Cloud Firewall: Pre-sales FAQ

Last Updated: Mar 31, 2026

Answers to common questions about Cloud Firewall features, billing, protection scope, and how it fits into your Alibaba Cloud architecture.

Features and capabilities

Why do I need to assign the service-linked role AliyunServiceRoleForCloudFW to Cloud Firewall?

Cloud Firewall needs access to your cloud resources — Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), and Server Load Balancer (SLB) instances — to display asset traffic, monitor internal network communications, and apply access control policies in the console.

Only an Alibaba Cloud account or a Resource Access Management (RAM) user with the AliyunRAMFullAccess policy can authorize Cloud Firewall to access cloud resources.

How many members does the multi-account management feature support?

Multi-account management is available in Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition. The member limit varies by edition. See Billing details for the quota per edition.

To add more members than your current quota allows, upgrade the Managed Members specification. See Upgrade or downgrade Cloud Firewall.

Can Cloud Firewall defend against APTs?

Yes. Cloud Firewall defends against advanced persistent threats (APTs) through a layered approach: access control policies restrict unauthorized traffic, intrusion prevention detects and blocks malicious behavior in real time, breach awareness identifies suspicious activity, and log tracing provides forensic visibility into incidents.

What are the main scenarios in which Cloud Firewall protects Internet-facing SLB instances?

Cloud Firewall supports the new-generation Internet-facing SLB architecture and provides two key capabilities:

  • Intrusion prevention: Deploys virtual patches with a single click to protect against zero-day and other high-risk vulnerabilities — no restarts or patch installations required.

  • Access control: Implements fine-grained control for HTTP and HTTPS traffic, with the ability to restrict specific IP addresses, ports, and protocols, which is especially useful for TCP-based services. For example, configure policies to allow traffic only from specific regions.

What are the core defense capabilities of the Internet firewall?

After activating Cloud Firewall, the Internet firewall provides the following capabilities at the Internet boundary:

  • Asset inventory: Analyzes inbound and outbound traffic to identify open applications, ports, public IP addresses, and accessed cloud services.

  • Intrusion prevention: Detects and blocks malicious traffic and attacks in real time using threat intelligence.

  • Domain name blocking: Monitors outbound connections for suspicious destinations and enforces domain- or IP-based access control policies.

  • Vulnerability prevention: Provides virtual patching to defend against remotely exploitable high-risk vulnerabilities, even when you cannot install patches.

What are the advantages of Cloud Firewall over self-managed firewalls?

Cloud Firewall is a fully managed service that centralizes north-south and east-west traffic protection across your cloud environment, with no hardware to deploy or maintain.

  • Managed service: Fully managed by Alibaba Cloud. Configure it in the console and it is ready to use — no device deployment or operations overhead.

  • High availability and elastic scaling: Uses a dual-zone cluster deployment that scales performance smoothly without requiring you to manage high-availability configurations or capacity planning.

  • Deep integration with cloud services: Integrates natively with VPC, Cloud Enterprise Network (CEN), elastic IP addresses (EIPs), and SLB to control access at the cloud asset level, combining network-layer protection with endpoint security signals.

  • Intrusion prevention and threat intelligence: The built-in threat detection engine monitors more than 5 million active malicious IP addresses and domain names, updating continuously to detect and block Internet threats in real time.

Pay-as-you-go billing

How am I charged for Cloud Firewall (pay-as-you-go)?

Billing is per hour, and fees are calculated daily using this formula:

Daily fee = Daily configuration fee of public IP addresses + Daily traffic processing fee

Bills are generated and deducted from your account balance on the day after usage. For the full rate schedule, see Pay-as-you-go.

To reduce costs, purchase a pay-as-you-go savings plan to offset your usage fees.

How do I view usage details for Cloud Firewall (pay-as-you-go)?

In the Cloud Firewall console, go to System Settings > Bill Management to view usage details.

What is a pay-as-you-go savings plan?

A savings plan is a discount plan that reduces your pay-as-you-go costs in exchange for a commitment to a consistent usage amount over a fixed period. The larger the committed amount, the greater the discount. See Pay-as-you-go savings plans for details.

What are the differences between pay-as-you-go and subscription billing?

The two billing methods differ in how you pay and which features are available:

Dimension            | Pay-as-you-go                                    | Subscription
---------------------|--------------------------------------------------|------------------------------------------------------
How you pay          | Per hour, billed daily based on actual usage     | Upfront payment for a fixed term (monthly or yearly)
Cost predictability  | Variable — scales with usage                     | Fixed for the term
Cost optimization    | Purchase a savings plan to reduce per-hour costs | Commit upfront for a lower effective rate
Flexibility          | Release at any time; no long-term commitment     | Fixed term
Supported features   | See Functions and features                       | See Functions and features

For the complete comparison, see Subscription 2.0 and Pay-as-you-go.

How do I switch from subscription to pay-as-you-go?

See Upgrade or downgrade Cloud Firewall for the steps and impacts of switching from subscription to pay-as-you-go.

How do I switch from pay-as-you-go to subscription?

See Switch from pay-as-you-go to subscription for the steps and impacts.

How do I release Cloud Firewall (pay-as-you-go)?

In the Cloud Firewall console, go to the Overview page and choose More > Self-service Release. For details, see Release Cloud Firewall.

Why am I still charged after releasing Cloud Firewall (pay-as-you-go)?

The billing cycle is one day, and bills are generated on the day after usage. If you release Cloud Firewall today, a bill for today's usage is still generated tomorrow. This is expected behavior. For more information, see Pay-as-you-go.

Protection scope

Can Cloud Firewall protect Layer 2 EIPs?

Yes. For the full protection scope, see What is Cloud Firewall?

Does Cloud Firewall support the classic network?

Cloud Firewall can protect ECS instances and specific SLB instances that use public IP addresses in the classic network. Internal firewalls protect instances in VPCs but do not support the classic network.

Can Cloud Firewall protect Internet-facing SLB instances?

Some Internet-facing SLB instances cannot be protected due to network architecture constraints. In those cases, deploy an internal-facing SLB instance and associate an elastic IP address (EIP) with it instead.

When a firewall is enabled for an internal-facing SLB instance associated with an EIP, traffic flows through the firewall, then through the Destination Network Address Translation (DNAT) gateway associated with the EIP, and finally reaches the SLB instance.

Can Cloud Firewall protect traffic on Express Connect or CEN?

Yes, with these distinctions:

Scenario                                               | Protected?
-------------------------------------------------------|-----------
VPC-to-VPC via Express Connect (same region)           | Yes
VPC-to-Virtual Border Router (VBR) via Express Connect | No
VPC-to-VPC via CEN                                     | Yes
VPC-to-VBR via CEN                                     | Yes

To protect cross-region traffic between VPCs or between a VPC and a Virtual Border Router (VBR), migrate the VPCs from a peering connection in Express Connect to a CEN instance.

Can the Internet firewall protect traffic destined for a public VPN gateway?

No. Traffic to a public VPN gateway is encrypted by the VPN gateway, and the Internet firewall cannot inspect or protect encrypted traffic.

Can VPC Firewall protect traffic destined for a VPC over an IPsec-VPN connection?

It depends on how your IPsec-VPN connection is deployed.

Scenario 1: IPsec-VPN associated with a CEN transit router

If your IPsec-VPN connection is associated with a CEN transit router and connected to a business VPC, VPC Firewall can protect traffic to that VPC.

Scenario 2: IPsec-VPN deployed in a business VPC with cross-VPC traffic

If your IPsec-VPN connection uses a VPN gateway deployed in a business VPC, and your services involve cross-VPC traffic (for example, VPCs connected via CEN or a VPC peering connection), VPC Firewall can protect traffic to other business VPCs — but not traffic to the VPC where the IPsec-VPN connection is deployed.

To protect traffic to the VPC where the IPsec-VPN connection is deployed, move the IPsec-VPN connection to a dedicated VPC. Cloud Firewall can then protect traffic from that dedicated VPC to your business VPCs.

Scenario 3: IPsec-VPN deployed in a business VPC with no cross-VPC traffic

If your IPsec-VPN connection uses a VPN gateway in a business VPC and there is no cross-VPC traffic, VPC Firewall cannot protect traffic to that VPC.

Cloud Firewall and other Alibaba Cloud services

Where does the Internet firewall sit in the Alibaba Cloud network architecture?

The Internet firewall sits at the boundary between the Internet and your cloud assets. It provides two core functions:

  • Defends against inbound attacks from the Internet.

  • Controls outbound connections from cloud assets to the Internet.

The following figure shows the logical position of Cloud Firewall relative to other Alibaba Cloud services.

How does traffic flow when I use Anti-DDoS, WAF, and Cloud Firewall together?

The traffic flow depends on your WAF deployment mode:

  • WAF in CNAME record mode: Anti-DDoS → WAF → Cloud Firewall → backend service

  • WAF in cloud native mode: Anti-DDoS → Cloud Firewall → WAF → backend service

How do I use WAF and Cloud Firewall together to manage Internet exposure?

Internet exposure refers to assets accessible from the Internet — IP addresses, ports, domain names, applications, and APIs. WAF and Cloud Firewall address different parts of that surface:

  • Web Application Firewall (WAF) — asset identification: WAF aggregates configuration data from Alibaba Cloud Certificate Management Service, Alibaba Cloud DNS, WAF, and HiChina to provide a global view of your web application assets. This ensures all assets are inventoried and can be fully protected.

  • Cloud Firewall — network asset management: Cloud Firewall monitors communication traffic between the Internet and your public IP addresses. Use it to disable unnecessary open ports, restrict exposed IP addresses, and configure fine-grained access control policies.

Why do CEN transit router users have higher requirements for Cloud Firewall?

Enterprises running multi-VPC architectures with CEN transit routers face complex east-west traffic management challenges:

  • Cross-VPC and hybrid cloud traffic control: Different VPCs often have different security levels, but business requirements mean multiple VPCs need to communicate selectively. As the number of VPCs and cross-VPC connections grows, controlling east-west traffic and defending against lateral movement attacks becomes significantly more complex.

  • Compliance requirements: When migrating to the cloud, many enterprises must meet standards such as Multi-Level Protection Scheme (MLPS) and ISO 27001. For example, MLPS cloud computing security extensions require access control mechanisms at each network boundary with session- and application-level enforcement. Cloud Firewall Enterprise Edition is designed to meet these east-west traffic control requirements.