You can upgrade or downgrade Cloud Firewall. For example, you can upgrade or downgrade the edition and specifications of Cloud Firewall, temporarily upgrade the protected bandwidth, and change the billing method. You can perform the preceding operations based on your business requirements. This helps improve resource utilization and optimize costs.
Feature description
Supported operations
The following table describes the operations that you can perform on Cloud Firewall.
Operation | Item |
Upgrade |
|
Downgrade |
|
Change the billing method |
Usage notes
Your workloads are not affected during a self-service upgrade or downgrade.
You can upgrade or downgrade the edition and specifications of Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall that uses the subscription billing method.
You can upgrade or downgrade the following Cloud Firewall specifications: Protected Public IP Addresses, Protected Internet Traffic, Number of VPC Firewalls, Protected VPC Traffic, Quota for Additional Policy, Multi-account Management, and Log Storage. For more information, visit the Cloud Firewall buy page.
Each specification after an upgrade cannot exceed the specification threshold of the current edition of Cloud Firewall. Each specification after a downgrade cannot be lower than the default specification in the current Cloud Firewall edition or lower than the quota that is consumed.
For example, if you use Cloud Firewall Ultimate Edition and the default value of Protected Public IP Addresses is 400, you cannot decrease Protected Public IP Addresses to a value less than 400 when you perform a downgrade.
Upgrade
Billing rules
If you perform an upgrade, you must pay the price difference for the upgrade. The price on the Cloud Firewall buy page shall prevail.
Upgrade the edition or specifications of Cloud Firewall
You can upgrade the edition and specifications of Cloud Firewall, and enable disabled features to use more advanced protection capabilities of Cloud Firewall. After an upgrade, the expiration time of Cloud Firewall remains unchanged.
Prerequisites
Before you perform an upgrade, you must view the current edition and the purchased specifications of Cloud Firewall, and determine whether to upgrade the edition or specifications of Cloud Firewall based on the following information: the quota consumption, costs, thresholds of the Cloud Firewall specifications, and your business requirements.
You can log on to the Cloud Firewall console and view the current edition and specifications of Cloud Firewall on the right side of the Overview page.
For more information about the specification thresholds in each edition of Cloud Firewall, see Subscription.
The following suggestions are provided for specific upgrade scenarios:
If the actual usage of Protected Public IP Addresses, VPC Firewalls, NAT Firewalls, and the protected bandwidth, such as Protected Internet Traffic, Protected Private Network Traffic of NAT Gateway, or Protected VPC Traffic, exceed the specification thresholds of the current edition of Cloud Firewall, we recommend that you upgrade the edition of Cloud Firewall to use the more advanced protection capabilities of Cloud Firewall.
If the actual usage of Protected Public IP Addresses, VPC Firewalls, or NAT Firewalls exceeds the specification that you purchased, we recommend that you upgrade the specification.
If the actual bandwidth exceeds the purchased specification for Protected Internet Traffic, Protected Private Network Traffic of NAT Gateway, or Protected VPC Traffic, we recommend that you upgrade the protected bandwidth.
If the number of the configured access control policies exceeds the specification threshold of the current edition of Cloud Firewall, we recommend that you configure the Quota for Additional Policy parameter to obtain an additional quota for access control policies. The additional quota is applicable to access control policies for the Internet firewall, NAT firewalls, and virtual private cloud (VPC) firewalls.
If the actual usage of Protected Public IP Addresses and the actual bandwidth exceed the specifications that you purchased, the protection effect of Cloud Firewall may be affected and your assets may be attacked. To ensure that Cloud Firewall can provide continuous and effective security protection, we recommend that you check the specification usage on a regular basis and ensure that your quotas are sufficient.
You can also enable the burstable protected traffic feature during an upgrade. Cloud Firewall provides the burstable protected traffic feature for traffic spikes that last a short period of time. After you enable the burstable protected traffic feature, if excess traffic is generated, the excess traffic can be processed and pay-as-you-go bills are generated on the next day. The upgrade operation immediately takes effect. You can perform an upgrade only once a day.
Procedure
Log on to the Cloud Firewall console.
In the Protection Status section of the Overview page, click Upgrade.
On the Upgrade/Downgrade page, view the specifications of the current edition and select an edition or specifications based on your business requirements.
You can also enable disabled features on the Upgrade/Downgrade page based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
After you complete the payment, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.
Temporarily upgrade the bandwidth
You can temporarily upgrade the protected bandwidth on an hourly basis, including Protected Internet Traffic, Protected VPC Traffic, and Protected Private Network Traffic of NAT Gateway. When the restoration time that you specified arrives, the new specifications that you specified during the temporary upgrade are automatically restored to the specifications before the upgrade. Bandwidth upgrade is a temporary solution to increase the specifications of the current edition of Cloud Firewall. However, the restoration time that you specify must be earlier than the expiration time of your Cloud Firewall. You cannot downgrade the specifications of Cloud Firewall.
If you upgrade the protected bandwidth by upgrading the specifications of Cloud Firewall before the restoration time, the protected bandwidth after the upgrade prevails. In this case, the temporary bandwidth upgrade becomes invalid.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
On the Temporary Upgrade page, specify each type of bandwidth and restoration time based on your business requirements.
Read and select Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
After you complete the payment, the new specifications of Cloud Firewall immediately take effect. In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the upgrade.
Downgrade
If the specifications of Cloud Firewall exceed your business requirements, you can downgrade the specifications and disable unnecessary features to reduce costs. The following flowchart shows the downgrade process.
Billing rules
If you downgrade the edition or specifications of Cloud Firewall, the system calculates the price difference based on the usage duration and the specifications after the downgrade and provides a refund. The refund amount displayed on the Downgrade page shall prevail.
For more information about the rules for unsubscribing from Alibaba Cloud services, see Request a refund for the downgrade of resource specifications.
After you downgrade the specifications or unsubscribe from Cloud Firewall, you can perform the following operations to view the details of the refund: Log on to the Expenses and Costs console. In the left-side navigation pane, click Orders.
Downgrade the specifications of Cloud Firewall
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
.On the Downgrade page, downgrade the specifications of the current edition of Cloud Firewall based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.
Disable a feature
You can disable a feature that you no longer require on the Downgrade page. You can disable the log analysis and burstable protected traffic features. After you disable a feature, you can re-enable the feature by upgrading the specifications of Cloud Firewall. For more information, see Upgrade the edition or specification.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
.On the Downgrade page, select No for the feature that you no longer require.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
In the upper-right corner of the Overview page in the Cloud Firewall console, you can click Purchased Specifications to view information about the new edition and specifications after the downgrade.
Downgrade the edition of Cloud Firewall
You can perform the following operations to downgrade the edition of Cloud Firewall:
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
.On the Downgrade page, select the required edition based on your business requirements.
Read and select I have read and agree to Cloud Firewall Terms of Service, click Buy Now, and then complete the payment.
Change the billing method
After you change the billing method, Cloud Firewall uses the new billing method.
Precautions
Before you change the billing method from subscription to pay-as-you-go, take note of the following items:
During the change, a transient connection that lasts several milliseconds may occur. We recommend that you change the billing method during off-peak hours.
After you change the billing method from subscription to pay-as-you-go, logs are delivered to a new project of SLS. The fees are included in the bills of SLS instead of Cloud Firewall. The original Logstore will be deleted. Back up logs before you change the billing method. For more information, see Export logs.
Before you change the billing method from pay-as-you-go to subscription, take note of the following items:
During the change, a transient connection that lasts several milliseconds may occur. We recommend that you change the billing method during off-peak hours.
When you change the billing method, make sure that the new specifications are the same as or higher than the existing specifications.
After the subscription billing method takes effect, some historical data changes.
The existing access control policies are not affected.
The historical data of intrusion events is retained.
The log audit data is retained.
The log analysis data of Cloud Firewall that uses the pay-as-you-go billing method is stored in a project named cloudfirewallnew-project-Alibaba Cloud Account ID-RegionID in Simple Log Service (SLS). Fees are generated. If you no longer require the data, you can manually delete it. For more information, see What is Simple Log Service?
Change the billing method from subscription to pay-as-you-go
After you change the billing method from subscription to pay-as-you-go, fees of the unused resources for Cloud Firewall that uses the subscription billing method are refunded based on the refund rules.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
.In the message that appears, read the information and click OK.
On the Cloud Firewall (Pay-as-you-go) | Switch to Pay-As-You-Go page, read Note, read and select I have read and agree Cloud Firewall (Pay-as-you-go) Terms of Service, and then click Buy Now.
Change the billing method from pay-as-you-go to subscription
If you change the billing method of Cloud Firewall from pay-as-you-go to subscription, the fees before the change are generated and settled at 18:00 on the next day.
Log on to the Cloud Firewall console.
In the upper-right corner of the Overview page, choose
.On the Switch Billing Method of Cloud Firewall from Pay-as-you-go to Subscription page, read Note, select I have read and understand the preceding note., and then click Confirm.
On the Cloud Firewall buy page, select an edition of Cloud Firewall based on your business requirements.
The subscription billing method takes effect after you complete the payment. All configurations of Cloud Firewall that uses the pay-as-you-go billing method remain unchanged before you complete the payment. After you complete the payment, you are charged for Cloud Firewall based on the subscription billing method.