All Products
Search
Document Center

Cloud Firewall:What is Cloud Firewall?

Last Updated:Aug 16, 2024

Cloud Firewall of Alibaba Cloud is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud.

Positioning of Cloud Firewall

image

Features

Internet firewall

The Internet firewall controls the inbound and outbound traffic of all Internet-facing assets in a centralized manner at the Internet boundary. You can use the Internet firewall to manage the inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This helps reduce the exposures of Internet-facing assets on the Internet and the security risks of business traffic. The built-in intrusion prevention module of the Internet firewall allows you to detect compromised servers, block outbound connections initiated by your servers, and view the relationships among cloud services. You can enable the Internet firewall to protect your assets with a few clicks. You are not required to configure access to networks or install images. The Internet firewall is deployed in a cluster and can be smoothly scaled up and out.

NAT firewall

When resources such as Elastic Compute Service (ECS) instances and elastic container instances in VPCs directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic.

VPC firewall

A VPC firewall can help you monitor and control east-west traffic between VPCs or between a VPC and a data center that are connected by using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.

Internal firewall

Internal Firewall can be used to manage ECS security groups and control the inbound and outbound traffic of ECS instances in VPCs. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. Compliance checks and micro-segmentation visualization are supported for ECS security groups.

Protection scope

Protection scope

Description

References

Cloud assets and traffic

Cloud Firewall can protect the following cloud assets or traffic:

  • The Internet firewall can protect the north-south traffic of assets, such as public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of ECS instances, public IP addresses of Classic Load Balancer (CLB) instances, EIPs of CLB instances, EIPs of Application Load Balancer (ALB) instances, EIPs of Network Load Balancer (NLB) instances, EIPs (including Layer 2 EIPs), EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, EIPs of high-availability virtual IP addresses (HAVIPs), and IP addresses of bastion hosts.

  • A NAT firewall can protect traffic from an internal network to the Internet.

  • A VPC firewall can protect east-west traffic.

    • A VPC firewall that is created for an Enterprise Edition transit router can protect the following types of traffic:

      • Traffic between VPCs in the same region

      • Traffic between cross-region VPCs that are connected by using an Enterprise Edition transit router

      • Traffic between a VPC and a VBR or a data center

      • Traffic between a VPC and a CCN instance

      • Traffic between VBRs

      • Traffic between a VBR and a CCN instance

    • A VPC firewall that is created for a Basic Edition transit router can protect the following types of traffic:

      • Traffic between VPCs in the same region

      • Traffic between cross-region VPCs that are connected by using a Basic Edition transit router

      • Traffic between a VPC and a VBR or a data center

      • Traffic between a VPC and a CCN instance

    • A VPC firewall that is created for an Express Connect circuit can protect the following types of traffic:

      • Traffic between VPCs that are connected by using an Express Connect circuit, reside in the same region, and belong to the same account

      • Traffic between VPCs that are connected by using a VPC peering connection and reside in the same region

  • An internal firewall can protect inbound and outbound traffic between ECS instances.

Note

Cloud Firewall does not support traffic redirection for a small number of Internet-facing Server Load Balancer (SLB) instances due to the historical network architecture. We recommend that you associate EIPs with the internal-facing SLB instances to redirect traffic to Cloud Firewall for protection.

Cloud network type

  • VPC: Cloud Firewall supports all Alibaba Cloud VPCs.

  • Classic network: The Internet Firewall and intrusion prevention system (IPS) features support the classic network. Internal firewalls can protect instances in VPCs but not in the classic network.

-

Region

Regions that are supported by Cloud Firewall.

Supported regions

Editions

Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. The following table describes the differences among the editions. For more information about the protection capabilities supported by different editions of Cloud Firewall, see Functions and features.

Edition

Description

Billing method

Free Edition

Cloud Firewall Free Edition provides basic security check capabilities. You can use features such as security group check, classified protection compliance check, and asset exception notification.

If your Alibaba Cloud account has cloud assets that can be protected, you can use Cloud Firewall Free Edition to protect the assets without the need to purchase Cloud Firewall.

Cloud Firewall that uses the pay-as-you-go billing method

Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall.

Pay-as-you-go.

The pay-as-you-go billing method is suitable for scenarios in which your resource usage frequently fluctuates and your business has short-term requirements on resources. The pay-as-you-go billing method allows you to purchase, upgrade, or release Cloud Firewall at any time.

Premium Edition

Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and protection for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification.

Subscription.

Compared with the pay-as-you-go billing method, the subscription billing method allows you to reserve resources and reduce costs at discounted rates. The subscription billing method is suitable for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time.

Enterprise Edition

Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification.

Cloud Firewall Enterprise Edition offers all capabilities provided by Cloud Firewall Premium Edition. Cloud Firewall Enterprise Edition also provides value-added services such as visualization, network security defense across VPCs, and centralized management of security groups.

Ultimate Edition

Cloud Firewall Ultimate Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification.

Cloud Firewall Ultimate Edition offers all capabilities provided by Cloud Firewall Enterprise Edition. Compared with Cloud Firewall Enterprise Edition, Cloud Firewall Ultimate Edition provides more powerful protection capabilities.

Free trial

The first time you purchase Cloud Firewall, you can use the free trial of Cloud Firewall that uses the pay-as-you-go billing method. For more information, see Free trial.

Compliance

Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, Cloud Security Alliance (CSA) Security, Security, Trust, Assurance, and Risk (STAR) Registry, and Payment Card Industry (PCI) Data Security Standards (DSS).

Contact us

If you have questions about the features, prices, and specifications of Cloud Firewall when you purchase Cloud Firewall, or if you want to apply for a free trial of Cloud Firewall, you can submit a ticket to obtain technical support.

References