A cloud firewall is a network-level firewall managed at the provider or hypervisor layer. It filters traffic before it reaches your VM, which makes it well suited to a default-deny posture: all ports stay closed until explicitly allowed.
A server-internal firewall (ufw/iptables) runs inside the VM; it offers fine-grained control per process/port but protects only that VM. For best security, use both: the cloud firewall to filter network ingress, and the internal firewall to secure the OS and services.
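
One way to check that the two layers agree, as an added example that is not from the original text: it compares a constructed list of cloud-firewall allow rules (a hypothetical format, not any provider's API) with constructed `ufw status` output. It matches on port and protocol only, ignoring source ranges and IPv6 lines.

```python
import re

# Constructed sample: ingress allowed at the cloud firewall (hypothetical format).
CLOUD_ALLOW = [
    {"port": 22, "proto": "tcp"},
    {"port": 443, "proto": "tcp"},
    {"port": 8080, "proto": "tcp"},
]

# Constructed sample of `ufw status` output captured inside the VM.
UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.0/24
443/tcp                    ALLOW       Anywhere
5432/tcp                   ALLOW       Anywhere
"""

# Matches IPv4 rule lines such as "443/tcp   ALLOW   Anywhere".
RULE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+ALLOW(?: IN)?\s+\S+", re.M)


def parse_ufw(status_text):
    """Return the set of (port, proto) pairs that ufw allows inbound."""
    return {(int(port), proto) for port, proto in RULE_RE.findall(status_text)}


def compare_layers(cloud_rules, ufw_text):
    """Classify each allowed port by which firewall layer(s) permit it."""
    cloud = {(r["port"], r["proto"]) for r in cloud_rules}
    host = parse_ufw(ufw_text)
    return {
        "reachable": sorted(cloud & host),    # allowed by both layers
        "cloud_only": sorted(cloud - host),   # only ufw is blocking this
        "host_only": sorted(host - cloud),    # only the cloud firewall is blocking this
    }


if __name__ == "__main__":
    for layer, ports in compare_layers(CLOUD_ALLOW, UFW_STATUS).items():
        print(f"{layer}: {ports}")
```

Entries in `host_only` are protected solely by the cloud firewall, and entries in `cloud_only` solely by ufw; either list is a rule to reconcile so that both layers enforce the same intent.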