Updated on 2025-05-23 GMT+08:00

Using CFW to Protect EIPs Across Accounts

Application Scenarios

Protect resources across accounts. For example, different departments in an enterprise use different accounts but need to share CFW protection policies.

This section describes how to use CFW to protect the EIPs under multiple accounts.

Solution Overview

The solution for protecting EIPs across accounts is as follows: Account A is an organization administrator or delegated administrator. Account A purchases CFW and adds accounts B and C to the organization. EIP protection is then enabled and protection policies are configured.

Figure 1 Cross-account protection

Constraints

  • EIPs cannot be protected across regions. To use CFW in another region, switch to that region and purchase a firewall. For details, see Purchasing a CFW.
  • The number of accounts that can be protected by a single firewall instance is as follows:
    • Yearly/Monthly CFW:
      • Standard edition: 20
      • Professional edition: 50
    • Pay-per-use CFW (professional edition): 20

Resource and Cost Planning

Table 1 Resource description

| Resource | Description | Quantity | Cost |
|---|---|---|---|
| Enterprise Center | Provides comprehensive management services for enterprise customers to manage organizations and finance on the cloud. To use the Organizations service, you need to enable Enterprise Center. | 1 | Enterprise Center is free of charge. |
| Organizations | The Organizations service helps you govern multiple accounts within your organization. | 1 | The Organizations service is free of charge. |
| Cloud Firewall (CFW) | CFW protects cloud resources. | 1 | For details, see CFW Pricing Details. |
| Elastic IP (EIP) | Protected resource. | Configure based on service demands. | For details, see EIP Pricing Details. |

Protecting EIPs Across Accounts

  1. Prepare accounts and permissions. In the following steps, account A is an organization administrator.

    If account A is not an organization administrator, let the organization administrator add account A as a delegated administrator. For details, see Adding a Delegated Administrator.

    1. Perform the following operations using account A:
      1. Purchase the CFW standard or professional edition. For details, see Purchasing CFW.
      2. (Optional) Enable the Enterprise Center. For details, see Enabling Enterprise Center.

        If the Enterprise Center has been enabled, skip this step.

      3. (Optional) Enable the Organizations service and create an organization.

        If the Organizations service has been enabled, skip this step.

        If you are already in an organization, leave the organization before creating another organization. For details, see Removing a Member Account from Your Organization.

        1. Log in to the management console.
        2. Click in the upper left corner and choose Management & Governance > Organizations.
        3. Go to the page for enabling the Organizations service, and click Enable Organizations.
          Figure 2 Enabling Organizations

          After the Organizations service is enabled, your organization and the root are automatically created, and your login account is defined as the management account.

      4. Invite accounts B and C to join the organization. For details, see Inviting an Account to Join Your Organization.
      5. Set CFW as a trusted service. For details, see Enabling or Disabling a Trusted Service.
    2. Let accounts B and C join the organization of account A. For details, see Accepting or Rejecting an Invitation from an Organization.

  2. Use account A to add accounts B and C to the firewall.

    1. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
    2. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
    3. In the navigation pane, choose System Management > Multi-Account Management.
    4. Click Add Account. On the page that is displayed, select accounts B and C in the account tree view to add them to the Selected area on the right. Click OK.
      • An account to be added must belong to the same organization. For details about organization accounts, see Overview of an Account.
      • The account should not be protected by other firewalls.
      Figure 3 Adding an account to an organization

  3. Enable EIP protection.

    1. In the navigation pane, choose Assets > EIPs.
    2. Search for the EIPs under accounts B and C. Select Owner from the search box and select accounts B and C.

      If the EIPs of account B or C cannot be found, click Synchronize EIP in the upper right corner of the page to synchronize the EIPs to the list.

    3. Select the EIPs to be protected and click Enable Protection above the table.

      The account that an EIP belongs to is displayed in the Owner column.

  4. Configure protection policies.

  5. View log information. For details, see Protection Log Overview.
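
Before adding accounts, the constraints above (same region, same organization, not protected by another firewall, account limit per edition) can be checked against a planned inventory. The following is an added example, not part of the CFW documentation or any CFW API. The record types, field names, region names and sample data are hypothetical, and it assumes the account list is the full set of accounts planned for one firewall instance.

```python
from dataclasses import dataclass

# Account limits per firewall instance, as listed under Constraints.
ACCOUNT_LIMITS = {("yearly/monthly", "standard"): 20,
                  ("yearly/monthly", "professional"): 50,
                  ("pay-per-use", "professional"): 20}

@dataclass
class Firewall:  # hypothetical planning record, not a CFW API object
    region: str
    billing: str
    edition: str
    org_id: str

@dataclass
class Account:  # hypothetical planning record
    name: str
    org_id: str
    protected_by_other_fw: bool
    eips: dict  # EIP address -> region

def preflight(fw, accounts):
    """Return (protectable_eips, problems) for the accounts planned for fw."""
    limit = ACCOUNT_LIMITS.get((fw.billing, fw.edition))
    if limit is None:
        return [], [f"no limit listed for {fw.billing} {fw.edition}"]
    ok, problems = [], []
    if len(accounts) > limit:
        problems.append(f"{len(accounts)} accounts exceed the limit of {limit}")
    for acct in accounts:
        if acct.org_id != fw.org_id:
            problems.append(f"{acct.name}: not in the same organization")
        elif acct.protected_by_other_fw:
            problems.append(f"{acct.name}: protected by another firewall")
        else:
            for eip, region in sorted(acct.eips.items()):
                if region == fw.region:
                    ok.append((acct.name, eip))
                else:
                    problems.append(f"{acct.name}: EIP {eip} is in {region}")
    return ok, problems

# Constructed sample inventory: made-up regions, documentation IP ranges.
FW = Firewall("region-1", "yearly/monthly", "standard", "org-a")
ACCOUNTS = [
    Account("B", "org-a", False,
            {"198.51.100.10": "region-1", "198.51.100.20": "region-2"}),
    Account("C", "org-a", True, {"203.0.113.5": "region-1"}),
]
```

With the sample inventory, preflight(FW, ACCOUNTS) reports one protectable EIP for account B and two problems: an EIP in another region and an account already protected by another firewall.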

References

To protect VPC resources across accounts, see Using CFW to Protect VPCs Across Accounts.