Billing rules for different editions of Cloud Firewall - Cloud Firewall

Subscription is a billing method that requires you to pay for resources before you can use the resources. The subscription billing method allows you to reserve resources and purchase resources at discounted rates. This topic describes the billing rules of the subscription billing method.

Billing rules

Note

For more information about the traffic and cloud assets that can be protected by Cloud Firewall, see Protection scope. The following rules are based on the total traffic or cloud assets of the current account and its members.
For more information about the regions in which Cloud Firewall is supported, see Supported regions.
For more information about the features supported by each edition of Cloud Firewall that uses the subscription billing method, see Cloud Firewall features.

Feature or billable item		Premium Edition	Enterprise Edition	Ultimate Edition	Description
Basic price		USD 420 per month.	USD 1,450 per month.	USD 3,900 per month.	The basic price covers only the default specifications. Additional quotas or value-added items are not covered.
Subscription duration		Valid values: 1 Month, 3 Months, 6 Months, 1 Year, 2 Years, and 3 Years.			None.
Internet Firewall	Protected Public IP Addresses	The basic price covers 20 public IP addresses. Valid values: 20 to 1000.	The basic price covers 50 public IP addresses. Valid values: 50 to 1000.	The basic price covers 400 public IP addresses. Valid values: 400 to 1000.	The number of public IP addresses that can be protected by the Internet firewall. Extra fee: USD 7 per month for each additional public IP address that you want to protect.
Internet Firewall	Protected Internet Traffic	The basic price covers 10 Mbit/s of bandwidth. Valid values: 10 to 5000. Unit: Mbit/s.	The basic price covers 50 Mbit/s of bandwidth. Valid values: 50 to 5000. Unit: Mbit/s.	The basic price covers 200 Mbit/s of bandwidth. Valid values: 200 to 15000. Unit: Mbit/s.	The peak Internet traffic that can be protected. Metering metric: the peak outbound or inbound Internet traffic, whichever is greater. Extra fee: USD 7 per month for each 1 Mbit/s of additional bandwidth. If the bandwidth does not meet your business requirements, contact your account manager.
NAT Firewall	NAT Firewalls	The basic price does not cover this specification. Valid values for an additional quota: 1 to 20.	The basic price covers 1 NAT firewall. Valid values for an additional quota: 1 to 100.	The basic price covers 2 NAT firewalls. Valid values: 2 to 1000.	The number of NAT firewalls that can be created. You can create a NAT firewall for a NAT gateway. Extra fee: USD 32 per month for each additional NAT firewall.
NAT Firewall	Protected Private Network Traffic of NAT Gateway	The basic price does not cover this specification. Valid values for an additional quota: 5 to 1000. Unit: Mbit/s.	The basic price covers 10 Mbit/s of bandwidth. Valid values: 10 to 5000. Unit: Mbit/s.	The basic price covers 20 Mbit/s of bandwidth. Valid values: 20 to 10000. Unit: Mbit/s.	The total peak traffic from the protected internal-facing assets to the Internet. Extra fee: Additional bandwidth < 200 Mbit/s: USD 5.5 per month for each 1 Mbit/s of additional bandwidth. 200 Mbit/s ≤ Additional bandwidth < 1,000 Mbit/s: USD 3.2 per month for each 1 Mbit/s of additional bandwidth. Additional bandwidth ≥ 1,000 Mbit/s: USD 2.4 per month for each 1 Mbit/s of additional bandwidth.
Virtual private cloud (VPC) Firewall	Number of VPC Firewalls	Not supported.	The basic price covers 2 VPC firewalls. Valid values: 2 to 100.	The basic price covers 5 VPC firewalls. Valid values: 5 to 200.	The number of VPC firewalls that can be created. Extra fee: USD 300 per month for each additional VPC firewall.
Virtual private cloud (VPC) Firewall	Protected VPC Traffic	Not supported.	The basic price covers 200 Mbit/s of bandwidth. Valid values: 200 to 5000. Unit: Mbit/s.	The basic price covers 1,000 Mbit/s of bandwidth. Valid values: 1000 to 10000. Unit: Mbit/s.	The peak cross-VPC traffic that can be protected. Extra fee: USD 7.5 for each 10 Mbit/s of additional bandwidth. If you want to protect more than 10 Gbit/s of cross-VPC traffic, you must contact your account manager to apply for higher traffic processing capabilities one month in advance.
Common features	Burstable Protected Traffic	The basic price does not cover this specification. You can enable this feature based on your business requirements.	The basic price does not cover this specification. You can enable this feature based on your business requirements.	The basic price does not cover this specification. You can enable this feature based on your business requirements.	After you enable the burstable protected traffic feature, you can receive a free quota of 10 GB on burstable protected traffic each day. You are charged for excess traffic that exceeds 10 GB. Bills are generated and fees are deducted from your account balance at 18:00 on the next day. Price: USD 0.06 per GB. For more information, see Burstable protected traffic. You can use this feature together with pay-as-you-go savings plans to reduce costs. For more information, see Pay-as-you-go savings plan.
	Quota for Additional Policy Note If the default quota for access control policies is exhausted, you can purchase an additional quota for access control policies. The additional quota is applicable to access control policies for the Internet firewall, NAT firewalls, and VPC firewalls.	The basic price covers the following number of access control policies for each type of firewall: Internet firewall: 4,000. NAT firewall: 4,000. Valid values for an additional quota: 0 to 100000.	The basic price covers the following number of access control policies for each type of firewall: Internet firewall: 10,000 NAT firewall: 10,000 VPC firewall: 10,000 Valid values for an additional quota: 0 to 200000.	The basic price covers the following number of access control policies for each type of firewall: Internet firewall: 20,000 NAT firewall: 20,000 VPC firewall: 20,000 Valid values for an additional quota: 0 to 300000.	The additional quota for access control policies. Extra fee: Tier 1: If the number of additional access control policies that you want to create ranges from 0 to 10,000, the extra fee is USD 0.02 per month for each additional access control policy in this tier. Tier 2: If the number of additional access control policies that you want to create ranges from 10,000 to 50,000, the extra fee is USD 0.015 per month for each additional access control policy in this tier. Tier 3: If the number of additional access control policies that you want to create is greater than 50,000, the extra fee is USD 0.01 per month for each additional access control policy in this tier. Note For more information about how to calculate the quota that is consumed by an access control policy, see Quota consumed by access control policies.
	Storage capacity for log analysis	The basic price does not cover this specification. Valid values: 1000 to 100000. Unit: GB.	The basic price does not cover this specification. Valid values: 1000 to 100000. Unit: GB.	The basic price does not cover this specification. Valid values: 1000 to 100000. Unit: GB.	By default, Cloud Firewall stores audit logs for seven days, including event logs, traffic logs, and operation logs. If you want to store the logs for a longer period of time or meet classified protection requirements, we recommend that you enable the log analysis feature. Extra fee: USD 80 per 1,000 GB-month.
	Multi-account Management	A quota of 1,000 is provided free of charge.	A quota of 1,000 is provided free of charge.	A quota of 1,000 is provided free of charge.	To increase the quota, submit a ticket to contact technical support.

Billing examples

An enterprise user has 60 public IP addresses and requires 60 Mbit/s of Internet bandwidth. The user subscribes to Cloud Firewall Enterprise Edition for six months.

The total service fee is calculated by using the following formula: (USD 1,450 + Fee for extra 10 public IP addresses × USD 7 + Fee for extra 10 Mbit/s of bandwidth × USD 7) × 6.

Billing cycle

The billing cycle starts from the purchase date of Cloud Firewall and ends on the expiration date of Cloud Firewall.

Purchase Cloud Firewall by using the subscription billing method

Go to the Cloud Firewall buy page. Set Product Type to Subscription.

Configure the following parameters, click Buy Now, and then complete the payment.

Parameter	Description
Current Version	The edition of Cloud Firewall that you want to purchase. After you select an edition, you can view the features provided by the edition in the Features section.
Protected Public IP Addresses	The number of public IP addresses that can be protected by the Internet firewall. Premium Edition: The basic price covers 20 public IP addresses. Valid values for an additional quota: 20 to 1000. Enterprise Edition: The basic price covers 50 public IP addresses. Valid values for an additional quota: 50 to 1000. Ultimate Edition: The base price covers 400 public IP addresses. Valid values for an additional quota: 400 to 1000.
Protected Internet Traffic	The peak Internet traffic that can be protected by Cloud Firewall. The metering metric is the peak outbound or inbound Internet traffic, whichever is greater. We recommend that you set this parameter to the Internet bandwidth of your business. Premium Edition: The basic price covers 10 Mbit/s of bandwidth. Valid values for an additional quota: 10 to 2000. Unit: Mbit/s. Enterprise Edition: The basic price covers 50 Mbit/s of bandwidth. Valid values for an additional quota: 50 to 5000. Unit: Mbit/s. Ultimate Edition: The basic price covers 200 Mbit/s of bandwidth. Valid values for an additional quota: 200 to 15000. Unit: Mbit/s. If the specification does not meet your business requirements, contact your account manager to apply for a bandwidth increase.
Number of VPC Firewalls	The number of VPCs that can be protected by Cloud Firewall. You can configure this parameter only if you select Enterprise Edition or Ultimate Edition for the Current Version parameter. Enterprise Edition: The basic price covers 2 VPC firewalls. Valid values for an additional quota: 2 to 100. Ultimate Edition: The basic price covers 5 VPC firewalls. Valid values for an additional quota: 5 to 200.
Protected VPC Traffic	The peak cross-VPC traffic that can be protected. You can configure this parameter only if you select Enterprise Edition or Ultimate Edition for the Current Version parameter. Enterprise Edition: The basic price covers 200 Mbit/s of bandwidth. Valid values for an additional quota: 200 to 5000. Unit: Mbit/s. Ultimate Edition: The basic price covers 1,000 Mbit/s of bandwidth. Valid values for an additional quota: 1000 to 10000. Unit: Mbit/s. Note If cross-VPC traffic exceeds 10 Gbit/s, you must contact your account manager to apply for higher traffic processing capabilities one month in advance.
NAT Firewalls	The number of NAT firewalls that you can create. Premium Edition: The basic price does not cover this specification. Valid values for an additional quota: 1 to 20. Enterprise Edition: The basic price covers 1 NAT firewall. Valid values for an additional quota: 1 to 100. Ultimate Edition: The basic price covers 2 NAT firewalls. Valid values for an additional quota: 2 to 1000.
Protected Private Network Traffic of NAT Gateway	The peak traffic that can be protected by a NAT firewall in Cloud Firewall. The peak traffic can be specified in increments of 5 Mbit/s. Premium Edition: The basic price does not cover this specification. Valid values for an additional quota: 5 to 1000. Unit: Mbit/s. Enterprise Edition: The basic price covers 10 Mbit/s of bandwidth. Valid values for an additional quota: 10 to 5000. Unit: Mbit/s. Ultimate Edition: The basic price covers 20 Mbit/s of bandwidth. Valid values for an additional quota: 20 to 10000. Unit: Mbit/s.
Burstable Protected Traffic	Specify whether to enable the burstable protected traffic feature.
Quota for Additional Policy	The quota for access control policies. If the quota for access control policies of your Cloud Firewall is exhausted, you can increase the value of the Quota for Additional Policy parameter to purchase the quota for access control policies. Premium Edition: 0 to 100000 Enterprise Edition: 0 to 200000 Ultimate Edition: 0 to 300000
Multi-account Management	If you have multiple Alibaba Cloud accounts in your enterprise and you want to manage the accounts in a centralized manner, you can enable the multi-account management feature. To use Cloud Firewall to protect assets across multiple accounts, purchase Cloud Firewall for your account and add other accounts to Cloud Firewall as members. You do not need to purchase Cloud Firewall for other accounts. Premium Edition: A quota of 1,000 is provided free of charge. Enterprise Edition: A quota of 1,000 is provided free of charge. Ultimate Edition: A quota of 1,000 is provided free of charge. To increase the quota, submit a ticket for technical support.

Log Analysis	Specify whether to enable the log analysis feature. By default, Cloud Firewall stores audit logs for seven days. If you want to store audit logs for a longer period of time, meet classified protection requirements, or export audit logs, we recommend that you enable the log analysis feature. The log analysis feature allows Cloud Firewall to store logs from 7 to 730 days. If your Internet bandwidth is 10 Mbit/s and you want to store logs for six months, we recommend that you purchase 1,000 GB of storage capacity. Note For more information, see Overview and Billing.
Log Storage
Duration	The subscription duration. You can select or clear Auto-renewal based on your business requirements. Note The auto-renewal cycle is based on the subscription duration. If you purchase a monthly or yearly subscription, Cloud Firewall is renewed on a monthly or yearly basis. For example, if you select 6 Months for Duration and select Auto-renewal, Cloud Firewall is automatically renewed for one month after expiration.

References

What are the differences between Cloud Firewall that uses the pay-as-you-go billing method and Cloud Firewall that uses the subscription billing method?
For more information about the impacts of changing the billing method of Cloud Firewall from subscription to pay-as-you-go, see Upgrade and downgrade Cloud Firewall.
For more information about the impacts of changing the billing method of Cloud Firewall from pay-as-you-go to subscription, see Upgrade and downgrade Cloud Firewall.
Before your subscription to Cloud Firewall expires, you must renew the subscription to ensure that Cloud Firewall can continue to protect your assets. For more information, see Renewal.
If your workloads change, you can upgrade or downgrade Cloud Firewall based on your business requirements. This helps improve resource utilization and reduce costs. For more information, see Upgrade and downgrade Cloud Firewall.
If you no longer require Cloud Firewall to protect your business, you can release Cloud Firewall. For more information, see Release Cloud Firewall.
Cloud Firewall supports refunds. For more information, see Self-service unsubscription and release.