All Products
Search
Document Center

Cloud Firewall:Upgrade or downgrade Cloud Firewall

Last Updated:Sep 02, 2024

You can upgrade or downgrade Cloud Firewall. For example, you can upgrade or downgrade the edition and specifications of Cloud Firewall, temporarily upgrade the protected bandwidth, and change the billing method. You can perform the preceding operations based on your business requirements. This helps improve resource utilization and optimize costs.

Feature description

Supported operations

The following table describes the operations that you can perform on Cloud Firewall.

Operation

Item

Upgrade

Downgrade

Change the billing method

Usage notes

  • Your workloads are not affected during a self-service upgrade or downgrade.

  • You can upgrade or downgrade the edition and specifications of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method.

  • You can upgrade or downgrade the following Cloud Firewall specifications: Protected Public IP Addresses, Protected Internet Traffic, Number of VPC Firewalls, Protected VPC Traffic, Quota for Additional Policy, Multi-account Management, and Log Storage. For more information, visit the Cloud Firewall buy page.

  • Each specification after an upgrade cannot exceed the specification threshold of the current edition of Cloud Firewall. Each specification after a downgrade cannot be lower than the default specification in the current Cloud Firewall edition or lower than the quota that is consumed.

    For example, if you use Cloud Firewall Ultimate Edition and the default value of Protected Public IP Addresses is 400, you cannot decrease Protected Public IP Addresses to a value less than 400 when you perform a downgrade.

Upgrade

Billing rules

If you perform an upgrade, you must pay the price difference for the upgrade. The price on the Cloud Firewall buy page shall prevail.

Upgrade the edition or specifications of Cloud Firewall

You can upgrade the edition and specifications of Cloud Firewall, and enable disabled features to use more advanced protection capabilities of Cloud Firewall. After an upgrade, the expiration time of Cloud Firewall remains unchanged.

Prerequisites

Before you perform an upgrade, you must view the current edition and the purchased specifications of Cloud Firewall, and determine whether to upgrade the edition or specifications of Cloud Firewall based on the following information: the quota consumption, costs, thresholds of the Cloud Firewall specifications, and your business requirements.

You can log on to the Cloud Firewall console and view the current edition and specifications of Cloud Firewall on the right side of the Overview page.

Note

For more information about the specification thresholds in each edition of Cloud Firewall, see Subscription.

The following suggestions are provided for specific upgrade scenarios:

  • If the actual usage of Protected Public IP Addresses, VPC Firewalls, NAT Firewalls, and the protected bandwidth, such as Protected Internet Traffic, Protected Private Network Traffic of NAT Gateway, or Protected VPC Traffic, exceed the specification thresholds of the current edition of Cloud Firewall, we recommend that you upgrade the edition of Cloud Firewall to use the more advanced protection capabilities of Cloud Firewall.

  • If the actual usage of Protected Public IP Addresses, VPC Firewalls, or NAT Firewalls exceeds the specification that you purchased, we recommend that you upgrade the specification.

  • If the actual bandwidth exceeds the purchased specification for Protected Internet Traffic, Protected Private Network Traffic of NAT Gateway, or Protected VPC Traffic, we recommend that you upgrade the protected bandwidth.

  • If the number of the configured access control policies exceeds the specification threshold of the current edition of Cloud Firewall, we recommend that you configure the Quota for Additional Policy parameter to obtain an additional quota for access control policies. The additional quota is applicable to access control policies for the Internet firewall, NAT firewalls, and virtual private cloud (VPC) firewalls.

Important

If the actual usage of Protected Public IP Addresses and the actual bandwidth exceed the specifications that you purchased, the protection effect of Cloud Firewall may be affected and your assets may be attacked. To ensure that Cloud Firewall can provide continuous and effective security protection, we recommend that you check the specification usage on a regular basis and ensure that your quotas are sufficient.

You can also enable the burstable protected traffic feature during an upgrade. Cloud Firewall provides the burstable protected traffic feature for traffic spikes that last a short period of time. After you enable the burstable protected traffic feature, if excess traffic is generated, the excess traffic can be processed and pay-as-you-go bills are generated on the next day. The upgrade operation immediately takes effect. You can perform an upgrade only once a day.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the Protection Status section of the Overview page, click Upgrade.

  3. On the Upgrade/Downgrade page, view the specifications of the current edition and select an edition or specifications based on your business requirements.

    You can also enable disabled features on the Upgrade/Downgrade page based on your business requirements.

  4. Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.

    After you complete the payment, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.

Temporarily upgrade the bandwidth

You can temporarily upgrade the protected bandwidth on an hourly basis, including Protected Internet Traffic, Protected VPC Traffic, and Protected Private Network Traffic of NAT Gateway. When the restoration time that you specified arrives, the new specifications that you specified during the temporary upgrade are automatically restored to the specifications before the upgrade. Bandwidth upgrade is a temporary solution to increase the specifications of the current edition of Cloud Firewall. However, the restoration time that you specify must be earlier than the expiration time of your Cloud Firewall. You cannot downgrade the specifications of Cloud Firewall.

Important

If you upgrade the protected bandwidth by upgrading the specifications of Cloud Firewall before the restoration time, the protected bandwidth after the upgrade prevails. In this case, the temporary bandwidth upgrade becomes invalid.

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Temporary Bandwidth Upgrade.

  3. On the Temporary Upgrade page, specify each type of bandwidth and restoration time based on your business requirements.

    image

  4. Read and select Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.

    After you complete the payment, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.

Downgrade

If the specifications of Cloud Firewall exceed your business requirements, you can downgrade the specifications and disable unnecessary features to reduce costs. The following flowchart shows the downgrade process.

image

Billing rules

  • If you downgrade the edition or specifications of Cloud Firewall, the system calculates the price difference based on the usage duration and the specifications after the downgrade and provides a refund. The refund amount displayed on the Downgrade page shall prevail.

    For more information about the rules for unsubscribing from Alibaba Cloud services, see Request a refund for the downgrade of resource specifications.

  • After you downgrade the specifications or unsubscribe from Cloud Firewall, you can perform the following operations to view the details of the refund: Log on to the Expenses and Costs console. In the left-side navigation pane, click Orders.

Downgrade the specifications of Cloud Firewall

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Downgrade.

  3. On the Downgrade page, downgrade the specifications of the current edition of Cloud Firewall based on your business requirements.

  4. Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.

    In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.

Disable a feature

You can disable a feature that you no longer require on the Downgrade page. You can disable the log analysis and burstable protected traffic features. After you disable a feature, you can re-enable the feature by upgrading the specifications of Cloud Firewall. For more information, see Upgrade the edition or specification.

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Downgrade.

  3. On the Downgrade page, select No for the feature that you no longer require.

  4. Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.

    In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.

Downgrade the edition of Cloud Firewall

You can perform the following operations to downgrade the edition of Cloud Firewall:

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Downgrade.

  3. On the Downgrade page, select the required edition based on your business requirements.

  4. Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.

Change the billing method

After you change the billing method, Cloud Firewall uses the new billing method.

Precautions

  • Before you change the billing method from subscription to pay-as-you-go, take note of the following items:

    When you release Cloud Firewall, a transient connection that lasts several seconds may occur.

    After you release Cloud Firewall, the configuration data of Cloud Firewall is retained for 15 days. The configuration data includes the configuration data of access control policies, protection policies, and traffic analysis policies. However, the data of log analysis is not retained. If you reactivate Cloud Firewall within 15 days after it is released, the original configuration data is retained. After the 15 days, the configuration data is deleted.

    If you enabled virtual private clouds (VPC) firewalls or NAT firewalls, you must disable the VPC firewalls and NAT firewalls before you release Cloud Firewall. When you disable a firewall, a transient connection may occur due to a route switchover.

  • Before you change the billing method from pay-as-you-go to subscription, take note of the following items:

    • During the change, a transient connection that lasts several milliseconds may occur. We recommend that you change the billing method during off-peak hours.

    • When you change the billing method, make sure that the new specifications are the same as or higher than the existing specifications.

    • After the subscription billing method takes effect, some historical data changes.

      • The existing access control policies are not affected.

      • The historical data of intrusion events is retained.

      • The log audit data is retained.

      • The log analysis data of Cloud Firewall that uses the pay-as-you-go billing method is stored in a project named cloudfirewallnew-project-Alibaba Cloud Account ID-RegionID in Simple Log Service (SLS). Fees are generated. If you no longer require the data, you can manually delete it. For more information, see What is Simple Log Service?

    • After the subscription billing method takes effect, you cannot change the billing method to pay-as-you-go.

Change the billing method from subscription to pay-as-you-go

You cannot directly change the billing method of Cloud Firewall from subscription to pay-as-you-go. If you want to change the billing method of Cloud Firewall from subscription to pay-as-you-go, you can release Cloud Firewall that uses the subscription billing method, and then purchase Cloud Firewall that uses the pay-as-you-go billing method.

  1. Release Cloud Firewall that uses the subscription billing method.

  2. Purchase Cloud Firewall that uses the pay-as-you-go billing method.

Change the billing method from pay-as-you-go to subscription

If you change the billing method of Cloud Firewall from pay-as-you-go to subscription, the fees before the change are generated and settled at 18:00 on the next day. After you change the billing method of Cloud Firewall, you are charged for Cloud Firewall based on the billable items of the subscription billing method. For more information, see Subscription.

  1. Log on to the Cloud Firewall console.

  2. In the upper-right corner of the Overview page, choose More > Switch Billing Method from Pay-as-you-go to Subscription.

  3. On the Switch Billing Method of Cloud Firewall from Pay-as-you-go to Subscription page, read Note, select I have read and understand the preceding note., and then click Confirm.

  4. On the Cloud Firewall buy page, select an edition of Cloud Firewall based on your business requirements.

    The subscription billing method takes effect after you complete the payment. All configurations of Cloud Firewall that uses the pay-as-you-go billing method remain unchanged before you complete the payment. After you complete the payment, you are charged for Cloud Firewall based on the subscription billing method.