Web Application Firewall (WAF) 3.0 is a new version of WAF. It was released in January 2022 and became generally available on October 31, 2022. You can purchase subscription or pay-as-you-go WAF 3.0 instances based on your business requirements. You can no longer purchase new WAF 2.0 instances on the WAF buy page.
If you want to purchase new WAF 2.0 instances, contact your account manager.
Benefits of WAF 3.0
WAF 3.0 supports the CNAME record mode and cloud native mode. It is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and a console that allows you to configure protection settings in a more efficient manner. This helps improve user experience.
WAF 3.0 provides the following advantages compared with WAF 2.0:
New cloud native architecture
WAF 3.0 is deeply integrated as an SDK module into the gateways of cloud services, such as ALB and Microservices Engine (MSE), to detect threats and protect traffic. During the protection process, WAF does not forward traffic. You can enable WAF protection in the console of a cloud service in a specific region without the need to change the DNS records or the settings of certificates, ports, and back-to-origin algorithms. This helps improve the stability and performance of your business and reduce access latency. For more information, see Cloud native architecture.
New protection configuration mode
WAF 3.0 allows you to add cloud service instances or domain names as protected objects and create protected object groups. WAF 3.0 also allows you to create protection rule templates for different protected objects in different protection modules. WAF 3.0 allows you to perform the following operations, which helps you configure protection in a more efficient manner:
Create protected object groups to apply a set of protection rules to multiple protected objects that have similar protection requirements. You can also configure custom protection rules for specific protected objects.
Configure default protection templates to apply predefined protection rules to new protected objects.
For more information, see Protection configuration overview.
Support for the pay-as-you-go billing method
WAF 3.0 supports the pay-as-you-go billing method. The billing unit is security capacity units (SeCUs). All fees are calculated based on SeCUs. This helps simplify the calculation process and billing rules. Bills are generated on an hourly basis based on your SeCU usage. You can purchase resource plans to offset SeCU usage fees based on your business requirements. For more information, see Pay-as-you-go billing method of WAF 3.0.
New features and improved user experience
WAF 3.0 provides new features, such as the custom response feature. In WAF 3.0, the fees of the Log Service for WAF feature are included in the bills of Simple Log Service. The Log Service for WAF feature allows you to specify a custom storage capacity and retention period for logs. WAF 3.0 also optimizes the configurations for adding services in CNAME record mode and the configurations for security reports and rule searches. For information about the custom response feature, see Configure the custom response module. For information about the Log Service for WAF feature, see Log Service for WAF. For information about the CNAME record mode, see CNAME record mode. For information about security reports, see Security reports.
Activation and applicable scope of WAF 3.0
Activation
For information about how to activate WAF 3.0, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Applicable scope
Cloud native mode: If you want to enable WAF protection for cloud services, you can add the cloud services to WAF in cloud native mode. You cannot enable WAF 3.0 protection for cloud services in all regions. For information about the limits on regions, see the Limits sections in the following topics: Add an ALB instance to WAF, Add an MSE instance to WAF, Add a custom domain name in Function Compute to WAF, Add a Layer 7 Classic Load Balancer (CLB) instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an Elastic Compute Service (ECS) instance to WAF.
CNAME record mode: You can add domain names in a specific region to WAF.
What is the relationship between WAF 2.0 and WAF 3.0?
WAF 3.0 is different from WAF 2.0 in terms of its underlying architecture, specifications, configuration logic, and user experience. This is one of the reasons why an Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time.
You can continue to use, renew, and upgrade existing WAF 2.0 instances. The service level agreement (SLA) of WAF 2.0 is also guaranteed.
WAF 2.0 instances cannot be automatically migrated to WAF 3.0. If you want to migrate a WAF 2.0 instance to WAF 3.0, join the DingTalk group (group ID: 34657699) for technical support.