Cloud Firewall allows you to manage multiple Alibaba Cloud accounts in a resource directory based on the trusted services of Alibaba Cloud Resource Directory. Each Alibaba Cloud account in a resource directory is a member. You can specify a member as a delegated administrator account to access the resources of all members in the resource directory. This way, you can perform various operations on the Internet-facing assets and virtual private clouds (VPCs) within the accounts in a centralized manner. The operations include traffic redirection and protection, policy configuration, traffic analysis, intrusion prevention, attack prevention, breach awareness, log audit, and log analysis. This topic describes how to use the multi-account management feature.
Background information
An increasing number of enterprises are migrating their business to the cloud. After enterprises purchase a large number of cloud resources, the management of resources, projects, personnel, and permissions can become complicated. Single accounts cannot be used to meet the requirements. In this case, a multi-account system is required to migrate business to the cloud. Enterprise users have requirements for centralized management of cloud resources across multiple accounts. The cloud resources include security, compliance audit, network, and O&M products.
The following table describes the information about accounts. Before you use multi-account management, we recommend that you read the information.
Account type | Description | Permission on the Resource Directory side | Permission on the Cloud Firewall side |
Management account | A management account can be used to invite the Alibaba Cloud accounts that do not belong to a resource directory to join the resource directory for centralized management. | The account can be used to manage all assets of the enterprise. | The account can be used to manage all assets that are protected by Cloud Firewall. |
Delegated administrator account | The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access the information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory. Note Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. | The account can be used to manage all assets of the enterprise. | The account can be used to manage all assets that are protected by Cloud Firewall. |
Member | After an account is invited by the management account of a resource directory to join the resource directory, the account is a member of the resource directory. | The member can be used to manage only the assets that belong to the member. | The member cannot be used to purchase Cloud Firewall. |
Limits
For more information about the quota provided for multi-account management in each edition of Cloud Firewall that uses the subscription billing method, see Subscription.
The feature allows you to manage only the following resources of members: Internet firewalls, VPC firewalls, NAT firewalls, and assets that are protected by secure forward proxies.
Members that are added for centralized management cannot be used to purchase Cloud Firewall. The asset traffic of the members is also managed in a centralized manner.
Prerequisites
Cloud Firewall Premium Edition, Enterprise Edition, Ultimate Edition, or Cloud Firewall that uses the pay-as-you-go billing method is purchased.
Procedure
Before you can use the feature, you must enable a resource directory, specify a delegated administrator account, and invite members. Then, you can use the feature to add multiple members for centralized management.
Step 1: Enable a resource directory
You must use an Alibaba Cloud account that has passed enterprise real-name verification to enable a resource directory. An account that has passed only individual real-name verification cannot be used to enable a resource directory. You can use two methods to enable a resource directory. The management account that you obtain after you enable a resource directory varies based on the method that you use. For more information, see Enable a resource directory.
Step 2: Invite members
After an Alibaba Cloud account is invited to join a resource directory, the account becomes a member of the resource directory. You can specify the invited member as a delegated administrator account. For more information, see Invite an Alibaba Cloud account to join a resource directory.
If no accounts are available for you to invite, you can directly create a member. For more information, see Create a member.
Step 3: Add a delegated administrator account
Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This meets security-related requirements. You can add and use a delegated administrator account to access the Multi-account Management page of the Cloud Firewall console and perform management operations within the resource directory. For more information, see Manage a delegated administrator account.
Step 4: Add members
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Multi-account Management page, click Add Member.
In the Add Member dialog box, select members from the Available Members section and add the members to the Selected Members section.
In the Selected Members section, select the required members and click OK.
After you add multiple members, you can view the details of each account and delete an added member in the member list. The details include the UID and name of each account. You can also perform the following operations on the Firewall Settings page: view the cloud assets within an added member, and enable or disable protection for the cloud assets.
By default, Cloud Firewall can access the resources of a member after it is added. If you want to use a VPC firewall to protect the VPCs that are attached to a Cloud Enterprise Network (CEN) instance and the VPCs are created by different Alibaba Cloud accounts from the one used to purchase Cloud Firewall, you must manually authorize Cloud Firewall to access the cloud resources within the Alibaba Cloud accounts to which the VPCs belong. For more information, see Authorize Cloud Firewall to access other cloud resources.