Cloud Firewall can protect your services in the cloud and effectively defend against network attacks. Cloud Firewall also allows you to configure network security policies.
Network security control for enterprise-level data centers in the cloud
Cloud Firewall can help you protect data in the cloud in scenarios such as migrating enterprise workloads to the cloud and building large-sized data centers in the cloud. Cloud Firewall supports in-depth analysis of network-wide traffic, comprehensively defends against malicious Internet traffic, and allows you to configure custom access control policies.
Internet firewall
The Internet firewall controls the inbound and outbound traffic of all Internet-facing assets in a centralized manner at the Internet boundary. You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This helps reduce the exposures of Internet-facing assets on the Internet and the security risks of business traffic.
NAT firewall
When resources such as Elastic Compute Service (ECS) instances and elastic container instances in virtual private clouds (VPCs) directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic.
VPC firewall
A VPC firewall can help you monitor and control east-west traffic between VPCs or between a VPC and a data center that are connected by using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.
Internal firewall
Internal Firewall can be used to manage ECS security groups and control the inbound and outbound traffic of ECS instances in VPCs. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. Compliance checks and micro-segmentation visualization are supported for ECS security groups.
Advanced protection in hybrid clouds (data center and cloud) or DMZs
Cloud Firewall provides comprehensive traffic protection capabilities, including traffic protection for north-south traffic in demilitarized zones (DMZs) and east-west traffic between data centers and VPCs. This way, traffic between your data centers and cloud assets can be protected and communication between your hybrid cloud services can be secured. If your DMZs are deployed on the cloud, Cloud Firewall can also protect the security of traffic between DMZs and data centers.
Security protection for multi-account scenarios
To manage resources across multiple accounts and reduce security O&M costs, Cloud Firewall provides the multi-account management feature based on Resource Directory. After you enable the multi-account management feature, you can protect the resources of multiple accounts in the Cloud Firewall console in a centralized manner. This greatly improves the efficiency of security O&M and reduces costs. You can configure and manage security policies for multiple accounts in the Cloud Firewall console. You do not need to separately configure security policies for each account. You can also control the traffic security of VPCs across multiple accounts. You can monitor and manage the traffic of VPCs across multiple accounts in the Cloud Firewall console to ensure security at multiple network boundaries.
Security protection for scenarios that require strong protection such as major event protection
Cloud Firewall can block IP addresses or domain names in batches, trace attackers, and prevent attacks that are initiated by exploiting zero-day vulnerabilities to meet requirements for strong protection and security requirements for major events during special business periods.