All Products
Document Center

Cloud Firewall:Use the multi-account management feature

Last Updated:Dec 22, 2023

Cloud Firewall allows you to manage multiple Alibaba Cloud accounts in a resource directory based on the trusted services of Alibaba Cloud Resource Directory. Each Alibaba Cloud account in a resource directory is a member. You can specify a member as a delegated administrator account to access the resources of all members in the resource directory. This way, you can manage the resources in a centralized manner. This topic describes how to use the multi-account management feature.


  • If you want to add more than one member, you must upgrade the specifications of your Cloud Firewall by modifying Managed Members based on your business requirements. For more information, see Subscription.

  • The feature allows you to manage only the following resources of members: Internet firewalls, virtual private cloud (VPC) firewalls, NAT firewalls, and assets that are protected by secure forward proxies.

  • Members that are added for centralized management cannot be used to purchase Cloud Firewall. The asset traffic of the members is also managed in a centralized manner.


Cloud Firewall Premium Edition, Enterprise Edition, or Ultimate Edition is purchased. Other editions of Cloud Firewall do not support the multi-account management feature.


Before you can use the feature, you must enable a resource directory, specify a delegated administrator account, and invite members. Then, you can use the feature to add multiple members for centralized management.

Step 1: Enable a resource directory

You must use an Alibaba Cloud account that has passed enterprise real-name verification to enable a resource directory. An account that has passed only individual real-name verification cannot be used to enable a resource directory. You can use two methods to enable a resource directory. The management account that you obtain after you enable a resource directory varies based on the method that you use. For more information, see Enable a resource directory.

Step 2: Invite members

After an Alibaba Cloud account is invited to join a resource directory, the account becomes a member of the resource directory. You can specify the invited member as a delegated administrator account. For more information, see Invite an Alibaba Cloud account to join a resource directory.

If no accounts are available for you to invite, you can directly create a member. For more information, see Create a member.

Step 3: Add a delegated administrator account

Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This meets security-related requirements. You can add and use a delegated administrator account to access the Multi-account Management page of the Cloud Firewall console and perform management operations within the resource directory. For more information, see Manage a delegated administrator account.

Step 4: Add members

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Settings > Multi-account Management.

  3. On the Multi-account Management page, click Add Member.

  4. In the Add Member dialog box, select members from the Available Members section and add the members to the Selected Members section.

  5. In the Selected Members section, select the required members and click OK.


    After you add multiple members, you can view the details of each account and delete an added member in the member list. The details include the UID and name of each account. You can also perform the following operations on the Firewall Settings page: view the cloud assets within an added member, and enable or disable protection for the cloud assets.


By default, Cloud Firewall can access the resources of a member after it is added. If you want to use a VPC firewall to protect the VPCs that are attached to a Cloud Enterprise Network (CEN) instance and the VPCs are created by different Alibaba Cloud accounts from the one used to purchase Cloud Firewall, you must manually authorize Cloud Firewall to access the cloud resources within the Alibaba Cloud accounts to which the VPCs belong. For more information, see Authorize Cloud Firewall to access other cloud resources.


Use Cloud Firewall to centrally manage enterprise users