Cloud Firewall offers four editions. This page lists the features each edition supports so you can choose the right one before you purchase.
Starting October 15, 2025, Cloud Firewall uses Billing 2.0. New users use Billing 2.0 by default. Existing users can stay on Billing 1.0 or upgrade. See Billing 1.0 and upgrade instructions for details.
Feature list
The table below covers all features under Billing 2.0.
— Not supported
— Supported
Dashboard
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Overview | Shows protected assets, traffic data for the last 7 days, and defended security risks. | | | | | |
Traffic topology graph | Displays a visual traffic topology graph for cloud assets protected by Cloud Firewall. | | | | | |
Firewall switch
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Internet firewall | Protects inbound and outbound traffic between the Internet and public assets (IPv4 and IPv6). | | | | | |
NAT firewall | Protects traffic from private IP assets that access the Internet through a NAT gateway. | | | | | |
VPC firewall | Protects traffic between virtual private clouds (VPCs) and between VPCs and data centers. | | | | | |
Network traffic analysis
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Suspicious outbound connections | Monitors outbound connections from public and private assets to the Internet in real time to detect unusual traffic. | | | | | |
Internet exposure | Detects the IP addresses, ports, and applications of protected assets exposed to the Internet, with visual analytics reports. | | | | | |
VPC access | Monitors traffic between interconnected VPCs in real time to detect and troubleshoot unusual traffic. | | | | | |
Attack prevention
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Intrusion prevention | Detects and blocks malicious traffic in real time, including hacker attacks, exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks. | | | | | |
Vulnerability prevention | Syncs vulnerabilities detected by Security Center on public assets and provides attack prevention for them, closing the loop between detection and protection. | | | | | |
Breach awareness | Detects server intrusion events to prevent business losses. | | | | | |
Data breach | Detects sensitive data leaks and risky payloads in outbound connections from your cloud assets. | | | | | |
IPS configuration | Configures the threat detection engine with five protection modes: Basic protection intercepts common cloud attacks such as port scans, database attacks, reverse shells, and exploits. Virtual patching blocks popular vulnerabilities and high-risk exploits without requiring patches. Threat intelligence draws on Alibaba Cloud's global database of malicious IPs and domains to block unknown threats (not available in Premium). Intelligent defense uses AI to detect advanced unknown attacks. Protection whitelist lets normal service traffic pass even if it resembles attack traffic. | | | | | |
Access control
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Internet border | Layer 4–7 access control (north-south) for inbound and outbound traffic on public assets. Blocks external attacks and controls active outbound connections. | | | | | |
NAT border | Layer 4–7 access control (north-south) for private IP traffic behind a NAT gateway that accesses the public network. | | | | | |
VPC border | Access control (east-west) for traffic between VPCs, between VPCs and data centers, or between VPCs and third-party clouds. | | | | | |
Internal border | Access control for inbound and outbound traffic between ECS instances to restrict unauthorized lateral movement. | | | | | |
Security group check | Audits high-risk rules in ECS security groups and suggests remediation. | | | | | |
Address books | Groups IP addresses, ports, or domain names into reusable address books — custom, cloud service, or threat intelligence. Reference and auto-update them in access control policies with one click. | | | | | |
Synchronization nodes
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
ACK cluster synchronization nodes | Dynamically collects pod IP addresses from ACK container environments and syncs them to address books. Eliminates manual updates caused by frequent IP changes. | | | | | |
Private DNS synchronization nodes | Automatically resolves domain name-to-IP mappings from PrivateZone or self-managed DNS servers for use in domain-based access control policies. | | | | | |
Log monitoring
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Log auditing | Retains 7 days of logs by default for event tracing and troubleshooting. Covers three log types: Event logs (traffic that matched an access control policy, including threat type, source and destination IPs, application type, and severity), Traffic logs (all traffic through Cloud Firewall for post-incident analysis), and Operation logs (all configuration changes, such as enabling the firewall or modifying IPS settings). | | | | | |
Log analysis | Collects and analyzes all traffic logs in real time. Storage duration is configurable from 7 to 730 days, and you can customize the delivery switch. Supports custom real-time alerts on specific metrics. | | | | | |
Management and monitoring
Feature | Description | Pay-as-you-go | Premium | Enterprise | Ultimate | References |
Business visualization | Groups cloud assets into applications, application groups, and business groups. Visualizes asset information and access relationships across your entire cloud environment. | | | | | Custom groups, Security group visualization, Application Group Visualization |
Multi-account management | Manages multiple Alibaba Cloud accounts from a single console to share resources and ensure secure traffic access. | | | | | |
Alert notifications | Sends SMS or email alerts when traffic anomalies, host compromises, suspicious outbound connections, vulnerability threats, disabled protection, or disabled intrusion prevention are detected. | | | | | |
References
Pre-sales FAQ — frequently asked questions about Cloud Firewall features
Subscription 2.0 — billing for Premium, Enterprise, and Ultimate editions
Pay-as-you-go 2.0 — billing for the Pay-as-you-go edition
Purchase Cloud Firewall — how to buy Cloud Firewall