
Web Application Firewall: Editions

Last Updated: Dec 03, 2024

Web Application Firewall (WAF) 3.0 supports the subscription and pay-as-you-go billing methods. The features and billing methods that are supported by WAF instances vary based on the edition. You can select an edition based on your business requirements and deployment method. If you use a subscription WAF instance, you can upgrade the edition of the WAF instance. WAF 3.0 supports the following editions: Basic, Pro, Enterprise, and Ultimate. The editions are listed in ascending order based on the protection capabilities.

Overview

For more information about the billing rules and purchase methods of subscription and pay-as-you-go WAF 3.0 instances, see the following topics:

Important

In WAF 3.0, traffic is measured only in queries per second (QPS). You do not need to pay attention to bandwidth limits in different editions. When you use WAF 3.0 to protect your web services, the service traffic is not affected by bandwidth limits.

Features

Business scale

| Feature | Description | Subscription Basic | Subscription Pro | Subscription Enterprise | Subscription Ultimate | Pay-as-you-go |
| --- | --- | --- | --- | --- | --- | --- |
| Website scale | The size of the website based on which you can select a WAF 3.0 edition. | Small-sized and personal websites that do not have special security requirements. | Small- and medium-sized websites that do not have special security requirements. | Medium-sized enterprise-grade websites that can be accessed by the public and have high data security requirements. | Medium- and large-sized enterprise-grade websites that have special security requirements. Note: If you want to configure custom specifications for your WAF instance, contact your account manager or solution architect. | Websites whose workloads frequently fluctuate. |
| QPS | The number of HTTP or HTTPS requests per second. | Default QPS (free): 10. Extended QPS: not supported. Burstable QPS: not supported. | Default QPS (free): 2,000. Extended QPS (supported): Chinese mainland: 30,000; outside the Chinese mainland: 5,000. Burstable QPS (supported): Chinese mainland: 60,000; outside the Chinese mainland: 1,000. If your business requirements cannot be met after you purchase the extended QPS and enable the burstable QPS (pay-as-you-go) feature, contact your account manager or submit a ticket. | Default QPS (free): 5,000. Extended QPS (supported): Chinese mainland: 30,000; outside the Chinese mainland: 5,000. Burstable QPS (supported): Chinese mainland: 60,000; outside the Chinese mainland: 1,000. If your business requirements cannot be met after you purchase the extended QPS and enable the burstable QPS (pay-as-you-go) feature, contact your account manager or submit a ticket. | Default QPS (free): 10,000. Extended QPS (supported): Chinese mainland: 30,000; outside the Chinese mainland: 1,000. Burstable QPS (supported): Chinese mainland: 60,000; outside the Chinese mainland: 1,000. If your business requirements cannot be met after you purchase the extended QPS and enable the burstable QPS (pay-as-you-go) feature, contact your account manager or submit a ticket. | Maximum QPS: Chinese mainland: 100,000; outside the Chinese mainland: 10,000. If the maximum QPS cannot meet your business requirements, contact your account manager. |
| Domain name quota | The number of domain names that you can add to WAF. The domain names include second-level domain names, subdomains, and wildcard domain names. For more information about how to increase the domain name quota, see Upgrade a WAF instance. | Default quota (free): 3. Additional quota (supported): 10. | Default quota (free): 5. Additional quota (supported): 500. | Default quota (free): 10. Additional quota (supported): 2,000. | Default quota (free): 50. Additional quota (supported): 5,000. | Up to 1,000 domain names can be added to a pay-as-you-go WAF 3.0 instance. |
| Hybrid cloud protection nodes | The number of hybrid cloud protection nodes that you can deploy. For more information about how to purchase additional quota for hybrid cloud protection nodes, see Upgrade a WAF instance. | Not supported. | Not supported. | Default quota (free): 1; Additional quota: 1 (in this case, you can add 100 additional domain names to WAF free of charge); Additional quota: 2 or more (in this case, you can add 200 additional domain names to WAF free of charge). | Default quota (free): 1; Additional quota: 1 (in this case, you can add 100 additional domain names to WAF free of charge); Additional quota: 2 or more (in this case, you can add 200 additional domain names to WAF free of charge). | Not supported. |
| Protected objects | The number of protected objects that you can add to WAF, such as cloud service instances and domain names. | You can add up to 300 protected objects. | You can add up to 600 protected objects. | You can add up to 2,500 protected objects. | You can add up to 10,000 protected objects. | You can add up to 10,000 protected objects. |
| Multi-account management | The feature that allows you to add cloud resources within other Alibaba Cloud accounts to WAF. | Not supported. | Not supported. | Up to 5 members are supported. | Up to 20 members are supported. | Not supported. |

Security features

Important

Rule groups are no longer supported in the new version of the basic protection rule module. For more information, see Announcement of upgrading the basic protection rule module in WAF 3.0.

| Feature | Description | Subscription Basic | Subscription Pro | Subscription Enterprise | Subscription Ultimate | Pay-as-you-go |
| --- | --- | --- | --- | --- | --- | --- |
| Asset center | The feature that allows you to manage assets. | Not supported. | Supported. | Supported. | Supported. | Supported. |
| Basic protection rule | Default rule groups of the basic protection rule module. | Supported. | Supported. | Supported. | Supported. | Supported. |
| Basic protection rule | Custom rule groups of the basic protection rule module. | Not supported. | Not supported. | You can configure up to 10 custom rule groups. | You can configure up to 30 custom rule groups. | You can configure up to 30 custom rule groups. |
| Basic protection rule | Custom protection templates of the basic protection rule module. | You can configure up to 3 custom templates. | You can configure up to 10 custom templates. | You can configure up to 20 custom templates. | You can configure up to 50 custom templates. | You can configure up to 20 custom templates. |
| Whitelist | The module that you can configure to allow requests with specific characteristics. | You can configure up to 20 templates. You can configure up to 100 rules for a template. | You can configure up to 20 templates. You can configure up to 100 rules for a template. | You can configure up to 20 templates. You can configure up to 100 rules for a template. | You can configure up to 50 templates. You can configure up to 100 rules for a template. | You can configure up to 50 templates. You can configure up to 100 rules for a template. |
| IP address blacklist | The module that you can configure to block requests from specific IP addresses. | Not supported. | You can configure up to 5 templates. You can add up to 400 IP addresses and 2 rules to a template. | You can configure up to 10 templates. You can add up to 600 IP addresses and 3 rules to a template. | You can configure up to 20 templates. You can add up to 1,000 IP addresses and 5 rules to a template. | You can configure up to 20 templates. You can add up to 1,000 IP addresses and 5 rules to a template. |
| Custom rule | The module that you can configure to monitor, block, or verify requests that match custom rules. | Not supported. | You can configure up to 10 templates. You can configure up to 100 rules for a template. The custom rule module has the following features: IP address or URL match is supported; JavaScript validation is supported; each rule can match up to 100 IP addresses. | You can configure up to 20 templates. You can configure up to 200 rules for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported; JavaScript validation and slider CAPTCHA verification are supported; each rule can match up to 100 IP addresses; rate limiting is supported. | You can configure up to 50 templates. You can configure up to 200 rules for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported; JavaScript validation and slider CAPTCHA verification are supported; each rule can match up to 100 IP addresses; rate limiting is supported. | You can configure up to 50 templates. You can configure up to 200 rules for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported; JavaScript validation and slider CAPTCHA verification are supported; each rule can match up to 100 IP addresses; rate limiting is supported. |
| HTTP flood protection | The module that you can configure to protect services against common HTTP flood attacks in Prevention mode or Prevention-emergency mode. | Not supported. | You can configure up to 5 templates. | You can configure up to 10 templates. | You can configure up to 20 templates. | You can configure up to 20 templates. |
| Scan protection | The module that supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking. | Not supported. | You can configure up to 5 templates. | You can configure up to 10 templates. | You can configure up to 20 templates. | You can configure up to 20 templates. |
| Traffic spike throttling | The module that allows you to configure source regions, effective modes, and custom rules. | Not supported. | Supported with fees charged. You can configure up to 5 templates. | Supported with fees charged. You can configure up to 5 templates. | Supported with fees charged. You can configure up to 5 templates. | Not supported. |
| Website tamper-proofing | The module that you can configure to lock web pages to prevent content tampering. | Not supported. | You can configure up to 10 templates. You can configure up to 50 rules for a template. | You can configure up to 20 templates. You can configure up to 50 rules for a template. | You can configure up to 50 templates. You can configure up to 50 rules for a template. | You can configure up to 50 templates. You can configure up to 50 rules for a template. |
| Region blacklist | The module that you can configure to block requests from specific regions. | Not supported. | Not supported. | You can configure up to 10 templates. | You can configure up to 20 templates. | You can configure up to 20 templates. |
| Data leakage prevention | The module that you can configure to prevent leaks of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers. | Not supported. | You can configure up to 10 templates. You can configure up to 50 rules for a template. | You can configure up to 20 templates. You can configure up to 50 rules for a template. | You can configure up to 20 templates. You can configure up to 50 rules for a template. | You can configure up to 20 templates. You can configure up to 50 rules for a template. |
| Custom response | The module that allows you to configure custom block pages that you want to return to clients when the requests of the clients are blocked. You can specify a custom status code, response header, and response body. | Not supported. | Not supported. | You can configure up to 20 templates. | You can configure up to 50 templates. | You can configure up to 50 templates. |
| Bot management | The module that allows you to configure anti-crawler rules for websites and applications. | Not supported. | Supported with fees charged. | Supported with fees charged. | Supported with fees charged. | Supported. |
| Major event protection | The feature that supports threat intelligence for major event protection, rule groups for major event protection, IP address blacklist for major event protection, and Shiro deserialization vulnerability prevention. | Not supported. | Supported with fees charged. You can use temporary upgrade to enable the feature. | Supported with fees charged. You can use temporary upgrade to enable the feature. | Supported. | Supported with fees charged. You can use temporary upgrade to enable the feature. |
| API security | The module that protects the available API assets of services added to WAF and detects API vulnerabilities. | Not supported. | Supported with fees charged. | Supported with fees charged. | Supported with fees charged. | Supported. |
| Anti-DDoS Origin Basic and blackhole filtering | The DDoS attack mitigation capabilities provided by Anti-DDoS Origin Basic free of charge. For more information, see View the thresholds that trigger blackhole filtering in Anti-DDoS Basic. | Supported. | Supported. | Supported. | Supported. | Supported. |

Note

A custom rule can block up to 20,000 IP addresses. If you enter more than 20,000 IP addresses, the custom rule may not take effect.

Access modes

Note

For more information about the protection features that are supported by different access modes, see Access modes and protection features.

| Feature | Description | Subscription Basic | Subscription Pro | Subscription Enterprise | Subscription Ultimate | Pay-as-you-go |
| --- | --- | --- | --- | --- | --- | --- |
| Cloud native mode | | Supported. | Supported. | Supported. | Supported. | Supported. |
| Cloud native mode | | Supported. Up to 300 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF. | Supported. Up to 600 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF. | Supported. Up to 2,500 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF. | Supported. Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF. | Supported. Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF. |
| CNAME record mode | The CNAME record mode. You can add websites to WAF. | Supported. | Supported. | Supported. | Supported. | Supported. |
| Hybrid cloud mode | The hybrid cloud mode. You can add web services that are deployed across third-party clouds or data centers to WAF to manage web services in a centralized manner. | Not supported. | Not supported. | Supported. | Supported. | Not supported. |

Other features

| Feature | Description | Subscription Basic | Subscription Pro | Subscription Enterprise | Subscription Ultimate | Pay-as-you-go |
| --- | --- | --- | --- | --- | --- | --- |
| Alert setting | The feature that allows you to use CloudMonitor and Simple Log Service to configure monitoring and alerting for WAF events and metrics. | Supported. | Supported. | Supported. | Supported. | Supported. |
| Non-standard ports that are supported in CNAME record mode | The non-standard ports that are supported by WAF in CNAME record mode. The standard ports include ports 80, 8080, 443, and 8443. | Not supported. | Not supported. | Supported. | Supported. | Supported. |
| IPv6 protection | The feature that monitors and protects IPv6 traffic. | Not supported. | Not supported. | Supported in the Chinese mainland. Not supported outside the Chinese mainland. | Supported in the Chinese mainland. Not supported outside the Chinese mainland. | Supported in the Chinese mainland. Not supported outside the Chinese mainland. |
| Exclusive IP address | The feature that allows you to use exclusive IP addresses to protect domain names. For more information about how to purchase additional exclusive IP addresses, see Upgrade a WAF instance. | Not supported. | Supported with fees charged. | Supported with fees charged. | Supported with fees charged. | Supported. |
| Intelligent load balancing | The feature that allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing. | Not supported. | Supported with fees charged. | Supported with fees charged. | Supported with fees charged. | Supported. |
| Simple Log Service for WAF | The feature that collects and stores all logs in Logstores, allows near-real-time query and analysis, and provides online reports. | Not supported. | Supported with fees charged. | Supported with fees charged. | Supported with fees charged. | Supported. |
| Rule library management | The feature that allows you to create custom rules of the basic protection rule module for hybrid cloud protected objects. | Not supported. | Not supported. | Supported. | Supported. | Not supported. |

Access modes and protection features

| Feature | CNAME record mode | Cloud native mode (NLB, CLB, and ECS) | Cloud native mode (ALB, MSE, and Function Compute) | Hybrid cloud - reverse proxy mode | Hybrid cloud - SDK integration mode |
| --- | --- | --- | --- | --- | --- |
| Basic protection rule | Supported | Supported | Supported | Supported | Supported |
| Whitelist | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Supported | Supported | Supported | Supported | Supported |
| Custom rule | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Supported | Supported | Supported | Supported | Supported |
| Scan protection | Supported | Supported | Supported | Supported | Supported |
| Region blacklist | Supported | Supported | Supported | Supported | Supported |
| Website tamper-proofing | Supported | Supported | Supported for ALB instances; not supported for MSE instances and custom domain names that are bound to web applications in Function Compute | Not supported | Not supported |
| Data leakage prevention | Supported | Supported | Not supported | Supported | Not supported |
| Custom response | Supported | Supported | Supported | Supported | Supported |
| Bot management - automatic integration of Web SDK | Supported | Supported | Not supported | Supported | Not supported |
| Major event protection | Supported | Supported | Not supported | Not supported | Not supported |
| API security | Supported | Supported | Supported for ALB instances; not supported for MSE instances and custom domain names that are bound to web applications in Function Compute | Supported | Supported |
| Traffic spike throttling | Supported | Supported | Not supported | Not supported | Not supported |