How subscription WAF instances are billed - Web Application Firewall

A subscription is a prepayment billing method. Use it when your resource requirements are stable, predictable, or require long-term protection. Compared to pay-as-you-go, subscriptions offer lower unit prices and help reduce web application security protection costs. This topic explains the billing rules for the WAF subscription edition.

Billing Principles

A subscription WAF bill includes two parts: base service fees and value-added service fees.

Base service fee (required): Charged for the default mitigation capabilities included with your selected WAF edition, such as Pro or Enterprise. This is a prepayment.
Value-added service fee (optional): Used to enable extra features or expand default specifications when the default mitigation capabilities do not meet your business needs. Specifically:
- Burst QPS (Pay-As-You-Go) and Bot Management: Risk Identification are billed monthly based on actual usage (pay-as-you-go).
- All other value-added services use prepayment.

Billing Items

Note

Differences between editions: The following table lists pricing for each billing item in the WAF subscription edition. For differences in mitigation features across WAF editions, see Version Guide.
Price changes: Prices for the products and services listed below may change. Your final bill amount appears on your Alibaba Cloud bill.

Base Service Fees

Subscription Edition	Unit Price
Basic Edition	USD 140/month
Pro Edition	USD 556/month
Enterprise Edition	USD 1,400/month
Ultimate Edition	USD 4,260/month

Value-Added Service Fees (Prepaid)

Note

You can try Bot Management – Web Protection, Bot Management – App Protection, and API Security for free once with the Pro, Enterprise, or Ultimate Edition. The trial lasts 7 days from the time you enable the feature. After the trial ends, if you do not purchase the full version, the related protection settings are automatically cleared.

Billing Item	Unit Price
API Security	Pro Edition: USD 720/month. Enterprise Edition: USD 1,440/month. Ultimate Edition: USD 2,880/month.
Bot Management - Web Application Protection	Legacy Bot Management: Pro Edition: USD 500/month. Enterprise Edition: USD 1,000/month. Ultimate Edition: USD 1,720/month. New Bot Management: USD 1,150/month. Note WAF has launched a new Bot Management feature. If you already purchased the legacy Bot Management subscription, you can renew at the legacy price. For details, see [Announcement] Major Bot Management Upgrade and Pricing Update.
Bot Management - App Protection	Legacy Bot Management: USD 300/month. New Bot Management: USD 1,750/month.
Peak Traffic Throttling	USD 1,200/month.
Additional QPS	WAF in the Chinese mainland: Base fee, tiered pricing: 0 < Extended QPS ≤ 10,000: USD 0.5/QPS/month. 10,000 < Extended QPS ≤ 30,000: USD 0.48/QPS/month. Feature fee: If you enable API Security or Bot Management, add USD 0.3/QPS/month to the base fee for each enabled feature. WAF outside the Chinese mainland: Base fee: USD 0.6/QPS/month. Feature fee: If you enable API Security or Bot Management, add USD 0.3/QPS/month to the base fee for each enabled feature. Note QPS extension pricing changed on February 1, 2024 (UTC+8). For details, see [Announcement] International Website Prepaid Product Price Adjustment. Bot Management includes Bot Management – Web Protection and Bot Management – App Protection. Enabling either or both counts as enabling Bot Management. If you need more QPS extension than the maximum allowed, contact your account manager.
CNAME Record: Additional Domains	Tiered pricing based on total number of additional domain names: 0 ≤ Additional domain names ≤ 10: USD 22/domain/month. 10 < Additional domain names ≤ 100: USD 16/domain/month. 100 < Additional domain names ≤ 300: USD 9/domain/month. 300 < Additional domain names ≤ 500: USD 5/domain/month. 500 < Additional domain names ≤ 2,000: USD 3/domain/month. 2,000 < Additional domain names ≤ 5,000: USD 2/domain/month.
CNAME Record: Exclusive IP	USD 30/IP address/month
CNAME Record: Intelligent Load Balancing	USD 150/instance/month
Log Service	USD 75/TB/month Important After you enable Simple Log Service, the minimum log storage capacity you can purchase is 3 TB.
Multi-cloud/Hybrid-cloud WAF Extension Nodes	Tiered pricing based on total number of extension nodes: 0 < Extension nodes ≤ 3: USD 1,440/node/month. 3 < Extension nodes ≤ 8: USD 1,360/node/month. 8 < Extension nodes ≤ 500: USD 1,290/node/month. Note If your business runs in multi-cloud, on-premises IDC, private network, or Apsara Stack environments—and cannot connect to public cloud WAF using CNAME—but still needs WAF protection, buy multi-cloud/hybrid-cloud protection extension nodes. These let you deploy local WAF for protection. Mitigation capabilities vary by deployment mode: Reverse proxy mode: Each node supports up to: HTTP requests: 5,000 QPS. HTTPS requests: 3,000 QPS. SDK integration mode: Each node supports up to 15,000 QPS for HTTP/HTTPS requests. Scale out by adding more nodes.
Multi-cloud/Hybrid-cloud Bot Nodes	Tiered pricing based on total number of extension nodes: 0 < Extension nodes ≤ 3: USD 720/node/month. 3 < Extension nodes ≤ 8: USD 680/node/month. 8 < Extension nodes ≤ 500: USD 645/node/month. Note Buy these nodes to enable bot protection in multi-cloud/hybrid-cloud clusters.
Multi-cloud/Hybrid-cloud API Security Nodes	Tiered pricing based on total number of extension nodes: 0 < Extension nodes ≤ 3: USD 720/node/month. 3 < Extension nodes ≤ 8: USD 680/node/month. 8 < Extension nodes ≤ 500: USD 645/node/month. Note Buy these nodes to enable API security protection in multi-cloud/hybrid-cloud clusters.
Critical Event Protection	Enable Major Event Support after purchasing a WAF instance. It takes effect immediately (its effective time is independent of the WAF instance purchase time). For more information, seeMajor Event Support.

Value-Added Service Fees (Pay-as-you-go)

Note

Pay-as-you-go features may cause overdue payments. Overdue payments affect normal WAF operation. Monitor your expenses closely. Resolve overdue payments promptly. For resolution methods and details, see Overdue Payments.

Billing Item	Unit Price
Bot Management: Risk Identification	Billed per rule hit. Unit price: USD 0.007/hit. Note No charge applies if Fraud Detection is enabled but no rules are configured, or if rules are configured but receive no traffic hits.
Burst QPS (Pay-As-You-Go)	For detailed billing information, see Elastic Pay-as-you-go.

Important

When you enable WAF protection for an ALB instance, ALB incurs separate charges in addition to the WAF charges listed above. For more information, see Enable WAF Protection for ALB.

Billing Cycle

The prepayment portion of a subscription follows the order’s purchase cycle (in UTC+8). A billing cycle starts at the exact second you enable or renew the resource. It ends at 00:00:00 the day after the expiration date.
The pay-as-you-go portion of value-added services is settled daily (in UTC+8). A new settlement cycle begins after each settlement.

Note

Subscription billing cycles measured in years or months refer to calendar years and calendar months.
Major Event Support billing starts at the time you enable it and ends at the revert time you select during setup.
Pay-as-you-go settlements usually occur overnight. To avoid changes being applied to the previous day’s bill, make changes—such as adding domains or enabling new protection features—after 06:00 daily.
If your available balance—including your Alibaba Cloud account balance and vouchers—is less than the pending bill, you receive an SMS or email alert about insufficient funds.

Instance Expiration

Subscription WAF instance expiration rules:

Expiration reminders: The system sends renewal reminders via SMS or email 15, 7, 3, and 1 day before the instance expires.
Impact of expiration: If you do not renew before expiration, WAF retains your existing configuration for 15 days after expiration.
- If you renew within 15 days, your original configuration remains active.
- If you do not renew within 15 days, the system automatically releases your configuration on day 16. Protection stops immediately. To resume WAF service, you must purchase a new instance and reconfigure it.
  Important
  For domains integrated via CNAME, Alibaba Cloud deletes the CNAME record when the configuration is released. If you have not updated your domain’s DNS records to point back to the origin server, the domain becomes unreachable.

To avoid service interruption, renew promptly when notified.

View Bills

To view detailed billing information for your WAF 3.0 subscription instances and value-added services—and to check actual usage for pay-as-you-go features—see View Bills.

FAQ

What is the difference between edition-included QPS, QPS extension, and elastic pay-as-you-go QPS?

A WAF’s total QPS handling capacity equals the sum of edition-included QPS, Additional QPS, and Burst QPS (Pay-As-You-Go).

Billing Item	Description
QPS Included in Edition	Subscription WAF provides a default QPS capacity. See QPS Limits by Edition for exact values.
Additional QPS	Use this when your business consistently needs more QPS than your edition provides—and you do not want to upgrade your WAF edition. This is prepaid.
Burst QPS (Pay-As-You-Go)	Use this for highly variable or bursty traffic. This is pay-as-you-go.

What happens if QPS exceeds the limit?

If actual QPS exceeds the WAF’s handling capacity, WAF no longer guarantees its Service-Level Agreement (SLA). Protected objects may experience abnormal access, including packet loss, rate limiting, connection limits, failed protection, abnormal logs or reports, and timeouts.

If QPS exceeds the limit repeatedly or for extended periods, the WAF instance may enter sandbox mode. See Conditions That Trigger Sandbox Mode for exact conditions.

To avoid exceeding QPS limits, do one of the following:

Purchase Additional QPS.
Enable Burst QPS (Pay-As-You-Go).
Upgrade your WAF edition.