Benefits

Deploy in seconds

Add Cloud Firewall to your environment without changing your existing network architecture.

• Internet-facing assets are enrolled in the Internet firewall within seconds, immediately protecting inbound and outbound traffic.

• NAT firewalls activate automatically to monitor traffic from private networks to the Internet.

• VPC firewalls activate automatically to isolate east-west traffic across virtual private clouds (VPCs), eliminating complex deployment configurations and reducing security risks.

Flexible billing for any team size

Cloud Firewall supports pay-as-you-go, subscription, and pay-as-you-go savings plans.

Small and medium-sized enterprises can start with pay-as-you-go to consume resources before incurring charges, then apply pay-as-you-go savings plans to reduce costs.

Large and medium-sized enterprises that need predictable capacity can choose a subscription plan: Cloud Firewall Premium Edition, Enterprise Edition, or Ultimate Edition. Capacity can be scaled out as the business grows.

You can upgrade or downgrade Cloud Firewall, manually release Cloud Firewall, temporarily upgrade the specifications of Cloud Firewall, and use the burstable protected traffic feature.

New users get a free trial worth USD 50 on the pay-as-you-go billing method.CNY 500

Elastic scaling with built-in high availability

Cloud Firewall scales traffic-processing capacity up or down without service interruptions, covering scenarios such as sales promotions, testing, business development, and attack and defense drills.

During off-peak hours, scale down to reduce costs — with no interruption to traffic.

For reliability, Cloud Firewall includes a high-availability mechanism with dual-zone disaster recovery at different boundaries. Automated end-to-end health checks, session synchronization, storage synchronization, and failover are all handled for you, so you don't need to manage high availability manually.

Intelligent threat defense

Intrusion prevention detects and blocks malicious traffic in real time — including attacks, vulnerability exploits, brute-force attacks, worms, mining programs, and backdoor trojans — protecting enterprise systems in the cloud against attacks, unauthorized access, and breach events.

Threat intelligence identifies unknown threats early. Cloud Firewall integrates with Security Center to deliver virtual patches for server vulnerabilities, enabling closed-loop vulnerability management and protection.

Access control policy analysis lets Cloud Firewall automatically learn from traffic and logs, then generate and refine policies to strengthen defense over time.

Native Alibaba Cloud integration

Cloud Firewall integrates natively with Alibaba Cloud network services to discover and protect assets automatically.

It identifies cloud assets in real time, including:

• IPv4 and IPv6 addresses of Elastic Compute Service (ECS) instances, load balancer assets, and bastion hosts

• Elastic IP addresses (EIPs), EIPs of NAT gateways, EIPs of Global Accelerator (GA) instances, and EIPs associated with high-availability virtual IP addresses (HAVIPs)

Enable automatic protection for new assets so they are secured the moment they are provisioned, minimizing exposure windows.

For log audit and permission management, Cloud Firewall integrates with Simple Log Service, CloudMonitor, Resource Access Management (RAM), Cloud Config, and Resource Management.

Centralized multi-account management

The multi-account management feature is provided free of charge.

Purchase a single Cloud Firewall instance under one Alibaba Cloud account and use the multi-account management feature to cover all member accounts in a resource directory — no separate purchases, deployments, or maintenance per account.

From the management account, enable firewalls, and use the traffic analysis, intrusion prevention, access control, log audit, and weekly report capabilities across Internet-facing assets, NAT gateways, and VPCs for every member account in one place.