Web Application Firewall (WAF) supports the subscription billing method. This topic describes the applicable business scales and protection features of the subscription billing method.
WAF plans and versions
For the subscription billing method, WAF provides an on-cloud deployment plan (On-cloud WAF) and a hybrid cloud deployment plan (Hybrid Cloud WAF). Based on the supported business scale and protection features, On-cloud WAF instances are available in Pro, Business, Enterprise, and Exclusive (sales suspended) editions. Hybrid Cloud WAF instances are available only in the Exclusive edition.
Applicable business scales
The following table describes the applicable business scales for different WAF editions. For medium-sized enterprise websites, you can select the Business or Enterprise edition.
| Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (sales suspended) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|
| Site scale | Small and medium-sized websites that have no special security requirements. | Medium-sized enterprise websites or services that are open to the public on the Internet, focus on data security, and have high security requirements. | Medium and large-sized enterprise websites that have a large business scale or have special custom security requirements. | Large-sized enterprise websites that have a large business scale and require custom configurations based on business features. | Medium and large-sized enterprise websites that have on-premises services and web traffic that cannot be protected by On-cloud WAF. These websites require the same high-standard web security protection as On-cloud WAF. |
| Peak concurrent requests for On-cloud WAF | 2,000 QPS | 5,000 QPS | Over 10,000 QPS | 5,000 QPS | 0 QPS (extendable) |
| Number of on-premises cluster nodes and the corresponding peak concurrent requests | Not supported | Supported for a fee | Supported for a fee | Supported for a fee | 2 protection nodes, 10,000 QPS |
| Service bandwidth threshold (origin server deployed on Alibaba Cloud) | 50 Mbps | 100 Mbps | 200 Mbps | 100 Mbps | 0 Mbps (extendable) |
| Service bandwidth threshold (origin server not deployed on Alibaba Cloud) | 10 Mbps | 30 Mbps | 50 Mbps | 30 Mbps | |
| Default number of protected root domain names | 1 | 1 | 1 | 1,000 | 200 (regardless of domain name level). You can add 100 for each additional node. |
| Default total number of protected domain names (wildcard domain names are supported) | 10 | 10 | 10 | 1,000 | |
Feature list by version (the Chinese mainland)
The following table describes the features supported by different editions of WAF instances in the Chinese mainland (subscription instances for which you select the Chinese mainland region).
| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (sales suspended) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Service access | Provides one-click, site-wide HTTPS protection. | | | | | |
| | Proactively discovers and manages site assets. Supports one-click protection. | | | | | |
| | Directly forwards service traffic from origin servers (SLB instances and ECS instances) to WAF for protection. | | | | | |
| | Protects websites that use HTTP/2. | | | | | |
| | Protects services on specific non-standard ports other than 80, 8080, 443, and 8443. | | | | | |
| | Detects and protects against IPv6-based requests. | | | | | |
| | Provides custom access and protection capabilities based on business features. | | | | | |
| | Deploys a WAF protection cluster in an on-premises data center to protect web traffic that does not pass through Alibaba Cloud. | | | | | |
| | Uses multi-node intelligent access technology to implement automatic scheduling and disaster recovery for origin servers across multiple nodes and lines. | | | | | |
| | Lets you enable exclusive IP address protection for a domain name. | | | | | |
| Website protection | Defends against common web attacks, such as SQL injection and XSS. | | | | | |
| | Automatically updates protection rules against web 0-day vulnerabilities. | | | | | |
| | Locks website pages to prevent malicious tampering. | | | | | |
| | Prevents sensitive data leakage, including important private data such as phone numbers, ID card numbers, and bank card numbers. | | | | | |
| | Defends against common CC attacks. Supports built-in protection and emergency mode. | | | | | |
| | Detects dictionary attacks, brute-force attacks, spam registrations, weak password sniffing, and bot traffic on CAPTCHA interfaces for services related to accounts, such as registration and logon. | | | | | |
| | Provides one-click blocking of access from specific IP addresses and CIDR blocks. | | | | | |
| | Includes the preceding feature and provides one-click blocking of access from IP addresses in specified geographic locations. | | | | | |
| | Supports high-frequency web attack blocking (default rule), directory traversal blocking (default rule), scan tool blocking, and collaborative defense. | | | | | |
| | Includes the preceding features and lets you customize rules for high-frequency web attack blocking and directory traversal blocking. | | | | | |
| | Basic precise access control: provides ACL-based access control based on basic fields, including IP, URL, Referer, User-Agent, and Params. | | | | | |
| | Advanced precise access control: includes basic fields and supports advanced fields, such as Cookie, Content-Type, Header, and Http-Method. | | | | | |
| | Supports rate limiting (custom CC attack protection rules). You can define rate limiting conditions based on precise match conditions to accurately filter abnormal requests. Lets you set rate limiting policies based on the number of requests from an IP address or session. | | | | | |
| | Supports rate limiting. Lets you set rate limiting policies based on the number of requests from custom fields, including IP and Session. | | | | | |
| DDoS attack prevention | Provides free DDoS attack prevention. For more information about the mitigation capabilities, see the thresholds that trigger blackhole filtering in Anti-DDoS Basic. | | | | | |
| | Supports custom protection rule groups. | | | | | |
| | Provides proactive defense capabilities based on deep learning of website traffic. | | | | | |
| | Defends against bot-driven fraudulent activities on key services of your website, such as registration, logon, campaigns, and forums. | | | | | |
| | Provides a whitelist of legitimate search engine bots to allow their access requests to your domain name. | | | | | |
| | Provides bot threat intelligence rules from multiple dimensions, such as dial-up IP pools, data center IP addresses, malicious scan tool IP addresses, and a malicious bot library generated by a real-time cloud model. This helps you block access requests from malicious bots to an entire domain name or a specific path. | | | | | |
| | Provides security protection for native apps, such as trusted communication and bot traffic prevention. It can effectively detect requests from proxies, emulators, and illegally signed apps. | | | | | |
| Security analytics and support | Lets you configure WAF event monitoring and threshold-based monitoring rules using CloudMonitor. | | | | | |
| | Collects all WAF logs and stores them in Simple Log Service. Provides features such as near real-time query and analysis and online report display. | | | | | |
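The feature table lists two kinds of self-service policy: precise access control (ACL rules over basic fields such as IP, URL, Referer, User-Agent and Params) and rate limiting keyed by IP address or session. The Python below is an added illustrative model of how such rules are evaluated against a request stream so that the difference between the two policy types is visible; it is not code from this page and not Alibaba Cloud WAF's implementation or API. Every class name, rule, threshold and request in it is a constructed assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# All names here are hypothetical: they model the rule types named in the
# feature table, not the product's own configuration objects.


@dataclass
class Request:
    ts: float                      # seconds; constructed timestamps in the sample below
    ip: str
    url: str
    referer: str = ""
    user_agent: str = ""
    params: Dict[str, str] = field(default_factory=dict)
    session: Optional[str] = None  # session cookie value, if the client sent one


@dataclass
class AclRule:
    """Precise access control over the 'basic' fields: ip, url, referer, user_agent, params."""
    name: str
    field_name: str   # "ip", "url", "referer", "user_agent" or "params"
    op: str           # "equals", "prefix" or "contains"
    value: str
    action: str       # "block" or "allow"

    def matches(self, req: Request) -> bool:
        # Params are matched against every query parameter value; other fields are scalars.
        haystacks = list(req.params.values()) if self.field_name == "params" else [getattr(req, self.field_name)]
        for h in haystacks:
            if self.op == "equals" and h == self.value:
                return True
            if self.op == "prefix" and h.startswith(self.value):
                return True
            if self.op == "contains" and self.value in h:
                return True
        return False


class RateLimiter:
    """Sliding-window request counter keyed by IP or by session (falls back to IP when no session)."""

    def __init__(self, key_by: str, limit: int, window_s: float):
        assert key_by in ("ip", "session")
        self.key_by, self.limit, self.window_s = key_by, limit, window_s
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def key(self, req: Request) -> str:
        if self.key_by == "session" and req.session:
            return "session:" + req.session
        return "ip:" + req.ip

    def allow(self, req: Request) -> bool:
        q = self._hits[self.key(req)]
        while q and req.ts - q[0] >= self.window_s:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                              # over the threshold within the window
        q.append(req.ts)
        return True


def decide(req: Request, acl_rules: List[AclRule], limiter: RateLimiter) -> str:
    # ACL rules are evaluated in order and the first match wins; an explicit
    # "allow" also bypasses the rate limiter, which is a modelling choice here.
    for rule in acl_rules:
        if rule.matches(req):
            return rule.action
    return "pass" if limiter.allow(req) else "rate_limited"


def sample_requests() -> List[Request]:
    # Constructed sample traffic (documentation IP ranges), not real logs.
    ua = "Mozilla/5.0"
    return [
        Request(0.0, "203.0.113.5", "/login", user_agent=ua, session="s1"),
        Request(1.0, "203.0.113.5", "/login", user_agent=ua, session="s1"),
        Request(2.0, "203.0.113.5", "/login", user_agent=ua, session="s1"),
        Request(3.0, "203.0.113.5", "/login", user_agent=ua, session="s1"),     # 4th hit within 10 s
        Request(4.0, "198.51.100.7", "/healthz", user_agent="probe/1.0"),        # allowed by ACL
        Request(5.0, "198.51.100.9", "/", user_agent="constructed-scanner/1.0"), # blocked by ACL
        Request(6.0, "198.51.100.9", "/file", user_agent=ua, params={"path": "../secret"}),
        Request(15.0, "203.0.113.5", "/login", user_agent=ua, session="s1"),    # window has slid
    ]


def run_sample() -> List[str]:
    acl = [
        AclRule("block-constructed-scanner-ua", "user_agent", "contains", "constructed-scanner", "block"),
        AclRule("allow-healthcheck", "url", "equals", "/healthz", "allow"),
        AclRule("block-traversal-in-params", "params", "contains", "../", "block"),
    ]
    limiter = RateLimiter(key_by="ip", limit=3, window_s=10.0)   # 3 requests per IP per 10 s
    return [decide(r, acl, limiter) for r in sample_requests()]


if __name__ == "__main__":
    for req, verdict in zip(sample_requests(), run_sample()):
        print(f"{req.ts:5.1f} {req.ip:<14} {req.url:<9} -> {verdict}")
```

Keying the limiter by session rather than IP changes which clients share a budget: several users behind one NAT address get separate counters, while one client that rotates addresses but keeps a session cookie does not. The ACL block for `../` in parameter values mirrors the table's directory traversal blocking, and the allow rule shows why ordering matters when an allow entry sits before a rate limit.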
Feature list by version (outside the Chinese mainland)
The following table describes the features supported by different editions of WAF instances outside the Chinese mainland (subscription instances for which you select a region outside the Chinese mainland).
| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (sales suspended) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Service access | Provides one-click, site-wide HTTPS protection. | | | | | |
| | Directly forwards service traffic from origin servers (SLB instances and ECS instances) to WAF for protection. | | | | | |
| | Protects websites that use HTTP/2. | | | | | |
| | Protects services on specific non-standard ports other than 80, 8080, 443, and 8443. | | | | | |
| | Provides custom access and protection capabilities based on business features. | | | | | |
| | Detects and protects against IPv6-based requests. | | | | | |
| | Uses multi-node intelligent access technology to implement automatic scheduling and disaster recovery for origin servers across multiple nodes and lines. | | | | | |
| | Deploys a WAF protection cluster in an on-premises data center to protect web traffic that does not pass through Alibaba Cloud. | | | | | |
| | Lets you enable exclusive IP address protection for a domain name. | | | | | |
| Website protection | Detects dictionary attacks, brute-force attacks, spam registrations, weak password sniffing, and bot traffic on CAPTCHA interfaces for services related to accounts, such as registration and logon. | | | | | |
| | Defends against common web attacks, such as SQL injection and XSS. | | | | | |
| | Automatically updates protection rules against web 0-day vulnerabilities. | | | | | |
| | Defends against common CC attacks. Supports built-in protection and emergency mode. | | | | | |
| | Provides one-click blocking of access from specific IP addresses and CIDR blocks. | | | | | |
| | Includes the preceding feature and provides one-click blocking of access from IP addresses in specified geographic locations. | | | | | |
| | Supports high-frequency web attack blocking (default rule), directory traversal blocking (default rule), scan tool blocking, and collaborative defense. | | | | | |
| | Includes the preceding features and lets you customize rules for high-frequency web attack blocking and directory traversal blocking. | | | | | |
| | Basic precise access control: provides ACL-based access control based on basic fields, including IP, URL, Referer, User-Agent, and Params. | | | | | |
| | Advanced precise access control: includes basic fields and supports advanced fields, such as Cookie, Content-Type, Header, and Http-Method. | | | | | |
| | Supports rate limiting (custom CC attack protection rules). You can define rate limiting conditions based on precise match conditions to accurately filter abnormal requests. Lets you set rate limiting policies based on the number of requests from an IP address or session. | | | | | |
| | Supports rate limiting. Lets you set rate limiting policies based on the number of requests from custom fields, including IP and Session. | | | | | |
| | Locks website pages to prevent malicious tampering. | | | | | |
| | Prevents sensitive data leakage, including important private data such as phone numbers, ID card numbers, and bank card numbers. | | | | | |
| | Supports custom protection rule groups. | | | | | |
| | Provides proactive defense capabilities based on deep learning of website traffic. | | | | | |
| | Defends against bot-driven fraudulent activities on key services of your website, such as registration, logon, campaigns, and forums. | | | | | |
| DDoS attack prevention | Provides free DDoS attack prevention. For more information about the mitigation capabilities, see the thresholds that trigger blackhole filtering in Anti-DDoS Basic. | | | | | |
| | Provides a whitelist of legitimate search engine bots to allow their access requests to your domain name. | | | | | |
| | Provides bot threat intelligence rules from multiple dimensions, such as dial-up IP pools, data center IP addresses, malicious scan tool IP addresses, and a malicious bot library generated by a real-time cloud model. This helps you block access requests from malicious bots to an entire domain name or a specific path. | | | | | |
| | Provides security protection for native apps, such as trusted communication and bot traffic prevention. It can effectively detect requests from proxies, emulators, and illegally signed apps. | | | | | |
| Security analytics and support | Lets you configure WAF event monitoring and threshold-based monitoring rules using CloudMonitor. | | | | | |
| | Collects all WAF logs and stores them in Simple Log Service. Provides features such as near real-time query and analysis and online report display. | | | | | |