{"id":54,"date":"2026-04-12T16:16:56","date_gmt":"2026-04-12T16:16:56","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T16:16:56","modified_gmt":"2026-04-12T16:16:56","slug":"alibaba-cloud-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-firewall-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Firewall Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Security<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Alibaba Cloud Cloud Firewall<\/strong> is a managed network security service that helps you centrally control and monitor traffic between the Internet and your cloud assets, and (depending on your edition and configuration) between networks such as VPCs. It is designed to reduce exposure, enforce least-privilege network access, and provide visibility into traffic and threats\u2014without requiring you to deploy and manage your own firewall appliances.<\/p>\n\n\n\n

In simple terms: Cloud Firewall sits \u201cin front of\u201d or \u201cbetween\u201d cloud network boundaries and enforces your security rules<\/strong>. You define what is allowed and denied (for example, only allow SSH from your office IP), and Cloud Firewall helps apply those rules at scale and provides logs for audit and troubleshooting.<\/p>\n\n\n\n

Technically, Cloud Firewall is a cloud-native firewall and policy management layer<\/strong> that integrates with Alibaba Cloud networking constructs (such as public IP assets, VPCs, and related gateways) to apply access control and (in supported scenarios) threat prevention capabilities. It complements\u2014rather than replaces\u2014controls like security groups<\/strong> and NACLs<\/strong>, while offering a centralized place to manage policies and gain traffic visibility.<\/p>\n\n\n\n

The core problem Cloud Firewall solves is this: as environments grow, network security becomes fragmented<\/strong> (security groups spread across teams, inconsistent rules, unclear traffic paths, missing logs). Cloud Firewall helps unify policy, improve governance, and strengthen perimeter and inter-network security with consistent rules and auditing.<\/p>\n\n\n\n

\n

Service status \/ naming note: The official service name is Cloud Firewall<\/strong> under Alibaba Cloud Security<\/strong>. If you see variations in console menus or documentation structure, use the official docs to confirm the latest terminology and workflows:\nhttps:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Cloud Firewall?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

Cloud Firewall is Alibaba Cloud\u2019s managed firewall service used to centrally control network access<\/strong>, analyze traffic<\/strong>, and improve security posture<\/strong> for cloud assets that face the Internet and for network-to-network traffic where supported by the product.<\/p>\n\n\n\n

Core capabilities (high level)<\/h3>\n\n\n\n

Cloud Firewall typically provides capabilities in these areas (availability depends on your purchased edition and supported asset types):<\/p>\n\n\n\n

    \n
  • Centralized access control policies<\/strong> for ingress\/egress traffic (allow\/deny rules)<\/li>\n
  • Asset visibility<\/strong>: discover and list Internet-exposed and network-connected assets<\/li>\n
  • Traffic logging and analysis<\/strong> for audit and incident investigation<\/li>\n
  • Threat prevention \/ intrusion prevention features<\/strong> in supported modes (verify exact IPS features and coverage in official docs for your edition)<\/li>\n
  • Alerting and reporting<\/strong> (for example, on blocked traffic, suspicious traffic, policy hits)<\/li>\n<\/ul>\n\n\n\n

    Major components (conceptual)<\/h3>\n\n\n\n

    While Alibaba Cloud may describe modules differently across editions and updates, you can generally think of Cloud Firewall as having:<\/p>\n\n\n\n

      \n
    1. \n

      Asset management \/ protection scope<\/strong>\n – The set of public IPs, ECS instances, load balancers, NAT gateways, or VPC connections that Cloud Firewall can protect (exact asset types: verify in official docs for your account and region).<\/p>\n<\/li>\n

    2. \n

      Policy engine (access control)<\/strong>\n – Rule definitions (source\/destination, port, protocol, direction, action, priority)\n – Policy evaluation and enforcement<\/p>\n<\/li>\n

    3. \n

      Logging and analytics<\/strong>\n – Event logs for allowed\/blocked flows (where enabled)\n – Reporting dashboards and\/or export to a log platform (for example Log Service integration\u2014verify current integration options in docs)<\/p>\n<\/li>\n

    4. \n

      Operations and governance<\/strong>\n – Role-based access to manage policies\n – Change visibility (often via audit services such as ActionTrail\u2014verify current integrations)<\/p>\n<\/li>\n<\/ol>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Managed security service<\/strong> (SaaS-style control plane with cloud-native enforcement)<\/li>\n
      • You do not typically deploy firewall VMs or manage HA pairs; enforcement is integrated with Alibaba Cloud network paths supported by Cloud Firewall.<\/li>\n<\/ul>\n\n\n\n

        Scope (regional vs global)<\/h3>\n\n\n\n
          \n
        • Cloud Firewall is account-scoped<\/strong> (within an Alibaba Cloud account) with configuration that can apply to assets across regions, depending on what the service supports in your account. <\/li>\n
        • Some protected assets and enforcement points are inherently regional<\/strong> (because VPCs and many networking services are regional). <\/li>\n
        • Verify in official docs<\/strong> how Cloud Firewall applies across regions for your asset types and whether cross-region scenarios require separate configuration.<\/li>\n<\/ul>\n\n\n\n

          How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n

          Cloud Firewall is most effective when used alongside:<\/p>\n\n\n\n

            \n
          • ECS Security Groups<\/strong> (instance-level virtual firewall)<\/li>\n
          • VPC Network ACLs (NACLs)<\/strong> (subnet-level stateless controls, where used)<\/li>\n
          • Web Application Firewall (WAF)<\/strong> (Layer 7 protection for HTTP\/HTTPS workloads)<\/li>\n
          • Anti-DDoS<\/strong> services (L3\/L4 volumetric and protocol DDoS mitigation)<\/li>\n
          • Security Center<\/strong> (host and vulnerability management, baseline checks)<\/li>\n
          • ActionTrail<\/strong> (audit trail for API and console actions)<\/li>\n
          • Log Service (SLS)<\/strong> \/ CloudMonitor<\/strong> (central logging and monitoring, if integrated)<\/li>\n<\/ul>\n\n\n\n
            \n\n\n\n

            3. Why use Cloud Firewall?<\/h2>\n\n\n\n

            Business reasons<\/h3>\n\n\n\n
              \n
            • Reduce breach risk from misconfigurations<\/strong>: Central policy reduces accidental \u201c0.0.0.0\/0:22\u201d exposures.<\/li>\n
            • Improve audit readiness<\/strong>: Centralized logs and consistent policy management help with compliance evidence.<\/li>\n
            • Faster incident response<\/strong>: Quickly block traffic patterns, IPs, or ports from one place.<\/li>\n<\/ul>\n\n\n\n

              Technical reasons<\/h3>\n\n\n\n
                \n
              • Centralized network access control<\/strong> across many assets and environments.<\/li>\n
              • Better visibility<\/strong> into north-south traffic (Internet \u2194 cloud) and, where supported, east-west traffic between networks.<\/li>\n
              • Layered security<\/strong>: Cloud Firewall complements security groups and NACLs, reducing reliance on any one control.<\/li>\n<\/ul>\n\n\n\n

                Operational reasons<\/h3>\n\n\n\n
                  \n
                • Standardization<\/strong>: Enforce company-wide baseline policies (e.g., \u201cdeny all inbound by default\u201d).<\/li>\n
                • Change control<\/strong>: Fewer distributed rule sets, more consistent management.<\/li>\n
                • Troubleshooting<\/strong>: Flow logs and hit counts help explain connectivity issues.<\/li>\n<\/ul>\n\n\n\n

                  Security\/compliance reasons<\/h3>\n\n\n\n
                    \n
                  • Helps implement:<\/li>\n
                  • Least privilege<\/strong> networking<\/li>\n
                  • Segmentation<\/strong> between environments (prod vs dev), where supported<\/li>\n
                  • Audit logging<\/strong> for security investigations<\/li>\n
                  • Supports a governance narrative aligned with common control frameworks (ISO 27001, SOC 2, PCI DSS). Map controls to your policy standards\u2014Cloud Firewall is a tool, not a compliance guarantee.<\/li>\n<\/ul>\n\n\n\n

                    Scalability\/performance reasons<\/h3>\n\n\n\n
                      \n
                    • Scales to large numbers of assets and policies without requiring you to manage firewall appliances.<\/li>\n
                    • Central policy can reduce duplicated rules across hundreds of security groups.<\/li>\n<\/ul>\n\n\n\n

                      When teams should choose it<\/h3>\n\n\n\n

                      Choose Cloud Firewall when you need one or more of the following:<\/p>\n\n\n\n

                        \n
                      • A central control point<\/strong> for Internet access rules across many public-facing assets<\/li>\n
                      • Consistent deny-by-default<\/strong> enforcement with auditing<\/li>\n
                      • Visibility into traffic and policy hits for operations and security teams<\/li>\n
                      • A platform to implement network segmentation at scale (where supported)<\/li>\n<\/ul>\n\n\n\n

                        When teams should not choose it<\/h3>\n\n\n\n

                        Cloud Firewall may not be the right fit if:<\/p>\n\n\n\n

                          \n
                        • You only have a few assets and security groups already meet your needs, and you don\u2019t need centralized policy\/logging.<\/li>\n
                        • You require deep Layer 7 application protections<\/strong> (use WAF for HTTP\/HTTPS).<\/li>\n
                        • You require full custom packet inspection<\/strong> or appliance-specific features not offered by Cloud Firewall (consider third-party firewall appliances).<\/li>\n
                        • Your architecture is highly specialized and depends on features that Cloud Firewall does not support for your asset type or region (verify in official docs).<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          4. Where is Cloud Firewall used?<\/h2>\n\n\n\n

                          Industries<\/h3>\n\n\n\n

                          Common in regulated or security-sensitive industries such as:<\/p>\n\n\n\n

                            \n
                          • FinTech and payments<\/li>\n
                          • E-commerce and marketplaces<\/li>\n
                          • SaaS providers<\/li>\n
                          • Healthcare and life sciences<\/li>\n
                          • Gaming (anti-abuse controls)<\/li>\n
                          • Manufacturing\/IoT backends<\/li>\n
                          • Education platforms with large user bases<\/li>\n<\/ul>\n\n\n\n

                            Team types<\/h3>\n\n\n\n
                              \n
                            • Cloud platform teams implementing shared guardrails<\/li>\n
                            • Security engineering teams enforcing standards and monitoring exposure<\/li>\n
                            • Network\/security operations (SecOps) for incident response<\/li>\n
                            • DevOps\/SRE teams troubleshooting connectivity and enforcing policy-as-code patterns (where supported via API)<\/li>\n<\/ul>\n\n\n\n

                              Workloads<\/h3>\n\n\n\n
                                \n
                              • Internet-facing APIs, web apps, and microservices<\/li>\n
                              • Bastion\/jump host access patterns<\/li>\n
                              • Hybrid connectivity (on-prem \u2194 cloud) when traffic traverses supported enforcement points<\/li>\n
                              • Multi-VPC environments with shared services and segmentation needs<\/li>\n<\/ul>\n\n\n\n

                                Architectures<\/h3>\n\n\n\n
                                  \n
                                • Single VPC with multiple public services<\/li>\n
                                • Hub-and-spoke with shared services VPC<\/li>\n
                                • Multi-environment (dev\/test\/prod) segmentation<\/li>\n
                                • Internet ingress via SLB\/ALB, API Gateway, or direct public IPs (asset types depend on service support)<\/li>\n<\/ul>\n\n\n\n

                                  Production vs dev\/test usage<\/h3>\n\n\n\n
                                    \n
                                  • Production<\/strong>: strict allowlists, logging enabled, change control, integration with alerting.<\/li>\n
                                  • Dev\/test<\/strong>: lighter policies, but still benefit from \u201cdeny risky ports globally\u201d and centralized visibility.<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n

                                    5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                    Below are realistic scenarios where Alibaba Cloud Cloud Firewall is commonly used. For each, the exact implementation depends on your protected assets and edition\u2014always confirm capabilities in the official docs.<\/p>\n\n\n\n

                                    1) Centralized inbound policy for all public IP assets<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Security groups are managed by many teams and drift over time.<\/li>\n
                                    • Why Cloud Firewall fits:<\/strong> Provides a central policy layer to standardize inbound exposure rules.<\/li>\n
                                    • Example:<\/strong> Organization enforces \u201conly ports 80\/443 allowed from Internet; management ports only from corporate IP ranges.\u201d<\/li>\n<\/ul>\n\n\n\n

                                      2) Lock down SSH\/RDP to corporate IPs only<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Admin ports exposed to the world increase brute-force risk.<\/li>\n
                                      • Why Cloud Firewall fits:<\/strong> Create deny-by-default rules and allowlists for specific source IPs.<\/li>\n
                                      • Example:<\/strong> Only allow TCP\/22 from office IPs to Linux ECS; block all other sources.<\/li>\n<\/ul>\n\n\n\n

                                        3) Temporary emergency block during an incident<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Active exploitation attempts from known IP ranges.<\/li>\n
                                        • Why Cloud Firewall fits:<\/strong> Quick centralized block rules, often faster than updating dozens of security groups.<\/li>\n
                                        • Example:<\/strong> Add a high-priority deny rule for attacker IPs across all Internet-facing assets.<\/li>\n<\/ul>\n\n\n\n

                                          4) Outbound (egress) control to reduce data exfiltration risk<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Workloads can connect to the Internet freely (C2 risk, data exfil).<\/li>\n
                                          • Why Cloud Firewall fits:<\/strong> Define outbound allowlists (e.g., only approved update mirrors).<\/li>\n
                                          • Example:<\/strong> Allow outbound only to package repos and payment gateways; deny outbound to unknown destinations.<\/li>\n<\/ul>\n\n\n\n

                                            5) Environment segmentation (prod\/dev) between VPCs (where supported)<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Dev environment has weaker controls; lateral movement into prod is risky.<\/li>\n
                                            • Why Cloud Firewall fits:<\/strong> Enforce VPC-to-VPC allowlist rules.<\/li>\n
                                            • Example:<\/strong> Allow dev to call specific staging APIs, but block any dev-to-prod access.<\/li>\n<\/ul>\n\n\n\n

                                              6) Control shared services access (DNS, logging, CI\/CD)<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Shared services become overly open because multiple teams need access.<\/li>\n
                                              • Why Cloud Firewall fits:<\/strong> Central rules for who can reach shared endpoints.<\/li>\n
                                              • Example:<\/strong> Only CI runners can access artifact repositories; only app subnets can access internal databases (when enforcement is supported).<\/li>\n<\/ul>\n\n\n\n

                                                7) Visibility and audit of network flows for investigations<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> After an incident, you need to answer \u201cwho talked to what, when?\u201d<\/li>\n
                                                • Why Cloud Firewall fits:<\/strong> Traffic logs and policy hit information.<\/li>\n
                                                • Example:<\/strong> Investigate unexpected outbound connections from a production subnet.<\/li>\n<\/ul>\n\n\n\n

                                                  8) Enforce baseline deny rules for risky ports<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem:<\/strong> Teams accidentally open SMB, database ports, or admin interfaces to the Internet.<\/li>\n
                                                  • Why Cloud Firewall fits:<\/strong> Central block rules for known-risk ports (e.g., 3389, 445, DB ports), with exceptions only by approval.<\/li>\n
                                                  • Example:<\/strong> Deny inbound 3306\/5432\/6379 globally; allow only from trusted VPN IPs.<\/li>\n<\/ul>\n\n\n\n

                                                    9) Simplify security group sprawl<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem:<\/strong> Hundreds of security groups with inconsistent naming and rules.<\/li>\n
                                                    • Why Cloud Firewall fits:<\/strong> Use security groups for instance-level needs, Cloud Firewall for global perimeter baseline.<\/li>\n
                                                    • Example:<\/strong> Security groups handle app-tier to DB-tier; Cloud Firewall handles Internet ingress standards.<\/li>\n<\/ul>\n\n\n\n

                                                      10) Protect internet-exposed gateways and edge services<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem:<\/strong> NAT gateways, load balancers, and other edge services are common choke points.<\/li>\n
                                                      • Why Cloud Firewall fits:<\/strong> Applies centralized policies and logging to supported edge asset types.<\/li>\n
                                                      • Example:<\/strong> Monitor and restrict inbound\/outbound flows at gateways, and export logs for SOC monitoring (verify exact supported assets).<\/li>\n<\/ul>\n\n\n\n

                                                        11) Controlled partner access to APIs<\/h3>\n\n\n\n
                                                          \n
                                                        • Problem:<\/strong> External partners need access, but you want tight control and audit.<\/li>\n
                                                        • Why Cloud Firewall fits:<\/strong> IP-based allowlists and clear logging of access.<\/li>\n
                                                        • Example:<\/strong> Allow partner IP ranges to reach API gateway endpoints; deny everything else.<\/li>\n<\/ul>\n\n\n\n

                                                          12) Change-control-friendly policy management<\/h3>\n\n\n\n
                                                            \n
                                                          • Problem:<\/strong> Network changes cause outages; you need predictable rollout and rollback.<\/li>\n
                                                          • Why Cloud Firewall fits:<\/strong> Central rules with ordering\/priority and visibility into hits.<\/li>\n
                                                          • Example:<\/strong> Implement staged allow rules, validate traffic, then remove old exceptions.<\/li>\n<\/ul>\n\n\n\n
                                                            \n\n\n\n

                                                            6. Core Features<\/h2>\n\n\n\n

                                                            Cloud Firewall\u2019s exact feature set varies by edition and ongoing product updates. The features below reflect common Cloud Firewall capabilities; verify your edition\u2019s capabilities and supported asset types in official documentation<\/strong>:\nhttps:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/<\/p>\n\n\n\n

                                                            6.1 Internet boundary access control (ingress\/egress)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Lets you define allow\/deny policies for traffic between the Internet and your protected public-facing cloud assets (public IPs, and other supported asset types).<\/li>\n
                                                            • Why it matters:<\/strong> Reduces attack surface and enforces consistent exposure rules.<\/li>\n
                                                            • Practical benefit:<\/strong> \u201cDefault deny inbound; allow only 80\/443; allow SSH only from corp IP.\u201d<\/li>\n
                                                            • Caveats:<\/strong> Enforcement scope depends on what assets are included in Cloud Firewall protection. Some assets may still require security group controls.<\/li>\n<\/ul>\n\n\n\n

                                                              6.2 VPC boundary \/ inter-network firewalling (where supported)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Controls traffic between networks such as VPCs (and potentially between VPC and other networks, depending on supported connectivity and edition).<\/li>\n
                                                              • Why it matters:<\/strong> Segmentation reduces lateral movement and limits blast radius.<\/li>\n
                                                              • Practical benefit:<\/strong> Separate prod\/dev, isolate shared services, enforce strict east-west policy.<\/li>\n
                                                              • Caveats:<\/strong> Coverage depends on how your networks are connected (CEN, peering, etc.) and what Cloud Firewall supports for those paths. Verify supported topologies.<\/li>\n<\/ul>\n\n\n\n

                                                                6.3 Policy prioritization, ordering, and hit visibility<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Allows multiple rules with a priority\/order and often provides hit counts to understand which rules are used.<\/li>\n
                                                                • Why it matters:<\/strong> Prevents ambiguity; helps identify stale rules.<\/li>\n
                                                                • Practical benefit:<\/strong> You can safely add an allow exception above a broader deny rule and verify it\u2019s being used.<\/li>\n
                                                                • Caveats:<\/strong> Rule evaluation behavior (first-match vs best-match) must be confirmed in docs.<\/li>\n<\/ul>\n\n\n\n

                                                                  6.4 Address books \/ reusable objects (commonly available)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Create reusable IP sets (e.g., \u201cCorpOfficeIPs\u201d, \u201cPartnerA\u201d) referenced by multiple rules.<\/li>\n
                                                                  • Why it matters:<\/strong> Prevents repeated edits across many rules and reduces mistakes.<\/li>\n
                                                                  • Practical benefit:<\/strong> Update one address book when office IP changes.<\/li>\n
                                                                  • Caveats:<\/strong> Size limits may apply; verify quotas.<\/li>\n<\/ul>\n\n\n\n

                                                                    6.5 Traffic logs and event history<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Records traffic events (allowed\/blocked) and policy match information, depending on configuration.<\/li>\n
                                                                    • Why it matters:<\/strong> Essential for auditing, troubleshooting, and incident response.<\/li>\n
                                                                    • Practical benefit:<\/strong> Confirm whether a blocked connection failed due to Cloud Firewall or a security group.<\/li>\n
                                                                    • Caveats:<\/strong> Log retention may be limited or billable; export\/storage may incur additional costs.<\/li>\n<\/ul>\n\n\n\n

                                                                      6.6 Alerts and reporting<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Highlights security events, potential threats, and policy-related anomalies (feature names vary).<\/li>\n
                                                                      • Why it matters:<\/strong> Supports security operations and compliance reporting.<\/li>\n
                                                                      • Practical benefit:<\/strong> SOC can monitor spikes in blocked traffic or suspicious destinations.<\/li>\n
                                                                      • Caveats:<\/strong> Alert quality depends on configuration; avoid alert fatigue.<\/li>\n<\/ul>\n\n\n\n

                                                                        6.7 Threat intelligence \/ IPS-style prevention (edition dependent)<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does:<\/strong> Blocks or detects known malicious patterns or sources based on threat intelligence and intrusion prevention capabilities (exact capabilities depend on product version\/edition).<\/li>\n
                                                                        • Why it matters:<\/strong> Adds a layer beyond static allow\/deny.<\/li>\n
                                                                        • Practical benefit:<\/strong> Automatically blocks known bad IPs attempting brute-force attacks.<\/li>\n
                                                                        • Caveats:<\/strong> Do not rely solely on IPS; still implement least privilege. Verify coverage, supported protocols, and tuning options.<\/li>\n<\/ul>\n\n\n\n

                                                                          6.8 Centralized management and governance<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does:<\/strong> Consolidates firewall policy management for an Alibaba Cloud account, often enabling separation of duties.<\/li>\n
                                                                          • Why it matters:<\/strong> Security teams can set baselines while app teams manage app-specific needs.<\/li>\n
                                                                          • Practical benefit:<\/strong> Standardize naming, tagging, review workflows.<\/li>\n
                                                                          • Caveats:<\/strong> Your organization must design the RBAC model carefully.<\/li>\n<\/ul>\n\n\n\n

                                                                            6.9 API\/automation support (where available)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • What it does:<\/strong> Allows managing resources and policies using APIs\/SDKs (availability depends on Alibaba Cloud OpenAPI coverage for Cloud Firewall).<\/li>\n
                                                                            • Why it matters:<\/strong> Enables Infrastructure as Code and CI\/CD integration for policy changes.<\/li>\n
                                                                            • Practical benefit:<\/strong> Apply standard policies to new accounts\/environments consistently.<\/li>\n
                                                                            • Caveats:<\/strong> API coverage can differ by feature; verify current OpenAPI docs.<\/li>\n<\/ul>\n\n\n\n
                                                                              \n\n\n\n

                                                                              7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                              7.1 High-level architecture<\/h3>\n\n\n\n

                                                                              Cloud Firewall typically works as a central policy decision and enforcement system<\/strong> integrated with Alibaba Cloud networking.<\/p>\n\n\n\n

                                                                              At a high level:<\/p>\n\n\n\n

                                                                                \n
                                                                              • You enable protection<\/strong> for supported assets (for example, public IP assets, gateways, or network connections).<\/li>\n
                                                                              • You define access control policies<\/strong> (allow\/deny) and optional threat prevention settings.<\/li>\n
                                                                              • Cloud Firewall enforces<\/strong> those policies on traffic paths supported by the service.<\/li>\n
                                                                              • Logs and events are made available in the Cloud Firewall console and\/or via integration with logging services (verify exact options).<\/li>\n<\/ul>\n\n\n\n

                                                                                7.2 Request\/data\/control flow (conceptual)<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Control plane<\/strong><\/li>\n
                                                                                • Admin configures policies in Cloud Firewall console or API.<\/li>\n
                                                                                • \n

                                                                                  Policies are stored and distributed to enforcement points.<\/p>\n<\/li>\n

                                                                                • \n

                                                                                  Data plane<\/strong><\/p>\n<\/li>\n

                                                                                • Network traffic flows between sources and destinations (Internet \u2194 public IP assets, or between networks).<\/li>\n
                                                                                • Cloud Firewall evaluates traffic against the policy set and enforces allow\/deny (and optional prevention).<\/li>\n
                                                                                • Logs\/events are emitted.<\/li>\n<\/ul>\n\n\n\n

                                                                                  7.3 Integrations with related services (typical)<\/h3>\n\n\n\n

                                                                                  Integrations can include (verify exact, current integrations):<\/p>\n\n\n\n

                                                                                    \n
                                                                                  • ActionTrail<\/strong> for auditing who changed firewall policies<\/li>\n
                                                                                  • Log Service (SLS)<\/strong> for centralized log retention and querying<\/li>\n
                                                                                  • CloudMonitor<\/strong> for metrics\/alerts (where supported)<\/li>\n
                                                                                  • Security Center<\/strong> for broader posture management and host security context<\/li>\n<\/ul>\n\n\n\n

                                                                                    7.4 Dependency services<\/h3>\n\n\n\n

                                                                                    Cloud Firewall depends on your networking services and assets to provide enforcement, such as:<\/p>\n\n\n\n

                                                                                      \n
                                                                                    • ECS instances with public IP or EIP (or other public endpoints)<\/li>\n
                                                                                    • VPCs and their connectivity constructs (CEN\/peering\/VPN\/Express Connect), if using inter-network controls<\/li>\n
                                                                                    • Gateways (NAT, etc.), if protected by Cloud Firewall (verify asset support)<\/li>\n<\/ul>\n\n\n\n

                                                                                      7.5 Security\/authentication model<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Access to Cloud Firewall configuration is governed by Alibaba Cloud RAM (Resource Access Management)<\/strong>.<\/li>\n
                                                                                      • Use least privilege RAM policies for:<\/li>\n
                                                                                      • Viewing assets and logs<\/li>\n
                                                                                      • Managing address books and policies<\/li>\n
                                                                                      • Enabling protection and changing prevention settings<\/li>\n<\/ul>\n\n\n\n

                                                                                        7.6 Networking model considerations<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Cloud Firewall is not a replacement for:<\/li>\n
                                                                                        • Security groups (instance-level controls)<\/li>\n
                                                                                        • NACLs (subnet-level)<\/li>\n
                                                                                        • WAF (application layer)<\/li>\n
                                                                                        • Anti-DDoS (DDoS mitigation)<\/li>\n
                                                                                        • Treat Cloud Firewall as a central network security control plane<\/strong> that strengthens boundary controls and visibility.<\/li>\n<\/ul>\n\n\n\n

                                                                                          7.7 Monitoring\/logging\/governance<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Establish:<\/li>\n
                                                                                          • A logging retention plan (how long logs must be kept, where)<\/li>\n
                                                                                          • A change approval flow (who can modify policies)<\/li>\n
                                                                                          • Standard rule naming conventions (environment\/app\/owner\/ticket)<\/li>\n<\/ul>\n\n\n\n

                                                                                            Simple architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                            flowchart LR\n  Internet((Internet)) --> CF[Alibaba Cloud\\nCloud Firewall]\n  CF --> Pub[Public IP Assets\\n(ECS\/EIP\/SLB\/etc.)]\n  Pub --> App[Applications]\n  Admin[Admin \/ SecOps] -->|Policies| CF\n  CF --> Logs[Logs\/Events]\n<\/code><\/pre>\n\n\n\n
                                                                                            Production-style architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                            flowchart TB\n  subgraph Users\n    U1[Customers]\n    U2[Partners]\n    U3[Admins]\n  end\n\n  subgraph AlibabaCloud[Alibaba Cloud Account]\n    CF[Cloud Firewall\\nCentral Policy + Logging]\n\n    subgraph Edge[Internet-facing Layer]\n      LB[Load Balancer \/ Public Endpoints\\n(asset types vary)]\n      NAT[NAT \/ Egress Gateway\\n(if supported)]\n    end\n\n    subgraph Networks[Network Segments]\n      VPC1[Prod VPC]\n      VPC2[Dev VPC]\n      SHARED[Shared Services VPC]\n    end\n\n    subgraph Workloads[Workloads]\n      WEB[Web\/API Tier]\n      DB[Database Tier]\n      BASTION[Bastion Host]\n      CICD[CI\/CD Runners]\n    end\n\n    Logs[(Central Logs\\n(SLS or other; verify))]\n    Audit[(ActionTrail\\n(verify))]\n  end\n\n  U1 --> CF --> LB --> WEB --> DB\n  U2 --> CF --> LB\n  U3 --> CF --> BASTION\n\n  NAT --> CF\n  VPC2 --> CF --> VPC1\n  CICD --> CF --> SHARED\n\n  CF --> Logs\n  CF --> Audit\n<\/code><\/pre>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            8. Prerequisites<\/h2>\n\n\n\n
                                                                                            Before you start with Cloud Firewall on Alibaba Cloud, ensure you have:<\/p>\n\n\n\n
                                                                                            Account and billing<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • An Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n
                                                                                            • A Cloud Firewall purchase\/subscription<\/strong> or enabled trial (if available in your region\/account).  <\/li>\n
                                                                                            • Availability of trial\/free quota varies\u2014verify in the official pricing page<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Permissions (RAM)<\/h3>\n\n\n\n
                                                                                              You need RAM permissions that allow you to:\n– Open\/enable Cloud Firewall and view protected assets\n– Create\/edit access control policies<\/strong>\n– View logs and events<\/p>\n\n\n\n
                                                                                              If you use a RAM user (recommended), ask your account admin to attach appropriate Cloud Firewall permissions.\nVerify exact policy names and required actions<\/strong> in Alibaba Cloud RAM documentation and Cloud Firewall docs.<\/p>\n\n\n\n
                                                                                              Tools<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Alibaba Cloud console access<\/li>\n
                                                                                              • Optional:<\/li>\n
                                                                                              • ECS SSH client (OpenSSH on macOS\/Linux; PuTTY on Windows)<\/li>\n
                                                                                              • A way to determine your public IP (for allowlisting)<\/li>\n<\/ul>\n\n\n\n
                                                                                                Region availability<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Cloud Firewall availability and asset support can vary by region and edition.\nVerify supported regions and protected asset types in official docs<\/strong>:\n  https:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Quotas\/limits<\/h3>\n\n\n\n
                                                                                                  Common quota areas to check (exact limits vary by edition):\n– Number of protected public IP assets\n– Number of policies\/rules\n– Address book size\n– Log retention duration<\/p>\n\n\n\n
                                                                                                  Prerequisite services for this lab<\/h3>\n\n\n\n
                                                                                                  For the hands-on tutorial in this article, you need:\n– An ECS instance<\/strong> in a VPC\n– A public IP<\/strong> (either an ECS public IP or an EIP attached to the instance\u2014choose what your account supports and what is cheapest\/standard in your region)<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                  Cloud Firewall pricing changes by region, edition, and included quotas. Do not rely on blog posts or third-party summaries\u2014use official sources:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  • Product page: https:\/\/www.alibabacloud.com\/product\/cloud-firewall  <\/li>\n
                                                                                                  • Documentation: https:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/  <\/li>\n
                                                                                                  • Pricing page (verify current URL and details): https:\/\/www.alibabacloud.com\/product\/cloud-firewall\/pricing<\/li>\n<\/ul>\n\n\n\n
                                                                                                    9.1 Pricing dimensions (typical model)<\/h3>\n\n\n\n
                                                                                                    Cloud Firewall is commonly priced based on a combination of:<\/p>\n\n\n\n
                                                                                                      \n
                                                                                                    • Edition \/ plan tier<\/strong><\/li>\n
                                                                                                    • Different editions include different capabilities (for example, baseline access control vs advanced threat prevention).<\/li>\n
                                                                                                    • \n
                                                                                                      Edition names and inclusions can change\u2014verify in the official pricing page<\/strong>.<\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Protected asset quantity<\/strong><\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Often measured by number of public IPs\/EIPs or other protected endpoints.<\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Traffic volume \/ bandwidth<\/strong><\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Some plans include a traffic capacity; exceeding it may incur additional charges.<\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Log storage\/retention<\/strong><\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Longer retention or exporting logs to a log service may cost extra.<\/p>\n<\/li>\n
                                                                                                    • \n
                                                                                                      Add-on features<\/strong><\/p>\n<\/li>\n
                                                                                                    • Advanced threat prevention, additional logs, or extended analysis features may be add-ons or edition features.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      9.2 Free tier \/ trial<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Alibaba Cloud sometimes offers trials or promotional pricing for security products.\nVerify current free tier\/trial availability in your account and on the official pricing page<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        9.3 Main cost drivers<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Number of protected Internet-facing assets (public IPs\/EIPs)<\/li>\n
                                                                                                        • Amount of traffic inspected\/processed<\/li>\n
                                                                                                        • Whether you enable advanced inspection\/prevention capabilities<\/li>\n
                                                                                                        • Log volume and retention duration<\/li>\n<\/ul>\n\n\n\n
                                                                                                          9.4 Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Data transfer charges<\/strong>: Even if Cloud Firewall itself does not charge per GB in your plan, your architecture may incur:<\/li>\n
                                                                                                          • Internet egress charges from ECS, SLB, NAT, etc.<\/li>\n
                                                                                                          • \n
                                                                                                            Cross-region traffic charges (if applicable)<\/p>\n<\/li>\n
                                                                                                          • \n
                                                                                                            Log retention<\/strong>:<\/p>\n<\/li>\n
                                                                                                          • \n
                                                                                                            If you export logs to Log Service (SLS) or another system, you\u2019ll pay for ingest, storage, and query in that service.<\/p>\n<\/li>\n
                                                                                                          • \n
                                                                                                            Operational overhead<\/strong>:<\/p>\n<\/li>\n
                                                                                                          • Time spent maintaining policies, responding to alerts, and tuning rules.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            9.5 Cost optimization tips<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Protect only what needs protection (but don\u2019t under-protect critical assets).<\/li>\n
                                                                                                            • Start with deny-by-default inbound<\/strong> plus minimal allow rules.<\/li>\n
                                                                                                            • Use address books<\/strong> to reduce rule count and mistakes (operational cost).<\/li>\n
                                                                                                            • Tune logging:<\/li>\n
                                                                                                            • Keep high-value logs longer (blocked traffic, admin policy changes).<\/li>\n
                                                                                                            • Export to a centralized log platform only if needed for compliance\/SOC.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              9.6 Example low-cost starter estimate (non-numeric)<\/h3>\n\n\n\n
                                                                                                              A low-cost starter setup usually includes:\n– One small Cloud Firewall subscription\/edition\n– Protecting a small number of public IP assets<\/strong>\n– Basic inbound policies (allow SSH from your IP, allow web ports)\n– Short log retention (or minimal logging)<\/p>\n\n\n\n
                                                                                                              Because actual prices vary by region and promotions, use the Alibaba Cloud pricing page and your console cart to validate<\/strong>.<\/p>\n\n\n\n
                                                                                                              9.7 Example production cost considerations (non-numeric)<\/h3>\n\n\n\n
                                                                                                              For production, budget for:\n– Protecting all Internet-facing assets (public IPs, gateways, etc.)\n– Higher traffic volumes (more inspection capacity)\n– Longer log retention (compliance)\n– Possible add-ons for advanced prevention features\n– Centralized logging export (SLS) and SIEM ingestion costs<\/p>\n\n\n\n
                                                                                                              \n\n\n\n
                                                                                                              10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                              Objective<\/h3>\n\n\n\n
                                                                                                              Deploy a minimal, realistic Cloud Firewall configuration that:\n1. Protects an ECS instance reachable via a public IP\n2. Allows SSH only from your<\/strong> public IP\n3. Allows HTTP for a simple web test\n4. Blocks all other inbound traffic at the Cloud Firewall layer\n5. Verifies enforcement and reviews logs\n6. Cleans up all created resources<\/p>\n\n\n\n
                                                                                                              Lab Overview<\/h3>\n\n\n\n
                                                                                                              You will:\n– Create (or reuse) an ECS instance with a public IP\n– Configure its security group to allow inbound traffic broadly (for demonstration)\n– Enable Cloud Firewall protection for the asset\n– Create Cloud Firewall inbound rules:\n  – Allow SSH (22) from your public IP\n  – Allow HTTP (80) from anywhere (or restrict to your IP)\n  – Deny all other inbound traffic\n– Validate with SSH and HTTP tests\n– Review Cloud Firewall logs\/events\n– Clean up policies and optionally release ECS<\/p>\n\n\n\n
                                                                                                              \n
                                                                                                              Cost note: ECS + public IP + Cloud Firewall subscription can incur charges. If you already have a lab ECS instance, reuse it and clean up carefully.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                              \n\n\n\n
                                                                                                              Step 1: Prepare an ECS instance with a public IP<\/h3>\n\n\n\n
                                                                                                              Option A (simplest):<\/strong> Create a new ECS instance with a public IPv4 address in your preferred region.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Go to the ECS console: https:\/\/ecs.console.aliyun.com\/<\/li>\n
                                                                                                              2. Create an instance:\n   – Choose a low-cost instance type suitable for a lab\n   – Use a standard Linux image (for example Alibaba Cloud Linux \/ CentOS \/ Ubuntu)\n   – Ensure it is in a VPC\n   – Enable a public IPv4 address<\/strong> (or plan to attach an EIP)<\/li>\n
                                                                                                              3. Configure login:\n   – Use an SSH key pair (recommended) or password (less recommended)<\/li>\n
                                                                                                              4. Create or select a security group:\n   – For the lab, allow inbound SSH and HTTP from the Internet so Cloud Firewall\u2019s effect is obvious.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                Security group inbound rules for the lab (example):<\/strong>\n– TCP 22 from 0.0.0.0\/0<\/code>\n– TCP 80 from 0.0.0.0\/0<\/code><\/p>\n\n\n\n
                                                                                                                \n
                                                                                                                This is intentionally permissive for demonstration. In production, you would not do this.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                Expected outcome<\/strong>\n– You have an ECS instance with:\n  – A public IPv4 address (or an EIP)\n  – Security group allowing SSH\/HTTP inbound<\/p>\n\n\n\n
                                                                                                                Verification<\/strong>\n– Note the instance public IP from the ECS instance details page.<\/p>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 2: Install a simple web service (NGINX) on the ECS instance<\/h3>\n\n\n\n
                                                                                                                SSH into the instance from your laptop:<\/p>\n\n\n\n
                                                                                                                ssh <username>@<public-ip>\n<\/code><\/pre>\n\n\n\n
                                                                                                                Install NGINX (commands vary by distro). Examples:<\/p>\n\n\n\n
                                                                                                                Ubuntu\/Debian:<\/strong><\/p>\n\n\n\n
                                                                                                                sudo apt-get update\nsudo apt-get install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                                CentOS\/RHEL\/Alibaba Cloud Linux (may vary):<\/strong><\/p>\n\n\n\n
                                                                                                                sudo yum install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                                Confirm NGINX is listening:<\/p>\n\n\n\n
                                                                                                                sudo ss -lntp | grep ':80'\n<\/code><\/pre>\n\n\n\n
                                                                                                                Expected outcome<\/strong>\n– NGINX is running and listening on port 80.<\/p>\n\n\n\n
                                                                                                                Verification<\/strong>\nFrom your laptop:<\/p>\n\n\n\n
                                                                                                                curl -I http:\/\/<public-ip>\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                You should see an HTTP response (for example 200 OK<\/code> or 301 Moved Permanently<\/code> depending on distro config).<\/p>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 3: Determine your public IP address for SSH allowlisting<\/h3>\n\n\n\n
                                                                                                                From your laptop, find your public IP (examples):<\/p>\n\n\n\n
                                                                                                                curl -s https:\/\/ifconfig.me\n<\/code><\/pre>\n\n\n\n
                                                                                                                or:<\/p>\n\n\n\n
                                                                                                                curl -s https:\/\/api.ipify.org\n<\/code><\/pre>\n\n\n\n
                                                                                                                Record the result as:<\/p>\n\n\n\n
                                                                                                                  \n
                                                                                                                • MY_IP = x.x.x.x<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                  You will use MY_IP\/32<\/code> in firewall rules.<\/p>\n\n\n\n
                                                                                                                  Expected outcome<\/strong>\n– You know the exact public IP you will allow for SSH.<\/p>\n\n\n\n
                                                                                                                  Verification<\/strong>\n– If you are on a corporate VPN, verify whether the VPN changes your public IP.<\/p>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  Step 4: Activate Cloud Firewall and locate your Internet-facing asset<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Open the Cloud Firewall console (from Alibaba Cloud console search for \u201cCloud Firewall\u201d), or go via product page links:\n   – https:\/\/www.alibabacloud.com\/product\/cloud-firewall<\/li>\n
                                                                                                                  2. If this is your first time:\n   – Follow prompts to activate\/subscribe<\/strong>.<\/li>\n
                                                                                                                  3. In Cloud Firewall, find the section that lists Internet-exposed\/protected assets (often labeled similar to \u201cInternet Firewall\u201d or \u201cAssets\u201d depending on console version).<\/li>\n
                                                                                                                  4. Confirm your ECS public IP (or EIP) appears in the asset list.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    Expected outcome<\/strong>\n– Cloud Firewall is active in your account.\n– Your public IP asset is visible and can be placed under Cloud Firewall protection.<\/p>\n\n\n\n
                                                                                                                    Verification<\/strong>\n– If the asset does not appear:\n  – Confirm the ECS has a public IPv4\/EIP.\n  – Confirm you are in the correct account.\n  – Check region-related views in the console.\n  – Verify supported asset types in docs.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 5: Enable protection for the ECS public IP (if required)<\/h3>\n\n\n\n
                                                                                                                    Depending on how Cloud Firewall presents assets, you may need to:\n– \u201cEnable protection\u201d for the public IP, or\n– Add it to a protected asset scope.<\/p>\n\n\n\n
                                                                                                                    In the Cloud Firewall console:\n1. Select the asset representing your ECS public IP\/EIP.\n2. Choose the action to enable protection.<\/p>\n\n\n\n
                                                                                                                    Expected outcome<\/strong>\n– The public IP asset is marked as protected\/managed by Cloud Firewall.<\/p>\n\n\n\n
                                                                                                                    Verification<\/strong>\n– Look for a status such as \u201cProtected\u201d, \u201cEnabled\u201d, or similar.<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                    If you cannot find an explicit enable step, Cloud Firewall may be protecting assets by default once subscribed. Verify in official docs<\/strong> for your console version.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 6: Create Cloud Firewall inbound access control policies<\/h3>\n\n\n\n
                                                                                                                    Go to the Cloud Firewall access control policy area for Internet inbound<\/strong> rules (menu labels vary; commonly \u201cInternet Firewall\u201d \u2192 \u201cAccess Control\u201d).<\/p>\n\n\n\n
                                                                                                                    Create rules in this order (high priority first). If Cloud Firewall uses numeric priorities, use smaller numbers for higher priority; verify rule evaluation logic in your console<\/strong>.<\/p>\n\n\n\n
                                                                                                                    Rule 1: Allow SSH from your IP only<\/h4>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Direction: Inbound<\/li>\n
                                                                                                                    • Action: Allow<\/li>\n
                                                                                                                    • Protocol: TCP<\/li>\n
                                                                                                                    • Source: MY_IP\/32<\/code><\/li>\n
                                                                                                                    • Destination: your ECS public IP asset (or \u201call protected assets\u201d if you want a broader rule\u2014use caution)<\/li>\n
                                                                                                                    • Destination port: 22<\/code><\/li>\n
                                                                                                                    • Description: Allow SSH from my IP<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Rule 2: Allow HTTP (port 80)<\/h4>\n\n\n\n
                                                                                                                      For a safer lab, you can also restrict to your IP, but allowing from anywhere makes it easier to validate quickly.<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Direction: Inbound<\/li>\n
                                                                                                                      • Action: Allow<\/li>\n
                                                                                                                      • Protocol: TCP<\/li>\n
                                                                                                                      • Source: 0.0.0.0\/0<\/code> (or MY_IP\/32<\/code>)<\/li>\n
                                                                                                                      • Destination: your ECS public IP asset<\/li>\n
                                                                                                                      • Destination port: 80<\/code><\/li>\n
                                                                                                                      • Description: Allow HTTP<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Rule 3: Deny all other inbound traffic<\/h4>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Direction: Inbound<\/li>\n
                                                                                                                        • Action: Deny<\/li>\n
                                                                                                                        • Protocol: Any (or TCP\/UDP\/ICMP as supported)<\/li>\n
                                                                                                                        • Source: 0.0.0.0\/0<\/code><\/li>\n
                                                                                                                        • Destination: your ECS public IP asset<\/li>\n
                                                                                                                        • Destination port: Any<\/li>\n
                                                                                                                        • Description: Default deny inbound<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– Cloud Firewall rules now define an explicit allowlist and a default deny.<\/p>\n\n\n\n
                                                                                                                          Verification<\/strong>\n– Confirm the policies are \u201cEnabled\/Effective\u201d.\n– Confirm rule order is correct (allow rules above deny-all).<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 7: Validate enforcement (SSH and HTTP)<\/h3>\n\n\n\n
                                                                                                                          Validate SSH works from your IP<\/h4>\n\n\n\n
                                                                                                                          From your laptop:<\/p>\n\n\n\n
                                                                                                                          ssh <username>@<public-ip>\n<\/code><\/pre>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– SSH succeeds from your allowlisted IP.<\/p>\n\n\n\n
                                                                                                                          Validate HTTP works (if allowed)<\/h4>\n\n\n\n
                                                                                                                          From your laptop:<\/p>\n\n\n\n
                                                                                                                          curl -I http:\/\/<public-ip>\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– HTTP returns headers successfully.<\/p>\n\n\n\n
                                                                                                                          Validate \u201cdeny all other inbound\u201d is effective<\/h4>\n\n\n\n
                                                                                                                          You need a source IP not in your allowlist<\/strong> to test. Options:\n– Disable VPN (if it changes your IP) and retry SSH; or\n– Use a different network (mobile hotspot) and retry SSH; or\n– Ask a colleague to try SSH from their IP (do not share credentials).<\/p>\n\n\n\n
                                                                                                                          If you attempt SSH from a non-allowed IP, you should see a timeout or connection failure.<\/p>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– SSH from non-allowlisted IP fails.\n– Allowed services still work as configured.<\/p>\n\n\n\n
                                                                                                                          Important note about troubleshooting:<\/strong> If SSH fails even from your allowlisted IP, the cause could be:\n– Rule order\/priority\n– Wrong source IP (your IP changed)\n– Security group\/NACL issues\n– OS firewall (iptables\/nftables\/ufw)\n– Cloud Firewall asset protection not enabled<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 8: Review Cloud Firewall logs\/events for the blocked traffic<\/h3>\n\n\n\n
                                                                                                                          In Cloud Firewall console:\n1. Navigate to logs\/events\/traffic analysis (menu names vary).\n2. Filter:\n   – Asset = your public IP\n   – Direction = inbound\n   – Ports = 22 or 80\n3. Look for:\n   – Allowed SSH from your IP\n   – Blocked SSH attempts (if you tested from another IP)\n   – Deny-all rule hits<\/p>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– You can see policy hits and traffic events that match your tests.<\/p>\n\n\n\n
                                                                                                                          Verification<\/strong>\n– If you see no logs:\n  – Confirm logging is enabled in your Cloud Firewall edition\/configuration.\n  – Verify log latency (some logs appear after a delay).\n  – Verify whether logs require additional configuration or paid retention.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Validation<\/h3>\n\n\n\n
                                                                                                                          Use this checklist:<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. ECS security group allows inbound 22\/80 from 0.0.0.0\/0<\/code> (lab setup).<\/li>\n
                                                                                                                          2. Cloud Firewall allows:\n   – SSH only from MY_IP\/32<\/code>\n   – HTTP as configured<\/li>\n
                                                                                                                          3. Cloud Firewall denies all other inbound.<\/li>\n
                                                                                                                          4. SSH works from your IP.<\/li>\n
                                                                                                                          5. SSH fails from non-allowlisted IP.<\/li>\n
                                                                                                                          6. Logs show allowed\/blocked events and rule hits.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Troubleshooting<\/h3>\n\n\n\n
                                                                                                                            Problem: SSH fails even from MY_IP<\/h4>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Confirm your current public IP:\n  bash\n  curl -s https:\/\/api.ipify.org<\/code><\/li>\n
                                                                                                                            • Update the Cloud Firewall allow rule to the correct MY_IP\/32<\/code>.<\/li>\n
                                                                                                                            • Check rule order: allow rule must be above deny-all.<\/li>\n
                                                                                                                            • Check ECS security group allows inbound 22 from your source.<\/li>\n
                                                                                                                            • Check OS firewall:<\/li>\n
                                                                                                                            • Ubuntu: sudo ufw status<\/code><\/li>\n
                                                                                                                            • General: sudo iptables -S<\/code> or sudo nft list ruleset<\/code> (varies)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Problem: Policies exist but don\u2019t seem to take effect<\/h4>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Confirm the asset is actually under Cloud Firewall protection.<\/li>\n
                                                                                                                              • Confirm the rule targets the correct asset (public IP vs EIP vs \u201call assets\u201d).<\/li>\n
                                                                                                                              • Verify Cloud Firewall supports that asset type\/path in your region\/edition.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Problem: No logs appear<\/h4>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Verify logging is enabled and supported by your edition.<\/li>\n
                                                                                                                                • Check if log viewing requires additional configuration or retention purchase.<\/li>\n
                                                                                                                                • Look for delays; retry after a few minutes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Problem: HTTP works but logs show it blocked (or vice versa)<\/h4>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Ensure you are testing the correct IP and port.<\/li>\n
                                                                                                                                  • Confirm there isn\u2019t another listener (like a different service) redirecting traffic.<\/li>\n
                                                                                                                                  • Re-check rule evaluation logic (first match vs other behavior).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    \n\n\n\n
                                                                                                                                    Cleanup<\/h3>\n\n\n\n
                                                                                                                                    To avoid ongoing charges and reduce risk exposure:<\/p>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    1. Delete or disable Cloud Firewall policies<\/strong> created for the lab:\n   – Remove allow SSH\/HTTP rules and deny-all rules (or disable them).<\/li>\n
                                                                                                                                    2. Disable protection<\/strong> for the lab asset (if your console provides that control).<\/li>\n
                                                                                                                                    3. ECS cleanup (optional but recommended):<\/strong>\n   – Stop and release the ECS instance if it was created only for this lab.<\/li>\n
                                                                                                                                    4. Release public IP resources<\/strong> if applicable:\n   – Release EIP (if you allocated one separately).<\/li>\n
                                                                                                                                    5. Log retention\/export cleanup:<\/strong>\n   – If you enabled log export to an external logging service, disable export and clean up log stores (only if safe and compliant).<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                      Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Use layered controls<\/strong>:<\/li>\n
                                                                                                                                      • Cloud Firewall for centralized boundary policy and logging<\/li>\n
                                                                                                                                      • Security groups for instance-level segmentation<\/li>\n
                                                                                                                                      • NACLs where subnet-level stateless control is needed<\/li>\n
                                                                                                                                      • WAF for HTTP\/HTTPS application-layer protections<\/li>\n
                                                                                                                                      • Design network segmentation<\/strong> explicitly:<\/li>\n
                                                                                                                                      • Separate prod\/dev\/test<\/li>\n
                                                                                                                                      • Separate public subnets (DMZ) from private app\/data subnets<\/li>\n
                                                                                                                                      • Prefer private connectivity<\/strong> for internal services (use internal SLB, private endpoints) and expose only necessary public endpoints.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Use RAM roles\/users<\/strong>; avoid using the root account for daily operations.<\/li>\n
                                                                                                                                        • Apply least privilege<\/strong>:<\/li>\n
                                                                                                                                        • Security engineers can manage baseline policies<\/li>\n
                                                                                                                                        • App teams can request exceptions via a controlled workflow<\/li>\n
                                                                                                                                        • Enable MFA<\/strong> for privileged users.<\/li>\n
                                                                                                                                        • Use ActionTrail<\/strong> (or equivalent audit logging) for policy changes (verify integration).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Cost best practices<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Keep protected scope aligned to risk:<\/li>\n
                                                                                                                                          • Protect all Internet-facing assets in production<\/li>\n
                                                                                                                                          • Avoid protecting unused\/temporary public IPs<\/li>\n
                                                                                                                                          • Control logging costs:<\/li>\n
                                                                                                                                          • Define a retention period<\/li>\n
                                                                                                                                          • Export only required logs to SIEM<\/li>\n
                                                                                                                                          • Regularly prune unused rules and address books.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Performance best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Keep rule sets manageable and well-structured:<\/li>\n
                                                                                                                                            • Use address books for IP ranges<\/li>\n
                                                                                                                                            • Group rules by environment and application<\/li>\n
                                                                                                                                            • Avoid overly broad allow rules that negate security value.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Treat policy changes as production changes:<\/li>\n
                                                                                                                                              • Use change windows for risky rules<\/li>\n
                                                                                                                                              • Validate with staging first<\/li>\n
                                                                                                                                              • Maintain rollback procedures (previous rule snapshots)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Create a standard rule naming convention<\/strong>:<\/li>\n
                                                                                                                                                • env-app-direction-action-port-owner-ticket<\/code><\/li>\n
                                                                                                                                                • Review rule hit counts and logs regularly.<\/li>\n
                                                                                                                                                • Set up alerting for:<\/li>\n
                                                                                                                                                • Spikes in denied traffic<\/li>\n
                                                                                                                                                • Newly detected public exposures (if Cloud Firewall provides exposure insights)<\/li>\n
                                                                                                                                                • Changes to critical deny\/allow rules<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Use consistent naming for:<\/li>\n
                                                                                                                                                  • Address books (e.g., AB-CORP-OFFICE-IPV4<\/code>)<\/li>\n
                                                                                                                                                  • Policies (e.g., PROD-WEB-INBOUND-ALLOW-443<\/code>)<\/li>\n
                                                                                                                                                  • Track ownership and ticket references in rule descriptions.<\/li>\n
                                                                                                                                                  • Periodically run access reviews (quarterly is common in regulated environments).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    \n\n\n\n
                                                                                                                                                    12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                    Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Cloud Firewall management is controlled through Alibaba Cloud RAM<\/strong>.<\/li>\n
                                                                                                                                                    • Implement separation of duties:<\/li>\n
                                                                                                                                                    • Read-only access for auditors and most engineers<\/li>\n
                                                                                                                                                    • Change access for a small group with approvals<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Encryption<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Cloud Firewall is a managed service; encryption at rest and in transit for control plane data is handled by Alibaba Cloud according to product design.<\/li>\n
                                                                                                                                                      • For logs exported to other services:<\/li>\n
                                                                                                                                                      • Ensure encryption is enabled in the destination logging\/storage service (for example, Log Service settings\u2014verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Network exposure<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Cloud Firewall helps reduce exposure, but you must still:<\/li>\n
                                                                                                                                                        • Close unnecessary ports at security group level<\/li>\n
                                                                                                                                                        • Avoid public IPs for private services<\/li>\n
                                                                                                                                                        • Use bastions\/VPN for admin access<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Do not store secrets in firewall rule descriptions or address books.<\/li>\n
                                                                                                                                                          • Use Secrets Manager or equivalent secret stores for credentials used to access ECS.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Enable audit trails for Cloud Firewall configuration changes (ActionTrail).<\/li>\n
                                                                                                                                                            • Enable traffic logging where required for compliance.<\/li>\n
                                                                                                                                                            • Define retention and access policies for logs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                              Cloud Firewall can support compliance evidence by providing:\n– Central policy definitions\n– Change history (via audit trails)\n– Traffic logs demonstrating enforcement<\/p>\n\n\n\n
                                                                                                                                                              However:\n– Compliance frameworks require process and governance; Cloud Firewall is only one part of a control system.<\/p>\n\n\n\n
                                                                                                                                                              Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Leaving a broad allow rule above a deny-all (accidental exposure).<\/li>\n
                                                                                                                                                              • Allowlisting \u201ctemporary\u201d IP ranges and never removing them.<\/li>\n
                                                                                                                                                              • Assuming Cloud Firewall replaces security groups and then leaving SGs overly open.<\/li>\n
                                                                                                                                                              • Not validating rule order\/priority after changes.<\/li>\n
                                                                                                                                                              • Not monitoring logs; blocking critical traffic unintentionally.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Start with deny-by-default inbound<\/strong>, then explicitly allow required ports.<\/li>\n
                                                                                                                                                                • Restrict management access (SSH\/RDP) to:<\/li>\n
                                                                                                                                                                • Corporate IPs, VPN egress IPs, or bastion hosts<\/li>\n
                                                                                                                                                                • Keep production logging enabled and protected from tampering (least privilege, retention policies).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                  13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                  Because Cloud Firewall capabilities evolve and vary by edition\/region, treat the following as common considerations and verify details in official docs<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                                  Known limitations \/ constraints to check<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Supported asset types<\/strong>: Not every network product\/path may be protectable.<\/li>\n
                                                                                                                                                                  • Regional support<\/strong>: Some features may be limited to certain regions.<\/li>\n
                                                                                                                                                                  • Protocol\/port coverage<\/strong>: Verify which protocols (TCP\/UDP\/ICMP) and which traffic directions are supported for each firewall type.<\/li>\n
                                                                                                                                                                  • IPv6<\/strong>: Verify whether IPv6 traffic is supported for your scenario.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Quotas<\/h3>\n\n\n\n
                                                                                                                                                                    Common quota categories:\n– Maximum number of protected assets (public IPs\/EIPs)\n– Maximum number of access control rules\n– Address book size and number of objects\n– Log retention and storage limits<\/p>\n\n\n\n
                                                                                                                                                                    Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Log retention\/export can become expensive at scale.<\/li>\n
                                                                                                                                                                    • Traffic-based pricing components (if applicable in your edition) can be a major driver.<\/li>\n
                                                                                                                                                                    • Protecting large numbers of public IPs across multiple teams can increase subscription size.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Overlapping controls: Security groups, NACLs, route tables, and Cloud Firewall can all affect traffic.<\/li>\n
                                                                                                                                                                      • If you use multiple enforcement layers, troubleshooting requires checking each layer in order.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Rule order matters<\/strong>: A deny-all placed above allow rules will break access.<\/li>\n
                                                                                                                                                                        • Your source IP changes<\/strong>: VPN and ISP changes can cause lockouts if you rely on IP allowlisting.<\/li>\n
                                                                                                                                                                        • Log delay<\/strong>: Some event logs may appear after a short delay; don\u2019t assume \u201cno logs\u201d means \u201cno enforcement.\u201d<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Moving from \u201csecurity groups only\u201d to Cloud Firewall requires:<\/li>\n
                                                                                                                                                                          • Rule normalization<\/li>\n
                                                                                                                                                                          • Ownership mapping (who owns which exceptions)<\/li>\n
                                                                                                                                                                          • Testing to avoid outages<\/li>\n
                                                                                                                                                                          • A rollback plan<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • Console menus and terminology may change over time. Always cross-check the latest:<\/li>\n
                                                                                                                                                                            • Cloud Firewall docs: https:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              \n\n\n\n
                                                                                                                                                                              14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                              Cloud Firewall is part of a broader set of network and security controls. The best choice often depends on the traffic layer (L3\/L4 vs L7), where you want enforcement, and operational needs.<\/p>\n\n\n\n
                                                                                                                                                                              How Cloud Firewall differs from nearby Alibaba Cloud services<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Security Groups (ECS):<\/strong> Instance-level virtual firewall rules, great for micro-segmentation but decentralized across teams.<\/li>\n
                                                                                                                                                                              • Network ACLs (VPC):<\/strong> Subnet-level stateless controls; useful for coarse segmentation.<\/li>\n
                                                                                                                                                                              • WAF:<\/strong> L7 protection for HTTP\/HTTPS (OWASP Top 10, bot protection depending on product).<\/li>\n
                                                                                                                                                                              • Anti-DDoS:<\/strong> DDoS mitigation, not a policy-based firewall replacement.<\/li>\n
                                                                                                                                                                              • Third-party firewall appliances on ECS:<\/strong> Full control and deep features, but you manage scaling\/HA and operational overhead.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Comparison table<\/h3>\n\n\n\n
                                                                                                                                                                                \n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                Alibaba Cloud Cloud Firewall<\/strong><\/td>\nCentralized network policy, visibility, audit across many assets<\/td>\nCentral control, unified policies, logging\/visibility, reduces SG sprawl<\/td>\nEdition\/asset-type constraints; cost grows with assets\/logs; needs governance<\/td>\nYou need centralized control and audit for Internet and supported inter-network traffic<\/td>\n<\/tr>\n
                                                                                                                                                                                ECS Security Groups<\/strong><\/td>\nInstance-level segmentation<\/td>\nSimple, close to workloads, no extra subscription<\/td>\nDecentralized management, inconsistent policies, harder auditing<\/td>\nSmall environments or when you need workload-level micro-segmentation primarily<\/td>\n<\/tr>\n
                                                                                                                                                                                VPC Network ACL (NACL)<\/strong><\/td>\nSubnet-level coarse control<\/td>\nStateless, can enforce at subnet boundary<\/td>\nHarder to manage at scale; limited context; can be error-prone<\/td>\nYou need subnet-level deny\/allow independent of instance SGs<\/td>\n<\/tr>\n
                                                                                                                                                                                Alibaba Cloud WAF<\/strong><\/td>\nWeb apps\/APIs over HTTP\/HTTPS<\/td>\nL7 protections, virtual patching, bot and application threat mitigation (product-dependent)<\/td>\nOnly for HTTP\/HTTPS; not for generic TCP services<\/td>\nYou expose web workloads and need OWASP and L7 security<\/td>\n<\/tr>\n
                                                                                                                                                                                Alibaba Cloud Anti-DDoS<\/strong><\/td>\nDDoS mitigation<\/td>\nHandles volumetric\/protocol attacks<\/td>\nNot an access-control firewall<\/td>\nYou\u2019re under DDoS risk and need mitigation at scale<\/td>\n<\/tr>\n
                                                                                                                                                                                Self-managed firewall appliance (3rd party) on ECS<\/strong><\/td>\nCustom firewall features, deep inspection, complex routing<\/td>\nFull feature control, vendor ecosystem<\/td>\nYou manage HA, scaling, upgrades; higher ops cost<\/td>\nYou need appliance-specific features not provided by Cloud Firewall<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                                Enterprise example: regulated fintech with multi-environment segmentation<\/h3>\n\n\n\n
                                                                                                                                                                                Problem<\/strong>\nA fintech runs multiple products on Alibaba Cloud across prod, staging, and dev VPCs. Different teams manage security groups inconsistently. Audit requires clear evidence of inbound restrictions and change tracking.<\/p>\n\n\n\n
                                                                                                                                                                                Proposed architecture<\/strong>\n– Internet-facing endpoints behind supported public assets (for example load balancers or public IPs).\n– Cloud Firewall:\n  – Central inbound allowlist for web ports and admin ports\n  – Deny risky ports globally\n  – Environment segmentation rules (where supported) between VPCs\n  – Centralized logging and export to SIEM (via log integration\u2014verify)\n– Security groups:\n  – Service-to-service micro-segmentation within each VPC\n– ActionTrail enabled for audit of policy changes\n– WAF in front of web apps for L7 threats (if web traffic)<\/p>\n\n\n\n
                                                                                                                                                                                Why Cloud Firewall was chosen<\/strong>\n– Central policy management for audit and governance\n– Visibility and investigation support through logs\n– Reduced configuration drift across many teams<\/p>\n\n\n\n
                                                                                                                                                                                Expected outcomes<\/strong>\n– Reduced public exposure incidents\n– Faster audit reporting (clear rules and change history)\n– Improved incident response: quick blocks and verifiable enforcement<\/p>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                Startup\/small-team example: SaaS team securing a small fleet of ECS instances<\/h3>\n\n\n\n
                                                                                                                                                                                Problem<\/strong>\nA SaaS startup has a small number of ECS instances with public IPs. They need to reduce brute-force attempts and avoid accidentally exposing admin ports.<\/p>\n\n\n\n
                                                                                                                                                                                Proposed architecture<\/strong>\n– Cloud Firewall:\n  – Allow SSH only from founders\u2019 fixed IPs \/ VPN\n  – Allow 80\/443 publicly\n  – Deny all else\n  – Basic logging for troubleshooting\n– Security groups remain minimal and aligned with Cloud Firewall\n– Optional: WAF once the web app grows and becomes a target<\/p>\n\n\n\n
                                                                                                                                                                                Why Cloud Firewall was chosen<\/strong>\n– Central, simple rules rather than per-instance security group complexity\n– Quick way to enforce \u201cno public SSH\u201d except for trusted IPs<\/p>\n\n\n\n
                                                                                                                                                                                Expected outcomes<\/strong>\n– Fewer intrusion attempts reaching the hosts\n– Clear visibility into blocked traffic\n– Reduced chance of misconfiguration as the team scales<\/p>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                1) Is Cloud Firewall a replacement for ECS security groups?<\/strong>\nNo. Use Cloud Firewall for centralized boundary policies and visibility; use security groups for instance-level controls and micro-segmentation. In most environments, you use both.<\/p>\n\n\n\n
                                                                                                                                                                                2) Does Cloud Firewall protect Layer 7 (HTTP) attacks like SQL injection?<\/strong>\nCloud Firewall is primarily a network firewall service. For HTTP\/HTTPS application-layer protections, use Alibaba Cloud WAF<\/strong>. Confirm any L7 features in Cloud Firewall (if mentioned) in official docs for your edition.<\/p>\n\n\n\n
                                                                                                                                                                                3) Can I restrict SSH to my office IP using Cloud Firewall?<\/strong>\nYes, that\u2019s a common pattern: allow TCP\/22 from your_ip\/32<\/code> and deny other inbound traffic. Ensure rule priority is correct.<\/p>\n\n\n\n
                                                                                                                                                                                4) Why do I still need security groups if Cloud Firewall blocks traffic?<\/strong>\nDefense in depth. Security groups provide local segmentation and prevent lateral movement within a VPC. Also, some traffic paths may not be covered by Cloud Firewall depending on asset type.<\/p>\n\n\n\n
                                                                                                                                                                                5) How do I know if Cloud Firewall is actually enforcing policies?<\/strong>\nValidate with controlled tests (allow then deny), check policy hit counters (if available), and review traffic logs for allowed\/blocked events.<\/p>\n\n\n\n
                                                                                                                                                                                6) Can Cloud Firewall control outbound traffic?<\/strong>\nOften yes for supported scenarios, but outbound coverage depends on protected asset type and edition. Verify outbound policy support in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                7) Does Cloud Firewall support IPv6?<\/strong>\nIPv6 support varies by product and scenario. Verify IPv6 coverage in the Cloud Firewall documentation.<\/p>\n\n\n\n
                                                                                                                                                                                8) What is the biggest operational risk when using Cloud Firewall?<\/strong>\nLockouts due to rule ordering and incorrect allowlisting (for example, your IP changes). Always keep an emergency access path and test changes.<\/p>\n\n\n\n
                                                                                                                                                                                9) How should I structure rules for large organizations?<\/strong>\nStart with baseline global denies and minimal global allows, then add scoped exceptions per application\/environment using address books and clear naming conventions.<\/p>\n\n\n\n
                                                                                                                                                                                10) Can I export Cloud Firewall logs to a SIEM?<\/strong>\nMany organizations export logs via a centralized logging service (often Log Service). Verify current supported export\/integration options in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                11) How do I troubleshoot a connection issue when both Cloud Firewall and security groups exist?<\/strong>\nCheck in order:\n– Cloud Firewall policy matches\/logs\n– Security group inbound\/outbound rules\n– NACLs (if used)\n– Route tables and gateways\n– OS firewall\n– Application listener\/service health<\/p>\n\n\n\n
                                                                                                                                                                                12) Does Cloud Firewall block DDoS attacks?<\/strong>\nDDoS mitigation is typically handled by Anti-DDoS services. Cloud Firewall can help with policy-based blocking, but it\u2019s not a DDoS scrubbing service.<\/p>\n\n\n\n
                                                                                                                                                                                13) How do I avoid paying too much for logs?<\/strong>\nKeep only required retention, filter\/export selectively, and implement a data lifecycle policy in your logging backend.<\/p>\n\n\n\n
                                                                                                                                                                                14) Can I apply Cloud Firewall policies across multiple accounts?<\/strong>\nMulti-account governance depends on Alibaba Cloud\u2019s account management features and Cloud Firewall\u2019s support for centralized management. Verify current best practice for multi-account setups in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                15) What\u2019s the safest way to roll out a deny-by-default policy?<\/strong>\nStart in staging, add allow rules for required services, monitor logs, then roll out gradually to production. Keep a rollback plan and avoid making simultaneous large changes.<\/p>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                17. Top Online Resources to Learn Cloud Firewall<\/h2>\n\n\n\n
                                                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                Official documentation<\/td>\nCloud Firewall Documentation (Alibaba Cloud Help Center) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall\/<\/td>\nMost accurate and current feature\/workflow reference<\/td>\n<\/tr>\n
                                                                                                                                                                                Official product page<\/td>\nCloud Firewall Product Page \u2013 https:\/\/www.alibabacloud.com\/product\/cloud-firewall<\/td>\nHigh-level overview, links to docs and getting started<\/td>\n<\/tr>\n
                                                                                                                                                                                Official pricing<\/td>\nCloud Firewall Pricing \u2013 https:\/\/www.alibabacloud.com\/product\/cloud-firewall\/pricing<\/td>\nCurrent pricing model, editions, and billing dimensions (verify details per region)<\/td>\n<\/tr>\n
                                                                                                                                                                                Official RAM docs<\/td>\nResource Access Management (RAM) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\nRequired for least-privilege access and operational governance<\/td>\n<\/tr>\n
                                                                                                                                                                                Official audit logging<\/td>\nActionTrail \u2013 https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\nTrack who changed firewall configuration (verify integration patterns)<\/td>\n<\/tr>\n
                                                                                                                                                                                Official logging<\/td>\nLog Service (SLS) \u2013 https:\/\/www.alibabacloud.com\/help\/en\/log-service<\/td>\nCentralized retention, search, and SIEM export for security logs<\/td>\n<\/tr>\n
                                                                                                                                                                                Official compute docs<\/td>\nECS Documentation \u2013 https:\/\/www.alibabacloud.com\/help\/en\/ecs<\/td>\nNeeded for lab setup, security groups, networking<\/td>\n<\/tr>\n
                                                                                                                                                                                Official networking docs<\/td>\nVPC Documentation \u2013 https:\/\/www.alibabacloud.com\/help\/en\/vpc<\/td>\nConcepts for VPC segmentation and traffic paths that Cloud Firewall may control<\/td>\n<\/tr>\n
                                                                                                                                                                                Architecture guidance<\/td>\nAlibaba Cloud Architecture Center \u2013 https:\/\/www.alibabacloud.com\/solutions\/architecture<\/td>\nReference architectures and security patterns (verify relevant ones for Cloud Firewall)<\/td>\n<\/tr>\n
                                                                                                                                                                                Video learning<\/td>\nAlibaba Cloud YouTube Channel \u2013 https:\/\/www.youtube.com\/c\/AlibabaCloud<\/td>\nWebinars, demos, and product walkthroughs (availability varies)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                1. \n
                                                                                                                                                                                  DevOpsSchool.com<\/strong>\n   – Suitable audience:<\/strong> DevOps engineers, SREs, platform and security engineers\n   – Likely learning focus:<\/strong> DevOps + cloud operations; may include cloud security fundamentals and firewalling concepts\n   – Mode:<\/strong> Check website\n   – Website:<\/strong> https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                2. \n
                                                                                                                                                                                  ScmGalaxy.com<\/strong>\n   – Suitable audience:<\/strong> Beginners to intermediate IT professionals\n   – Likely learning focus:<\/strong> DevOps tooling, SCM, automation fundamentals that support secure operations\n   – Mode:<\/strong> Check website\n   – Website:<\/strong> https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                3. \n
                                                                                                                                                                                  CLoudOpsNow.in<\/strong>\n   – Suitable audience:<\/strong> Cloud operations and platform teams\n   – Likely learning focus:<\/strong> CloudOps practices, monitoring, governance, operational security basics\n   – Mode:<\/strong> Check website\n   – Website:<\/strong> https:\/\/cloudopsnow.in\/<\/p>\n<\/li>\n
                                                                                                                                                                                4. \n
                                                                                                                                                                                  SreSchool.com<\/strong>\n   – Suitable audience:<\/strong> SREs, operations engineers, reliability-focused teams\n   – Likely learning focus:<\/strong> Reliability engineering, incident response, production operations (including security operationalization)\n   – Mode:<\/strong> Check website\n   – Website:<\/strong> https:\/\/sreschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                5. \n
                                                                                                                                                                                  AiOpsSchool.com<\/strong>\n   – Suitable audience:<\/strong> Ops teams adopting AIOps\/automation\n   – Likely learning focus:<\/strong> Monitoring automation, event correlation, operational analytics that can complement security monitoring\n   – Mode:<\/strong> Check website\n   – Website:<\/strong> https:\/\/aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                  19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  1. \n
                                                                                                                                                                                    RajeshKumar.xyz<\/strong>\n   – Likely specialization:<\/strong> Cloud\/DevOps training content (verify specific course offerings on site)\n   – Suitable audience:<\/strong> Engineers seeking practical DevOps and cloud guidance\n   – Website:<\/strong> https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n
                                                                                                                                                                                  2. \n
                                                                                                                                                                                    devopstrainer.in<\/strong>\n   – Likely specialization:<\/strong> DevOps training and mentoring (verify cloud security topics on site)\n   – Suitable audience:<\/strong> Beginners to professionals building DevOps skills\n   – Website:<\/strong> https:\/\/devopstrainer.in\/<\/p>\n<\/li>\n
                                                                                                                                                                                  3. \n
                                                                                                                                                                                    devopsfreelancer.com<\/strong>\n   – Likely specialization:<\/strong> Freelance DevOps services\/training resources (verify current offerings)\n   – Suitable audience:<\/strong> Teams\/individuals seeking hands-on guidance\n   – Website:<\/strong> https:\/\/devopsfreelancer.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                  4. \n
                                                                                                                                                                                    devopssupport.in<\/strong>\n   – Likely specialization:<\/strong> DevOps support and enablement (verify training vs support offerings)\n   – Suitable audience:<\/strong> Teams needing operational support and knowledge transfer\n   – Website:<\/strong> https:\/\/devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                    20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    1. \n
                                                                                                                                                                                      cotocus.com<\/strong>\n   – Likely service area:<\/strong> Cloud\/DevOps consulting and implementation support (verify specific services on site)\n   – Where they may help:<\/strong> Cloud migrations, secure cloud architecture reviews, DevOps enablement\n   – Consulting use case examples:<\/strong> <\/p>\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      • Designing network segmentation and firewall policies  <\/li>\n
                                                                                                                                                                                      • Setting up centralized logging and audit trails  <\/li>\n
                                                                                                                                                                                      • Implementing infrastructure governance patterns  <\/li>\n
                                                                                                                                                                                      • Website:<\/strong> https:\/\/cotocus.com\/<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                      • \n
                                                                                                                                                                                        DevOpsSchool.com<\/strong>\n   – Likely service area:<\/strong> DevOps and cloud consulting, training-led enablement\n   – Where they may help:<\/strong> Platform engineering, CI\/CD, operational readiness, basic security guardrails\n   – Consulting use case examples:<\/strong> <\/p>\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        • Building standard operating procedures for firewall policy changes  <\/li>\n
                                                                                                                                                                                        • Designing a multi-environment rollout plan  <\/li>\n
                                                                                                                                                                                        • Operations playbooks for troubleshooting and incident response  <\/li>\n
                                                                                                                                                                                        • Website:<\/strong> https:\/\/www.devopsschool.com\/<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                                                        • \n
                                                                                                                                                                                          DEVOPSCONSULTING.IN<\/strong>\n   – Likely service area:<\/strong> DevOps consulting services (verify scope on site)\n   – Where they may help:<\/strong> Cloud operations, automation, governance, production readiness\n   – Consulting use case examples:<\/strong> <\/p>\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          • Policy standardization and rule lifecycle management  <\/li>\n
                                                                                                                                                                                          • Logging\/monitoring integration design  <\/li>\n
                                                                                                                                                                                          • Secure baseline implementation across multiple teams  <\/li>\n
                                                                                                                                                                                          • Website:<\/strong> https:\/\/devopsconsulting.in\/<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                            What to learn before Cloud Firewall<\/h3>\n\n\n\n
                                                                                                                                                                                              \n
                                                                                                                                                                                            • Networking fundamentals:<\/li>\n
                                                                                                                                                                                            • TCP\/IP, ports, routing, NAT basics<\/li>\n
                                                                                                                                                                                            • Cloud networking on Alibaba Cloud:<\/li>\n
                                                                                                                                                                                            • VPC, subnets\/vSwitches, route tables<\/li>\n
                                                                                                                                                                                            • Security groups vs NACLs<\/li>\n
                                                                                                                                                                                            • Public IP vs EIP concepts<\/li>\n
                                                                                                                                                                                            • Linux administration basics (for validation and troubleshooting)<\/li>\n
                                                                                                                                                                                            • IAM basics:<\/li>\n
                                                                                                                                                                                            • Alibaba Cloud RAM users, roles, policies<\/li>\n
                                                                                                                                                                                            • Logging fundamentals:<\/li>\n
                                                                                                                                                                                            • What to log, retention, and access control<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                              What to learn after Cloud Firewall<\/h3>\n\n\n\n
                                                                                                                                                                                                \n
                                                                                                                                                                                              • Alibaba Cloud WAF<\/strong> for application-layer security<\/li>\n
                                                                                                                                                                                              • Security Center<\/strong> for host security, vulnerability management, baseline hardening<\/li>\n
                                                                                                                                                                                              • ActionTrail<\/strong> + Log Service<\/strong> pipelines for centralized audit and SIEM integration<\/li>\n
                                                                                                                                                                                              • Threat modeling and incident response playbooks<\/li>\n
                                                                                                                                                                                              • Infrastructure as Code:<\/li>\n
                                                                                                                                                                                              • Automating firewall policies via OpenAPI\/SDKs (verify Cloud Firewall API coverage)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                                  \n
                                                                                                                                                                                                • Cloud Security Engineer<\/li>\n
                                                                                                                                                                                                • Security Operations Engineer (SecOps)<\/li>\n
                                                                                                                                                                                                • Cloud Network Engineer<\/li>\n
                                                                                                                                                                                                • Platform Engineer<\/li>\n
                                                                                                                                                                                                • SRE \/ Production Engineer<\/li>\n
                                                                                                                                                                                                • DevOps Engineer (with security responsibility)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                  Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                                                  Alibaba Cloud certifications and security specialty paths change over time.\n– Check Alibaba Cloud certification portal and official training pages for current security-related certifications.\n– If a Cloud Firewall-specific credential exists, verify in official Alibaba Cloud training\/certification resources<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                                    \n
                                                                                                                                                                                                  1. Build a baseline policy set:\n   – Deny risky ports globally\n   – Allow web ports only where needed<\/li>\n
                                                                                                                                                                                                  2. Implement a bastion-only admin access design:\n   – No direct SSH to app servers from Internet<\/li>\n
                                                                                                                                                                                                  3. Create environment segmentation (dev\/staging\/prod) and validate allowed flows<\/li>\n
                                                                                                                                                                                                  4. Export firewall logs to Log Service and build dashboards for:\n   – Top denied sources\n   – Top targeted ports\n   – New destination anomalies (egress)<\/li>\n
                                                                                                                                                                                                  5. Create an \u201cemergency response\u201d runbook:\n   – How to block an IP range quickly\n   – How to confirm enforcement and rollback<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                                      \n
                                                                                                                                                                                                    • Access control policy:<\/strong> A rule that allows or denies traffic based on source, destination, port, protocol, and direction.<\/li>\n
                                                                                                                                                                                                    • Address book:<\/strong> A reusable set of IP addresses or CIDR blocks used in multiple firewall rules.<\/li>\n
                                                                                                                                                                                                    • CIDR:<\/strong> Notation for IP ranges (e.g., 203.0.113.5\/32<\/code> for a single IP).<\/li>\n
                                                                                                                                                                                                    • Defense in depth:<\/strong> Using multiple layers of controls (Cloud Firewall + security groups + WAF) so one failure doesn\u2019t cause a breach.<\/li>\n
                                                                                                                                                                                                    • ECS:<\/strong> Elastic Compute Service; Alibaba Cloud virtual machine service.<\/li>\n
                                                                                                                                                                                                    • EIP:<\/strong> Elastic IP; a public IP that can be associated with cloud resources.<\/li>\n
                                                                                                                                                                                                    • Egress traffic:<\/strong> Outbound traffic leaving your cloud network to the Internet or other networks.<\/li>\n
                                                                                                                                                                                                    • Ingress traffic:<\/strong> Inbound traffic entering your cloud network from the Internet or other networks.<\/li>\n
                                                                                                                                                                                                    • Least privilege:<\/strong> Granting only the minimum access required to do a job.<\/li>\n
                                                                                                                                                                                                    • North-south traffic:<\/strong> Traffic between the Internet and your environment.<\/li>\n
                                                                                                                                                                                                    • East-west traffic:<\/strong> Traffic within or between internal networks (e.g., VPC-to-VPC).<\/li>\n
                                                                                                                                                                                                    • NACL:<\/strong> Network Access Control List; subnet-level stateless filtering.<\/li>\n
                                                                                                                                                                                                    • RAM:<\/strong> Resource Access Management; Alibaba Cloud identity and access service.<\/li>\n
                                                                                                                                                                                                    • Security group:<\/strong> Instance-level stateful virtual firewall for ECS and related resources.<\/li>\n
                                                                                                                                                                                                    • WAF:<\/strong> Web Application Firewall; protects HTTP\/HTTPS applications from common web attacks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                      \n\n\n\n
                                                                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                                      Alibaba Cloud Cloud Firewall<\/strong> is a managed Security<\/strong> service that centralizes firewall policy, visibility, and (edition-dependent) prevention capabilities for Internet-facing and supported inter-network traffic paths. It matters because it reduces configuration drift, improves auditability, and gives security and operations teams a clear, scalable way to enforce least-privilege network access across many assets.<\/p>\n\n\n\n
                                                                                                                                                                                                      Cost is driven mainly by edition<\/strong>, number of protected assets<\/strong>, traffic volume<\/strong>, and log retention\/export<\/strong>. Security-wise, Cloud Firewall should be used as part of defense in depth<\/strong>\u2014alongside security groups, NACLs where appropriate, WAF for web apps, and strong IAM\/auditing with RAM and ActionTrail.<\/p>\n\n\n\n
                                                                                                                                                                                                      Use Cloud Firewall when you need centralized control and logging at scale; avoid relying on it alone for application-layer security or for traffic paths it doesn\u2019t support in your region\/edition. Next, deepen your skills by integrating Cloud Firewall logs with centralized logging (Log Service) and building a standard operating model for policy change control and incident response.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                                      Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-54","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=54"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/54\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}