Web Application Firewall:Purchase a subscription WAF 3.0 instance

Purchase instructions

You can purchase a subscription WAF 3.0 instance that runs one of the following editions: Basic, Pro, Enterprise, and Ultimate. For more information about the editions, see the following topics:

• Features and specifications supported by each WAF edition

• Peak QPS supported by each WAF edition

• Impacts on WAF instances when QPS limits are exceeded

Prerequisites

Your Alibaba Cloud account does not have a WAF instance. If your Alibaba Cloud account has a WAF 2.0 instance, you must release the WAF 2.0 instance before you purchase a WAF 3.0 instance. For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.

Procedure

1. Go to the Web Application Firewall 3.0 (Subscription) buy page.

2. Set the Billing Method parameter to Subscription. Then, configure other parameters based on your business requirements. The following table describes the parameters.

Purchase a WAF 3.0 Basic instance

If your web services require only basic security protection, we recommend that you purchase a WAF 3.0 Basic instance.

Parameter	Description
Region	Select the region where you want to deploy the instance. Valid values: Chinese Mainland and Outside Chinese Mainland.
Edition	Select the edition of the instance. For this example, select Basic.
Extra Domains	Specify the additional domain name quota that you want to purchase. If you purchase a Basic instance, you can add three domain names to WAF free of charge. You can purchase an additional domain name quota of 10.
Subscription Duration	Select the subscription duration of the instance and specify whether to enable Auto-renewal. Note If you want to test a WAF instance before you purchase the instance, contact your account manager to apply for a proof of concept (PoC) project and set the Subscription Duration parameter to 7-day Trial. Then, you are provided a seven-day free trial.

Purchase a WAF 3.0 Pro, Enterprise, or Ultimate instance

• If you want to enable the Simple Log Service for WAF, classified protection, bot management, and API security features for your web services, we recommend that you purchase a WAF 3.0 Pro, Enterprise, or Ultimate instance.

• If you want to configure custom protection rules, we recommend that you purchase a WAF 3.0 Enterprise or Ultimate instance.

• If you have special security requirements, purchase an Ultimate instance.

Parameter	Description
Region	Select the region where you want to deploy the instance. Valid values: Chinese Mainland and Outside Chinese Mainland.
Edition	Select the edition of the instance. For this example, select Pro, Enterprise, or Ultimate.
Bot Management - Web Application Protection	Specify whether to enable the web application protection feature of the bot management module. You can enable this feature to mitigate the security threats that arise from bot traffic on web pages or HTML5 pages. For more information, see Create anti-crawler rules for websites.
Bot Management - App Protection	Specify whether to enable the app protection feature of the bot management module. If your web services support native apps and you have security requirements, such as requirements for trusted communications or bot prevention, we recommend that you enable this feature. For more information, see Create anti-crawler rules for apps.
API Security	Specify whether to enable the API security module. For more information, see API security.
Extended QPS	Specify the additional queries per second (QPS) quota that you want to purchase. If the peak traffic of the web services that you want to add to WAF 3.0 exceeds the default QPS quota of the edition that you purchase, you can purchase an additional QPS quota. Note The default QPS quota and additional QPS quota that you can purchase vary based on the WAF edition. For more information, see QPS.
Threshold of Burstable QPS (Pay-as-you-go)	Specify the QPS threshold for the burstable QPS (pay-as-you-go) feature. For more information, see Burstable QPS (pay-as-you-go). If the peak traffic of your web services exceeds the total QPS quota of your WAF instance, your WAF instance may be added to the sandbox. In this case, you can configure this parameter to enable the burstable QPS (pay-as-you-go) feature. After the feature is enabled, you are charged for excess QPS usage based on the pay-as-you-go billing method. If a WAF 3.0 instance is added to the sandbox, the service level agreement (SLA) is no longer guaranteed, and access errors may occur. For more information, see Sandbox overview.
Extra Domains	Specify the additional domain name quota that you want to purchase. If the number of domain names that you want to add to your WAF 3.0 instance exceeds the default quota, you can purchase an additional quota. Note The default quota and additional quota that you can purchase vary based on the WAF edition. For more information, see Number of domain names.
Exclusive IP Address	Specify the quota for exclusive IP addresses that you want to purchase. You can use the feature to protect only domain names that are added to WAF in CNAME record mode. If you want to protect an important domain name, you can purchase the quota and assign an exclusive IP address to the domain name for protection. For more information, see Exclusive IP addresses.
Additional Hybrid Cloud Protection Nodes	Specify the number of protection nodes for hybrid cloud clusters. The Pro edition does not support this feature. If your web services are deployed on third-party clouds, private clouds, and data centers, you can add your web services to WAF in hybrid cloud mode. This way, you can manage and protect the web services in a centralized manner. Before you add your services to WAF 3.0 in hybrid cloud mode, you must deploy hybrid cloud clusters as WAF protection clusters. You must deploy at least two protection nodes for a hybrid cloud cluster. If the number of protection nodes that you want to deploy exceeds the default quota, you can purchase an additional quota for hybrid cloud protection nodes. For more information, see Hybrid cloud mode.
Intelligent Load Balancing	Specify whether to enable the intelligent load balancing feature. You can use the feature to protect only domain names that are added to WAF in CNAME record mode. If you want to ensure high availability and minimize latency during automatic disaster recovery, you can enable the intelligent load balancing feature. For more information, see Intelligent load balancing.
Log Service	Specify whether to enable the Simple Log Service for WAF feature. If you want to store, view, and analyze WAF logs in real time, you can enable the Simple Log Service for WAF feature. For more information, see Overview of log management.
Subscription Duration	Select the subscription duration of the instance and specify whether to enable Auto-renewal. Note If you want to test a WAF instance before you purchase the instance, contact your account manager to apply for a PoC project and set the Subscription Duration parameter to 7-day Trial. Then, you are provided a seven-day free trial.

3. Click Buy Now and complete the payment.

What to do next

After you purchase a WAF 3.0 instance, use the instance to protect your web services. Procedure:

1. Add your web services to WAF 3.0. For more information, see Website configuration overview.

2. Configure protection rules for protected objects in WAF 3.0. For more information, see Protection configuration overview.

3. View protection data. For more information, see View security reports.

References

• For more information about the scenarios and billing rules of subscription WAF instances, see Billing overview.

• If your WAF 3.0 instance no longer meets your protection requirements due to changes in your web services, you can upgrade or downgrade the instance. For more information, see Upgrade or downgrade a WAF instance.

• If you no longer want to use WAF 3.0, you can request a refund for your subscription WAF instance or terminate the WAF service for your pay-as-you-go WAF instance. For more information, see Refund policy.