CDN integrates Web Application Firewall (WAF) capabilities to filter out malicious requests and route normal requests to servers. CDN WAF can help protect Web servers against intrusions, secure core data, and prevent server performance exceptions caused by attacks. This topic describes WAF protection, its scenarios, its billing methods, and how to configure it.


WAF is applicable only to CDN nodes in mainland China. Before enabling WAF protection, you must confirm the region of the domain name. For more information about how to change the region of a domain name, see Modify basic information.

Background information

CDN WAF is the integration of WAF capabilities into CDN to protect CDN nodes. For more information about WAF protection, see What is Alibaba Cloud WAF?

CDN WAF is applicable to industries such as finance, e-commerce, O2O, Internet Plus, games, government, and insurance. It protects your website against unexpected loss caused by attacks when you use CDN to accelerate your website.

CDN WAF can provide the following capabilities:
  • Prevents leaks of core data on your website caused by injection attacks.
  • Prevents trojans from being uploaded and tampering with your Web pages, which safeguards the credibility of your website.
  • Provides virtual patches that enable quick fixes for newly discovered vulnerabilities.

When you enable CDN WAF for a domain name, CDN WAF inspects all requests for the domain name, counts the number of requests by account, and charges fees accordingly. The following table describes CDN WAF billing rules.

| Requests per hour | Fees |
|---|---|
| 1 to 20,000 | CNY 0.4 (a fixed fee) |
| 20,001 to 500,000 | CNY 0.2 per 10,000 requests |
| 500,001 to 5,000,000 | CNY 0.18 per 10,000 requests |
| Over 5,000,000 | CNY 0.15 per 10,000 requests |

For example, user A enabled the CDN WAF feature for a domain name and user B enabled the CDN WAF feature for another domain name at 10:20, February 28, 2019. The following table describes all the fees incurred.

| User | Requests between 10:20 and 11:20 | Bill (CNY) received at 11:21 |
|---|---|---|
| A | 15,000 | 0.4 |
| B | 350,000 | 7 (350,000/10,000 × 0.2) |


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the left-side navigation pane of the specified domain name, click Security Settings.
  5. On the WAF page, turn on WAF Configuration.
  6. Click Modify.
  7. Configure Web Application Protection and HTTP ACL Policy as prompted.
    | Project | Parameter | Description |
    |---|---|---|
    | Web Application Protection | Status | The Web Application Protection switch. |
    | Web Application Protection | Mode | The following two Web application protection modes are supported. Block: an attack is blocked after it is detected. Report: an alert is sent after an attack is detected, but the attack is not blocked. |
    | Web Application Protection | Mode of Protection Policy | The following Web application protection policies are available. Loose Rule Group: if many normal requests are blocked when Mode of Protection Policy is set to Medium Rule Group, we recommend that you select Loose Rule Group; the loose rule group has the fewest false positives but the most false negatives. Medium Rule Group: used by default. Strict Rule Group: if you require stricter protection against path traversal, SQL injection, and command execution attacks, we recommend that you select Strict Rule Group. When a protection rule is found to block normal requests, you can adjust the mode of protection policy. |
    | HTTP ACL Policy | Status | The HTTP ACL Policy switch. |
    | HTTP ACL Policy | Rules | A default rule is provided. You can click Settings to add a rule or modify the default rule. Each custom rule allows up to three conditions, which are combined with logical AND: a rule is matched only when all of its conditions are satisfied. |