This topic covers the billable items for the legacy billing method 1.0, the main differences between versions 1.0 and 2.0, and instructions for upgrading.
Starting October 15, 2025, Cloud Firewall will introduce billing method 2.0, which will become the default for new purchases. Existing users can continue to use billing method 1.0 or choose to upgrade to 2.0. To check your current billing method, go to the Overview page in the Cloud Firewall console. If you see an option to upgrade to billing method 2.0, you are using version 1.0.
Subscription 1.0
Billing
Important update: Starting October 15, 2025, only the Enterprise and Ultimate editions of the subscription plan support the threat intelligence feature in IPS configurations. The Premium Edition no longer supports this feature.
Scope: The traffic or cloud assets mentioned in the billable items refer to the combined total from your primary account and all its member accounts.
Excess usage: If your service traffic exceeds the processing capacity of your Cloud Firewall instance, the Service-Level Agreement (SLA) is not guaranteed. This may cause security features (for example, access control, IPS, or log audit) to fail, the firewall to be disabled for the assets with the highest excess traffic, or packets to be lost due to rate limiting.
If your service traffic may exceed the limit, see Pay-as-you-go for elastic traffic of subscription instances.
Features and billable items | Premium edition | Enterprise edition | Ultimate edition | Description | |
Base price | USD 420/month | USD 1,450/month | USD 3,900/month | The base price includes only the default specifications. It does not include add-ons or capacity expansions. | |
Subscription duration | Available subscription durations: 1 month, 3 months, 6 months, 1 year, 2 years, and 3 years. | N/A | |||
Internet firewall | Number of protectable public IP addresses | The base price includes 20 addresses. You can increase the number to a value from 20 to 1,000. | The base price includes 50 addresses. You can increase the number to a value from 50 to 1,000. | The base price includes 400 addresses. You can increase the number to a value from 400 to 1,000. | The number of public IP addresses that the internet firewall protects. Expansion fee: USD 7/IP address/month |
Public internet traffic processing capability | The base price includes 10 Mbps. You can increase the bandwidth to a value from 10 Mbps to 5,000 Mbps. | The base price includes 50 Mbps. You can increase the bandwidth to a value from 50 Mbps to 5,000 Mbps. | The base price includes 200 Mbps. You can increase the bandwidth to a value from 200 Mbps to 15,000 Mbps. | The peak bandwidth of protected internet traffic. The billable bandwidth is the greater of the inbound or outbound traffic. Expansion fee: USD 7/Mbps/month. If the expandable bandwidth range does not meet your needs, contact your account manager. | |
NAT firewall | Number of NAT firewall instances | Not included in the base price. You can add 1 to 20 instances. | The base price includes 1 instance. You can increase the number to a value from 1 to 100. | The base price includes 2 instances. You can increase the number to a value from 2 to 1,000. | The number of NAT firewalls you can create. Each NAT Gateway instance corresponds to one NAT firewall. Expansion fee: USD 32/instance/month. |
NAT private network traffic processing capability | Not included in the base price. You can expand the bandwidth to a value from 5 Mbps to 1,000 Mbps. | The base price includes 10 Mbps. You can increase the bandwidth to a value from 10 Mbps to 5,000 Mbps. | The base price includes 20 Mbps. You can increase the bandwidth to a value from 20 Mbps to 10,000 Mbps. | The peak bandwidth of protected traffic from private network assets to the internet. Expansion fees:
| |
VPC firewall | Number of VPC firewall instances | Not supported | The base price includes 2 instances. You can increase the number to a value from 2 to 100. | The base price includes 5 instances. You can increase the number to a value from 5 to 200. | The number of VPC firewalls that you can create. Expansion fee: USD 300/instance/month |
VPC traffic processing capability | Not supported | The base price includes 200 Mbps. You can increase the bandwidth to a value from 200 Mbps to 5,000 Mbps. | The base price includes 1,000 Mbps. You can increase the bandwidth to a value from 1,000 Mbps to 10,000 Mbps. | The peak total bandwidth of traffic between VPCs that can be protected. Expansion fee: USD 7.5/10 Mbps. If your service requires more than 10 Gbps of traffic, you must contact your account manager one month in advance. | |
Common capabilities for all firewalls | Elastic traffic processing capability | Not included in the base price. You can enable it on demand. | Not included in the base price. You can enable it on demand. | Not included in the base price. You can enable it on demand. | After you enable this feature, you receive a daily quota of 10 GB of free excess elastic traffic. You are charged for usage that exceeds 10 GB. Fees for the previous day are calculated and settled at 18:00 (UTC+8) each day. Price: USD 0.06/GB. For more information about pay-as-you-go billing for excess elastic traffic, see Pay-as-you-go for elastic traffic of subscription instances. You can use this feature with pay-as-you-go savings plans to reduce costs. |
Sensitive Data Leak Detection | 100 GB included (free) after activation | 300 GB included (free) after activation | 500 GB included (free) after activation |
| |
Access control policy quota If the default access control policy quota for your edition is insufficient, you can purchase an additional policy quota. This quota is shared by internet firewalls, NAT firewalls, and VPC firewalls. | Included policy quota:
Additional policy quota range: 0 to 100,000. | Included policy quota:
Additional policy quota range: 0 to 200,000. | Included policy quota:
Additional policy quota range: 0 to 300,000 | Fees for additional policy quotas:
Note: For more information about how policy quotas are calculated, see Policy quota calculation. | |
Log storage capacity for log analysis | Not included in the base price. You can expand the capacity to a value from 1,000 GB to 100,000 GB. | Not included in the base price. You can expand the capacity to a value from 1,000 GB to 100,000 GB. | Not included in the base price. You can expand the capacity to a value from 1,000 GB to 100,000 GB. | Cloud Firewall stores audit logs for 7 days by default. These logs include event logs, traffic logs, and operation logs. To store logs for a longer period or to meet compliance requirements, enable the log analysis feature. Expansion fee for log analysis storage capacity: USD 80/1,000 GB/month. | |
Multi-account management | Includes a free quota of 1,000. | Includes a free quota of 1,000. | Includes a free quota of 1,000. | To increase the quota, contact your account manager. | |
Billing example
An enterprise has 60 public IP addresses in its Alibaba Cloud account. The enterprise purchases a 6-month Cloud Firewall Enterprise Edition subscription and increases the protected internet traffic bandwidth to 60 Mbps.
The total fee is calculated as follows: (USD 1,450 + 10 additional public IP addresses × USD 7 + 10 Mbps additional bandwidth × USD 7) × 6
Pay-as-you-go 1.0
Billing
For a pay-as-you-go Cloud Firewall instance, billing is based on the actual number of protected assets and the amount of processed traffic. Fees for the previous day's usage are calculated and deducted from your account on the following day.
The formula for calculating the fees for a pay-as-you-go Cloud Firewall instance is:
The daily bill is the sum of the following fees: public IP address configuration, internet traffic processing, NAT firewall instance, NAT firewall traffic processing, VPC firewall instance, and VPC firewall traffic processing.
Important update: Starting December 1, 2025, the configuration fee for public IP addresses for internet firewalls will increase from USD 0.008/IP address/hour to USD 0.014/IP address/hour. In addition, the threat intelligence feature in IPS configurations will no longer be supported. To use this feature, you must upgrade to pay-as-you-go 2.0.
Minimum billing unit: The minimum billing unit for a pay-as-you-go Cloud Firewall instance is one hour. Usage for less than one hour is billed as one full hour. For example, usage from 15:55 to 16:05 is billed as two hours because the usage spans two separate one-hour billing periods (15:00-16:00 and 16:00-17:00).
Overdue payments: If your account balance is insufficient and a payment is overdue by more than 15 days, your pay-as-you-go Cloud Firewall instance is automatically released. If no assets are protected for more than 30 consecutive days, Cloud Firewall automatically disables the corresponding border firewall modules.
Firewall type | Billable item | Unit price | Description |
Internet firewall | Public IP address configuration fee | USD 0.014/IP address/hour | Billed daily based on the number of public IP addresses with protection enabled. Daily public IP address configuration fee = Number of protected public IP addresses × Unit price of public IP address configuration |
Internet traffic processing fee | USD 0.06/GB | Billed daily based on the volume of internet traffic processed by the firewall. Daily internet traffic processing fee = (Processed outbound traffic + Processed inbound traffic) × Unit price per GB of traffic | |
NAT firewall | NAT firewall instance fee | USD 0.06/instance/hour | Billed based on the number of NAT firewall instances created on a given day. Daily NAT firewall instance fee = Number of enabled NAT firewalls × Unit price per NAT firewall instance. Note: This is based on the number of NAT firewall instances created. Each NAT Gateway instance corresponds to one NAT firewall instance. For more information, see NAT firewall. |
NAT firewall traffic processing fee | USD 0.06/GB | Billed based on the actual amount of private network traffic processed by the NAT firewall on a given day. Daily NAT firewall traffic processing fee = Processed outbound traffic × Unit price per GB of traffic | |
VPC firewall | VPC firewall instance fee | USD 0.39/instance/hour | Billed based on the number of VPC firewall instances created on a given day. Daily VPC firewall instance fee = Number of enabled VPC firewalls × Unit price per VPC firewall instance. Note: The number of VPC firewall instances depends on your network architecture:
For more information, see VPC firewall. |
VPC firewall traffic processing fee | USD 0.06/GB | Billed based on the actual amount of traffic processed by the VPC firewall on a given day. Daily VPC firewall traffic processing fee = Processed outbound traffic × Unit price per GB of traffic | |
Common capabilities | Sensitive Data Leak Detection | Free within the default quota. After the quota is used up, the fee is USD 0.02/GB. |
|
Access control policy expansion | Free within the default quota. After the quota is used up, the fee is USD 0.003/100 policies/hour. |
|
The default specifications for a pay-as-you-go Cloud Firewall instance are as follows:
Number of protected public IP addresses: A maximum of 1,000 public IP addresses can be protected.
Traffic for Sensitive Data Leak Detection: 100 GB per month is included for free after you enable the feature.
Default access control policy quota:
Internet firewall: 2,000
NAT firewall: 2,000
VPC firewall: 10,000
For more information about how policy quotas are calculated, see Policy quota calculation.
Peak traffic processing bandwidth: Up to 5 Gbps.
Note: Cloud Firewall does not guarantee security for traffic that exceeds the peak bandwidth. You can view the firewall status on the Firewall page in the Cloud Firewall console. If the Firewall Status is Protected, your asset traffic is protected. If the Firewall Status is Unprotected, your asset traffic bypasses the firewall and is not protected or billed.
A pay-as-you-go Cloud Firewall instance automatically synchronizes your assets and detects their protection status in real time. If the system detects that no assets have been protected by your instance for a continuous period of 1 to 30 days, it sends you a notification.
Note: If no assets are protected for more than 30 consecutive days, Cloud Firewall automatically disables the relevant internet firewall, NAT firewall, or VPC firewall modules, and other related modules are reset to their initial state. You can re-enable the modules when needed. For more information, see internet firewall, NAT firewall, or VPC firewall.
Billing examples
Scenario | Hourly bill |
You have a pay-as-you-go Cloud Firewall instance but have not enabled protection for any cloud assets. | USD 0 |
You have a pay-as-you-go Cloud Firewall instance and have enabled protection for the public IP addresses of two cloud assets. The processed inbound and outbound traffic is about 1 GB per hour. You have not enabled a NAT firewall. | 2 × USD 0.014 + 1 GB × USD 0.06/GB = USD 0.088 |
You have a pay-as-you-go Cloud Firewall instance and have enabled protection for the public IP addresses of two cloud assets. The processed inbound and outbound traffic is about 1 GB per hour. You have also enabled one NAT firewall, and the processed private network traffic is about 0.5 GB per hour. | 2 × USD 0.014 + 1 GB × USD 0.06/GB + 1 × USD 0.06 + 0.5 GB × USD 0.06/GB = USD 0.178 |
Differences between billing 1.0 and 2.0
Subscription
Simplified billable items: In billing method 2.0, instance and traffic fees are unified across different firewall types. Internet firewalls are now billed based on the number of protected regions instead of public IP addresses. The Premium, Enterprise, and Ultimate editions include 1, 3, and 5 firewall instances, respectively. You can expand the number of instances and bandwidth.
Feature changes: Compared to version 1.0, version 2.0 offers more bandwidth per edition, introduces tiered pricing for bandwidth expansion, and enables the elastic traffic feature by default (it cannot be disabled). It also increases the minimum storage capacity for log analysis and charges a feature fee for Sensitive Data Leak Detection.
Bandwidth calculation change: Internet firewall bandwidth is now calculated as the sum of inbound and outbound traffic, not the greater of the two values.
Waived fees: In billing method 2.0, fees for internet firewall public IP address configuration and access control policy expansion are waived.
Pay-as-you-go
Simplified billable items: In billing method 2.0, instance and traffic fees are unified across different firewall types. The instance fee is USD 0.36/instance/hour, and the traffic fee is USD 0.06/GB. Internet firewalls are billed based on the number of protected regions, not public IP addresses.
Log analysis change: In billing method 2.0, log analysis fees are billed by Cloud Firewall instead of Simple Log Service (SLS). The fee is USD 0.3/TB/hour. If log analysis was enabled before the upgrade, you are charged for a default storage capacity of 1 TB after the upgrade. You can adjust the storage capacity in the console later.
Bandwidth calculation change: The bandwidth for an internet firewall is now calculated as the sum of inbound and outbound traffic, instead of the previous method of using the greater of the two values.
Waived fees: In billing method 2.0, fees for internet firewall public IP address configuration and access control policy expansion are waived. You can configure up to 10,000 access control policies.
Upgrade billing from 1.0 to 2.0
Upgrade impact
After you upgrade to billing method 2.0, you cannot revert to 1.0. We recommend that you fully understand the billing rules and the impact of the upgrade before you proceed.
If you are using a subscription 1.0 instance, note the following:
Subscription 2.0 and subscription 1.0 are independent Cloud Firewall instances. To upgrade to version 2.0, you must first purchase a subscription 2.0 instance. After you confirm the purchase, promptly unsubscribe from the subscription 1.0 instance. If both subscription 2.0 and 1.0 instances exist in your account, the Cloud Firewall Overview page prompts you to unsubscribe from the 1.0 instance.
Important: Strictly follow the purchase-then-unsubscribe procedure. If you unsubscribe from the 1.0 instance before purchasing a 2.0 instance, your configuration data is lost.
The upgrade process does not affect your services. Your Cloud Firewall configurations, including the Automatic Protection for New Assets status, are automatically migrated to the 2.0 instance.
If you are using a pay-as-you-go 1.0 instance, note the following:
Fees incurred on the day of the upgrade to 2.0 are billed the next day, and two separate bills are generated:
Fees incurred before the upgrade (including the hour in which the upgrade occurred) are calculated based on the 1.0 billing rules.
Fees incurred after the upgrade are calculated based on the 2.0 billing rules.
The upgrade process does not affect your services. Cloud Firewall configurations are automatically migrated to the 2.0 instance.
If log analysis was enabled in version 1.0, the feature is automatically disabled during the upgrade. To continue using it, you must re-enable it manually.
After upgrading to pay-as-you-go 2.0, the log analysis data from your 1.0 instance is retained in a Simple Log Service (SLS) project named cloudfirewallnew-project-<Your_Alibaba_Cloud_Account_ID>-<Region_ID>. This data storage will continue to incur SLS fees. If you no longer need this data, you can manually delete the project.
If you previously used billing method 1.0, you are automatically upgraded to billing method 2.0 when you switch the billing method. For more information, see Switch between subscription and pay-as-you-go.
Procedure
Log on to the Cloud Firewall console. On the Overview tab, find the Protection Status section on the right, and click Upgrade to Subscription 2.0 or Upgrade to PAYG 2.0.
Follow the on-screen instructions to complete the upgrade purchase.
If you are upgrading a subscription 1.0 instance, go to the page to cancel the old instance immediately after completing the purchase.