Cloud Firewall of Alibaba Cloud is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, virtual private cloud (VPC), and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud.
Positioning of Cloud Firewall
Features
Internet firewall
The Internet firewall controls the inbound and outbound traffic of all Internet-facing assets in a centralized manner at the Internet boundary. You can use the Internet firewall to manage the inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This reduces the exposure of Internet-facing assets on the Internet and the security risks to business traffic. The built-in intrusion prevention module of the Internet firewall allows you to detect compromised servers, block outbound connections initiated by your servers, and view the relationships among cloud services. You can enable the Internet firewall to protect your assets with a few clicks. You are not required to configure network access or install images. The Internet firewall is deployed as a cluster and can be smoothly scaled up and out.
NAT firewall
When resources such as Elastic Compute Service (ECS) instances and elastic container instances in VPCs directly access the Internet by using NAT gateways, security risks, such as unauthorized access, data leaks, and traffic attacks, may occur. To reduce these risks, you can enable NAT firewalls to block unauthorized traffic.
VPC firewall
A VPC firewall can help you monitor and control east-west traffic between VPCs or between a VPC and a data center that are connected by using an Enterprise Edition transit router, a Basic Edition transit router, or an Express Connect circuit. This helps ensure the security of east-west traffic between VPCs, a VPC and a virtual border router (VBR) in a data center, a VPC and a VBR of a third-party cloud, and a VPC and a VPN gateway.
Internal firewall
The internal firewall can be used to manage ECS security groups and control the inbound and outbound traffic of ECS instances in VPCs. The access control policies that you configure and publish for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. Compliance checks and micro-segmentation visualization are supported for ECS security groups.
Protection scope
Protection scope | Description | References |
--- | --- | --- |
Cloud assets and traffic | Cloud Firewall can protect the following cloud assets or traffic: Note: Cloud Firewall does not support traffic redirection for a small number of Internet-facing Server Load Balancer (SLB) instances due to the historical network architecture. We recommend that you associate EIPs with the internal-facing SLB instances to redirect traffic to Cloud Firewall for protection. | |
Cloud network type | | - |
Region | Regions that are supported by Cloud Firewall. | |
Editions
Cloud Firewall is available in the following editions: Free Edition, Premium Edition, Enterprise Edition, Ultimate Edition, and Cloud Firewall that uses the pay-as-you-go billing method. The following table describes the differences among the editions. For more information about the protection capabilities supported by different editions of Cloud Firewall, see Functions and features.
Edition | Description | Billing method |
--- | --- | --- |
Free Edition | Cloud Firewall Free Edition provides basic security check capabilities. You can use features such as security group check, classified protection compliance check, and asset exception notification. | If your Alibaba Cloud account has cloud assets that can be protected, you can use Cloud Firewall Free Edition to protect the assets without the need to purchase Cloud Firewall. |
Cloud Firewall that uses the pay-as-you-go billing method | Cloud Firewall that uses the pay-as-you-go billing method delivers reliable security protection capabilities for Internet-facing assets. You can use features such as attack awareness, attack prevention, and asset exception notification. You can also configure access control policies for the Internet firewall. | Pay-as-you-go. The pay-as-you-go billing method is suitable for scenarios in which your resource usage frequently fluctuates and your business has short-term requirements on resources. The pay-as-you-go billing method allows you to purchase, upgrade, or release Cloud Firewall at any time. |
Premium Edition | Cloud Firewall Premium Edition protects Internet-facing assets. You can use features such as traffic analysis and protection for your assets, Internet traffic management, attack prevention, log analysis, multi-account management, and asset exception notification. | Subscription. Compared with the pay-as-you-go billing method, the subscription billing method allows you to reserve resources and reduce costs at discounted rates. The subscription billing method is suitable for scenarios in which your resource usage does not frequently fluctuate and resources are used for a long period of time. |
Enterprise Edition | Cloud Firewall Enterprise Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification. Cloud Firewall Enterprise Edition offers all capabilities provided by Cloud Firewall Premium Edition. Cloud Firewall Enterprise Edition also provides value-added services such as visualization, network security defense across VPCs, and centralized management of security groups. | |
Ultimate Edition | Cloud Firewall Ultimate Edition protects Internet-facing assets, VPCs, and ECS instances. You can use features such as traffic analysis and protection, traffic management for access between the Internet and internal networks, attack prevention, log analysis, multi-account management, and asset exception notification. Cloud Firewall Ultimate Edition offers all capabilities provided by Cloud Firewall Enterprise Edition. Compared with Cloud Firewall Enterprise Edition, Cloud Firewall Ultimate Edition provides more powerful protection capabilities. | |
Free trial
The first time you purchase Cloud Firewall, you can use the free trial of Cloud Firewall that uses the pay-as-you-go billing method. For more information, see Free trial.
Compliance
Cloud Firewall complies with the following standards: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, ISO 27701, BS 10012, the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry, and the Payment Card Industry (PCI) Data Security Standard (DSS).
Contact us
If you have questions about the features, prices, and specifications of Cloud Firewall when you purchase Cloud Firewall, or if you want to apply for a free trial of Cloud Firewall, you can submit a ticket to obtain technical support.
References
For more information about the billing of Cloud Firewall, see Billing.
For more information about the capabilities provided by Cloud Firewall, see Get started with Cloud Firewall that uses the pay-as-you-go billing method, Select a Cloud Firewall edition, and Get started with Cloud Firewall that uses the subscription billing method.