All Products
Search
Document Center

Web Application Firewall:Billing rules of pay-as-you-go WAF 3.0 instances

Last Updated:Dec 04, 2024

Pay-as-you-go is a billing method that allows you to pay for resources after you use the resources. You are charged based on your resource usage. Fees are deducted from the balance of your Alibaba Cloud account after bills are generated at the end of each billing cycle. You can also purchase security capacity unit (SeCU) resource plans to offset the fees and reduce costs. This topic describes the billing rules of pay-as-you-go Web Application Firewall (WAF) instances.

Scenarios

The pay-as-you-go billing method is more suitable than the subscription billing method for the following scenarios:

  • Frequently changing protection resource usage: If your protection resource usage is unpredictable, we recommend that you select the pay-as-you-go billing method.

  • Temporary and sudden protection resource usage: In this scenario, you can select the pay-as-you-go billing method to ensure the availability of protection resources and improve cost efficiency.

SeCUs

WAF 3.0 uses SeCUs as billing units. SeCUs have the following attributes:

  • The unit price is USD 0.01. Each SeCU costs USD 0.01.

  • SeCU usage is measured on an hourly basis. For example, SeCU usage is measured for the period from 10:00:00 to 10:59:59.

  • SeCU usage is rounded up to the nearest integer. For example, if only 0.5 SeCUs are used from 10:00:00 to 10:59:59, you are charged for 1 SeCU for the hour.

Billable items

Important
  • The product and service prices may change. Refer to your Alibaba Cloud bill for the final amount.

  • If you enable WAF protection for an Application Load Balancer (ALB) instance, you are charged by WAF and ALB. For more information about the billing rules of WAF-enabled ALB instances, see Activate and manage WAF-enabled ALB instances.

Major event protection fees

If you enable the major event protection feature, you are charged based on the subscription duration of the feature. The minimum subscription duration is 30 days. For more information about the major event protection feature and the fees for the feature, see Major event protection.

Note
  • To enable the major event protection feature, perform the following steps: Log on to the WAF 3.0 console and select the resource group and region in which your WAF instance is deployed. In the left-side navigation pane, choose Protection Configuration > Protection for Major Events. On the Protection for Major Events page, enable the major event protection feature.

  • The major event protection feature takes effect immediately after you enable it. The validity period of the feature is the subscription duration that you specify when you enable the feature. After the validity period ends, the major event protection feature no longer protects your services.

Pay-as-you-go WAF instance fees

If you purchase a pay-as-you-go WAF instance, you are charged request processing fees and feature fees.

Note
  • You can use SeCUs to offset request processing fees and feature fees. For more information about the offset rules, see SeCU resource plan.

  • Pay-as-you-go WAF 3.0 instances support the traffic billing protection feature. You can use the feature to prevent large bills in scenarios when queries per second (QPS) unexpectedly surges due to reasons such as HTTP flood attacks. For more information about the traffic billing protection feature, see Traffic billing protection.

  • If the peak QPS of your pay-as-you-go WAF instance exceeds the threshold value for traffic billing protection, the WAF instance is added to the sandbox and no bills are generated.

Billable items of pay-as-you-go WAF instances

Important

The basic protection rule module of WAF is upgraded. For more information, see Announcement of changes to the billing and implementation of pay-as-you-go WAF 3.0 instances. If you use the new version of the basic protection rule module, see Billable items (new). If you use the old version of the basic protection rule module, see Billable items (old).

Billable items (new)

image

Billable items (old)

image

Billing details

Important

Description

The basic protection rule module of WAF is upgraded. For more information, see Announcement of changes to the billing and implementation of pay-as-you-go WAF 3.0 instances. If you use the new version of the basic protection rule module, see Billable details (new). If you use the old version of the basic protection rule module, see Billable details (old).

Billable details (new)

Fee

Billable item

Description

SeCU

Request processing fees: fees for request processing within an hour.

Basic traffic

You are charged based on the number of requests initiated by clients within an hour, including normal requests and malicious requests, but not server responses.

1 SeCU per 5,000 requests

Note
  • If the number of requests that WAF processes within an hour is not a multiple of 5,000, it is rounded up to the nearest multiple of 5,000. If WAF processes no requests within an hour, you are not charged. For more information, see Billing examples.

  • The basic traffic fee covers the feature fee for the whitelist feature.

Bot management

If you enable the bot management feature, you are charged based on the number of requests that match bot management rules within an hour. Otherwise, you are not charged.

1 SeCU per 10,000 requests

Note

If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples.

API security

If you enable the API security feature, you are charged based on the number of requests that match API security rules within an hour. Otherwise, you are not charged.

1 SeCU per 10,000 requests

Note

If the number of requests is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples.

Peak QPS

You are charged based on the peak QPS within an hour.

  • Peak QPS ≤ 5,000: 0 SeCUs per hour

  • Peak QPS > 5,000: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS

Note

If the excess portion is less than 5 QPS, it is calculated as 5 QPS.

Risk identification (paid feature of bot management)

You are charged based on the number of times that risk identification rules are matched.

1 SeCU per time

Note

The risk identification feature takes effect only after the bot management and risk identification features are enabled. For more information, see Risk identification.

Slider CAPTCHA verification in custom rules

You are charged based on the number of verification operations that are performed.

1 SeCU per 10 operations per hour

Note

If the number is less than 10, it is rounded up to 10.

Feature fees: fees for different features within an hour.

Billed based on configured protection rules

Important

Fees are generated even if the configured protections rules are disabled. To prevent fees in this scenario, delete the protection rules.

IP address blacklist

You are charged based on the number of protection rules configured for the IP address blacklist module, including enabled and disabled rules.

2 SeCUs per rule

Custom rule

You are charged based on the number of protection rules configured for the custom rule module, including enabled and disabled rules.

  • Basic rules: 1 SeCU per rule

  • Advance rules: 2 SeCUs per rule

Note

Rules that meet one of the following conditions are advanced rules, and the others are basic rules:

  • The rule type is throttling.

  • The following match fields are used: Body and Body Parameter.

  • The following logical operators are used: regular expression match and regular expression mismatch.

  • The following advanced settings are configured: canary release and effective mode.

Scan protection

You are charged based on the number of protection rules configured for the scan protection module, including enabled and disabled rules. Each protection template of the scan protection module contains three protection rules.

1 SeCU per rule

HTTP flood protection

You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules.

2 SeCUs per rule

Region blacklist

You are charged based on the number of protection rules configured for the region blacklist module, including enabled and disabled rules.

3 SeCUs per rule

Custom response

You are charged based on the number of protection rules configured for the custom response module, including enabled and disabled rules. Each protection template of the custom response module contains one protection rule.

10 SeCUs per rule

Website tamper-proofing

You are charged based on the number of protection rules configured for the website tamper-proofing module, including enabled and disabled rules.

5 SeCUs per rule

Data leakage prevention

You are charged based on the number of protection rules configured for the data leakage prevention module, including enabled and disabled rules.

5 SeCUs per rule

Billed based on resource usage

Bot management

You are charged based on the number of configured bot management templates, including enabled and disabled templates.

50 SeCUs per template

API security

You are charged based on the number of protected objects for which API security is enabled.

20 SeCUs per protected object

Exclusive IP address

You are charged based on the number of domain names that have the exclusive IP address feature enabled and are added to WAF in CNAME record mode.

15 SeCUs per exclusive IP address

Domain names added in CNAME record mode

You are charged based on the number of domain names that are added to WAF in CNAME record mode. The domain names include second-level domain names and their subdomain names, and exact-match and wildcard domain names.

  • One domain name: 0 SeCUs

  • More than one domain name: 2 SeCUs per additional domain name

Billed based on feature status

Non-standard port protection

You are charged only after non-standard ports are protected.

  • Disabled: 0 SeCUs per hour

  • Enabled: 25 SeCUs per hour

Intelligent whitelist engine

You are charged only after you enable the intelligent whitelist engine feature. You can enable the feature when you create a protection template for the basic protection rule module.

  • Disabled: 0 SeCUs per hour

  • Enabled: 10 SeCUs per hour

Intelligent load balancing

You are charged only after you enable the intelligent load balancing feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 50 SeCUs per hour

IPv6 protection

You are charged only after you enable the IPv6 protection feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 50 SeCUs per hour

Asset center

You are charged only after you enable the asset center feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 1 SeCU per hour

Basic protection rule

You are charged only after you add protected objects to WAF.

  • No protected objects added: 0 SeCUs per hour

  • Protected objects added: 1 SeCU per hour

Billed by other cloud services

Simple Log Service for WAF

You are charged and billed by Alibaba Cloud Simple Log Service.

0 SeCUs on the WAF side

Billing details (old)

Fee

Billable item

Description

SeCU

Request processing fees: fees for request processing within an hour.

Basic traffic

You are charged based on the number of requests initiated by clients within an hour, including normal requests and malicious requests, but not server responses.

1 SeCU per 5,000 requests

    Note

    If the number of requests that WAF processes within an hour is not a multiple of 5,000, it is rounded up to the nearest multiple of 5,000. If WAF processes no requests within an hour, you are not charged. For more information, see Billing examples.

  • The basic traffic fee covers the feature fee for the whitelist feature.

Bot management

If you enable the bot management feature, you are charged based on the number of requests that match bot management rules within an hour. Otherwise, you are not charged.

1 SeCU per 10,000 requests

Note

If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples.

API security

If you enable the API security feature, you are charged based on the number of requests that match API security rules within an hour. Otherwise, you are not charged.

1 SeCU per 10,000 requests

Note

If the number of requests is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples.

Peak QPS

You are charged based on the peak QPS within an hour.

  • Peak QPS ≤ 5,000: 0 SeCUs per hour

  • Peak QPS > 5,000: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS

Note

If the excess portion is less than 5 QPS, it is calculated as 5 QPS.

Risk identification (paid feature of bot management)

You are charged based on the number of times that risk identification rules are matched.

1 SeCU per time

Note

The risk identification feature takes effect only after the bot management and risk identification features are enabled. For more information, see Risk identification.

Slider CAPTCHA verification in custom rules

You are charged based on the number of verification operations that are performed.

1 SeCU per 10 operations per hour

Note

If the number is less than 10, it is rounded up to 10.

Feature fees: fees for different features within an hour.

Billed based on configured protection rules.

Important

Fees are generated even if the configured protections rules are disabled. To prevent fees in this scenario, delete the protection rules.

IP address blacklist

You are charged based on the number of protection rules configured for the IP address blacklist module, including enabled and disabled rules.

2 SeCUs per rule

Custom rule

You are charged based on the number of protection rules configured for the custom rule module, including enabled and disabled rules.

  • Basic rules: 1 SeCU per rule

  • Advance rules: 2 SeCUs per rule

Note

Rules that meet one of the following conditions are advanced rules, and the others are basic rules:

  • The rule type is throttling.

  • The following match fields are used: Body and Body Parameter.

  • The following logical operators are used: regular expression match and regular expression mismatch.

  • The following advanced settings are configured: canary release and effective mode.

Scan protection

You are charged based on the number of protection rules configured for the scan protection module, including enabled and disabled rules. Each protection template of the scan protection module contains three protection rules.

1 SeCU per rule

HTTP flood protection

You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules.

2 SeCUs per rule

Region blacklist

You are charged based on the number of protection rules configured for the region blacklist module, including enabled and disabled rules.

3 SeCUs per rule

Custom response

You are charged based on the number of protection rules configured for the custom response module, including enabled and disabled rules. Each protection template of the custom response module contains one protection rule.

10 SeCUs per rule

Website tamper-proofing

You are charged based on the number of protection rules configured for the website tamper-proofing module, including enabled and disabled rules.

5 SeCUs per rule

Data leakage prevention

You are charged based on the number of protection rules configured for the data leakage prevention module, including enabled and disabled rules.

5 SeCUs per rule

Billed based on resource usage

Protection rule groups (custom rule groups)

You are charged based on the number of configured rule groups, including rule groups associated with or not associated with protection templates. You can configure up to 30 custom rule groups.

Note

You are not charged for the three built-in rule groups.

2 SeCUs per rule group

Bot management

You are charged based on the number of configured bot management templates, including enabled and disabled templates.

50 SeCUs per template

API security

You are charged based on the number of protected objects for which API security is enabled.

20 SeCUs per protected object

Exclusive IP address

You are charged based on the number of domain names that have the exclusive IP address feature enabled and are added to WAF in CNAME record mode.

15 SeCUs per exclusive IP address

Domain names added in CNAME record mode

You are charged based on the number of domain names that are added to WAF in CNAME record mode. The domain names include second-level domain names and their subdomain names, and exact-match and wildcard domain names.

  • One domain name: 0 SeCUs

  • More than one domain name: 2 SeCUs per additional domain name

Billed based on feature status

Non-standard port protection

You are charged only after non-standard ports are protected.

25 SeCUs per hour

Intelligent whitelist

You are charged only after you enable the intelligent whitelist feature. You can enable the feature when you create a protection template for the basic protection rule module.

  • Disabled: 0 SeCUs per hour

  • Enabled: 10 SeCUs per hour

Intelligent load balancing

You are charged only after you enable the intelligent load balancing feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 50 SeCUs per hour

IPv6 protection

You are charged only after you enable the IPv6 protection feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 50 SeCUs per hour

Protocol compliance

You are charged only after you enable the protocol compliance feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 20 SeCUs per hour per template in which the protocol compliance feature is enabled

Asset center

You are charged only after you enable the asset center feature.

  • Disabled: 0 SeCUs per hour

  • Enabled: 1 SeCU per hour

Basic protection rule

You are charged only after you add protected objects to WAF.

  • No protected objects added: 0 SeCUs per hour

  • Protected objects added: 1 SeCU per hour

Billed by other cloud services

Simple Log Service for WAF

You are charged and billed by Alibaba Cloud Simple Log Service.

0 SeCUs on the WAF side

Billing examples

Example 1

You added five domain names to WAF in CNAME record mode and configured two protection rules for the IP address blacklist module. Within an hour, no requests are sent to your domain names and the peak QPS is 0.

In this scenario, the request processing fee is 0 SeCUs and the feature fee is 13 SeCUs. The total fee is USD 0.13. The following table describes the billing details.

Fee

Billable item

Unit price

SeCU usage (rounded up to the nearest integer within an hour)

Total fee (1 SeCU = USD 0.01)

Request processing fees

Basic traffic

1 SeCU per 5,000 requests

0 SeCUs

0.01 × 0 = USD 0

Peak QPS

Peak QPS ≤ 5,000: 0 SeCUs per hour

0 SeCUs

0.01 × 0 = USD 0

Feature fees

Domain names added in CNAME record mode

One domain name: 0 SeCUs

More than one domain name: 2 SeCUs for each additional domain name

8 SeCUs

0.01 × 8 = USD 0.08

IP address blacklist

2 SeCUs per rule

4 SeCUs

0.01 × 4 = USD 0.04

Basic protection rule

Note

You are charged for the basic protection rule module only after you add protected objects to WAF.

Protected objects added: 1 SeCU per hour

1 SeCU

0.01 × 1 = USD 0.01

Example 2

You added 12 domain names to WAF in CNAME record mode, enabled the exclusive IP address and intelligent load balancing features for two domain names, and created one protection template of the scan protection module. Within an hour, 50,001 requests are sent to your domain names and the peak QPS is 4,000.

In this scenario, the request processing fee is 11 SeCUs and the feature fee is 106 SeCUs. The total fee is USD 1.17. The following table describes the billing details.

Fee

Billable item

Unit price

SeCU usage (rounded up to the nearest integer within an hour)

Total fee (1 SeCU = USD 0.01)

Request processing fees

Basic traffic

1 SeCU per 5,000 requests

11 SeCUs

0.01 × 11 = USD 0.11

Peak QPS

Peak QPS ≤ 5,000: 0 SeCUs per hour

0 SeCUs

0.01 × 0 = USD 0

Feature fees

Domain names added in CNAME record mode

One domain name: 0 SeCUs

More than one domain name: 2 SeCUs per additional domain name

22 SeCUs

0.01 × 22 = USD 0.22

Exclusive IP address

15 SeCUs per exclusive IP address

30 SeCUs

0.01 × 30 = USD 0.3

Intelligent load balancing

Enabled: 50 SeCUs per hour

50 SeCUs

0.01 × 50 = USD 0.5

Scan protection

Note

Each scan protection template contains three rules.

1 SeCU per rule

3 SeCUs

0.01 × 3 = USD 0.03

Basic protection rule

Note

You are charged for the basic protection rule module only after you add protected objects to WAF.

Protected objects added: 1 SeCU per hour

1 SeCU

0.01 × 1 = USD 0.01

Example 3

You added a Layer 7 Classic Load Balancer (CLB) instance in the US (Silicon Valley) region to WAF in cloud native mode and added domain names hosted on the CLB instance to WAF as protected objects. You configured protection rules for the basic protection rule module and enabled bot management and HTTP flood protection for the CLB instance. You configured two protection rules for the HTTP flood protection module and one protection template for the bot management module. The protection rules are disabled and the template is enabled. You also enabled risk identification and configured related protection rules. Within an hour, 4,200 requests are sent to your domain names, the peak QPS is 537, the bot management rules are matched 34 times, and the risk identification rules are matched 3 times.

In this scenario, the request processing fee is 35 SeCUs and the feature fee is 58 SeCUs. The total fee is USD 0.93. The following table describes the billing details.

Fee

Billable item

Unit price

SeCU usage (rounded up to the nearest integer within an hour)

Total fee (1 SeCU = USD 0.01)

Request processing fees

Basic traffic

1 SeCU per 5,000 requests

1 SeCU

0.01 × 1 = USD 0.01

Peak QPS

Peak QPS ≤ 5,000: 0 SeCUs per hour

0 SeCUs

0.01 × 0 = USD 0

Bot management

You are charged based on the number of requests that match bot management rules within an hour.

34 SeCUs

0.01 × 34 = USD 0.34

Feature fees

Basic protection rule

Note

You are charged for the basic protection rule module only after you add protected objects to WAF.

Protected objects added: 1 SeCU per hour

1 SeCU

0.01 × 1 = USD 0.01

Bot management

You are charged based on the number of configured bot management templates, including enabled and disabled templates.

50 SeCUs

0.01 × 50 = USD 0.5

Risk identification

You are charged based on the number of times that risk identification rules are matched.

1 SeCU per time

3 SeCUs

0.01 × 3 = USD 0.03

HTTP flood protection

You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules.

2 SeCUs per rule

4 SeCUs

0.01 × 4 = USD 0.04

Example 4

You enabled WAF protection for an ALB instance in the US (Silicon Valley) region and created two protection templates of the custom response module. The protection templates apply to different protected objects. Within an hour, 50,004 requests are sent to your domain names and the peak QPS is 5,997.

In this scenario, the request processing fee is 211 SeCUs and the feature fee is 21 SeCUs. The WAF-enabled ALB instance fee is USD 0.035 per hour. The total fee is USD 2.355. The following table describes the billing details.

Fee

Billable item

Unit price

SeCU usage (rounded up to the nearest integer within an hour)

Total fee (1 SeCU = USD 0.01)

Request processing fees

Basic traffic

1 SeCU per 5,000 requests

11 SeCUs

0.01 × 11 = USD 0.11

Peak QPS

Peak QPS > 5,000: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS

200 SeCUs

0.01 × 200 = USD 2

Feature fees

Custom response

10 SeCUs per rule

20 SeCUs

0.01 × 20 = USD 0.2

Basic protection rule

Note

You are charged for the basic protection rule module only after you add protected objects to WAF.

Protected objects added: 1 SeCU per hour

1 SeCUs

0.01 × 1 = USD 0.01

WAF-enabled ALB instance fee

USD 0.035 per hour (Refer to the buy page for the actual price.)

N/A

0.035 × 1 = USD 0.035

Note
  • If you need to estimate the costs for pay-as-you-go WAF instances on a daily basis or for a longer period, we recommend that you take into account the actual traffic fluctuation over time. For example, if your business has higher traffic from 06:00 to 18:00 daily and few requests during the remaining hours, we recommend that you estimate the costs during the active hours as the average daily costs. This approach provides a more accurate long-term cost estimate.

  • After you purchase a pay-as-you-go WAF instance, refer to your Alibaba Cloud bill for the actual usage and fees.

Billing cycles

Bills for pay-as-you-go WAF instances are generated and settled on a daily basis based on UTC+8 time. After a bill is settled, a new billing cycle begins.

Note
  • The bills for pay-as-you-go WAF instances are generated and settled each day before 06:00. If you want to change instance configurations, we recommend that you perform the change after 06:00. Otherwise, the change is included in the bill of the previous day.

  • If the available balance in your account, including Alibaba Cloud account balance and vouchers, is less than the amount due for a pending bill, you are notified that your balance is low by text message or email.

Overdue payments

If your Alibaba Cloud account has overdue payments, the use of WAF is affected. We recommend that you check whether your account has overdue payments in the Expenses and Costs console and top up your account at the earliest opportunity For more information about how to handle overdue payments, see Overdue payments.

Warning

If your Alibaba Cloud account has overdue payments, your WAF service may be suspended, and the system reminds or notifies you of the issue. You can top up your account at the earliest opportunity.

Bill query

You can view the billing details and actual usage of your pay-as-you-go WAF instance on the Bills page in the WAF console. For more information, see View bills.

References

  • For more information about how to unsubscribe from a subscription WAF 3.0 instance or terminate the WAF service for a pay-as-you-go WAF 3.0 instance, see Refund policy.

  • For more information about how to handle business errors caused by automated tools, such as scripts and simulators, see Enable and configure the bot management module.

  • For more information about how to detect API risks, such as unauthorized access, excessive exposure of sensitive data, or internal API leaks, reconstruct API anomaly events from reports, review cross-border data transfer, and trace sensitive data leakage events, see API security.

  • For more information about how to query the traffic of protected objects and view attack prevention logs, see Overview of log management.

  • For more information about advanced and basic rules, see Match conditions.