When enterprises run workloads across many Alibaba Cloud accounts, managing firewall protection separately for each account creates gaps in visibility and inconsistent policy enforcement. Cloud Firewall's multi-account management feature consolidates protection across all accounts into a single view. From one console, you can apply traffic redirection and protection, policy configuration, traffic analysis, intrusion prevention, attack prevention, breach awareness, log audit, and log analysis across all member accounts.
Account types
Cloud Firewall multi-account management is built on Alibaba Cloud Resource Directory. Three account types have distinct roles:
| Account type | Role in Resource Directory | Role in Cloud Firewall |
|---|---|---|
| Management account | Invites accounts to join the resource directory; manages all enterprise assets | Manages all assets protected by Cloud Firewall |
| Delegated administrator account | Specified by the management account; can manage all assets of the enterprise, access the resource directory structure and members, and manage business within it | Manages all assets protected by Cloud Firewall |
| Member | Joined the resource directory at the management account's invitation; manages only its own assets | Cannot purchase Cloud Firewall |
The delegated administrator account separates organization management from business management. The management account handles organization-level tasks; the delegated administrator account handles Cloud Firewall operations across the resource directory.
Limitations
Multi-account management covers Internet firewalls, VPC firewalls, NAT firewalls, and assets protected by secure forward proxies. DNS firewalls,
Member accounts added for centralized management cannot purchase Cloud Firewall. Their asset traffic is managed centrally.
For quota details by edition, see Subscription.
Prerequisites
Before you begin, ensure that you have:
Cloud Firewall Premium Edition, Enterprise Edition, or Ultimate Edition — or Cloud Firewall with pay-as-you-go billing

Set up multi-account management
Complete the following steps in order. Steps 1–3 use the Resource Directory console; Step 4 uses the Cloud Firewall console.
Step 1: Enable a resource directory
To enable a resource directory, your Alibaba Cloud account must have passed enterprise real-name verification. Individual real-name verification is not sufficient.
For setup instructions and the two available enablement methods, see Enable a resource directory. The management account you receive depends on the method you choose.
Log on to the Account Center console. In the navigation pane on the left, go to the Identity Verification page to check whether your account has completed enterprise identity verification.
Step 2: Invite members
Invite Alibaba Cloud accounts to join your resource directory. Each accepted invitation creates a member. You can later designate any member as the delegated administrator account.
To invite an existing account, see Invite an Alibaba Cloud account to join a resource directory.
If no accounts are available to invite, create a new member directly. See Create a member.
Step 3: Add a delegated administrator account
Designate one member as the delegated administrator account for Cloud Firewall. This account can then access the Multi-account Management page in the Cloud Firewall console and perform management operations across the resource directory.
For instructions, see Manage a delegated administrator account.
Step 4: Add members in Cloud Firewall
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose System Settings > Multi-account Management.
On the Multi-account Management page, click Add Member.
In the Add Member dialog box, select members from the Available Members section and move them to the Selected Members section.
In the Selected Members section, select the required members and click OK.

After members are added, the member list displays each account's UID and name. You can remove a member from this list at any time.
Cloud Firewall can access member resources by default after you add a member.
If you use a VPC firewall to protect virtual private clouds (VPCs) attached to a Cloud Enterprise Network (CEN) instance, and those VPCs belong to accounts different from the one used to purchase Cloud Firewall, you must manually authorize Cloud Firewall to access those accounts' cloud resources. See Authorize Cloud Firewall to access other cloud resources.
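A coverage check for the state this procedure leaves behind, as an added example that is not part of the original documentation: it compares resource directory members with the Cloud Firewall member list and flags CEN-attached VPCs that still need manual authorization. The inventories, UIDs, VPC IDs, and field names are constructed for illustration and are not real API output.

```python
"""Coverage audit for Cloud Firewall multi-account management (added example).

All data and field names below are constructed; export the real lists from
the Resource Directory and Cloud Firewall consoles and map them to this shape.
"""

# Constructed sample: accounts in the resource directory and their invite state.
RD_MEMBERS = [
    {"uid": "1000000000000001", "name": "sec-admin", "status": "joined"},
    {"uid": "1000000000000002", "name": "prod-apps", "status": "joined"},
    {"uid": "1000000000000003", "name": "dev-sandbox", "status": "joined"},
    {"uid": "1000000000000004", "name": "acquired-co", "status": "invited"},
]
# Constructed sample: UIDs shown in the Multi-account Management member list.
FIREWALL_MEMBERS = {"1000000000000002", "1000000000000009"}
# Constructed sample: the account used to purchase Cloud Firewall.
FIREWALL_OWNER = "1000000000000001"
# Constructed sample: VPCs attached to a CEN instance, with the owning account
# and whether Cloud Firewall was manually authorized for that account.
CEN_VPCS = [
    {"vpc": "vpc-sample-a", "owner": "1000000000000001", "authorized": False},
    {"vpc": "vpc-sample-b", "owner": "1000000000000002", "authorized": True},
    {"vpc": "vpc-sample-c", "owner": "1000000000000003", "authorized": False},
]


def audit(rd_members, fw_members, fw_owner, cen_vpcs):
    """Return the gaps between the directory and centrally managed protection."""
    joined = {m["uid"] for m in rd_members if m["status"] == "joined"}
    return {
        # Joined members whose traffic is not yet managed centrally.
        "unmanaged": sorted(joined - set(fw_members) - {fw_owner}),
        # Invitations not accepted yet: these accounts cannot be added in Step 4.
        "pending": sorted(m["uid"] for m in rd_members if m["status"] != "joined"),
        # Sanity check on the inputs: listed in Cloud Firewall, not a joined member.
        "not_in_directory": sorted(set(fw_members) - joined),
        # CEN-attached VPCs owned by another account without manual authorization.
        "needs_authorization": sorted(
            v["vpc"] for v in cen_vpcs
            if v["owner"] != fw_owner and not v["authorized"]
        ),
    }


if __name__ == "__main__":
    for finding, items in audit(RD_MEMBERS, FIREWALL_MEMBERS,
                                FIREWALL_OWNER, CEN_VPCS).items():
        print(f"{finding}: {items or 'none'}")
```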
What's next
After adding members, go to the Firewall Settings page to view cloud assets within each member account and enable or disable protection for those assets.
For a complete walkthrough of managing enterprise security across multiple accounts, see .