Cloud Firewall helps you isolate and protect your workloads in the cloud so that you can secure your business and meet compliance requirements. This topic describes how to design security domains for isolation, how to select a Cloud Firewall edition, and which assets Cloud Firewall can protect, so that you get the most out of the service.
Why is Cloud Firewall required for isolating and protecting security domains in the cloud?
After an enterprise migrates its business to the cloud, its security domains usually remain in their default state because of factors such as the business type, the network scale, and how the business is managed. As the business grows, the network architecture becomes disorganized: for example, ports that the business does not require are exposed to the Internet, and internal communication is granted excessive permissions. If a single system is compromised, these weaknesses let the intrusion spread to other systems.
A network security domain is similar to a hotel: guests stay on different floors and in different rooms without interfering with each other. In a real IT environment, servers that host databases and web servers that serve clients are at different security levels, as are servers in the test environment and servers in the production environment. You must therefore classify the security domains of your business assets by aspects such as function and communication relationships.
How to design security domains for isolation
By business, enterprise workloads fall into Internet-facing services and internal systems. By system, they fall into production zones, development and testing zones, and shared zones. You can use Cloud Firewall to isolate and protect these zones as separate security domains.
Security design for inbound Internet traffic
Design principles: Ensure flexibility, automatic scaling, and security.
Design suggestions:
Configure the Internet firewall to control inbound and outbound Internet traffic. For Internet-facing services, use Cloud Firewall together with Web Application Firewall (WAF) and Anti-DDoS.
Optional. Place demilitarized zones (DMZs) in dedicated virtual private clouds (VPCs). Combine the VPCs with elastic IP addresses (EIPs), Server Load Balancer (SLB) instances, and the public IP addresses of Elastic Compute Service (ECS) instances to protect inbound Internet traffic.
Security design for outbound Internet traffic
Design principles: Ensure flexibility, automatic scaling, and security.
Design suggestions:
Configure the Internet firewall to control outbound traffic from public IP addresses, and configure NAT firewalls to control outbound traffic that private-IP instances send to the Internet through NAT gateways.
Optional. Use separate VPCs for demilitarized zones. Combine the VPCs with EIPs and NAT gateways to protect outbound Internet traffic.
Security design for cloud business interconnections
Design principles: Implement environmental isolation and ensure required connectivity and security.
Design suggestions:
Configure Cloud Enterprise Network (CEN) instances. We recommend that you associate Enterprise Edition transit routers with VPCs to implement interconnection for network instances in the cloud, or associate Enterprise Edition transit routers with virtual border routers (VBRs) to implement cross-cloud interconnection and access.
Configure VPC firewalls to enforce access control from Layer 4 to Layer 7 on traffic between VPCs or between clouds, block lateral movement, and audit and trace the traffic.
Configure internal firewalls to implement microsegmentation in VPCs.
Security design for communication between cloud services and data centers
Design principles: Implement communication between cloud services and data centers and ensure security.
Design suggestions:
Connect data centers to VPCs by attaching VBRs to CEN instances or by using Express Connect circuits.
Configure VPC firewalls to detect unusual traffic between data centers and VPCs, control traffic from Layer 4 to Layer 7, and block lateral movement. You can also audit the traffic logs.
For subsidiaries of large groups, the security domains of the production network are divided into group security domains and subsidiary security domains. Group security domains are further divided into Internet-facing production zones, internal production zones, and demilitarized zones. The internal production network is divided by business type into general business, core business, and database security domains.
For most small enterprises, security domains are divided by business type, function, and network communication relationships into domains such as general business, core business, data, and Direct Messaging Application (DMA) security domains.
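The design above reduces to an allowed-flow matrix between security domains: Internet to DMZ on the published port only, DMZ to core business, core business to database, and no traffic between the test environment and production. The following added example (not Alibaba Cloud code) audits a firewall rule set against such a matrix and reports the three failure modes described earlier: unneeded Internet exposure, excessive internal permissions, and test-to-production crossings. The address plan, the matrix, the rule set, and the field names (which loosely follow Cloud Firewall access control policy attributes such as source, destination, proto, dest_port, and acl_action) are all assumptions constructed for illustration.

```python
"""Audit a Cloud Firewall-style access control rule set against a
security-domain design.  Added example, not Alibaba Cloud code: the address
plan, the allowed-flow matrix and the rule set are constructed assumptions."""
import ipaddress

# Assumed address plan for the security domains.  Any address that falls
# outside these ranges is treated as the Internet.
DOMAINS = {
    "dmz":      ipaddress.ip_network("10.10.0.0/24"),   # Internet-facing zone
    "app_core": ipaddress.ip_network("10.20.0.0/24"),   # core business zone
    "db":       ipaddress.ip_network("10.30.0.0/24"),   # database zone
    "test":     ipaddress.ip_network("10.90.0.0/16"),   # development/testing
}

# The only inter-domain flows the design permits.  ("ANY", None) means any
# protocol and port; everything not listed is expected to be denied.
ALLOWED = {
    ("internet", "dmz"): {("TCP", 443)},
    ("dmz", "app_core"): {("TCP", 8080)},
    ("app_core", "db"):  {("TCP", 3306)},
    ("test", "test"):    {("ANY", None)},
}


def domain_of(cidr):
    """Map a CIDR to the security domain that contains it, else 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, dom in DOMAINS.items():
        if dom.version == net.version and dom.supernet_of(net):
            return name
    return "internet"


def port_range(spec):
    """Parse '443' or 'start/end' (the port-range notation assumed here)."""
    lo, _, hi = spec.partition("/")
    return int(lo), int(hi or lo)


def flow_allowed(src_dom, dst_dom, proto, lo, hi):
    """True if every port in lo..hi for this protocol is in the matrix."""
    allowed = ALLOWED.get((src_dom, dst_dom), set())
    if ("ANY", None) in allowed:
        return True
    if proto == "ANY":
        return False            # protocol wildcards are never in the matrix
    return all((proto, p) in allowed for p in range(lo, hi + 1))


def classify(src_dom, dst_dom):
    """Name the failure mode an unexpected accept rule represents."""
    if src_dom == "internet":
        return "Internet exposure"
    if (src_dom == "test") != (dst_dom == "test"):
        return "Environment crossing"
    return "Excess internal permission"


def audit(rules):
    """Return one finding per accept rule that is not in the flow matrix.
    Deny rules are skipped: only permitted traffic widens the attack surface."""
    findings = []
    for r in rules:
        if r["acl_action"] != "accept":
            continue
        src_dom, dst_dom = domain_of(r["source"]), domain_of(r["destination"])
        lo, hi = port_range(r["dest_port"])
        if not flow_allowed(src_dom, dst_dom, r["proto"], lo, hi):
            findings.append(
                f"{classify(src_dom, dst_dom)}: '{r['description']}' "
                f"{src_dom}->{dst_dom} {r['proto']} {r['dest_port']}")
    return findings


# Constructed rule set (assumption): field names loosely follow Cloud
# Firewall access control policy attributes.
SAMPLE_RULES = [
    {"description": "web-in", "source": "0.0.0.0/0", "destination": "10.10.0.0/24",
     "proto": "TCP", "dest_port": "443", "acl_action": "accept"},
    {"description": "ssh-in", "source": "0.0.0.0/0", "destination": "10.10.0.0/24",
     "proto": "TCP", "dest_port": "22", "acl_action": "accept"},
    {"description": "dmz-to-app", "source": "10.10.0.0/24", "destination": "10.20.0.0/24",
     "proto": "TCP", "dest_port": "8080", "acl_action": "accept"},
    {"description": "app-to-db", "source": "10.20.0.0/24", "destination": "10.30.0.0/24",
     "proto": "TCP", "dest_port": "3306", "acl_action": "accept"},
    {"description": "dmz-to-db-any", "source": "10.10.0.0/24", "destination": "10.30.0.0/24",
     "proto": "ANY", "dest_port": "0/65535", "acl_action": "accept"},
    {"description": "test-to-prod-db", "source": "10.90.0.0/16", "destination": "10.30.0.0/24",
     "proto": "TCP", "dest_port": "3306", "acl_action": "accept"},
    {"description": "rdp-in-drop", "source": "0.0.0.0/0", "destination": "10.10.0.0/24",
     "proto": "TCP", "dest_port": "3389", "acl_action": "drop"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Run against the constructed rule set, the audit flags the SSH rule open to the Internet, the any-protocol rule from the DMZ straight to the database zone, and the rule that lets the test network reach the production database; the web, DMZ-to-app, and app-to-db rules pass, and the drop rule is ignored. Extending the matrix rather than the check is the intended way to approve a new flow, so the matrix doubles as documentation of the communication relationships.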
Editions
What is Cloud Firewall?
For more information, see What is Cloud Firewall? and Common scenarios.
How to select a Cloud Firewall edition
Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and a pay-as-you-go edition. Pay-as-you-go savings plans are available for the pay-as-you-go edition. The editions differ in the features they provide, the assets they protect, and the additional specifications they support. The following section describes how to select an edition. For more information, see Functions and features.
How to select an edition
Pay-as-you-go (including pay-as-you-go savings plans): The pay-as-you-go edition lets you use resources first and pay for them afterwards. You can also buy pay-as-you-go savings plans to reduce costs.
The pay-as-you-go edition suits scenarios in which your workload fluctuates frequently or you need resources only for a short time.
The pay-as-you-go edition suits small and medium-sized enterprises that have fewer than 10 public assets or whose network traffic is below 10 Mbit/s.
Subscription: Premium Edition, Enterprise Edition, and Ultimate Edition use the subscription billing method, in which you pay for resources before you use them. Subscription lets you reserve resources to protect a large number of assets.
Subscription suits enterprises that can estimate how long they will use the resources and whose resource usage stays relatively flat.
Subscription suits enterprises that have more than 10 public assets or whose network traffic exceeds 10 Mbit/s.
| Protected public IP addresses | Protected VPCs | Quota for multi-account management | Recommended Cloud Firewall edition |
| --- | --- | --- | --- |
| 1 to 1,000 | None | Not supported | Pay-as-you-go edition |
| 20 to 1,000 | None | 1 to 20 accounts | Premium Edition |
| 50 to 2,000 | 2 to 200 | 1 to 50 accounts | Enterprise Edition |
| 400 to 4,000 | 5 to 500 | 1 to 1,000 accounts | Ultimate Edition |

Core feature of multi-account management: manage assets that belong to other Alibaba Cloud accounts. This feature is supported by Premium Edition (1 to 20 accounts), Enterprise Edition (1 to 50 accounts), and Ultimate Edition (1 to 1,000 accounts), and is not supported by the pay-as-you-go edition.
Protection scope of Cloud Firewall
| Protection scope | Description | References |
| --- | --- | --- |
| Cloud assets and traffic | Cloud Firewall can protect the following cloud assets or traffic: Note: Cloud Firewall does not support traffic redirection for a small number of Internet-facing SLB instances because of the historical network architecture. We recommend that you associate EIPs with internal-facing SLB instances instead, so that the traffic is redirected to Cloud Firewall for protection. | |
| Cloud network type | | - |
| Region | Regions that are supported by Cloud Firewall. | |