Position of Cloud Firewall in the Alibaba Cloud architecture

Cloud Firewall provides the following types of firewalls:

  • Internet firewall: The Internet firewall is deployed in front of elastic IP addresses (EIPs) and serves as the first protection node for the outbound traffic from an EIP to the Internet. The Internet firewall is used to control the traffic of the EIPs. Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition support the Internet firewall.
  • VPC firewall: A virtual private cloud (VPC) firewall is deployed between VPCs to control the traffic of the private IP addresses of Elastic Compute Service (ECS) instances. Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls.
  • Internal firewall: An internal firewall serves as a security group to control inbound and outbound traffic between ECS instances. Cloud Firewall Enterprise Edition and Ultimate Edition support internal firewalls.

Relationship between Cloud Firewall and other security services such as WAF and Anti-DDoS Pro or Anti-DDoS Premium

The preceding figure shows the relationships between Cloud Firewall and other security services such as Web Application Firewall (WAF) and Anti-DDoS Pro or Anti-DDoS Premium. Cloud Firewall protects the origin IP addresses of both WAF instances and Anti-DDoS Pro or Anti-DDoS Premium instances.

Relationship between Cloud Firewall and CDN

When you use Cloud Firewall together with Alibaba Cloud Content Delivery Network (CDN), Cloud Firewall protects the origin IP addresses of CDN edge nodes.

Relationship between Cloud Firewall and OSS or ApsaraDB RDS

You cannot use Cloud Firewall together with Object Storage Service (OSS) or ApsaraDB RDS.

The default IP address whitelist contains only the IP address 127.0.0.1, which means that your RDS instance denies access from all IP addresses over the Internet or an internal network. You can configure a whitelist on the Data Security page of the ApsaraDB RDS console, or by using the ApsaraDB RDS API. After you update a whitelist, you do not need to restart your RDS instance, so your workloads are not interrupted.

If you use a self-managed RDS database that is deployed on an ECS instance, you can use VPC firewalls to protect the self-managed database. For more information, see Create an access control policy for a VPC firewall.