Pay-as-you-go is a billing method that allows you to pay for resources after you use the resources. You are charged based on your resource usage. Fees are deducted from the balance of your Alibaba Cloud account after bills are generated at the end of each billing cycle. You can also purchase security capacity unit (SeCU) resource plans to offset the fees and reduce costs. This topic describes the billing rules of pay-as-you-go Web Application Firewall (WAF) instances.
Scenarios
The pay-as-you-go billing method is more suitable than the subscription billing method for the following scenarios:
Frequently changing protection resource usage: If your protection resource usage is unpredictable, we recommend that you select the pay-as-you-go billing method.
Temporary and sudden protection resource usage: In this scenario, you can select the pay-as-you-go billing method to ensure the availability of protection resources and improve cost efficiency.
SeCUs
WAF 3.0 uses SeCUs as billing units. SeCUs have the following attributes:
The unit price is USD 0.01 per SeCU.
SeCU usage is measured on an hourly basis. For example, SeCU usage is measured for the period from 10:00:00 to 10:59:59.
SeCU usage is rounded up to the nearest integer. For example, if only 0.5 SeCUs are used from 10:00:00 to 10:59:59, you are charged for 1 SeCU for the hour.
Billable items
The product and service prices may change. Refer to your Alibaba Cloud bill for the final amount.
If you enable WAF protection for an Application Load Balancer (ALB) instance, you are charged by WAF and ALB. For more information about the billing rules of WAF-enabled ALB instances, see Activate and manage WAF-enabled ALB instances.
Major event protection fees
If you enable the major event protection feature, you are charged based on the subscription duration of the feature. The minimum subscription duration is 30 days. For more information about the major event protection feature and the fees for the feature, see Major event protection.
To enable the major event protection feature, perform the following steps:
Log on to the WAF 3.0 console and select the resource group and region in which your WAF instance is deployed.
In the left-side navigation pane, choose Protection Configuration > Protection for Major Events.
On the Protection for Major Events page, enable the major event protection feature.
The major event protection feature takes effect immediately after you enable it. The validity period of the feature is the subscription duration that you specify when you enable the feature. After the validity period ends, the major event protection feature no longer protects your services.
Pay-as-you-go WAF instance fees
If you purchase a pay-as-you-go WAF instance, you are charged request processing fees and feature fees.
You can use SeCUs to offset request processing fees and feature fees. For more information about the offset rules, see SeCU resource plan.
Pay-as-you-go WAF 3.0 instances support the traffic billing protection feature. You can use the feature to prevent large bills when queries per second (QPS) surge unexpectedly, for example during HTTP flood attacks. For more information about the traffic billing protection feature, see Traffic billing protection.
If the peak QPS of your pay-as-you-go WAF instance exceeds the threshold value for traffic billing protection, the WAF instance is added to the sandbox and no bills are generated.
Billable items of pay-as-you-go WAF instances
The basic protection rule module of WAF is upgraded. For more information, see Announcement of changes to the billing and implementation of pay-as-you-go WAF 3.0 instances. If you use the new version of the basic protection rule module, see Billable items (new). If you use the old version of the basic protection rule module, see Billable items (old).
Billable items (new)
Billable items (old)
Billing details
Description
The basic protection rule module of WAF is upgraded. For more information, see Announcement of changes to the billing and implementation of pay-as-you-go WAF 3.0 instances. If you use the new version of the basic protection rule module, see Billable details (new). If you use the old version of the basic protection rule module, see Billable details (old).
Billable details (new)
Fee | Billable item | Description | SeCU | |
Request processing fees: fees for request processing within an hour. | Basic traffic | You are charged based on the number of requests initiated by clients within an hour, including normal requests and malicious requests, but not server responses. | 1 SeCU per 5,000 requests Note
| |
Bot management | If you enable the bot management feature, you are charged based on the number of requests that match bot management rules within an hour. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
API security | If you enable the API security feature, you are charged based on the number of requests that match API security rules within an hour. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
Peak QPS | You are charged based on the peak QPS within an hour. |
Note If the excess portion is less than 5 QPS, it is calculated as 5 QPS. | ||
Risk identification (paid feature of bot management) | You are charged based on the number of times that risk identification rules are matched. | 1 SeCU per time Note The risk identification feature takes effect only after the bot management and risk identification features are enabled. For more information, see Risk identification. | ||
Slider CAPTCHA verification in custom rules | You are charged based on the number of verification operations that are performed. | 1 SeCU per 10 operations per hour Note If the number is less than 10, it is rounded up to 10. | ||
Feature fees: fees for different features within an hour. | Billed based on configured protection rules Important Fees are generated even if the configured protection rules are disabled. To prevent fees in this scenario, delete the protection rules. | IP address blacklist | You are charged based on the number of protection rules configured for the IP address blacklist module, including enabled and disabled rules. | 2 SeCUs per rule |
Custom rule | You are charged based on the number of protection rules configured for the custom rule module, including enabled and disabled rules. |
Note Rules that meet one of the following conditions are advanced rules, and the others are basic rules:
| ||
Scan protection | You are charged based on the number of protection rules configured for the scan protection module, including enabled and disabled rules. Each protection template of the scan protection module contains three protection rules. | 1 SeCU per rule | ||
HTTP flood protection | You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules. | 2 SeCUs per rule | ||
Region blacklist | You are charged based on the number of protection rules configured for the region blacklist module, including enabled and disabled rules. | 3 SeCUs per rule | ||
Custom response | You are charged based on the number of protection rules configured for the custom response module, including enabled and disabled rules. Each protection template of the custom response module contains one protection rule. | 10 SeCUs per rule | ||
Website tamper-proofing | You are charged based on the number of protection rules configured for the website tamper-proofing module, including enabled and disabled rules. | 5 SeCUs per rule | ||
Data leakage prevention | You are charged based on the number of protection rules configured for the data leakage prevention module, including enabled and disabled rules. | 5 SeCUs per rule | ||
Billed based on resource usage | Bot management | You are charged based on the number of configured bot management templates, including enabled and disabled templates. | 50 SeCUs per template | |
API security | You are charged based on the number of protected objects for which API security is enabled. | 20 SeCUs per protected object | ||
Exclusive IP address | You are charged based on the number of domain names that have the exclusive IP address feature enabled and are added to WAF in CNAME record mode. | 15 SeCUs per exclusive IP address | ||
Domain names added in CNAME record mode | You are charged based on the number of domain names that are added to WAF in CNAME record mode. The domain names include second-level domain names and their subdomain names, and exact-match and wildcard domain names. |
| ||
Billed based on feature status | Non-standard port protection | You are charged only after non-standard ports are protected. |
| |
Intelligent whitelist engine | You are charged only after you enable the intelligent whitelist engine feature. You can enable the feature when you create a protection template for the basic protection rule module. |
| ||
Intelligent load balancing | You are charged only after you enable the intelligent load balancing feature. |
| ||
IPv6 protection | You are charged only after you enable the IPv6 protection feature. |
| ||
Asset center | You are charged only after you enable the asset center feature. |
| ||
Basic protection rule | You are charged only after you add protected objects to WAF. |
| ||
Billed by other cloud services | Simple Log Service for WAF | You are charged and billed by Alibaba Cloud Simple Log Service. | 0 SeCUs on the WAF side |
Billing details (old)
Fee | Billable item | Description | SeCU | |
Request processing fees: fees for request processing within an hour. | Basic traffic | You are charged based on the number of requests initiated by clients within an hour, including normal requests and malicious requests, but not server responses. | 1 SeCU per 5,000 requests
Note If the number of requests that WAF processes within an hour is not a multiple of 5,000, it is rounded up to the nearest multiple of 5,000. If WAF processes no requests within an hour, you are not charged. For more information, see Billing examples. | |
Bot management | If you enable the bot management feature, you are charged based on the number of requests that match bot management rules within an hour. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
API security | If you enable the API security feature, you are charged based on the number of requests that match API security rules within an hour. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
Peak QPS | You are charged based on the peak QPS within an hour. |
Note If the excess portion is less than 5 QPS, it is calculated as 5 QPS. | ||
Risk identification (paid feature of bot management) | You are charged based on the number of times that risk identification rules are matched. | 1 SeCU per time Note The risk identification feature takes effect only after the bot management and risk identification features are enabled. For more information, see Risk identification. | ||
Slider CAPTCHA verification in custom rules | You are charged based on the number of verification operations that are performed. | 1 SeCU per 10 operations per hour Note If the number is less than 10, it is rounded up to 10. | ||
Feature fees: fees for different features within an hour. | Billed based on configured protection rules. Important Fees are generated even if the configured protection rules are disabled. To prevent fees in this scenario, delete the protection rules. | IP address blacklist | You are charged based on the number of protection rules configured for the IP address blacklist module, including enabled and disabled rules. | 2 SeCUs per rule |
Custom rule | You are charged based on the number of protection rules configured for the custom rule module, including enabled and disabled rules. |
Note Rules that meet one of the following conditions are advanced rules, and the others are basic rules:
| ||
Scan protection | You are charged based on the number of protection rules configured for the scan protection module, including enabled and disabled rules. Each protection template of the scan protection module contains three protection rules. | 1 SeCU per rule | ||
HTTP flood protection | You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules. | 2 SeCUs per rule | ||
Region blacklist | You are charged based on the number of protection rules configured for the region blacklist module, including enabled and disabled rules. | 3 SeCUs per rule | ||
Custom response | You are charged based on the number of protection rules configured for the custom response module, including enabled and disabled rules. Each protection template of the custom response module contains one protection rule. | 10 SeCUs per rule | ||
Website tamper-proofing | You are charged based on the number of protection rules configured for the website tamper-proofing module, including enabled and disabled rules. | 5 SeCUs per rule | ||
Data leakage prevention | You are charged based on the number of protection rules configured for the data leakage prevention module, including enabled and disabled rules. | 5 SeCUs per rule | ||
Billed based on resource usage | Protection rule groups (custom rule groups) | You are charged based on the number of configured rule groups, including rule groups associated with or not associated with protection templates. You can configure up to 30 custom rule groups. Note You are not charged for the three built-in rule groups. | 2 SeCUs per rule group | |
Bot management | You are charged based on the number of configured bot management templates, including enabled and disabled templates. | 50 SeCUs per template | ||
API security | You are charged based on the number of protected objects for which API security is enabled. | 20 SeCUs per protected object | ||
Exclusive IP address | You are charged based on the number of domain names that have the exclusive IP address feature enabled and are added to WAF in CNAME record mode. | 15 SeCUs per exclusive IP address | ||
Domain names added in CNAME record mode | You are charged based on the number of domain names that are added to WAF in CNAME record mode. The domain names include second-level domain names and their subdomain names, and exact-match and wildcard domain names. |
| ||
Billed based on feature status | Non-standard port protection | You are charged only after non-standard ports are protected. | 25 SeCUs per hour | |
Intelligent whitelist | You are charged only after you enable the intelligent whitelist feature. You can enable the feature when you create a protection template for the basic protection rule module. |
| ||
Intelligent load balancing | You are charged only after you enable the intelligent load balancing feature. |
| ||
IPv6 protection | You are charged only after you enable the IPv6 protection feature. |
| ||
Protocol compliance | You are charged only after you enable the protocol compliance feature. |
| ||
Asset center | You are charged only after you enable the asset center feature. |
| ||
Basic protection rule | You are charged only after you add protected objects to WAF. |
| ||
Billed by other cloud services | Simple Log Service for WAF | You are charged and billed by Alibaba Cloud Simple Log Service. | 0 SeCUs on the WAF side |
Billing examples
Example 1
You added five domain names to WAF in CNAME record mode and configured two protection rules for the IP address blacklist module. Within an hour, no requests are sent to your domain names and the peak QPS is 0.
In this scenario, the request processing fee is 0 SeCUs and the feature fee is 13 SeCUs. The total fee is USD 0.13. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU usage (rounded up to the nearest integer within an hour) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic | 1 SeCU per 5,000 requests | 0 SeCUs | 0.01 × 0 = USD 0 |
Request processing fees | Peak QPS | Peak QPS ≤ 5,000: 0 SeCUs per hour | 0 SeCUs | 0.01 × 0 = USD 0 |
Feature fees | Domain names added in CNAME record mode | One domain name: 0 SeCUs. More than one domain name: 2 SeCUs for each additional domain name | 8 SeCUs | 0.01 × 8 = USD 0.08 |
Feature fees | IP address blacklist | 2 SeCUs per rule | 4 SeCUs | 0.01 × 4 = USD 0.04 |
Feature fees | Basic protection rule (Note: You are charged for the basic protection rule module only after you add protected objects to WAF.) | Protected objects added: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Example 2
You added 12 domain names to WAF in CNAME record mode, enabled the exclusive IP address and intelligent load balancing features for two domain names, and created one protection template of the scan protection module. Within an hour, 50,001 requests are sent to your domain names and the peak QPS is 4,000.
In this scenario, the request processing fee is 11 SeCUs and the feature fee is 106 SeCUs. The total fee is USD 1.17. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU usage (rounded up to the nearest integer within an hour) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic | 1 SeCU per 5,000 requests | 11 SeCUs | 0.01 × 11 = USD 0.11 |
Request processing fees | Peak QPS | Peak QPS ≤ 5,000: 0 SeCUs per hour | 0 SeCUs | 0.01 × 0 = USD 0 |
Feature fees | Domain names added in CNAME record mode | One domain name: 0 SeCUs. More than one domain name: 2 SeCUs per additional domain name | 22 SeCUs | 0.01 × 22 = USD 0.22 |
Feature fees | Exclusive IP address | 15 SeCUs per exclusive IP address | 30 SeCUs | 0.01 × 30 = USD 0.3 |
Feature fees | Intelligent load balancing | Enabled: 50 SeCUs per hour | 50 SeCUs | 0.01 × 50 = USD 0.5 |
Feature fees | Scan protection (Note: Each scan protection template contains three rules.) | 1 SeCU per rule | 3 SeCUs | 0.01 × 3 = USD 0.03 |
Feature fees | Basic protection rule (Note: You are charged for the basic protection rule module only after you add protected objects to WAF.) | Protected objects added: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Example 3
You added a Layer 7 Classic Load Balancer (CLB) instance in the US (Silicon Valley) region to WAF in cloud native mode and added domain names hosted on the CLB instance to WAF as protected objects. You configured protection rules for the basic protection rule module and enabled bot management and HTTP flood protection for the CLB instance. You configured two protection rules for the HTTP flood protection module and one protection template for the bot management module. The protection rules are disabled and the template is enabled. You also enabled risk identification and configured related protection rules. Within an hour, 4,200 requests are sent to your domain names, the peak QPS is 537, the bot management rules are matched 34 times, and the risk identification rules are matched 3 times.
In this scenario, the request processing fee is 35 SeCUs and the feature fee is 58 SeCUs. The total fee is USD 0.93. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU usage (rounded up to the nearest integer within an hour) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic | 1 SeCU per 5,000 requests | 1 SeCU | 0.01 × 1 = USD 0.01 |
Request processing fees | Peak QPS | Peak QPS ≤ 5,000: 0 SeCUs per hour | 0 SeCUs | 0.01 × 0 = USD 0 |
Request processing fees | Bot management | You are charged based on the number of requests that match bot management rules within an hour. | 34 SeCUs | 0.01 × 34 = USD 0.34 |
Feature fees | Basic protection rule (Note: You are charged for the basic protection rule module only after you add protected objects to WAF.) | Protected objects added: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Feature fees | Bot management | You are charged based on the number of configured bot management templates, including enabled and disabled templates. | 50 SeCUs | 0.01 × 50 = USD 0.5 |
Feature fees | Risk identification | You are charged based on the number of times that risk identification rules are matched. 1 SeCU per time | 3 SeCUs | 0.01 × 3 = USD 0.03 |
Feature fees | HTTP flood protection | You are charged based on the number of protection rules configured for the HTTP flood protection module, including enabled and disabled rules. 2 SeCUs per rule | 4 SeCUs | 0.01 × 4 = USD 0.04 |
Example 4
You enabled WAF protection for an ALB instance in the US (Silicon Valley) region and created two protection templates of the custom response module. The protection templates apply to different protected objects. Within an hour, 50,004 requests are sent to your domain names and the peak QPS is 5,997.
In this scenario, the request processing fee is 211 SeCUs and the feature fee is 21 SeCUs. The WAF-enabled ALB instance fee is USD 0.035 per hour. The total fee is USD 2.355. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU usage (rounded up to the nearest integer within an hour) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic | 1 SeCU per 5,000 requests | 11 SeCUs | 0.01 × 11 = USD 0.11 |
Request processing fees | Peak QPS | Peak QPS > 5,000: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS | 200 SeCUs | 0.01 × 200 = USD 2 |
Feature fees | Custom response | 10 SeCUs per rule | 20 SeCUs | 0.01 × 20 = USD 0.2 |
Feature fees | Basic protection rule (Note: You are charged for the basic protection rule module only after you add protected objects to WAF.) | Protected objects added: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
WAF-enabled ALB instance fee | | USD 0.035 per hour (Refer to the buy page for the actual price.) | N/A | 0.035 × 1 = USD 0.035 |
If you need to estimate the costs for pay-as-you-go WAF instances on a daily basis or for a longer period, we recommend that you take into account the actual traffic fluctuation over time. For example, if your business has higher traffic from 06:00 to 18:00 daily and few requests during the remaining hours, we recommend that you estimate the costs during the active hours as the average daily costs. This approach provides a more accurate long-term cost estimate.
After you purchase a pay-as-you-go WAF instance, refer to your Alibaba Cloud bill for the actual usage and fees.
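The rounding and per-rule rules used in Examples 1, 2 and 4, written out as an added Python sketch (not Alibaba Cloud code). The names `HourlyUsage`, `request_processing_secus`, `feature_secus` and `hourly_cost_usd` are hypothetical, only unit prices quoted on this page are used, and the request-matched bot management and risk identification items from Example 3 are left out.

```python
from dataclasses import dataclass, field

USD_PER_SECU = 0.01            # page: each SeCU costs USD 0.01
REQUESTS_PER_SECU = 5000       # basic traffic: 1 SeCU per 5,000 requests
FREE_PEAK_QPS = 5000           # peak QPS <= 5,000 costs 0 SeCUs
QPS_PER_SECU = 5               # above 5,000: 1 SeCU per 5 QPS, rounded up

# SeCUs per configured rule. Disabled rules are billed as well, so the
# counts passed in must include them; only deleting a rule stops the fee.
RULE_PRICES = {
    "ip_blacklist": 2,
    "scan_protection": 1,      # each template contains three rules
    "http_flood": 2,
    "region_blacklist": 3,
    "custom_response": 10,     # each template contains one rule
    "tamper_proofing": 5,
    "data_leakage": 5,
}
EXCLUSIVE_IP_SECU = 15
INTELLIGENT_LB_SECU = 50       # "Enabled: 50 SeCUs per hour" (Example 2)
BASIC_PROTECTION_SECU = 1      # charged once protected objects are added


@dataclass
class HourlyUsage:
    """One billing hour of a pay-as-you-go instance (hypothetical model)."""
    requests: int = 0
    peak_qps: int = 0
    cname_domains: int = 0
    exclusive_ips: int = 0
    intelligent_lb: bool = False
    protected_objects_added: bool = True
    rules: dict = field(default_factory=dict)  # module -> rules configured


def _ceil_div(n: int, d: int) -> int:
    """Integer ceiling division, the page's 'rounded up' rule."""
    return -(-n // d)


def request_processing_secus(u: HourlyUsage) -> int:
    basic = _ceil_div(u.requests, REQUESTS_PER_SECU)   # 0 requests -> 0
    excess_qps = max(0, u.peak_qps - FREE_PEAK_QPS)
    return basic + _ceil_div(excess_qps, QPS_PER_SECU)


def feature_secus(u: HourlyUsage) -> int:
    total = 2 * max(0, u.cname_domains - 1)            # first domain is free
    total += EXCLUSIVE_IP_SECU * u.exclusive_ips
    total += INTELLIGENT_LB_SECU if u.intelligent_lb else 0
    total += BASIC_PROTECTION_SECU if u.protected_objects_added else 0
    for module, count in u.rules.items():
        total += RULE_PRICES[module] * count           # KeyError: unknown module
    return total


def hourly_cost_usd(u: HourlyUsage, other_service_usd: float = 0.0) -> float:
    """WAF SeCU cost plus any fee billed by another service (e.g. ALB)."""
    secus = request_processing_secus(u) + feature_secus(u)
    return round(secus * USD_PER_SECU + other_service_usd, 3)


# Inputs taken from the billing examples above.
EXAMPLE_1 = HourlyUsage(cname_domains=5, rules={"ip_blacklist": 2})
EXAMPLE_2 = HourlyUsage(requests=50_001, peak_qps=4_000, cname_domains=12,
                        exclusive_ips=2, intelligent_lb=True,
                        rules={"scan_protection": 3})
EXAMPLE_4 = HourlyUsage(requests=50_004, peak_qps=5_997,
                        rules={"custom_response": 2})

if __name__ == "__main__":
    for name, u, extra in (("Example 1", EXAMPLE_1, 0.0),
                           ("Example 2", EXAMPLE_2, 0.0),
                           ("Example 4", EXAMPLE_4, 0.035)):
        print(name, request_processing_secus(u), feature_secus(u),
              hourly_cost_usd(u, extra))
```

In Example 4 the peak QPS term accounts for 200 of the 232 SeCUs, which is the component that grows during an HTTP flood.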
Billing cycles
Bills for pay-as-you-go WAF instances are generated and settled on a daily basis based on UTC+8 time. After a bill is settled, a new billing cycle begins.
The bills for pay-as-you-go WAF instances are generated and settled each day before 06:00. If you want to change instance configurations, we recommend that you perform the change after 06:00. Otherwise, the change is included in the bill of the previous day.
If the available balance in your account, including Alibaba Cloud account balance and vouchers, is less than the amount due for a pending bill, you are notified that your balance is low by text message or email.
Overdue payments
If your Alibaba Cloud account has overdue payments, the use of WAF is affected. We recommend that you check whether your account has overdue payments in the Expenses and Costs console and top up your account at the earliest opportunity. For more information about how to handle overdue payments, see Overdue payments.
If your Alibaba Cloud account has overdue payments, your WAF service may be suspended, and the system reminds or notifies you of the issue. You can top up your account at the earliest opportunity.
Bill query
You can view the billing details and actual usage of your pay-as-you-go WAF instance on the Bills page in the WAF console. For more information, see View bills.
References
For more information about how to unsubscribe from a subscription WAF 3.0 instance or terminate the WAF service for a pay-as-you-go WAF 3.0 instance, see Refund policy.
For more information about how to handle business errors caused by automated tools, such as scripts and simulators, see Enable and configure the bot management module.
For more information about how to detect API risks, such as unauthorized access, excessive exposure of sensitive data, or internal API leaks, reconstruct API anomaly events from reports, review cross-border data transfer, and trace sensitive data leakage events, see API security.
For more information about how to query the traffic of protected objects and view attack prevention logs, see Overview of log management.
For more information about advanced and basic rules, see Match conditions.