Web Application Firewall (WAF) 3.0 is a new version of WAF that was released in January 2022 and became available to the public on October 31, 2022. You can purchase subscription or pay-as-you-go WAF 3.0 instances based on your business requirements. You can no longer purchase new WAF 2.0 instances on the WAF buy page.
If you want to purchase new WAF 2.0 instances, contact your account manager.
Benefits of WAF 3.0
WAF 3.0 supports the CNAME record mode and cloud native mode. It is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and a console that allows you to configure protection settings in a more efficient manner. This helps improve user experience.
WAF 3.0 provides the following advantages compared with WAF 2.0:
New cloud native architecture
WAF 3.0 is deeply integrated as an SDK module into the gateways of cloud services, such as ALB and Microservices Engine (MSE), to detect threats and protect traffic. During the protection process, WAF does not forward traffic. You can enable WAF protection for cloud service instances in specific regions without the need to modify the DNS records or the settings of certificates, ports, and back-to-origin algorithms. This helps improve the stability and performance of your business and reduce access latency. For more information, see Cloud native architecture.
New protection configuration mode
WAF 3.0 allows you to add cloud service instances or domain names as protected objects and create protected object groups. WAF 3.0 also allows you to create protection rule templates for different protected objects in different protection modules. WAF 3.0 allows you to perform the following operations, which helps you configure protection in a more efficient manner:
Create protected object groups to apply a set of protection rules to multiple protected objects that have similar protection requirements. You can also configure custom protection rules for specific protected objects.
Configure default protection templates to apply predefined protection rules to new protected objects.
For more information, see Protection configuration overview.
New billing mode
WAF 3.0 supports the pay-as-you-go billing method. The billing unit is security capacity units (SeCUs). All fees are calculated based on SeCUs. This helps simplify the calculation process and billing logic. Bills are generated on an hourly basis based on your SeCU usage. You can purchase resource plans to offset SeCU usage fees based on your business requirements. For more information, see Billing overview.
New features and improved user experience
WAF 3.0 provides new features, such as the custom response feature. In WAF 3.0, the fees of the Simple Log Service for WAF feature are included in the bills of Simple Log Service. The Simple Log Service for WAF feature allows you to specify a custom storage capacity and retention period for logs. WAF 3.0 also optimizes the configurations for adding services in CNAME record mode and the configurations for security reports and rule searches. For more information, see Configure custom response rules to configure custom block pages, Overview of log management, Add a domain name to WAF, and Security reports.
Activation and applicable scope of WAF 3.0
Activation
For information about how to purchase a WAF 3.0 instance, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Applicable scope
Cloud native mode: For information about the limits on regions, see the "Limits" sections in the following topics: Enable WAF protection for an ALB instance, Enable WAF protection for an MSE instance, Enable WAF protection for a custom domain name bound to a web application in Function Compute, Add a Layer 7 Classic Load Balancer (CLB) instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an Elastic Compute Service (ECS) instance to WAF.
CNAME record mode: No limits are imposed on the regions of domain names.
What is the relationship between WAF 2.0 and WAF 3.0?
WAF 3.0 is different from WAF 2.0 in terms of its underlying architecture, specifications, configuration logic, and user experience. This is one of the reasons why an Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time.
You can still use, renew, and upgrade existing WAF 2.0 instances. The service level agreement (SLA) of WAF 2.0 is also guaranteed.
WAF 2.0 instances cannot be automatically upgraded to WAF 3.0 instances. For information about how to manually upgrade a WAF 2.0 instance to a WAF 3.0 instance, join the DingTalk group 34657699 for technical support.