All Products
Search
Document Center

Cloud Firewall:Pay-as-you-go

Last Updated:Nov 21, 2024

Cloud Firewall that uses the pay-as-you-go billing method allows you to use resources before you pay for them. You can also use pay-as-you-go savings plans to reduce costs.

You can view the video tutorial to quickly learn about Cloud Firewall that uses the pay-as-you-go billing method.

You can purchase Cloud Firewall that uses the pay-as-you-go billing method without the need to purchase a large number of resources in advance. You are charged based on the number of protected assets and the amount of processed traffic. The configuration fee generated for an Internet-facing asset starts from USD 0.008 per hour. Cloud Firewall that uses the pay-as-you-go billing method is suitable for the following scenarios:

  • Enterprises whose workloads frequently fluctuate or have short-term requirements on resources.

  • Small- and medium-sized enterprises that have less than 10 Internet-facing assets or whose peak traffic bandwidth is less than 10 Mbit/s. This billing method can be more cost-effective.

Cloud Firewall that uses the pay-as-you-go billing method allows you to use the following capabilities:

  • Automatic identification and one-click protection for cloud assets.

    The Internet firewall can automatically identify Internet-facing assets and can be enabled for the assets within seconds. The following assets are supported: public IP addresses of Elastic Compute Service (ECS) instances, public IP addresses of Classic Load Balancer (CLB) instances, Application Load Balancer (ALB) instances, and Network Load Balancer (NLB) instances, elastic IP addresses (EIPs) (including Layer 2 EIPs), elastic network interfaces (ENIs), and high-availability virtual IP addresses (HAVIPs).

    NAT firewalls can protect traffic of private assets over Internet-facing NAT gateways. You can also enable automatic protection for new assets.

    Virtual private cloud (VPC) firewalls can protect cross-VPC traffic. You can also enable automatic protection for new assets.

  • Real-time defense against inbound and outbound cyberattacks, including web attacks, brute-force attacks, database attacks, mining trojans, viruses, worms, command execution, reverse shells, and malicious outbound connections. Capabilities such as virtual patching for vulnerabilities, threat intelligence, and breach awareness.

  • Fine-grained isolation and access control of business domains from Layer 4 to Layer 7. Access control for traffic at the Internet, NAT, and VPC boundaries. You can configure access control policies based on IP addresses, domain names, applications, protocols, ports, and locations.

  • Network traffic analysis and visualization. This allows you to monitor traffic trends and identify exceptions in outbound connections, Internet exposure risks, outbound connections from private networks, and VPC access at the earliest opportunity.

  • Log audit and analysis of logs that are generated within 180 days. This allows you to trace and analyze attack traffic, analyze logs in a centralized manner, and meet the requirements of classified protection.

For more information about Cloud Firewall that uses the pay-as-you-go billing method, see Common scenarios, Functions and features, and Supported regions.

Billing rules

Bills of Cloud Firewall that uses the pay-as-you-go billing method are generated based on the number of protected assets and the amount of processed traffic. Bills are generated and fees are deducted from your account balance on the next day.

The daily fee of Cloud Firewall that uses the pay-as-you-go billing method is calculated by using the following formula:

Daily fee = (Daily configuration fee of public IP addresses + Daily processing fee of Internet traffic + Daily instance fee of NAT firewalls + Daily traffic processing fee of NAT firewalls + Daily instance fee of VPC firewalls + Daily traffic processing fee of VPC firewalls).

Important
  • Cloud Firewall that uses the pay-as-you-go billing method is billed on an hourly basis at the start of every hour. If you use Cloud Firewall for less than 1 hour within an hour, the billable usage duration is rounded up to 1 hour. For example, if you use Cloud Firewall that uses the pay-as-you-go billing method from 15:55 to 16:05, the time spans 2 hours on the clock, and the billable usage duration is 2 hours.

  • If your account balance is insufficient and your account has an overdue payment for more than 15 days, your Cloud Firewall that uses the pay-as-you-go billing method is automatically released. If no asset is added to a firewall feature for 30 consecutive days, Cloud Firewall automatically disables the feature.

Firewall type

Billable item

Unit price

Description

Internet firewall

Configuration fee of public IP addresses

USD 0.008 per public IP address-hour

You are charged based on the number of public IP addresses that are protected on the current day.

Daily configuration fee of public IP addresses = Number of public IP addresses that are protected on the current day × Unit price per public IP address

Processing fee of Internet traffic

USD 0.06 per GB

You are charged based on the bandwidth of traffic that is processed by the Internet firewall.

Daily processing fee of Internet traffic = (Outbound traffic + Inbound traffic) × Unit price per GB

NAT firewalls

Instance fee of NAT firewalls

USD 0.06 per NAT firewall-hour

You are charged based on the number of NAT firewalls that are enabled on the current day.

Daily instance fee of NAT firewalls = Number of NAT firewalls enabled on the current day × Unit price per NAT firewall

Note

The number of NAT firewalls varies based on the number of NAT gateways. A NAT gateway corresponds to a NAT firewall. For more information, see NAT Firewall.

Traffic processing fee of NAT firewalls

USD 0.06 per GB

You are charged based on the bandwidth of traffic that is processed by NAT firewalls.

Daily traffic processing fee of NAT firewalls = Outbound traffic × Unit price per GB

VPC firewalls

Instance fee of VPC firewalls

USD 0.39 per VPC firewall-hour

You are charged based on the number of VPC firewalls that are enabled on the current day.

Daily instance fee of VPC firewalls = Number of VPC firewalls enabled on the current day × Unit price per VPC firewall

Note

The following list describes how to calculate the number of created VPC firewalls:

  • If your VPC is deployed together with an Enterprise Edition transit router of a Cloud Enterprise Network (CEN) instance, each transit router corresponds to a VPC firewall.

  • If your VPC is deployed together with a Basic Edition transit router of a CEN instance, each VPC corresponds to a VPC firewall.

  • If your VPC is deployed together with an Express Connect circuit, a local VPC and its peer VPC correspond to a VPC firewall.

For more information, see Overview.

Traffic processing fee of VPC firewalls

USD 0.06 per GB

You are charged based on the bandwidth of traffic that is processed by VPC firewalls on the current day.

Daily traffic processing fee of VPC firewalls = Outbound traffic × Unit price per GB

  • The following list describes the default configurations of Cloud Firewall that uses the pay-as-you-go billing method:

    • Protected public IP addresses: Up to 1,000 public IP addresses can be protected.

    • Number of access control policies: Up to 2,000 access control policies can be created for the Internet firewall, 2,000 access control policies for NAT firewalls, and 10,000 access control policies for VPC firewalls.

      For more information about how to calculate the specifications, see Quota consumed by access control policies.

    • Peak processed traffic bandwidth in Cloud Firewall that uses the pay-as-you-go billing method: no more than 5 Gbit/s.

      Note

      Traffic that exceeds the peak processed traffic bandwidth cannot be protected. You can view the firewall status on the Firewall Settings page in the Cloud Firewall console. If the value in the Firewall Status column of an asset is Protected, traffic of the asset is protected. If the value in the Firewall Status column of an asset is Unprotected, traffic of the asset is not protected. You are not charged for the unprotected traffic. If you want to protect more than 5 Gbit/s of traffic, submit a ticket.

  • Cloud Firewall that uses the pay-as-you-go billing method automatically synchronizes asset information and checks whether assets are added in real time. If the system detects that no asset is added to your Cloud Firewall that uses the pay-as-you-go billing method for 30 consecutive days, the system sends notifications.

    Note

    If no asset is added to your Cloud Firewall for 30 consecutive days, Cloud Firewall automatically disables the Internet Firewall, NAT Firewall, or VPC Firewall feature, and other related modules are restored to the initial status. You can re-enable the modules based on your business requirements. For more information, see Internet Firewall, NAT Firewall, and VPC Firewall.

Billing examples

Scenario

Hourly fee

Cloud Firewall that uses the pay-as-you-go billing method is purchased, but no cloud asset is protected.

USD 0

Cloud Firewall that uses the pay-as-you-go billing method is purchased, 2 public IP addresses of cloud assets are protected, and approximately 1 GB of inbound and outbound traffic is processed every hour. No NAT firewall is enabled.

2 × USD 0.008 + 1 GB × USD 0.06 per GB = USD 0.076

Cloud Firewall that uses the pay-as-you-go billing method is purchased, 2 public IP addresses of cloud assets are protected, 1 GB of inbound and outbound traffic is processed every hour, 1 NAT firewall is enabled, and 0.5 GB of private network traffic is processed every hour.

2 × USD 0.008 + 1 GB × USD 0.06 per GB + 1 × USD 0.06 + 0.5 GB × USD 0.06 per GB = USD 0.31

Purchase Cloud Firewall that uses the pay-as-you-go billing method

  1. Go to the Cloud Firewall buy page. Set Product Type to Pay-as-you-go.

  2. On the Cloud Firewall (Pay-as-you-go) page, configure the parameters.

    • Billing Cycle: The default value is By Hour.

    • Automatic Protection for Assets: Specify whether to enable automatic protection for assets.

      If you set Automatic Protection for Assets to Yes, your network assets are automatically added to Cloud Firewall for protection after you purchase Cloud Firewall that uses the pay-as-you-go billing method. Firewalls and attack prevention are also enabled for the assets. This helps reduce risks of network assets.

      Note

      If you no longer require automatic protection, you can turn off Automatic Protection for New Assets in the Cloud Firewall console. For more information, see Internet Firewall.

  3. Read and select Terms of Service, click Buy Now, and then complete the payment.

    After you purchase Cloud Firewall that uses the pay-as-you-go billing method, Alibaba Cloud generates bills on the next day based on the actual usage.

After you purchase Cloud Firewall that uses the pay-as-you-go billing method, you can enable the NAT Firewall and VPC Firewall features based on your business requirements.

Enable the NAT Firewall feature

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the NAT Firewall tab, click Enable Now.

    If no NAT firewall is created within 30 days after you enable the NAT Firewall feature, the feature is automatically disabled. If you want to continue using the feature, re-enable the feature. After you enable the feature, add assets to the feature for protection. The system requires approximately 1 minute to 5 minutes to synchronize asset information to the feature the first time that the feature is enabled.

Enable the VPC Firewall feature

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Firewall Settings.

  2. On the VPC Firewall tab, click Enable Now.

    If no VPC firewall is created within 30 days after you enable the VPC Firewall feature, the feature is automatically disabled. If you want to continue using the feature, re-enable the feature. After you enable the feature, add assets to the feature for protection. The system requires approximately 1 minute to 5 minutes to synchronize asset information to the feature the first time that the feature is enabled.

View the usage details

Cloud Firewall that uses the pay-as-you-go billing method is billed on an hourly basis. Bills are generated and fees are deducted from your account balance on the next day. You can query the details of the pay-as-you-go bills.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings. On the NAT Firewall tab, click Enable Now. After you enable the NAT Firewall feature, you can add a NAT gateway for protection and create a NAT firewall for the NAT gateway. For more information, see Enable a NAT firewall.

  3. In the left-side navigation pane, choose System Settings > Bill Management.

  4. On the Bill Management page, view the usage details of Cloud Firewall that uses the pay-as-you-go billing method. The details include statistical data of protected assets, enabled features, and traffic data of protected assets.

    Click View Bill Details to view the details of bills in the Expenses and Costs console. For more information, see Bill details.

Purchase pay-as-you-go savings plans together with Cloud Firewall that uses the pay-as-you-go billing method

When you purchase Cloud Firewall that uses the pay-as-you-go billing method, you can also purchase pay-as-you-go savings plans to protect assets in a more cost-effective manner. A pay-as-you-go savings plan is similar to a stored-value card. You can specify the amount of a pay-as-you-go savings plan starting from USD 10. After you purchase a pay-as-you-go savings plan, the savings plan is automatically applied to offset fees of billable items of Cloud Firewall that uses the pay-as-you-go billing method based on a specific discount. For example, if you purchase a pay-as-you-go savings plan that costs USD 20, you can also obtain a 5% discount to offset the fees for all billable items of Cloud Firewall that uses the pay-as-you-go billing method. The provided promotional discount can also be used. You can purchase multiple pay-as-you-go savings plans. For more information, see Pay-as-you-go savings plan.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Overview.

  3. On the right side of the Overview page, click Pay-as-you-go Savings Plan in the Protection Status section.

    On the Cloud Firewall (Pay-as-you-go Savings Plan) page, you can purchase a pay-as-you-go savings plan based on your business requirements. For more information, see Pay-as-you-go savings plan.

    image

Note

A savings plan is a discount plan that provides savings over pay-as-you-go rates in exchange for a commitment to consume a consistent amount of resources for a specific period of time. You can obtain a greater discount and reduce more costs when you purchase a pay-as-you-go savings plan with a larger committed consumption amount.

Change the billing method of Cloud Firewall from pay-as-you-go to subscription

You can change the billing method of Cloud Firewall from pay-as-you-go to subscription.

Precautions

Before you change the billing method of Cloud Firewall from pay-as-you-go to subscription, take note of the following items:

  • During the change, a transient connection that lasts several milliseconds may occur. We recommend that you change the billing method during off-peak hours.

  • When you change the billing method, make sure that the new specifications are the same as or higher than the existing specifications.

  • After the subscription billing method takes effect, some historical data changes.

    • The existing access control policies are not affected.

    • The historical data of intrusion events is retained.

    • The log audit data is retained.

    • The log analysis data of Cloud Firewall that uses the pay-as-you-go billing method is stored in a project named cloudfirewallnew-project-Alibaba Cloud Account ID-RegionID in Simple Log Service (SLS). Fees are generated. If you no longer require the data, you can manually delete it. For more information, see What is Simple Log Service?

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Switch Billing Method from Pay-as-you-go to Subscription.

  3. On the Switch Billing Method of Cloud Firewall from Pay-as-you-go to Subscription page, read Note, select I have read and understand the preceding note., and then click Confirm.

  4. On the Cloud Firewall buy page, select an edition of Cloud Firewall based on your business requirements.

    The subscription billing method takes effect after you complete the payment. All configurations of Cloud Firewall that uses the pay-as-you-go billing method remain unchanged before you complete the payment. After you complete the payment, you are charged for Cloud Firewall based on the subscription billing method.

image

Enable the log analysis feature in Cloud Firewall that uses the pay-as-you-go billing method

Cloud Firewall that uses the pay-as-you-go billing method supports the log audit feature. By default, logs are retained for seven days when the feature is enabled. If you want to store logs for a longer period of time, you can enable the log analysis feature. The default storage duration of the log analysis feature is 180 days. You can change the storage duration based on your business requirements. After you enable the log analysis feature, the fees for the feature are included in the bills of SLS instead of Cloud Firewall.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Log Monitoring > Log Analysis, and enable the feature as prompted. For more information, see Enable the log analysis feature.

Note

The fees for the log analysis feature are included in the bills of SLS instead of Cloud Firewall. SLS supports the pay-by-feature billing mode and generates pay-as-you-go bills. SLS also allows you to use resource plans to offset the fees for pay-as-you-go billable items. For more information, see Billing overview.

Release Cloud Firewall that uses the pay-as-you-go billing method

If you no longer require Cloud Firewall that uses the pay-as-you-go billing method, you can disable firewalls on the Internet Firewall, NAT Firewall, and VPC Firewall tabs. In the upper-right corner of the Overview page, choose More > Self-service Release.

image

References

  • You can use pay-as-you-go savings plans together with Cloud Firewall that uses the pay-as-you-go billing method to reduce costs. For more information, see Pay-as-you-go savings plans.

  • For more information about the features that are supported by Cloud Firewall that uses the pay-as-you-go billing method, see Functions and features.

  • For more information about how to use Cloud Firewall that uses the pay-as-you-go billing method, including adding assets for protection, configuring protection policies, and viewing protection effects, see Get started with Cloud Firewall that uses the pay-as-you-go billing method.

  • For more information about the billing details and billing cycle of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method, and how to purchase Cloud Firewall by using the subscription billing method, see Subscription.

  • For more information about Cloud Firewall, see Pre-sales FAQ.

  • For more information about how to upgrade or downgrade the edition of Cloud Firewall, upgrade or downgrade the specifications of Cloud Firewall, temporarily upgrade the protection bandwidth, and change the billing method of Cloud Firewall, see Upgrade and downgrade.

  • For more information about how to release Cloud Firewall, see Release Cloud Firewall.