Web Application Firewall: Sandbox overview

Last updated: Aug 02, 2024

If the actual peak queries per second (QPS) of a subscription Web Application Firewall (WAF) instance exceeds the total QPS quota or the actual peak QPS of a pay-as-you-go WAF instance exceeds the specified threshold for traffic billing protection, the WAF instance may be added to the sandbox. If a WAF instance is added to the sandbox, the service level agreement (SLA) is no longer guaranteed. This topic provides an overview of the sandbox feature and describes how to remove a WAF instance from the sandbox.

Introduction

The sandbox is an abnormal state that a WAF instance can enter when the actual peak QPS of the WAF instance exceeds the total QPS quota.

How the sandbox feature works for subscription WAF instances

Subscription WAF instances support the following QPS specifications: QPS Specifications Supported by WAF, Extended QPS, and Burstable QPS (pay-as-you-go).

  • If Extended QPS is not purchased and the burstable QPS (pay-as-you-go) feature is disabled, Total QPS Quota is equivalent to QPS Specifications Supported by WAF.

  • If Extended QPS is purchased and the burstable QPS (pay-as-you-go) feature is disabled, Total QPS Quota is equivalent to QPS Specifications Supported by WAF plus Extended QPS.

  • If Extended QPS is not purchased and the burstable QPS (pay-as-you-go) feature is enabled, Total QPS Quota is equivalent to QPS Specifications Supported by WAF plus Burstable QPS (pay-as-you-go).

  • If Extended QPS is purchased and the burstable QPS (pay-as-you-go) feature is enabled, Total QPS Quota is equivalent to QPS Specifications Supported by WAF plus Extended QPS plus Burstable QPS (pay-as-you-go).

Conditions for a WAF instance to enter the sandbox

If a WAF instance meets one of the following conditions, the WAF instance is added to the sandbox:

  • Number of QPS excess events

    The system measures the peak QPS of a WAF instance in the previous hour at each point in time. If the peak QPS of a WAF instance is higher than the total QPS quota of the WAF instance for 5 consecutive minutes, the system records a QPS excess event. If multiple QPS excess events occur on the same day, the system counts only one QPS excess event. The fourth time the event is counted, the WAF instance is added to the sandbox.

    Note
    • If the peak QPS of a WAF instance exceeds the total QPS quota for less than 5 minutes due to a traffic spike, the system does not count this as a QPS excess event.

    • If the start time and end time of a QPS excess event are not on the same day, such as from 23:55 to 00:10, the system counts this as a QPS excess event.

  • QPS usage

    If the peak QPS of a WAF instance meets one of the conditions described in the following table, the WAF instance is immediately added to the sandbox.

    | Instance | Total QPS quota | Description |
    | --- | --- | --- |
    | WAF instances in the Chinese mainland | Less than or equal to 20,000 | If the peak QPS of a WAF instance exceeds 100,000, the WAF instance is added to the sandbox. |
    | WAF instances in the Chinese mainland | Greater than 20,000 | If the peak QPS of a WAF instance exceeds the total QPS quota of the WAF instance by five times, the WAF instance is added to the sandbox. |
    | WAF instances outside the Chinese mainland | Less than or equal to 2,000 | If the peak QPS of a WAF instance exceeds 10,000, the WAF instance is added to the sandbox. |
    | WAF instances outside the Chinese mainland | Greater than 2,000 | If the peak QPS of a WAF instance exceeds the total QPS quota of the WAF instance by five times, the WAF instance is added to the sandbox. |
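The two entry conditions above can be replayed against your own traffic metrics to see how close a subscription instance is to the sandbox. The following is an added example, not code from the WAF product or its documentation; the function names are hypothetical. It assumes one peak-QPS sample per minute, reads "exceeds the quota by five times" as peak QPS greater than 5 x quota, and assigns an event that crosses midnight to the day on which it starts.

```python
from datetime import datetime, timedelta

def total_quota(base, extended=0, burstable=0):
    # Total QPS Quota = edition QPS + Extended QPS + Burstable QPS (0 if absent or disabled).
    return base + extended + burstable

def immediate_limit(quota, mainland):
    # "QPS usage" rule. Assumption: "by five times" is read as peak > 5 * quota.
    small, fixed = (20_000, 100_000) if mainland else (2_000, 10_000)
    return fixed if quota <= small else 5 * quota

def evaluate(samples, quota, mainland=True):
    """samples: time-ordered (datetime, peak_qps) pairs, assumed one per minute."""
    limit = immediate_limit(quota, mainland)
    days, run_start, run_len, prev = set(), None, 0, None
    for ts, qps in samples:
        if qps > limit:  # immediate sandbox entry
            return {"sandbox": True, "reason": "qps_usage", "events": len(days)}
        if qps > quota:
            if run_len and ts - prev == timedelta(minutes=1):
                run_len += 1
            else:
                run_start, run_len = ts, 1
            if run_len == 5:  # 5 consecutive minutes over quota: one excess event
                days.add(run_start.date())  # assumption: event belongs to its start day
                if len(days) >= 4:  # fourth counted event
                    return {"sandbox": True, "reason": "excess_events", "events": len(days)}
        else:
            run_len = 0
        prev = ts
    return {"sandbox": False, "reason": None, "events": len(days)}

def burst(start, minutes, qps):
    # Constructed sample data: `minutes` consecutive one-minute samples at a flat rate.
    return [(start + timedelta(minutes=i), qps) for i in range(minutes)]

def day(d, h, m):
    return datetime(2024, 8, d, h, m)

QUOTA = total_quota(5_000, extended=1_000)  # constructed mainland instance: 6,000 QPS
SAMPLES = (burst(day(1, 9, 0), 4, 7_000)       # 4-minute spike: not counted
           + burst(day(1, 10, 0), 6, 7_000)    # event on day 1
           + burst(day(1, 15, 0), 8, 7_000)    # same day: still one counted event
           + burst(day(2, 23, 55), 15, 7_000)  # crosses midnight: one event
           + burst(day(4, 12, 0), 5, 7_000)    # third counted event
           + burst(day(5, 12, 0), 5, 7_000))   # fourth counted event: sandbox

if __name__ == "__main__":
    print(evaluate(SAMPLES, QUOTA))
```
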

Impacts on instances

Warning

If a WAF instance is added to the sandbox, the SLA is no longer guaranteed. In this case, the protected objects of the WAF instance may encounter service access exceptions, including packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering.

  • After your WAF instance is added to the sandbox, you can enable the burstable QPS (pay-as-you-go) feature. The bill for the feature is not generated until the WAF instance is removed from the sandbox.

  • If your WAF instance is added to the sandbox, the system sends a notification by email, text message, or internal message. In the top banner section of the WAF console, you can view the details of QPS excess events.

Note

You can enable the burstable QPS (pay-as-you-go) feature to prevent your WAF instance from being added to the sandbox. For more information, see Burstable QPS (pay-as-you-go).

View details of QPS excess events

You can view the notification for QPS excess events in the top banner section of the WAF 3.0 console.

  • Click View Details to view the details of the QPS excess events in the previous 30 days.

  • On the Overview page, click the Traffic tab. In the QPS section, view the peak-value chart and average-value chart for your QPS usage.

Note
  • If multiple QPS excess events occur in an hour, the peak QPS that is displayed in the Excess Details dialog box is the maximum QPS value in the hour.

  • If the peak QPS exceeds the total QPS quota for 5 consecutive minutes, the system counts this as one QPS excess event.

  • If your WAF instance is in the Excess or Sandbox state, you can increase the QPS quota of your WAF instance. After you increase the QPS quota, the status of your WAF instance changes to Sandbox Removed or Excess Removed.

Remove a WAF instance from the sandbox

A subscription WAF instance that is added to the sandbox cannot be automatically removed from the sandbox even if the actual peak QPS of the WAF instance falls below the total QPS quota. To remove the WAF instance from the sandbox, you must increase the QPS quota. If your WAF instance is re-added to the sandbox after you increase the QPS quota, you must increase the QPS quota again.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the top banner section, click Upgrade Now. You can also click Upgrade in the upper-right corner.

  3. In the Upgrade Now panel, upgrade the edition of your WAF instance, purchase additional QPS quota, or enable the burstable QPS (pay-as-you-go) feature to increase the QPS quota.

    Note

    You can also go to the WAF buy page to upgrade the edition of your WAF instance, purchase additional QPS quota, or enable the burstable QPS (pay-as-you-go) feature.

    After you increase the QPS quota, the status of your WAF instance changes to Sandbox Removed or Excess Removed. The number of QPS excess events is reset to 0.

How the sandbox feature works for pay-as-you-go WAF instances

The system determines whether to add a pay-as-you-go WAF instance to the sandbox based on the Traffic Billing Protection Threshold parameter. If the peak QPS of the WAF instance is higher than the threshold in an hour, the WAF instance is added to the sandbox.

If you specified a value for the Traffic Billing Protection Threshold parameter when you purchased a pay-as-you-go WAF instance and you want to adjust the threshold, you can go to the WAF console and click Modify Traffic Protection Threshold to modify the parameter based on your actual QPS.

The following section describes the maximum threshold values that are supported by a pay-as-you-go WAF instance for traffic billing protection. By default, the threshold value for traffic billing protection of a pay-as-you-go WAF instance is set to the maximum value.

  • For a WAF instance in the Chinese mainland, the maximum value allowed for the parameter is 100000.

  • For a WAF instance outside the Chinese mainland, the maximum value allowed for the parameter is 10000.

Conditions for a WAF instance to enter the sandbox

If the peak QPS is higher than the value of the Traffic Billing Protection Threshold parameter in an hour, a notification is displayed in the top banner section of the WAF 3.0 console.

You can click Traffic Billing Protection Details to view the details of traffic billing protection in the previous 30 days.

Impacts on instances

Warning

If a WAF instance is added to the sandbox, the SLA is no longer guaranteed. In this case, the protected objects of the WAF instance may encounter service access exceptions, including packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering.

  • After your pay-as-you-go WAF instance is added to the sandbox, the hourly bill for the WAF instance is not generated until the WAF instance is removed from the sandbox.

  • If your WAF instance is added to the sandbox, the system sends a notification by email, text message, or internal message. You can view information about traffic billing protection in the top banner section of the WAF console.

Remove a WAF instance from the sandbox

If the peak QPS of a pay-as-you-go WAF instance falls below the value of the Traffic Billing Protection Threshold parameter, the WAF instance is automatically removed from the sandbox.

To manually remove a pay-as-you-go WAF instance from the sandbox, perform the following operations:

  • In the top banner section (labeled as 1 in the preceding figure), click Modify Threshold to change the value of the Traffic Billing Protection Threshold parameter.

  • On the Overview page, click Modify Traffic Protection Threshold to change the value of the Traffic Billing Protection Threshold parameter. For more information, see Specify a threshold for traffic billing protection.

References

  • For more information about the QPS specifications supported by the edition of your WAF instance, see Editions.

  • For more information about how to view service security data and service traffic data, see Overview.

  • For more information about the billing methods and scenarios of the burstable QPS (pay-as-you-go) feature, see Burstable QPS (pay-as-you-go).

  • For more information about the traffic billing protection feature and how to adjust the threshold for traffic billing protection, see Traffic billing protection.