Scenarios

更新时间:
复制 MD 格式

Cloud Firewall protects your cloud infrastructure from network threats and enforces security policies across every traffic boundary.

Enterprise data center in the cloud

When you migrate services to the cloud or operate large-scale data centers, public assets are exposed to inbound threats, and uncontrolled east-west traffic creates lateral movement risks. Cloud Firewall provides network-wide traffic analysis, blocks malicious Internet traffic, and supports custom access control policies.

Internet firewall — north-south traffic

The Internet firewall sits at the Internet border and manages all inbound and outbound traffic for your public assets. It provides fine-grained control over traffic between public assets and the Internet, reducing your attack surface and lowering security risk for service traffic.

NAT firewalls — outbound traffic from VPCs

When resources in a virtual private cloud (VPC), such as Elastic Compute Service (ECS) or Elastic Container Instance (ECI) instances, access the Internet through a NAT Gateway, they are exposed to unauthorized access, data breaches, and malicious traffic. Enable NAT firewalls to block unauthorized traffic.

VPC firewall — east-west traffic between VPCs and data centers

The VPC firewall inspects and controls east-west traffic between VPCs, and between VPCs and data centers. Traffic flowing through an Enterprise Edition transit router, Basic Edition transit router, or Express Connect is covered. The firewall secures internal traffic between different VPCs, and between a VPC and a data center (Virtual Border Router, or VBR), a third-party cloud (VBR), or a VPN.

Internal firewall — ECS instance-level control

The internal firewall manages ECS security groups to control inbound and outbound traffic for each ECS instance in a VPC. Access control policies you publish are automatically synchronized to ECS security groups. The internal firewall also supports security group compliance checks and visualization of security group microsegmentation.

image

Compliance with classified protection or internal security audits

North-south and east-west traffic access control

  • You can deploy Cloud Firewall to analyze north-south and east-west network traffic, visualize network-wide traffic, analyze and block outbound connections, and create or modify whitelist policies.

  • You can deploy Cloud Firewall to centrally manage north-south access policies for traffic from the Internet to your services and east-west microsegmentation policies for traffic between services. This provides fine-grained access control at the protocol, port, region, and application levels.

  • You can deploy Cloud Firewall to use the policy hit count feature. This feature helps ensure that no redundant policies exist. You can configure priorities for access control policies in Cloud Firewall to optimize your access control lists as needed.

  • You can deploy Cloud Firewall to configure strict inbound and outbound access control policies. Access control policies include parameters such as source type, source, destination type, destination, protocol type, destination port, application protocol, action, description, and priority.

  • You can deploy Cloud Firewall to perform stateful, real-time blocking of malicious intrusions and common attacks from the Internet.

  • You can deploy Cloud Firewall to control access for data streams across VPCs based on application protocols and content.

Intrusion prevention for malicious traffic

  • You can deploy Cloud Firewall to perform real-time blocking of malicious intrusions and common attacks from the Internet.

  • You can deploy Cloud Firewall to analyze outbound traffic, including outbound connections and breach awareness. It also provides attack prevention and access control for outbound traffic.

  • You can deploy Cloud Firewall to use threat intelligence and an intelligent engine to detect and block malicious traffic in real time. It can defend against new types of network attacks, such as mining worms. The firewall also accumulates many malicious attack samples to create precise defense rules. The intrusion detection feature of Cloud Firewall can detect mining worm infection events.

  • You can deploy Cloud Firewall to detect and record attack behavior. It provides a network blocking feature and records details such as the risk level, event name, defense status, source IP address, destination IP address, direction, detection source, time, and action.

  • You can deploy Cloud Firewall to detect and protect against malicious code attacks. It also regularly updates the malicious code detection rules in real time.

Log tracing for threat events

  • You can deploy Cloud Firewall to use the log audit module to record all traffic logs, event logs, and operation logs.

  • You can deploy Cloud Firewall to log information about scan events. This information includes the scan time, threat type, traffic direction, source and destination IP addresses, application type, severity level, and action status.

  • You can deploy Cloud Firewall to use the log analysis feature. This feature relies on Simple Log Service to store log data and provide real-time log analysis.

For more information, see Classified Protection Compliance Capabilities.

Hybrid cloud and cloud-based DMZ

Running a hybrid cloud means traffic flows in both directions — north-south between your demilitarized zone (DMZ) and the Internet, and east-west between your on-premises data center and cloud VPCs. A gap in either direction leaves your environment exposed.

Cloud Firewall covers both traffic paths. It provides north-south traffic protection for the DMZ and east-west traffic protection between your data center and VPCs, securing communication across your entire hybrid environment. If your DMZ is deployed in the cloud, Cloud Firewall also secures traffic between the DMZ and your on-premises data center.

image

Multi-account management

Managing security across multiple Alibaba Cloud accounts typically requires switching between consoles and duplicating policy work. Cloud Firewall integrates with Resource Directory to centralize this.

You can enable the multi-account management feature to centrally protect resources across multiple accounts from the Cloud Firewall console, configure security policies for every account from a single interface, and monitor VPC traffic per account — all without jumping between separate consoles. This provides protection across multiple network borders while reducing operations overhead.

image

Major events and high-confrontation scenarios

Large-scale attack campaigns, zero-day exploits, and targeted high-confrontation threats require faster response than standard policy workflows allow. Cloud Firewall lets you block IP addresses or domain names in batches, trace and counter attackers, and prevent zero-day vulnerability attacks — so your team can respond at scale without manual bottlenecks.

image