Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features supported by subscription WAF instances of different editions.
Deployment plans and editions
In subscription mode, WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. The On-cloud WAF Exclusive edition is currently unavailable for purchase. Hybrid Cloud WAF supports only the Exclusive edition.
Editions and supported business scales
The following table describes the business scales supported by different WAF editions. For medium-sized enterprise websites, we recommend that you select the Business edition or Enterprise edition.
Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website scale | Small- and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that can be accessed over the Internet and have high data security requirements | Medium- and large-sized enterprise-grade websites that have special security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites that cannot be protected by On-cloud WAF due to on-premises deployment and require the same level of web protection capabilities as On-cloud WAF |
Peak queries per second (QPS) | 2,000 | 5,000 | Higher than 10,000 | 5,000 | 0 (scalable) |
Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported with fees | Supported with fees | Supported with fees | 2 nodes and 10,000 QPS |
Maximum bandwidth in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 | 100 | 200 | 100 | 0 (scalable) |
Maximum bandwidth in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 | 30 | 50 | 30 | |
Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (Domains at all levels can be protected. Each additional node can protect up to 100 domains.) |
Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 | |
Editions and supported features in the Chinese mainland
The following table describes the features supported by each edition of subscription WAF instances in the Chinese mainland.
Symbol descriptions:
: indicates that the feature is supported by the edition.
: indicates that the feature is not supported by the edition.
: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Feature | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Allows you to configure HTTPS protection for websites with a few clicks. | ||||||
Discovers and manages website assets. You can add assets to WAF with a few clicks. | ||||||
Redirects traffic that is destined for origin servers to WAF. The origin servers can be Elastic Compute Service (ECS) instances or servers that are added to Server Load Balancer (SLB) instances. | ||||||
Protects websites that use HTTP/2. | ||||||
Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | ||||||
Detects and protects IPv6 traffic. | ||||||
Allows you to configure custom access and protection settings. | ||||||
Allows you to deploy a WAF protection cluster in a data center to protect traffic that does not pass through Alibaba Cloud. | ||||||
Allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing. | ||||||
Provides exclusive IP addresses to protect specific domain names. | ||||||
Website protection | ||||||
Protects services against common web attacks, such as SQL injection and Cross-Site Scripting (XSS) attacks. | ||||||
Updates protection rules that are configured for web zero-day vulnerabilities. | ||||||
Locks web pages to prevent content tampering. | ||||||
Prevents sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers, from being leaked. | ||||||
Protects services against common HTTP flood attacks in Normal or Emergency mode. | ||||||
Detects dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks on service endpoints, such as registration endpoints and logon endpoints. | ||||||
Blocks access requests that are sent from specific IP addresses or CIDR blocks. | ||||||
Blocks access requests that are sent from IP addresses in specific regions. | ||||||
Provides default rules to block the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature also supports scanner blocking and collaborative defense. | ||||||
Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | ||||||
Supports ACL-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params. | ||||||
Supports ACL-based access control by using advanced fields, such as Cookie, Content-Type, Header, and Http-Method. | ||||||
Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and throttling settings to configure HTTP flood protection rules. | ||||||
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | ||||||
DDoS attack mitigation | Defends against DDoS attacks. This feature is free of charge. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic. | |||||
Allows you to configure custom protection rule groups. | ||||||
Provides positive defense capabilities based on deep learning performed on website traffic. | ||||||
Protects critical website services against fraud. These services include registrations, logons, activities, and forums. | ||||||
Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | ||||||
Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | ||||||
Provides secure connections and anti-bot protection for native applications. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | ||||||
Security analysis and support | ||||||
Allows you to configure event monitoring and alerting for WAF. | ||||||
Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. |
Editions and supported features (outside the Chinese mainland)
The following table describes the features supported by each edition of subscription WAF instances outside the Chinese mainland.
Symbol descriptions:
: indicates that the feature is supported by the edition.
: indicates that the feature is not supported by the edition.
: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Feature | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Allows you to configure HTTPS protection for websites with a few clicks. | ||||||
Redirects traffic that is destined for origin servers to WAF. The origin servers can be ECS instances or servers that are added to SLB instances. | ||||||
Protects websites that use HTTP/2. | ||||||
Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | ||||||
Allows you to configure custom access and protection settings. | ||||||
Detects and protects IPv6 traffic. | ||||||
Allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing. | ||||||
Allows you to deploy a WAF protection cluster in a data center to protect traffic that does not pass through Alibaba Cloud. | ||||||
Provides exclusive IP addresses to protect specific domain names. | ||||||
Website protection | ||||||
Detects dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks on service endpoints, such as registration endpoints and logon endpoints. | ||||||
Protects services against common web attacks, such as SQL injection and XSS attacks. | ||||||
Updates protection rules that are configured for web zero-day vulnerabilities. | ||||||
Protects services against common HTTP flood attacks in Normal or Emergency mode. | ||||||
Blocks access requests that are sent from specific IP addresses or CIDR blocks. | ||||||
Blocks access requests that are sent from IP addresses in specific regions. | ||||||
Provides default rules to block the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature also supports scanner blocking and collaborative defense. | ||||||
Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | ||||||
Supports ACL-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params. | ||||||
Supports ACL-based access control by using advanced fields, such as Cookie, Content-Type, Header, and Http-Method. | ||||||
Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and throttling settings to configure HTTP flood protection rules. | ||||||
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | ||||||
Locks web pages to prevent content tampering. | ||||||
Prevents sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers, from being leaked. | ||||||
Allows you to configure custom protection rule groups. | ||||||
Provides positive defense capabilities based on deep learning performed on website traffic. | ||||||
Protects critical website services against fraud. These services include registrations, logons, activities, and forums. | ||||||
DDoS attack mitigation | Defends against DDoS attacks. This feature is free of charge. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic. | |||||
Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | ||||||
Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | ||||||
Provides secure connections and anti-bot protection for native applications. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | ||||||
Security analysis and support | ||||||
Allows you to configure event monitoring and alerting for WAF. | ||||||
Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. |