All Products
Search

This Product

    Web Application Firewall:Editions

    Document Center

    Web Application Firewall:Editions

    Last Updated:Nov 13, 2024

    Web Application Firewall (WAF) 3.0 supports the subscription and pay-as-you-go billing methods. The features and billing methods that are supported by WAF instances vary based on the edition. You can select an edition based on your business requirements and deployment method. If you use a subscription WAF instance, you can upgrade the edition of the WAF instance. WAF 3.0 supports the following editions: Basic, Pro, Enterprise, and Ultimate. The editions are listed in ascending order based on the protection capabilities.

    Overview

    For information about the billing rules and purchase methods of subscription and pay-as-you-go WAF 3.0 instances, see the following topics:

    Features

    Feature

    Description

    Subscription Basic Edition

    Subscription Pro Edition

    Subscription Enterprise Edition

    Subscription Ultimate Edition

    Pay-as-you-go Edition

    Business scale

    Website scale

    The size of the website based on which you can select a WAF 3.0 edition.

    Small-sized and personal websites that do not have special security requirements.

    Small- and medium-sized websites that do not have special security requirements.

    Medium-sized enterprise-grade websites that can be accessed by the public and have high data security requirements.

    Medium- and large-sized enterprise-grade websites that have special security requirements.

    Note

    If you want to configure custom specifications for your WAF instance, contact your account manager or solution architect.

    Websites whose workloads frequently fluctuate.

    QPS

    The number of HTTP or HTTPS requests per second.

    • Free of charge for a request rate of up to 10 QPS.

    • The QPS quota cannot be increased.

    • Burstable QPS (pay-as-you-go) is not supported.

    • Free of charge for a request rate of up to 2,000 QPS.

    • Maximum additional QPS quota:

      • Chinese mainland: 30,000 QPS.

      • Outside the Chinese mainland: 5,000 QPS.

    • Maximum burstable QPS quota:

      • Chinese mainland: 60,000 QPS.

      • Outside the Chinese mainland: 1,000 QPS.

    • Free of charge for a request rate of up to 5,000 QPS.

    • Maximum additional QPS quota:

      • Chinese mainland: 30,000 QPS.

      • Outside the Chinese mainland: 5,000 QPS.

    • Maximum burstable QPS quota:

      • Chinese mainland: 60,000 QPS.

      • Outside the Chinese mainland: 1,000 QPS.

    • If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.

    • Free of charge for a request rate of up to 10,000 QPS.

    • Maximum additional QPS quota:

      • Chinese mainland: 30,000 QPS.

      • Outside the Chinese mainland: 1,000 QPS.

    • Maximum burstable QPS quota:

      • Chinese mainland: 60,000 QPS.

      • Outside the Chinese mainland: 1,000 QPS.

    • If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.

    Maximum QPS quota:

    • Chinese mainland: 100,000 QPS.

    • Outside the Chinese mainland: 10,000 QPS.

    • If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.

    Number of domain names

    The number of domain names that you can add to WAF. The domain names include second-level domain names, subdomains, and wildcard domain names.

    For information about how to increase the domain name quota, see Upgrade a WAF instance.

    • Free of charge for three domain names.

    • The domain name quota can be increased by up to 10 domain names.

    • Free of charge for 5 domain names.

    • The domain name quota can be increased by up to 500 domain names.

    • Free of charge for 10 domain names.

    • The domain name quota can be increased by up to 2,000 domain names.

    • Free of charge for 50 domain names.

    • The domain name quota can be increased by up to 5,000 domain names.

    Up to 1,000 domain names can be added to a pay-as-you-go WAF 3.0 instance.

    Hybrid cloud protection nodes

    The number of hybrid cloud protection nodes that you can deploy.

    For information about how to purchase additional hybrid cloud protection nodes, see Upgrade a WAF instance.

    Not supported

    Not supported

    • Free of charge for one hybrid cloud protection node.

    • If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase multiple additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.

    • Free of charge for one hybrid cloud protection node.

    • If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase multiple additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.

    Not supported

    Protected objects

    The protected objects that you can add to WAF, such as cloud service instances and domain names.

    You can add up to 300 protected objects.

    You can add up to 600 protected objects.

    You can add up to 2,500 protected objects.

    You can add up to 10,000 protected objects.

    You can add up to 10,000 protected objects.

    Multi-account management

    The feature that allows you to add cloud resources within other Alibaba Cloud accounts to WAF.

    Not supported

    Not supported

    Up to 5 members are supported.

    Up to 20 members are supported.

    Not supported

    Security features

    Important

    The latest version of the Basic Protection Rule no longer supports rule groups. The rule groups function is upgraded to engine configuration function. For more information, see Upgrade announcement: WAF 3.0 basic protection rule function.

    Asset center

    The asset center feature that you can enable to manage assets.

    Not supported

    Supported

    Supported

    Supported

    Supported

    Basic protection rule

    The default basic protection rule group of the basic protection rule module.

    Supported

    Supported

    Supported

    Supported

    Supported

    Custom rule groups of the basic protection rule module.

    Not supported

    Not supported

    You can configure up to 10 custom rule groups.

    You can configure up to 30 custom rule groups.

    You can configure up to 30 custom rule groups.

    Custom protection templates of the basic protection rule module.

    You can configure up to 3 custom templates.

    You can configure up to 10 custom templates.

    You can configure up to 20 custom templates.

    You can configure up to 50 custom templates.

    You can configure up to 20 custom templates.

    Whitelist

    The whitelist module that allows requests that have specific characteristics.

    • You can configure up to 20 templates.

    • You can configure up to 100 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 100 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 100 rules for a template.

    • You can configure up to 50 templates.

    • You can configure up to 100 rules for a template.

    • You can configure up to 50 templates.

    • You can configure up to 100 rules for a template.

    IP address blacklist

    The IP address blacklist module that blocks requests from specific IP addresses.

    Not supported

    • You can configure up to 5 templates.

    • You can add up to 400 IP addresses and 2 rules to a template.

    • You can configure up to 10 templates.

    • You can add up to 600 IP addresses and 3 rules to a template.

    • You can configure up to 20 templates.

    • You can add up to 1,000 IP addresses and 5 rules to a template.

    • You can configure up to 20 templates.

    • You can add up to 1,000 IP addresses and 5 rules to a template.

    Custom rule

    The custom rule module that monitors, blocks, or verifies requests that match custom protection rules.

    Not supported

    • You can configure up to 10 templates.

    • You can configure up to 100 rules for a template.

    • The custom rule module has the following features:

      • IP address or URL match is supported.

      • JavaScript validation is supported.

      • Each rule can match up to 100 IP addresses.

    • You can configure up to 20 templates.

    • You can configure up to 200 rules for a template.

    • The custom rule module has the following features:

      • IP address or URL match, all header match, regular expression match, and body match are supported.

      • JavaScript validation and slider CAPTCHA verification are supported.

      • Each rule can match up to 100 IP addresses.

      • Rate limiting is supported.

    • You can configure up to 50 templates.

    • You can configure up to 200 rules for a template.

    • The custom rule module has the following features:

      • IP address or URL match, all header match, regular expression match, and body match are supported.

      • JavaScript validation and slider CAPTCHA verification are supported.

      • Each rule can match up to 100 IP addresses.

      • Rate limiting is supported.

    • You can configure up to 50 templates.

    • You can configure up to 200 rules for a template.

    • The custom rule module has the following features:

      • IP address or URL match, all header match, regular expression match, and body match are supported.

      • JavaScript validation and slider CAPTCHA verification are supported.

      • Each rule can match up to 100 IP addresses.

      • Rate limiting is supported.

    HTTP flood protection

    The HTTP flood protection module that protects services against common HTTP flood attacks in Prevention mode or Prevention-emergency mode.

    Not supported

    You can configure up to 5 templates.

    You can configure up to 10 templates.

    You can configure up to 20 templates.

    You can configure up to 20 templates.

    Scan protection

    The scan protection module that supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking.

    Not supported

    You can configure up to 5 templates.

    You can configure up to 10 templates.

    You can configure up to 20 templates.

    You can configure up to 20 templates.

    Traffic Spike Throttling

    Traffic Spike Throttling supports custom rules and blocks requests from specific regions. The effective modes include permanent, fixed and recurring schedule. When selecting a fixed schedule, you can specify the time zone.

    Not supported

    You can configure up to 5 templates.

    You can configure up to 5 templates.

    You can configure up to 5 templates.

    Not supported

    Website tamper-proofing

    The website tamper-proofing module that locks web pages to prevent content tampering.

    Not supported

    • You can configure up to 10 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 50 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 50 templates.

    • You can configure up to 50 rules for a template.

    Region blacklist

    The region blacklist module that blocks requests from specific regions.

    Not supported

    Not supported

    You can configure up to 10 templates.

    You can configure up to 20 templates.

    You can configure up to 20 templates.

    Data leakage prevention

    The data leakage prevention module that prevents leaks of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers.

    Not supported

    • You can configure up to 10 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 50 rules for a template.

    • You can configure up to 20 templates.

    • You can configure up to 50 rules for a template.

    Custom response

    The custom response module that allows you to configure the custom block page that is returned by WAF to a client when WAF blocks a request that is sent from the client. You can specify the status code, response headers, and response body of the block page.

    Not supported

    Not supported

    You can configure up to 20 templates.

    You can configure up to 50 templates.

    You can configure up to 50 templates.

    Bot management

    The bot management module that allows you to configure anti-crawler rules for websites and applications.

    Not supported

    Supported with fees charged.

    Supported with fees charged.

    Supported with fees charged.

    Supported

    Major event protection

    The major event protection module that supports threat intelligence for major event protection, rule groups for major event protection, IP address blacklist for major event protection, and Shiro deserialization vulnerability prevention.

    Not supported

    To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.

    To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.

    Supported

    To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.

    API security

    The API security module that protects the available API assets of the services that are added to WAF and detects API vulnerabilities.

    Not supported

    Supported with fees charged.

    Supported with fees charged.

    Supported with fees charged.

    Supported

    Anti-DDoS Origin Basic and blackhole filtering

    The Anti-DDoS Origin Basic service that defends against DDoS attacks. This feature is free of charge. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic.

    Supported

    Supported

    Supported

    Supported

    Supported

    Note

    A custom rule can block up to 20,000 IP addresses. If you enter more than 20,000 IP addresses, the custom rule may not take effect.

    Access modes

    Note

    For information about the protection features that are supported by different access modes, see Access modes and protection features.

    Cloud native mode

    Supported

    Supported

    Supported

    Supported

    Supported

    Supported

    Up to 300 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.

    Supported

    Up to 600 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.

    Supported

    Up to 2,500 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.

    Supported

    Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.

    Supported

    Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.

    CNAME record mode

    The CNAME record mode in which you can add websites to WAF.

    Supported

    Supported

    Supported

    Supported

    Supported

    Hybrid cloud mode

    The hybrid cloud mode in which you can add web services that are deployed across third-party clouds or data centers to WAF to manage web services in a centralized manner.

    Not supported

    Not supported

    Supported

    Supported

    Not supported

    Other features

    Alert setting

    The alert setting feature that allows you to use CloudMonitor and Simple Log Service to configure monitoring and alerting for WAF events and metrics.

    Supported

    Supported

    Supported

    Supported

    Supported

    Non-standard ports that are supported in CNAME record mode

    The non-standard ports that are supported by WAF in CNAME record mode. The standard ports include ports 80, 8080, 443, and 8443.

    Not supported

    Not supported

    Supported

    Supported

    Supported

    IPv6

    The IPv6 protection feature that monitors and protects IPv6 traffic.

    Not supported

    Not supported

    • Supported in the Chinese mainland.

    • Not supported outside the Chinese mainland.

    • Supported in the Chinese mainland.

    • Not supported outside the Chinese mainland.

    • Supported in the Chinese mainland.

    • Not supported outside the Chinese mainland.

    Exclusive IP address

    The exclusive IP address feature that allows you to use exclusive IP addresses to protect domain names.

    For information about how to purchase additional exclusive IP addresses, see Upgrade a WAF instance.

    Not supported

    Supported with fees charged.

    Supported with fees charged.

    Supported with fees charged.

    Supported

    Intelligent load balancing

    The intelligent load balancing feature that allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing.

    Not supported

    Supported with fees charged.

    Supported with fees charged.

    Supported with fees charged.

    Supported

    Simple Log Service for WAF

    The Simple Log Service for WAF feature that collects and stores all logs in Logstores, allows near-real-time query and analysis, and provides online reports.

    Not supported

    Supported with fees charged.

    Supported with fees charged.

    Supported with fees charged.

    Supported

    Rule Libraries

    The Rule Libraries support basic protection for hybrid cloud by creating custom protection rules.

    Not supported

    Not supported

    Supported

    Supported

    Not supported

    Access modes and protection features

    Feature

    CNAME record mode

    Cloud native mode (NLB, CLB and ECS)

    Cloud native mode (ALB, MSE, and Function Compute)

    Hybrid cloud reverse proxy mode

    Hybrid cloud SDK-based traffic mirroring mode

    Basic protection rule

    Supported

    Supported

    Supported

    Supported

    Supported

    Whitelist

    Supported

    Supported

    Supported

    Supported

    Supported

    IP address blacklist

    Supported

    Supported

    Supported

    Supported

    Supported

    Custom rule

    Supported

    Supported

    Supported

    Supported

    Supported

    HTTP flood protection

    Supported

    Supported

    Supported

    Supported

    Supported

    Scan protection

    Supported

    Supported

    Supported

    Supported

    Supported

    Region blacklist

    Supported

    Supported

    Supported

    Supported

    Supported

    Website tamper-proofing

    Supported

    Supported

    • Supported for ALB instances

    • Not supported for MSE instances and custom domain names that are bound to web applications in Function Compute

    Not supported

    Not supported

    Data leakage prevention

    Supported

    Supported

    Not supported

    Supported

    Not supported

    Custom response

    Supported

    Supported

    Supported

    Supported

    Supported

    Bot management - automatic integration of Web SDK

    Supported

    Supported

    Not supported

    Supported

    Not supported

    Major event protection

    Supported

    Supported

    Not supported

    Not supported

    Not supported

    API security

    Supported

    Supported

    • Supported for ALB instances

    • Not supported for MSE instances and custom domain names that are bound to web applications in Function Compute

    Supported

    Supported

    Traffic Spike Throttling

    Supported

    Supported

    Not supported

    Not supported

    Not supported