If you use a Web Application Firewall (WAF) 2.0 instance, you can use the self-service upgrade tool provided by Alibaba Cloud to upgrade the instance to WAF 3.0 in the WAF 2.0 console. This topic describes the upgrade conditions of a WAF 2.0 instance, how to use the self-service upgrade tool to upgrade a WAF instance, and the upgrade instructions.
The self-service upgrade tool is in canary release.
If WAF3.0 Upgrade Portal is displayed in the left-side navigation pane of the WAF 2.0 console, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0.
If WAF3.0 Upgrade Portal is not displayed and you want to urgently upgrade your WAF 2.0 instance to WAF 3.0, you can submit an upgrade application to your account manager. After the application is approved, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance.
Limits
A WAF 2.0 instance that you can upgrade to WAF 3.0 must meet the following requirements:
Your web services are added to the WAF 2.0 instance in CNAME record mode or transparent proxy mode. If your web services are added to the WAF 2.0 instance in transparent proxy mode, your origin server must be deployed on a Layer 7 Server Load Balancer (SLB), Layer 4 SLB, or Elastic Compute Service (ECS) instance. Alternatively, the WAF 2.0 instance is a Hybrid Cloud WAF instance.
NoteIf your web services are added in transparent proxy mode and your origin server is deployed on an Application Load Balancer (ALB) instance, you cannot directly upgrade your WAF 2.0 instance to WAF 3.0. You must disable traffic redirection and delete the access configurations for the ALB instance. Then, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance. For more information, see Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?
If your web services are added in transparent proxy mode and your origin server is deployed on a Layer 7 SLB, Layer 4 SLB, or ECS instance, you must click CLB(HTTP/HTTPS), CLB(TCP), or ECS on the Cloud Native tab to re-add the web services to WAF after you upgrade your WAF 2.0 instance to WAF 3.0.
Alibaba Cloud performs operations such as asset synchronization from 00:00 to 03:00 every day. We recommend that you do not upgrade a WAF 2.0 instance to which web services are added in transparent proxy mode during this period.
The WAF 2.0 instance uses the subscription billing method and runs one of the following editions: On-cloud WAF Pro, On-cloud WAF Business, On-cloud WAF Enterprise. Alternatively, the WAF 2.0 instance runs Hybrid Cloud WAF Exclusive.
The data visualization feature is disabled for the WAF 2.0 instance, and no custom features are enabled for the WAF 2.0 instance.
The WAF 2.0 instance does not expire in the next 15 days.
The WAF 2.0 instance belongs to an Alibaba Cloud account or a Resource Access Management (RAM) user that has the AliyunYundunWAFFullAccess permission. The Alibaba Cloud account or RAM user does not have overdue payments.
To view the details of your account, you can move the pointer over the profile picture in the upper-right corner of the WAF 2.0 console.
Instructions
Impacts on business
You can upgrade a WAF 2.0 instance to WAF 3.0 without service interruptions.
After the upgrade, the CNAME provided by the WAF 2.0 instance and the configured back-to-origin addresses remain unchanged. On the CNAME Record tab of the Website Configuration page in the WAF 3.0 console, you can view the domain names, CNAMEs assigned to the domain names, and origin server addresses.
Upgrade methods
The system performs a precheck for upgrading. After the precheck is passed, you can select one of the following upgrade methods:
One-click Upgrade
After the upgrade starts, the system checks whether your configurations meet the upgrade requirements. If your configurations meet the upgrade requirements, the system creates a WAF 3.0 instance and upgrades all forwarding configurations and protection configurations of your WAF 2.0 instance.
Use scenario: A small number of domain names are added to your WAF 2.0 instance and simple protection rules are configured. You want to upgrade the instance to WAF 3.0 with a few clicks.
Manual Batch Upgrade
Migrate Rules
After the upgrade starts, the system checks whether the protection rules that you select can be upgraded. If the protection rules can be upgraded, the system creates a WAF 3.0 instance and upgrades the protection rules to WAF 3.0. The protection performance of the protection rules is not affected after the upgrade. You must manually upgrade the forwarding configurations of the specified domain names and then associate protection templates with protected objects.
Use scenario: You want the protection rules to be automatically upgraded but you want to manually batch upgrade the forwarding configurations and view traffic statistics.
Do Not Migrate Rules
After the upgrade starts, the system creates a WAF 3.0 instance and configures default protection rules, but does not upgrade the forwarding configurations or protection configurations. You must manually upgrade the forwarding configurations of the specified domain names, create protection templates, add protection rules to the templates, and then associate the templates with protected objects.
Use scenario: A large number of domain names are added to your WAF 2.0 instance or complex protection rules are configured. You want to manually batch upgrade the forwarding configurations and protection configurations and view traffic statistics.
Upgrade duration
The upgrade process requires approximately 15 minutes to complete. The process covers only the automatic upgrade. During the automatic upgrade, a WAF 3.0 instance is created and the forwarding configurations and protection configurations are upgraded.
Compared with the manual batch upgrade method, the one-click upgrade method requires more time to complete because the system performs complex prechecks.
Upgrade window
Upgrade window duration
After you select an upgrade method, you can perform upgrade operations within a 15-day upgrade window. After you click Confirm Upgrade Completion, you can no longer perform upgrade operations.
You can view the remaining duration of the upgrade window on the Upgrade Tools page.
Operations that can be performed
View traffic statistics.
Perform batch upgrade for domain names.
Switch between the WAF 2.0 console and the WAF 3.0 console.
Configure protection rules in the WAF 3.0 console and check whether the new WAF 3.0 instance protects your web services as expected.
Roll back your instance to WAF 2.0.
Confirm that the upgrade is complete or cancel the upgrade.
Operations that cannot be performed
Renew, upgrade, downgrade, or unsubscribe from your WAF instance in the WAF console or the Expenses and Costs console. If you perform the preceding operations on your WAF instance, the instance may be released and fees may fail to be refunded.
Enable or disable the website tamper-proofing or data leakage prevention feature.
Create, modify, or delete forwarding configurations on the Website Access page in the WAF 2.0 console or the Website Configuration page in the WAF 3.0 console.
Usage notes
If you create an alert rule for the new WAF 3.0 instance within the upgrade window, you can receive alert notifications when the alert rule is triggered only in the WAF 2.0 console.
If you do not click Confirm Upgrade Completion within the upgrade window, the new WAF 3.0 instance and its configurations are rolled back to WAF 2.0. The new WAF instance is released, and the new configurations are deleted.
After the upgrade is complete, you can use your WAF instance only in the WAF 3.0 console. Before you click Confirm Upgrade Completion, make sure that you do not need to perform upgrade operations.
Changes after the upgrade
Editions and features
If your WAF 2.0 instance uses the subscription billing method and runs On-cloud WAF Pro, On-cloud WAF Business, or On-cloud WAF Enterprise, the new WAF 3.0 instance runs Subscription Pro Edition, Subscription Enterprise Edition, or Subscription Ultimate Edition, respectively. WAF 3.0 enhances the features of WAF 2.0 and adds new features.
In WAF 3.0, Subscription Pro Edition instances do not support the intelligent rule hosting feature of the protection rules engine or the slider CAPTCHA verification feature in custom rules. If you want to use the preceding features after the upgrade, you can upgrade your WAF 3.0 instance from Pro Edition to Enterprise Edition or Ultimate Edition. For more information, see Upgrade or downgrade a WAF instance.
WAF 3.0 provides the following new features: protection templates, custom response rules, major event protection, and the advanced asset center. After the upgrade is complete, you can enable the features based on your business requirements. For more information, see Configure protection rules for the custom response module to configure custom block pages, Major event protection, and Asset center.
WAF 3.0 does not support Hybrid Cloud WAF Exclusive. If your WAF 2.0 instance runs Hybrid Cloud WAF Exclusive, you can only obtain a WAF 3.0 Subscription Ultimate Edition instance after the upgrade.
The following table describes the changes in WAF instance specifications before and after the upgrade.
Scenario
Before the upgrade
After the upgrade
Scenario 1
Your WAF 2.0 instance runs Hybrid Cloud WAF Exclusive and you did not purchase additional quotas for protection nodes or domain names. This edition provides a quota of 2 protection nodes and 200 domain names.
The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node for hybrid cloud clusters, and 200 domain names.
Scenario 2
Your WAF 2.0 instance runs Hybrid Cloud WAF Exclusive and you purchased an additional quota of x protection nodes. This edition provides a quota of 2 protection nodes and 200 domain names.
The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node for hybrid cloud clusters, x additional protection nodes for hybrid cloud clusters, and 200 domain names.
Scenario 3
Your WAF 2.0 instance runs On-cloud WAF Enterprise and you purchased an additional quota of x protection nodes.
The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, x additional protection nodes for hybrid cloud clusters, and 200 domain names.
Scenario 4
Your WAF 2.0 instance runs On-cloud WAF Business and you purchased an additional quota of x protection nodes.
The new WAF 3.0 instance runs Enterprise Edition and provides a quota of 1 default protection node, x additional protection nodes for hybrid cloud clusters, and 200 domain names.
Fees
You are not charged for upgrade operations.
The total fees for your instance may change due to the differences between the editions and the features supported by WAF 2.0 and WAF 3.0. You can view the changes in fees the first time you renew your instance after the upgrade. For more information about WAF 3.0 pricing, visit the WAF 3.0 buy page.
After your WAF 2.0 instance is upgraded to WAF 3.0, you cannot apply for a refund if you unsubscribe from or downgrade your WAF instance before you renew the instance.
If you downgrade your WAF instance, you are charged for your WAF instance based on the new specifications when you renew the instance.
Sandbox, burstable QPS (pay-as-you-go), and traffic billing protection
Sandbox is a special mechanism of WAF 3.0. If the peak queries per second (QPS) of a WAF instance exceeds the total QPS quota, the WAF instance may be added to the sandbox. After a WAF instance is added to the sandbox, the service level agreement (SLA) is no longer guaranteed. In this case, the protected objects of the WAF instance may encounter service access exceptions, including packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering. For more information, see Sandbox overview.
Within the upgrade window of a WAF instance, the system does not add the WAF instance to the sandbox.
Subscription instances
If the actual QPS of a WAF instance exceeds the default QPS quota provided by the WAF edition plus the additional QPS quota that you purchase, the WAF instance may be added to the sandbox. For more information, see Burstable QPS (pay-as-you-go).
After the upgrade is complete, the actual QPS of the WAF instance may exceed the default QPS quota provided by the WAF edition. If the default QPS quota is exceeded, the WAF instance may be added to the sandbox.
To prevent the WAF instance from being added to the sandbox, you can upgrade the edition, purchase an additional QPS quota, or enable the burstable QPS (pay-as-you-go) feature.
For more information about how to upgrade the edition, see Upgrade or downgrade a WAF instance.
For more information about how to purchase an additional QPS quota, see Purchase a subscription WAF 3.0 instance.
For more information about how to enable the burstable QPS (pay-as-you-go) feature, see Burstable QPS (pay-as-you-go).
Pay-as-you-go instances
If the peak QPS of a WAF instance exceeds the specified threshold for traffic billing protection in an hour, the WAF instance is added to the sandbox. No bill is generated for the hour. This helps prevent high costs caused by excessively high QPS usage. For more information, see Traffic billing protection.
After the upgrade is complete, a WAF 3.0 instance is created. By default, Traffic Billing Protection is enabled for the WAF instance and cannot be disabled. The value of Traffic Billing Protection Threshold is set to the maximum QPS supported by pay-as-you-go WAF instances.
Chinese mainland: 100,000.
Outside the Chinese mainland: 10,000.
If the maximum QPS cannot meet your business requirements, contact your account manager.
If the peak QPS of the WAF instance is less than or equal to the specified value of Traffic Billing Protection Threshold, the WAF instance is automatically removed from the sandbox. If you want to manually remove the WAF instance from the sandbox, you can change the value of Traffic Billing Protection Threshold based on your business requirements.
Simple Log Service for WAF
After the one-click upgrade starts, the system creates a Logstore for the new WAF 3.0 instance. The Logstore of the WAF 2.0 instance is retained.
ImportantAfter the upgrade is complete, logs in the Logstore of the new WAF 3.0 instance record only the required fields. If you selected optional fields for your WAF 2.0 instance, you must re-select the fields in the WAF 3.0 console.
Within the upgrade window, you can view the Logstore of your WAF 2.0 instance in the WAF 2.0 console. After the upgrade is complete, you can view the Logstore of your WAF 2.0 instance only in the Simple Log Service console. For more information, see Query and analyze logs.
In the Logstore of the WAF 2.0 instance, the logs are deleted based on the specified retention period. The logs that are earliest stored are first deleted. If you want to retain the logs, you can back up the logs before the logs are deleted. For more information, see Download logs.
By default, the retention period for the Logstore of the new WAF 3.0 instance is 180 days. You can change the retention period in the Simple Log Service console.
Required reconfigurations
After the upgrade is complete, you must reconfigure API operations, Terraform, resource groups, CloudMonitor notifications and alerts, and the Simple Log Service for WAF feature. You must also grant your RAM user the permissions on API operations, renew your WAF instance at the earliest opportunity, and complete business changes caused by the product code change. For more information, see What to do next.
Upgrade process
When you upgrade the traffic of Layer 7 SLB, Layer 4 SLB, and ECS-related domain names that are added to your WAF 2.0 instance in transparent proxy mode, the system adds the traffic redirection ports of the cloud service instances to the WAF 3.0 instance in cloud native mode. In addition, the system adds the cloud service instances as protected objects. You can also manually add the domain names as protected objects.
When you upgrade the traffic of domain names added to Hybrid Cloud WAF, the system adds the domain names to the WAF 3.0 instance in hybrid cloud - reverse proxy mode. In addition, the system adds the domain names as protected objects.
Canary release
For the manual batch upgrade method, the system supports traffic canary release at the domain name level. The system first redirects partial traffic to WAF 3.0 and then increases the proportion of traffic to redirect until all traffic is redirected to WAF 3.0. During this process, the system ensures service reliability. The following figure shows how traffic canary release works.
The following traffic proportions are supported: 1%, 5%, 10%, 20%, 30%, 50%, 70%, 90%, and 100%. Custom proportions are not supported. Traffic proportions can be increased but cannot be decreased.
The data leakage prevention feature does not support canary release. After the upgrade starts, the detection records of the feature are stored in WAF 3.0.
Upgrade procedure
1. Perform an upgrade precheck
Before you can select an upgrade method, the system performs a precheck to examine whether the upgrade method is supported. After a precheck is complete, you can view the check time and check result on the Upgrade Tool page. If the required upgrade method is not supported, you can perform troubleshooting based on the provided reason and suggestion. After the troubleshooting is complete, you can go back to the Upgrade Tool page to perform another precheck. If the required upgrade method is supported, you can select the method to start your upgrade.
2. Select an upgrade method
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the lower part of the left-side navigation pane, click WAF3.0 Upgrade Portal.
If your WAF 2.0 instance meets the requirements that are described in the "Limits" section of this topic, read and select related items in the Upgrade Instructions panel and click I understand the upgrade instructions and agree to proceed with the upgrade. to go to the Upgrade Tool page.
If your WAF 2.0 instance does not meet the requirements, the Error message appears. You can fix the error based on the error message. If you have questions, join the DingTalk group (group ID: 34657699) for technical support.
If a domain name is added to your WAF 2.0 instance in transparent proxy mode, bind the domain name to the related cloud service. You can bind an ECS, Layer 4 SLB, or Layer 7 SLB-related domain name to ECS, CLB(TCP), or CLB(HTTP/HTTPS), respectively.
On the Upgrade Tool page, select One-click Upgrade, Manual Batch Migration - Migrate Rules, or Manual Batch Migration - Do Not Migrate Rules. Then, click Start Migration.
If you select Manual Batch Migration - Migrate Rules, you must select the protection rules that you want to upgrade. You can select multiple options.
You can select the protection rules that you want to upgrade only on the Upgrade Tool page. Make sure that you select all the required protection rules before you click Start Migration
In the Note message, click OK. After you click OK, the automatic upgrade starts, and the upgrade window also starts. The automatic upgrade requires approximately 15 minutes to complete. Do not close or refresh the current page during this period.
In the The WAF 3.0 instance is created. message, click OK. The message appears after the automatic upgrade is complete.
Switch to the WAF 3.0 console and check whether the automatic upgrade of the related configurations is complete. For more information about the configurations, see Upgrade process.
Switch to the WAF 2.0 console and check the upgrade status of domain names on the Upgrade Tools page.
One-click Upgrade
If the upgrade status of a domain name is Upgraded, all configurations of the domain name are automatically upgraded to WAF 3.0.
NoteIf the upgrade fails, the WAF instance is rolled back to WAF 2.0. In the Rollback Completed dialog box, you can view the cause of the upgrade failure.
Manual Batch Upgrade
If the upgrade status of a domain name is Not Upgraded, specific configurations of the domain name are not automatically upgraded to WAF 3.0. You must manually upgrade the configurations.
Perform the manual upgrade. This step is required only if you select the Manual Batch Upgrade method. During the upgrade, you can select Upgrade to WAF 3.0 or Canary Release for domain names. If the progress of canary release reaches 100%, the existing configurations in WAF 2.0 are deleted, and the upgrade status becomes Upgraded. For more information about canary release, see Canary release.
Manual Batch Upgrade - Migrate Rules
Upgrade the forwarding configurations of domain names
To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.
To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.
If the upgrade is successful, the Upgrade Status of the domain names changes to Upgraded.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the upgrade protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection rule that you want to manage and click Edit in the Actions column. In the Apply To section of the panel that appears, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
NoteIf you want to associate a protection template created on the Bot Management - Scenario-specific Protection page with protected objects, choose in the left-side navigation pane. Then, find the protection template and click the icon. In the Configure Effective Scope step of the panel that appears, move the protected objects that you want to manage from the Objects to Select section to the Selected Objects section.
Manual Batch Upgrade - Do Not Migrate Rules
Upgrade the forwarding configurations of domain names
To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.
To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.
If the upgrade is successful, the Upgrade Status of the domain names changes to Upgraded.
Create protection templates and protection rules
Switch to the WAF 3.0 console and create protection templates and protection rules based on the existing protection configurations of your WAF 2.0 instance. For more information, see Protection Configuration.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the created protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection template that you want to manage and click Edit in the Actions column. In the Apply To section of the panel that appears, move the protected objects with which you want to associate the protection template from the Objects to Select section to the Selected Objects section.
NoteIf you want to associate a protection template created on the Bot Management - Scenario-specific Protection page with protected objects, choose in the left-side navigation pane. Then, find the protection template and click the icon. In the Configure Effective Scope step of the panel that appears, move the protected objects that you want to manage from the Objects to Select section to the Selected Objects section.
Switch to the WAF 3.0 console and check whether the upgraded configurations are effective and whether your business runs as expected.
If the upgraded configurations are ineffective or your business does not run as expected, you can roll back the WAF instance and its configurations to WAF 2.0. You can find the related domain name and click Roll Back to WAF 2.0 in the Actions column. You can also select multiple domain names and click Batch Roll Back to WAF 2.0.
After domain name-related configurations that were upgraded by using the one-click upgrade method are rolled back to WAF 2.0, you can find the domain names on the Upgrade Tools page and click Upgrade to WAF 3.0 in the Actions column to re-upgrade the configurations to WAF 3.0. In this case, only the forwarding configurations of the domain names are upgraded to WAF 3.0. After the upgrade is complete, you must configure protection rules for the domain names.
Click Confirm Upgrade Completion.
Use the new WAF 3.0 instance in the WAF 3.0 console. After the upgrade is complete, your WAF 2.0 instance is released.
Click Confirm Upgrade Completion within the upgrade window. If you do not click Confirm Upgrade Completion within the upgrade window, the WAF instance and its configurations are rolled back to WAF 2.0. The new WAF instance is released, and the new configurations are deleted. The upgrade window is 15 days. If you re-upgrade your WAF 2.0 instance to WAF 3.0, restart the upgrade process.
What to do next
After the upgrade is complete, you must perform the following operations to use WAF 3.0:
Configure API operations
WAF 3.0 provides new API operations. You must configure the API operations. For more information, see List of operations by function.
Grant permissions to RAM users
You must grant RAM users the permissions on different API operations. For more information, see RAM authorization.
Reconfigure Terraform
You must reconfigure Terraform. For more information, see Terraform Registry (domain) and Terraform Registry (instance).
Reconfigure resource groups
Resource groups cannot be upgraded. You must reconfigure resource groups. For more information, see Add a domain name to WAF.
Reconfigure CloudMonitor notifications and alerts
You must reconfigure monitoring and alerting for security events and service metrics. For more information, see Configure CloudMonitor notifications.
Reconfigure log settings
You must reconfigure log settings.
Configure log fields, storage types, and protected object-level settings, such as the log collection status, log retention period, and log storage capacity. For more information, see Overview of log management.
Enable or disable the Simple Log Service for WAF feature. For more information, see Enable or disable the Simple Log Service for WAF feature.
Complete business changes caused by the product code change
After the upgrade is complete, the product code of the WAF instance changes. If your WAF instance requires business changes in this case, contact your account manager.
FAQ
Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?
Yes, you can upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode. If your origin server is deployed on a Layer 7 SLB, Layer 4 SLB, or ECS instance and your web services are added to the WAF 2.0 instance in transparent proxy mode, you can use the self-service upgrade tool to upgrade the WAF 2.0 instance to WAF 3.0. If your origin server is deployed on an ALB instance and your web services are added to the WAF 2.0 instance in transparent proxy mode, you cannot use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0. You must disable traffic redirection and delete the access configurations before you can upgrade the WAF 2.0 instance to WAF 3.0. Procedure:
On the Servers tab of the Website Access page, find the required port and click Disable Traffic Redirection in the Actions column.
On the Domain Names tab, find the required domain name and click Delete in the Actions column.
Upgrade the WAF 2.0 instance. For more information, see the "Upgrade process" section of this topic.
Enable WAF protection for the ALB instance in the WAF 3.0 console. For more information, see Cloud native mode.
Can I upgrade a WAF 2.0 Exclusive instance to WAF 3.0?
Yes, you can contact your account manager or submit a ticket to upgrade a WAF 2.0 Exclusive instance to WAF 3.0.
Am I charged for upgrade operations?
No, you are not charged for upgrade operations. If you use a subscription WAF instance, you are charged only when you renew your WAF instance after the upgrade.
Can I upgrade a WAF 2.0 Business instance to a WAF 3.0 Pro Edition instance? Can I upgrade a WAF 2.0 Pro instance to a WAF 3.0 Enterprise Edition instance?
No, you cannot upgrade a WAF 2.0 Business instance to a WAF 3.0 Pro Edition instance or upgrade a WAF 2.0 Pro instance to a WAF 3.0 Enterprise Edition instance. You can upgrade a WAF 2.0 Pro instance only to a WAF 3.0 Pro Edition instance. If you want to use a WAF 3.0 Enterprise Edition instance, you can upgrade the edition of the new WAF 3.0 instance. For more information, see Upgrade or downgrade a WAF instance.
Can I add a domain name to my WAF 2.0 instance within the upgrade window and then resume the upgrade?
No, you cannot add a domain name to your WAF 2.0 instance within the upgrade window and then resume the upgrade. You cannot add, remove, or modify domain names on the Website Access page within the upgrade window. If you need to add a domain name to the WAF 2.0 instance within the upgrade window, you must cancel the upgrade and add the domain name. Then, restart the upgrade for the WAF 2.0 instance.
After you cancel the upgrade, the system deletes the new WAF 3.0 instance and its configurations and terminates the upgrade process.
References
For more information about the editions and billing of WAF 2.0, see WAF deployment plans and editions and Billing rules.
For more information about the editions and billing of WAF 3.0, see Editions, Billing overview of subscription WAF instances, Billing overview of pay-as-you-go WAF instances, Upgrade or downgrade a WAF instance, Renewal policy, and Refund policy.
For more information about the differences in billing, access methods, and features between WAF 2.0 and WAF 3.0, see Compare WAF 3.0 with WAF 2.0.