Beyond the Perimeter: Securing Your Cloud Environment with Alibaba Cloud Firewall
In the journey to the cloud, network security remains the paramount concern for any enterprise. While Virtual Private Clouds (VPCs) offer fundamental network isolation, a robust, centralized firewall solution is essential for managing traffic and complying with security standards. Enter Alibaba Cloud Firewall, a cloud-native security service designed to provide comprehensive, unified protection across your entire cloud landscape.
As a Firewall-as-a-Service (FaaS) solution, Alibaba Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, Virtual Private Cloud (VPC), and host boundaries. It eliminates the need for complex firewall deployment or maintenance, allowing you to focus purely on policy management.
Understanding the Alibaba Cloud Firewall Architecture
To fully grasp the power of Alibaba Cloud Firewall, it’s essential to visualize how it integrates into your network. Cloud Firewall doesn’t deploy a single appliance; instead, it operates as a distributed, elastic service, strategically intercepting and protecting traffic at various key points.
The Centralized SaaS Model and Distributed Enforcement
At its core, Alibaba Cloud Firewall is delivered as a highly available, elastic SaaS service.
- Centralized Management: All policies (for Internet, NAT, and VPC firewalls) are managed from a single console, simplifying security operations (SecOps).
- Distributed Enforcement: The enforcement points are strategically integrated into Alibaba Cloud’s network. For example, the Internet Firewall is deployed in a cluster for elasticity, while the VPC Firewall is distributed to protect inter-VPC traffic directly.
- No Network Changes: You can enable the Internet firewall for public assets without altering your existing network topology.
The Four Pillars of Traffic Protection
Cloud Firewall segments traffic protection into four core areas, covering both north-south (Internet-to-Cloud) and east-west (Cloud-to-Cloud) flows:
- Internet Firewall (North-South):
  - Scope: Controls inbound and outbound traffic for public assets (ECS with public IPs, SLB, EIP, etc.), including IPv4 and IPv6 traffic.
  - Mechanism: Filters traffic based on Deep Packet Inspection (DPI), IPS rules, and Access Control Policies (ACLs). It includes one-click protection enablement.
- NAT Firewall (North-South):
  - Scope: Protects outbound traffic from private assets accessing the Internet through an Alibaba Cloud NAT Gateway.
  - Mechanism: Ensures unauthorized outbound connections are blocked, preventing data leakage and malicious C&C communication.
- VPC Firewall (East-West):
  - Scope: Provides fine-grained protection for traffic between VPCs (in the same or different regions via CEN), and traffic between a VPC and an on-premises data center (via VBR).
  - Key Protection: Crucial for preventing lateral movement attacks between segmented cloud environments. This is supported in the Enterprise and Ultimate Editions.
- Internal Firewall (Micro-segmentation):
  - Scope: Implements micro-segmentation for ECS instances within a single VPC by managing and synchronizing access control policies to their associated Security Groups.
Advanced Threat Defense and Visualization
Alibaba Cloud Firewall integrates a robust, constantly updated Threat Detection Engine to provide proactive defense against complex attacks:
| Module | Description & Benefit |
|---|---|
| Basic Defense | Uses built-in Intrusion Prevention System (IPS) rules, accumulated from Alibaba Cloud’s security practices, to intercept common network attacks like malicious port scanning and reverse shells. |
| Virtual Patching | Offers prompt, precise protection against critical 0-day and N-day exploits without requiring you to install patches on the underlying business systems. |
| Threat Intelligence | Leverages a vast database of malicious IP addresses and domains (C&C services, malicious access sources) for proactive defense against unknown threats (supported in Enterprise and Ultimate Editions). |
| Intelligent Defense | Uses AI technology combined with massive attack data to intelligently detect unknown attack behaviors and improve the detection rate of advanced, targeted attacks. |
| Breach Awareness | Helps detect server intrusion events and includes Sensitive Data Leak Detection to monitor for sensitive data and risky payloads in outbound connections. |
Enterprise-Grade O&M and Visualization
For managing large-scale environments, Cloud Firewall offers crucial visualization and auditing features:
- Traffic Topology Graph: A visual representation of your protected assets and their access relationships at the Internet and VPC borders.
- Log Audit: Provides 7-day log audit (upgradable to 730 days) for 5-tuple logs (source IP/port, destination IP/port, protocol), enabling real-time event tracing and fault troubleshooting.
- Business Visualization: Allows you to establish relationships between applications and business groups using custom groups, helping you gain a comprehensive understanding of access policies in a business context.
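To make the access control semantics from the Four Pillars section and the 5-tuple log audit concrete, here is an added example (not Alibaba Cloud's code, data format or API) that models an ordered outbound policy set of the kind a NAT or Internet firewall enforces, replays 5-tuple log records through it, and also checks for a caveat the text does not spell out: an earlier broad accept policy silently shadowing a later drop. The policy set, the flow records, the threat-intelligence entry, and the first-match / default-deny behaviour are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of ordered access control policies and 5-tuple flow logs; it is not the
# product's data format or API, only the first-match / default-deny semantics described.
@dataclass(frozen=True)
class Policy:
    """ACL entry. proto 'any' and dest_port None match everything; action is accept/drop."""
    order: int; direction: str; source: str; destination: str
    proto: str; dest_port: Optional[int]; action: str

@dataclass(frozen=True)
class Flow:
    """One 5-tuple log record (src IP/port, dst IP/port, protocol) plus direction."""
    src_ip: str; src_port: int; dst_ip: str; dst_port: int; proto: str; direction: str

def evaluate(policies, flow, default="drop"):
    """Lowest order first, first match wins; unmatched flows get the default action."""
    for p in sorted(policies, key=lambda p: p.order):
        if (p.direction == flow.direction and p.proto in ("any", flow.proto)
                and p.dest_port in (None, flow.dst_port)
                and ip_address(flow.src_ip) in ip_network(p.source)
                and ip_address(flow.dst_ip) in ip_network(p.destination)):
            return p.action, p.order
    return default, None

def covers(earlier: Policy, later: Policy) -> bool:
    """True if every flow 'later' could match is already matched by 'earlier'."""
    return (earlier.direction == later.direction and earlier.proto in ("any", later.proto)
            and earlier.dest_port in (None, later.dest_port)
            and ip_network(later.source).subnet_of(ip_network(earlier.source))
            and ip_network(later.destination).subnet_of(ip_network(earlier.destination)))

def shadowed(policies):
    """Orders of policies that can never fire because an earlier policy covers them."""
    ordered = sorted(policies, key=lambda p: p.order)
    return [p.order for i, p in enumerate(ordered) if any(covers(e, p) for e in ordered[:i])]

def audit(policies, flows, threat_intel):
    """Replay logged flows; report drops and accepted flows to known-bad destinations."""
    return [(f.dst_ip, f.dst_port, a, o) for f in flows for a, o in [evaluate(policies, f)]
            if a == "drop" or f.dst_ip in threat_intel]

# Constructed NAT-firewall style outbound policy set and sample 5-tuple log records.
POLICIES = [Policy(1, "out", "10.0.0.0/16", "0.0.0.0/0", "tcp", 443, "accept"),
            Policy(2, "out", "10.0.0.0/16", "0.0.0.0/0", "any", None, "drop")]
FLOWS = [Flow("10.0.1.5", 51000, "203.0.113.10", 443, "tcp", "out"),
         Flow("10.0.1.5", 51001, "198.51.100.7", 4444, "tcp", "out"),
         Flow("10.0.2.9", 51002, "192.0.2.66", 443, "tcp", "out")]
THREAT_INTEL = {"192.0.2.66"}  # constructed stand-in for the threat intelligence feed
```

Running `audit(POLICIES, FLOWS, THREAT_INTEL)` surfaces both the blocked port-4444 connection and the HTTPS flow that the ACL accepts but threat intelligence flags, which is why the two controls are layered rather than interchangeable.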
Edition Comparison and Technical Specifications
Cloud Firewall is available in several editions (Trial, Premium, Enterprise, and Ultimate) to match different business needs and traffic requirements. These editions dictate the maximum capacity and availability of critical features.
| Metric | Premium Edition (Subscription) | Enterprise Edition (Subscription) | Ultimate Edition (Subscription) |
|---|---|---|---|
| Base Internet Bandwidth | 10 Mbit/s | 50 Mbit/s | 200 Mbit/s |
| Protected Public IPs | Base: 20 (Max: 1,000) | Base: 50 (Max: 1,000) | Base: 400 (Max: 1,000) |
| VPC Firewall Instances | Not Supported | Base: 2 (Max: 100) | Base: 5 (Max: 200) |
| Inter-VPC Traffic | N/A | Base: 200 Mbit/s | Base: 1,000 Mbit/s |
| Threat Intelligence | Not Supported | Supported | Supported |
| Multi-Account Management | 1,000 member accounts (Free) | 1,000 member accounts (Free) | 1,000 member accounts (Free) |
| Cluster Deployment | Uses shared resources | Uses shared resources | Uses dedicated resources |
Billing Flexibility
Alibaba Cloud Firewall supports both Subscription (for stable, predictable usage) and Pay-as-you-go (for scenarios with fluctuating traffic). The service also offers a Temporary Bandwidth Upgrade feature, allowing you to increase traffic processing capacity on an hourly basis for unexpected traffic surges, with automatic reversion to the original specification.
Compliance and Integration
The firewall service is designed to help enterprises meet strict regulatory standards, supporting compliance with ISO 27001, PCI DSS, and other global benchmarks. It seamlessly integrates with other Alibaba Cloud services, relying on specific RAM roles (like AliyunCloudFirewallAccessingECSRole) to ensure it has the necessary permissions to inspect and control traffic across ECS, SLB, and other network resources.
By leveraging the power of a SaaS, distributed, and centrally managed security solution, Alibaba Cloud Firewall provides a robust defense posture that is essential for modern cloud governance.