Latest News
• Positioned as a Challenger in the Gartner® Magic Quadrant™ for Network Firewalls for two consecutive years
• Pay-as-you-go savings plans for Cloud Firewall are available
• Cloud Firewall obtained IPS certification from ICSA Labs
Comprehensively Protect Cloud Network Borders
Cloud Firewall is a cloud-native network border protection service. It provides real-time intrusion prevention based on exclusive network-wide threat intelligence, visualized full-traffic analysis, intelligent access control, and log tracing and analysis to help secure your network borders. Cloud Firewall can protect the following cloud assets and traffic:
• Internet Firewall protects north-south traffic of assets (such as public IP addresses of Elastic Compute Service (ECS) instances, elastic IP addresses (EIPs) of Server Load Balancer (SLB) instances, public IP addresses of SLB instances, high-availability virtual IP addresses (HAVIPs), EIPs, EIPs of ECS instances, EIPs of elastic network interfaces (ENIs), EIPs of NAT gateways, ENIs of Application Load Balancer (ALB) instances, IPv6 addresses of SLB instances, IPv6 addresses of ECS instances, and IP addresses of bastion hosts).
• VPC Firewall protects east-west traffic of different types, including traffic between VPCs, traffic between a VPC and a data center (such as over a Virtual Border Router (VBR) or a VPN connection), and traffic that traverses a third-party VBR or VPN.
• Internal Firewall protects traffic between ECS instances within a VPC.
Cloud Firewall Editions
• Outbound abnormal traffic defense and access controls
• Inbound Internet attack defense and access controls
• Basic Firewall Capability
• Provide North-South Flow Control
• Provide Network IPS for N-S Traffic
• Traffic analysis and log management
• Traffic topology
• Security Group Centralized Mgmt.
• Multi-Account Centralized Mgmt.
• Support custom protection rules
• All features provided by the Enterprise edition
• Protect traffic between multi-accounts' VPCs connected by a CEN instance
Benefits
Integration within Seconds
• Cloud Firewall is a fully-managed service that eliminates the need for device deployment.
• Cloud Firewall can be integrated within seconds. You can immediately use the service to protect your network.
Elastic Scaling
• Cloud Firewall is a Software as a Service (SaaS) solution deployed in cluster mode that supports smooth scaling.
• Cloud Firewall is developed based on the network function virtualization (NFV) architecture and provides a protection capability of over 100 Gbit/s for east-west traffic.
Cloud-Native Intelligent Protection
• Cloud Firewall provides a comprehensive access control capability.
• Cloud Firewall has a built-in intelligent threat detection engine and threat intelligence.
Visualized Full-Traffic Access
• Cloud Firewall supports network-wide traffic topology visualization.
• Cloud Firewall allows you to analyze the trends and trace the sources of abnormal traffic.
Centralized Management of Multiple Accounts
• Cloud Firewall provides unified enterprise security policies.
• Cloud Firewall supports unified security protection and defends against attacks at the earliest opportunity.
Features
Fine-Grained Access Control
Cloud Firewall allows you to centrally manage access control policies from the Internet to services and microsegmentation policies between services. Cloud Firewall supports fine-grained access control from Layer 4 to Layer 7, including access control based on IP addresses, ports, applications, domains, and locations.
Detection and Protection of Outbound Connections
Cloud Firewall can detect and analyze the outbound connection traffic of cloud resources to help distinguish malicious requests. Cloud Firewall can display outbound connection traffic mirror sessions for your assets in real-time, helping detect suspicious hosts and breaches at the earliest opportunity.
VPC Isolation and Control
VPC firewalls detect and control traffic between VPCs and traffic between VPCs and data centers. This lets you implement fine-grained control over both kinds of traffic and protect against lateral movement inside your cloud network.
Real-Time Intrusion Detection and Protection
Cloud Firewall uses its built-in threat detection engine and threat intelligence to block malicious traffic and common Internet attacks in real time, including command execution, reverse shells, database attacks, mining programs, trojans, viruses, and worms.
Virtual Patch Protection for Vulnerabilities
Cloud Firewall can integrate with Security Center to detect vulnerabilities that attackers exploit against your Internet-facing assets. Cloud Firewall also provides virtual patches that defend against these vulnerabilities, including zero-day vulnerabilities, so that your assets are not compromised through them.
Control of Asset Exposure Risks
Cloud Firewall allows you to centrally manage and analyze assets exposed to the Internet (such as EIPs, public IP addresses of ECS instances, SLB instances, and ENIs). Cloud Firewall also supports fine-grained access control and Internet risk defense, helping reduce the network attack surface.
Multi-Account Management
Cloud Firewall supports the Resource Management features to implement centralized security control over the resources of multiple accounts, including resource protection integration, security policy configuration, attack protection, and log statistics. This improves the efficiency of security O&M.
Visualized Traffic Analysis
Cloud Firewall displays traffic information in visualized form, such as traffic details and trend charts for all public IP addresses, statistics on top inbound and outbound traffic, and trend charts and distribution of traffic across VPCs. This helps you monitor the outbound traffic of your Internet-facing and internal assets.
Network Log Audit and Analysis
Cloud Firewall supports log auditing for traffic logs, event logs, and operation logs to help audit network traffic in real time. For example, you can audit and track attack defense logs and the hit results of access control rules.
Cloud Firewall vs. Traditional Firewall Services
Feature | Alibaba Cloud Firewall (Cloud-native) | Traditional Firewall Service |
---|---|---|
Scalability | Cloud Firewall is a SaaS solution deployed in cluster mode that can be scaled based on business requirements. | Traditional firewall services add devices to improve security capabilities. The high availability and performance of traditional firewall services highly depend on virtual devices, which cannot be flexibly scaled. |
Easy O&M | You can activate Cloud Firewall with a few clicks. It is an out-of-the-box service that is easy to manage and operate. | Traditional firewall services build physical architectures on the cloud, are harder to maintain, and introduce more network failure points. |
Dynamic Synchronization of Cloud Assets | Cloud Firewall supports real-time dynamic synchronization of network assets on the cloud. This facilitates the security control of cloud assets. | Traditional firewall services cannot effectively identify the attribute profiles of cloud network assets, which is inconvenient for the security management of cloud assets. |
Security Collaboration of Cloud Services | Cloud Firewall supports collaboration with services (such as Security Center, Bastionhost, and Resource Directory). | Traditional firewall services cannot effectively collaborate with cloud host security, cloud Bastionhost, and cloud network services. |
Threat Intelligence Sharing | Cloud Firewall shares threat intelligence on hundreds of millions of threats and supports emergency responses to vulnerabilities. | Traditional firewall services are deployed in a silo architecture. Threat information cannot be efficiently shared within the system because attack detection is not linked to security protection. |
Centralized Management across Accounts | Cloud Firewall supports centralized security management for multiple accounts over the Internet and across VPCs. | Centralized management across accounts is unsupported for enterprises that have multiple businesses or multiple account groups on the cloud. |
Scenarios
Security Capabilities Required for Internet-Facing Asset Protection and Control
Cloud Firewall provides automatic protection for your Internet-facing assets. It combines network-wide threat intelligence and virtual patch features to protect your Internet-facing assets against attacks. In addition, Cloud Firewall allows you to sort your Internet-facing assets and control access to your Internet-facing assets.
Highlights
- Prevention of Risks Introduced by the Exposure of On-Cloud Assets to the Internet: You can easily handle the security issues caused by the exposure of cloud assets.
- Access Policy and Security Specification Management: Cloud Firewall helps check the access policies for inbound and outbound traffic.
Cloud Firewall Solutions in Hybrid Cloud Scenarios
You can deploy a cloud firewall among multiple VPCs or between a VPC and a data center to isolate VPCs and defend against lateral movement attacks. You can also deploy Cloud Firewall to protect leased line connections between a VPC and a data center in hybrid cloud scenarios.
Highlights
- Traffic Security between VPCs: Cloud Firewall can help you detect and control the traffic between multiple VPCs.
- Prevention of Risks Introduced by Access between VPCs and Data Centers: The control and protection feature for the traffic between VPCs also applies to the traffic between VPCs and data centers.
Meeting the Requirements of Classified Protection of Cybersecurity
You can deploy Cloud Firewall to meet the level 2 and level 3 requirements of Classified Protection of Cybersecurity 2.0 (such as requirements for border protection, access control, intrusion prevention, malicious code prevention, spam prevention, and security audit).
Highlights
- Classified Protection of Cybersecurity: You can deploy Cloud Firewall to meet the requirements of Classified Protection of Cybersecurity 2.0 (such as requirements for zone border protection, network access control, network intrusion prevention, and traffic security audit).