligent policy features to support this.
Recommended configurations
Cloud Firewall allows you to configure firewalls based on network boundaries to build multiple logical protection systems, which facilitates maintenance.
Internet traffic protection
If you want to protect only traffic over the Internet, you only need to configure inbound and outbound access control policies on the Internet firewall. For more information, see Create inbound and outbound access control policies for the Internet firewall.
Protection of traffic between ECS instances
If you want to protect traffic over the Internet and traffic between ECS instances, use the Internet firewall together with internal firewalls. You only need to configure access control policies on the Internet firewall and on the internal firewalls. For more information, see Create an access control policy for an internal firewall between ECS instances.
Protection of traffic between VPCs and traffic between VPCs and data centers
If you want to protect traffic over the Internet, traffic between VPCs, and traffic between VPCs and data centers, use the Internet firewall together with VPC firewalls. You need to configure access control policies on the Internet firewall and on the VPC firewalls. For more information, see Create an access control policy for a VPC firewall.
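Each of the three configurations above comes down to an ordered list of inbound and outbound access control policies that is evaluated first-match. The following Python is an added example, not Alibaba Cloud's code or API: it models a small policy set with fields loosely modeled on the parameter names of the Cloud Firewall AddControlPolicy API (Direction, Source, Destination, Proto, DestPort, AclAction, Order), evaluates sample flows first-match, and flags any policy that an earlier, broader policy fully covers and therefore can never fire. The address-book names, CIDRs, policy names and the default-accept behaviour when no policy matches are all constructed assumptions for the example; shadowed policies are the kind of thing the monitor mode and blocked traffic analysis are meant to surface before you rely on a policy set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address books (names and ranges are hypothetical, IPv4 only).
ADDRESS_BOOKS = {
    "web-frontends": ["10.0.1.0/24"],
    "office-egress": ["203.0.113.0/24"],
}
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Policy:
    name: str
    order: int          # evaluation priority: lower values are checked first
    direction: str      # "in" or "out" (Internet firewall inbound/outbound)
    source: str         # CIDR or address-book name
    destination: str    # CIDR or address-book name
    proto: str          # "ANY", "TCP", "UDP" or "ICMP"
    dest_port: str      # "lo/hi"; "0/0" means any port
    action: str         # "accept", "drop" or "log" (log = monitor: allow and record)


def _networks(ref):
    """Expand an address-book name to its networks, or parse a bare CIDR."""
    return [ip_network(c) for c in ADDRESS_BOOKS.get(ref, [ref])]


def _ip_in(ip, ref):
    addr = ip_address(ip)
    return any(addr in net for net in _networks(ref))


def _ports(spec):
    lo, hi = (int(p) for p in spec.split("/"))
    return (0, 65535) if (lo, hi) == (0, 0) else (lo, hi)


def matches(p, direction, src, dst, proto, port):
    lo, hi = _ports(p.dest_port)
    return (p.direction == direction and p.proto in ("ANY", proto)
            and _ip_in(src, p.source) and _ip_in(dst, p.destination)
            and lo <= port <= hi)


def evaluate(policies, direction, src, dst, proto, port, default="accept"):
    """First-match evaluation in ascending order. Returns (action, policy name);
    `default` applies when nothing matches (assumed accept for this example)."""
    for p in sorted(policies, key=lambda x: x.order):
        if matches(p, direction, src, dst, proto, port):
            return p.action, p.name
    return default, None


def _covers(a, b):
    """True if every flow that policy b matches is also matched by policy a."""
    if a.direction != b.direction or a.proto not in ("ANY", b.proto):
        return False
    alo, ahi = _ports(a.dest_port)
    blo, bhi = _ports(b.dest_port)
    if not (alo <= blo and bhi <= ahi):
        return False

    def nets_covered(ra, rb):
        return all(any(nb.subnet_of(na) for na in _networks(ra)) for nb in _networks(rb))

    return nets_covered(a.source, b.source) and nets_covered(a.destination, b.destination)


def shadowed(policies):
    """(shadowed policy, shadowing policy) pairs: a later policy fully covered
    by a higher-priority one never fires, which usually means the order is wrong."""
    ordered = sorted(policies, key=lambda x: x.order)
    return [(b.name, a.name) for i, b in enumerate(ordered)
            for a in ordered[:i] if _covers(a, b)]


# Constructed policy set: allowlist with a final deny in each direction. The SSH
# policy sits below the inbound deny-all and is therefore dead configuration.
POLICIES = [
    Policy("allow-https", 1, "in", ANY, "web-frontends", "TCP", "443/443", "accept"),
    Policy("deny-all-in", 2, "in", ANY, ANY, "ANY", "0/0", "drop"),
    Policy("allow-ssh-ops", 3, "in", "198.51.100.0/24", "web-frontends", "TCP", "22/22", "accept"),
    Policy("allow-egress-443", 10, "out", "web-frontends", "office-egress", "TCP", "443/443", "accept"),
    Policy("deny-all-out", 11, "out", ANY, ANY, "ANY", "0/0", "drop"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "in", "198.51.100.7", "10.0.1.10", "TCP", 443))
    print(evaluate(POLICIES, "in", "198.51.100.7", "10.0.1.10", "TCP", 22))
    print("shadowed:", shadowed(POLICIES))
```

Running the checks above shows HTTPS to the web frontends accepted by allow-https, SSH from the ops range dropped by deny-all-in even though a later policy was meant to allow it, and shadowed() reporting allow-ssh-ops as covered by deny-all-in; moving the SSH policy above the deny-all fixes it. The same evaluation order applies whether the policies live on the Internet firewall, an internal firewall, or a VPC firewall.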
Protection scope
Cloud Firewall can protect the following cloud assets or traffic:
The Internet firewall can protect the north-south traffic of the following assets: public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of CLB instances, EIPs of CLB instances, EIPs of ALB instances, EIPs of NLB instances, high-availability virtual IP addresses (HAVIPs), EIPs (including L2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, IPv6 addresses of SLB instances, IPv6 addresses of ECS instances, and IP addresses of bastion hosts.
A virtual private cloud (VPC) firewall can protect east-west traffic.
A VPC firewall that is created for an Enterprise Edition transit router can protect the following types of traffic:
Traffic between VPCs in the same region
Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router
Traffic between a VPC and a VBR or a data center
Traffic between a VPC and a Cloud Connect Network (CCN) instance
Traffic between VBRs
Traffic between a VBR and a CCN instance
A VPC firewall that is created for a Basic Edition transit router can protect the following types of traffic:
Traffic between VPCs in the same region
Traffic between cross-region VPCs that are connected by using a Basic Edition transit router
Traffic between a VPC and a VBR or a data center
Traffic between a VPC and a CCN instance
A VPC firewall that is created for an Express Connect circuit can protect the following types of traffic:
Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account
Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region
An internal firewall can protect traffic between ECS instances.
Editions
Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, and Ultimate Edition. Cloud Firewall that uses the pay-as-you-go billing method is also supported. The following table describes the differences among the editions. For more information about the protection capabilities that are supported by different editions of Cloud Firewall, see Functions and features.
| Edition | Description | Billing method |
| --- | --- | --- |
| Free Edition | Cloud Firewall Free Edition provides basic security check capabilities. You can use features such as security group check, classified protection compliance check, and asset exception notification. | Free. If your Alibaba Cloud account has cloud assets that can be protected, you can use Cloud Firewall Free Edition to protect the assets without the need to purchase Cloud Firewall. |
| Pay-as-you-go | Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall. | Pay-as-you-go. This billing method is ideal for scenarios in which your resource usage frequently fluctuates and your business has short-term requirements on resources. It allows you to purchase, upgrade, or release Cloud Firewall at any time. |
| Premium Edition | Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and prevention for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification. | Subscription. Compared with the pay-as-you-go billing method, the subscription billing method allows you to reserve resources and reduce costs at discounted rates. It is ideal for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time. |
| Enterprise Edition | Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification. Enterprise Edition offers all capabilities of Premium Edition and adds value-added services such as visualization, network security defense across VPCs, and centralized management of security groups. | Subscription. |
| Ultimate Edition | Cloud Firewall Ultimate Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification. Ultimate Edition offers all capabilities of Enterprise Edition with higher protection specifications. | Subscription. |
Free trial
The first time you purchase Cloud Firewall, you can use the free trial of Cloud Firewall Premium Edition. For more information, see Free trial for new users.
Compliance
Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry, and the Payment Card Industry Data Security Standard (PCI DSS).
Contact us
If you have questions about the features, prices, and specifications of Cloud Firewall when you purchase Cloud Firewall, or if you want to apply for a trial of Cloud Firewall, you can join DingTalk group 33081734 for technical support.