Web Application Firewall (WAF) 3.0 is a new version of WAF with redesigned access modes, protection configuration logic, and billing rules. This topic covers the key differences between WAF 3.0 and WAF 2.0.
WAF 3.0 and WAF 2.0 differ in underlying architecture, specifications, configuration logic, and user experience. A single Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time. When you log on to the WAF console, you are directed to the interface that corresponds to the version of the WAF instance you purchased. WAF 2.0 instances cannot be automatically migrated to WAF 3.0. If you want to migrate a WAF 2.0 instance to WAF 3.0, join the DingTalk group (group ID: 34657699) for technical support.
What's different
WAF 3.0 improves on WAF 2.0 in three areas:
Access modes — WAF 3.0 adds native integration with ALB, MSE, and Function Compute
Protection configuration — WAF 3.0 supports bulk rule configuration, global rule visibility, and editable default templates
Billing — WAF 3.0 simplifies billing with QPS-only measurement and SeCU-based pay-as-you-go units
Access modes
WAF supports two access modes: CNAME record mode and cloud native mode.
| Access mode | WAF 3.0 | WAF 2.0 |
|---|---|---|
| CNAME record mode (Figure 1) | Supported. Update your CNAME record with your DNS provider to map your domain name to the WAF-provided CNAME. WAF acts as a reverse proxy cluster — blocking malicious requests and forwarding legitimate ones to the origin server. See CNAME record mode. | Supported. |
| Cloud native mode (Figure 2) | Supported. Add traffic redirection ports to WAF so that your instance gateways automatically redirect web service traffic to WAF. WAF acts as a reverse proxy cluster. See Enable WAF protection for a Layer 7 CLB instance, Enable WAF protection for a Layer 4 CLB instance, and Enable WAF protection for an ECS instance. | Supported. |
| Cloud native mode (Figure 3) | Supported. WAF 3.0 is integrated as an SDK module directly into the gateways of Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute — no DNS changes, certificate configuration, or back-to-origin setup required. WAF inspects traffic in-process without forwarding it, avoiding compatibility and stability issues. This mode also extends to self-managed gateways such as NGINX in multi-cloud or hybrid cloud environments, and covers all regions where cloud-native Alibaba Cloud services are available. Web services in multiple environments can be added to WAF 3.0 based on network environments and compliance requirements and managed in the WAF 3.0 console. See Enable WAF protection for an ALB instance, Enable WAF protection for an MSE instance, and Enable WAF protection for a custom domain name bound to a web application in Function Compute. | Not supported. |
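In CNAME record mode, protection only holds if the domain's DNS chain actually ends at the WAF-provided CNAME; a record that still points straight at the origin address bypasses WAF entirely. The check below is an added example, not Alibaba Cloud's code: it follows a CNAME chain over constructed DNS answers, detects loops, and flags names that resolve to an address without passing through the WAF CNAME (the WAF CNAME value is a placeholder).

```python
# Added example (not Alibaba Cloud's code): verify that a domain's DNS chain ends at the
# WAF-provided CNAME so that traffic really passes through WAF in CNAME record mode.
# The DNS answers are constructed for illustration; WAF_CNAME is a placeholder value.

WAF_CNAME = "example-id.waf.example-placeholder.com."   # placeholder, not a real WAF CNAME

# Constructed zone data: owner name -> (record type, value)
RECORDS = {
    "www.example.com.":       ("CNAME", "waf-alias.example.com."),
    "waf-alias.example.com.": ("CNAME", WAF_CNAME),
    "api.example.com.":       ("A", "203.0.113.10"),        # points straight at the origin
    "loop1.example.com.":     ("CNAME", "loop2.example.com."),
    "loop2.example.com.":     ("CNAME", "loop1.example.com."),
}


def check_waf_cname(domain, records, waf_cname, max_hops=8):
    """Follow CNAMEs from `domain`; return (status, chain of names visited).

    status is one of: protected, bypasses_waf, loop, missing, too_many_hops.
    """
    name = domain if domain.endswith(".") else domain + "."
    chain = [name]
    seen = {name}
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            return ("missing", chain)          # no record at all for this name
        rtype, value = rec
        if rtype != "CNAME":
            # An A/AAAA record here means clients reach an address without WAF in the path
            return ("bypasses_waf", chain)
        chain.append(value)
        if value == waf_cname:
            return ("protected", chain)        # chain terminates at the WAF CNAME
        if value in seen:
            return ("loop", chain)             # CNAME loop, would never resolve
        seen.add(value)
        name = value
    return ("too_many_hops", chain)


if __name__ == "__main__":
    for d in ("www.example.com", "api.example.com", "loop1.example.com", "nope.example.com"):
        status, chain = check_waf_cname(d, RECORDS, WAF_CNAME)
        print(f"{d:20} {status:14} {' -> '.join(chain)}")
```

Run the same logic over real answers from your resolver (for example, the CNAME chain returned for your domain) after updating the record at your DNS provider, and repeat it for every domain added to WAF, not just the first one.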
Protection configuration
| Protection configuration | WAF 3.0 | WAF 2.0 |
|---|---|---|
| Configure a rule for multiple protected objects | Supported. Add domain names or cloud service instances as protected objects, then group them into protected object groups. One rule applied to a group automatically covers all objects in that group. Domain names on cloud service instances can also be added as separate protected objects with their own custom rules. | Not supported. Rules apply to one protected object at a time. Configuring the same rule for 100 domain names requires 100 separate operations. |
| Configure rules for cloud native mode instances | Supported. Instances added via cloud native mode become protected objects automatically, with full rule configuration available. | Not supported. For a transparent proxy mode instance with 100 domain names, all 100 domain names must be added to WAF before any rule changes are possible. Until then, only unmodifiable default rules apply. |
| View all protection rules globally | Supported. Browse and manage protection rules by module in the WAF 3.0 console. View the protection templates for each module and the protected objects or groups they cover. Search rules by rule ID. | Not supported. No centralized view of rules configured across domain names. |
| Modify default protection rules | Supported. Edit the default protection template to change how WAF handles new domain names. For example, set the default action to Monitor mode to observe traffic before blocking. | Not supported. Protection rules can only be configured after domain names are added to WAF 2.0. |
WAF 3.0-only features
The following features are available in WAF 3.0 only:
Custom response — Configure custom block pages returned to clients when requests are blocked. Specify a custom status code, response header, and response body. See Configure protection rules for the custom response module to configure custom block pages.
Major event protection — Apply intelligent protection policies during high-risk periods without configuring complex rules. See Major event protection.
Asset center — Inventory domain names inside and outside Alibaba Cloud, and assess risk based on attack activity. See Asset center.
Security reports — View per-module protection details for security analysis. See Security reports.
Whitelist — Manage all whitelist module rules in one place. See Configure protection rules for the whitelist module to allow specific requests.
Billing
Subscription
WAF 3.0 simplifies subscription billing in several ways:
Basic edition added — A new entry-level edition for applications that do not have large service traffic.
QPS-only measurement — Traffic is measured in queries per second (QPS) only. Bandwidth limits that vary by edition are removed.
Burstable QPS — A pay-as-you-go burst capacity feature that lets a WAF 3.0 instance absorb traffic above its purchased QPS instead of being throttled to the sandbox.
Simplified domain name counting — The total domain name count includes second-level domain names, subdomain names, and wildcard domain names. Additional domain names follow tiered pricing with discounts applied per tier.
Hybrid cloud protection — Available across more editions than in WAF 2.0.
Pay-as-you-go
WAF 3.0 introduces a redesigned pay-as-you-go model:
QPS-only measurement — No bandwidth-based limits.
SeCU billing units — Charges are calculated in security capacity units (SeCUs), simplifying cost estimation. Resource plans are provided for SeCUs, and you can obtain more savings based on the size of your resource plan.
Hourly billing — Bills are generated every hour. When a feature is disabled or its configuration is deleted, billing for that feature stops automatically.
WAF 3.0 supports the pay-as-you-go billing method.
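Because both the subscription and pay-as-you-go models above measure capacity in QPS only, the practical sizing question is the peak requests per second your service actually sees and how often it would exceed the purchased QPS (the situation burstable QPS is meant to cover). The script below is an added example, not Alibaba Cloud's code: it buckets constructed access-log timestamps per second, reports the peak QPS, and counts the seconds that exceed a given purchased QPS.

```python
# Added example (not Alibaba Cloud's code): derive peak QPS from access-log timestamps
# to size a WAF 3.0 instance, since WAF 3.0 measures capacity in QPS only.
# The log lines below are constructed for illustration (common log format timestamps).
from collections import Counter
from datetime import datetime, timezone

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.6 - - [10/Oct/2024:12:00:00 +0000] "GET /login HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2024:12:00:00 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /api HTTP/1.1" 200 128
203.0.113.8 - - [10/Oct/2024:12:00:02 +0000] "GET /api HTTP/1.1" 200 128
203.0.113.9 - - [10/Oct/2024:12:00:02 +0000] "GET /api HTTP/1.1" 200 128
garbage line without a timestamp
"""

TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def per_second_counts(log_text):
    """Count requests per wall-clock second (normalised to UTC); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        start = line.find("[")
        end = line.find("]", start)
        if start == -1 or end == -1:
            continue
        try:
            ts = datetime.strptime(line[start + 1:end], TIME_FORMAT).astimezone(timezone.utc)
        except ValueError:
            continue
        counts[ts] += 1
    return counts


def qps_summary(log_text, purchased_qps):
    """Peak QPS plus how many seconds exceeded the purchased QPS (burst capacity needed)."""
    counts = per_second_counts(log_text)
    peak = max(counts.values(), default=0)
    over = [ts for ts, n in counts.items() if n > purchased_qps]
    return {
        "peak_qps": peak,
        "seconds_over_limit": len(over),
        "needs_burst": bool(over),
    }


if __name__ == "__main__":
    print(qps_summary(SAMPLE_LOG, purchased_qps=2))
```

Feed it a full day of origin or load-balancer logs rather than a sample; the peak over that window, with headroom, is the number to compare against the QPS of each edition.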
What's next
Website configuration overview — Access modes supported by WAF 3.0 and how to set them up.
Protection configuration overview — Protection capabilities in WAF 3.0 and configuration procedures.