Pay-as-you-go is a postpaid billing method that lets you use resources as needed without making an upfront purchase. The system generates a bill based on your actual usage for each billing cycle and deducts the corresponding amount from your account. This topic describes the billing rules for WAF pay-as-you-go instances.
Billing model
WAF 3.0 introduces the Security Capacity Unit (SeCU) as the unified metering unit for pay-as-you-go billing. All billable items consume SeCUs on an hourly basis and are billed according to the following rules:
Unit price: The unit price of SeCU is USD 0.01, meaning 1 SeCU costs USD 0.01.
Measurement interval: SeCU usage is measured in hourly intervals, for example, from 10:00:00 to 10:59:59.
Rounding rule: SeCU usage is rounded up to the nearest integer. For example, if you use 0.1 SeCU in an hour, you are billed for 1 SeCU during that measurement period.
Hourly cost = Total SeCUs consumed by all billable items × Unit price.
Billable items
The billable items for WAF pay-as-you-go instances are categorized into base traffic, access features, and protection features.
WAF instance and traffic fees
Billable item | SeCU | Description |
WAF instance | 0.5 SeCU/hour | Billing for a WAF pay-as-you-go instance starts immediately after activation, regardless of whether you configure access or protection settings. Note Only this billable item uses exact SeCU usage without rounding up. All other items follow the rounding-up rule. |
Base traffic fee | 1 SeCU per 5,000 requests/hour | Number of business requests initiated by clients within a full hour, including both normal and attack requests. Server-side responses are not counted. Note
|
QPS peak |
| Billed hourly based on the maximum QPS peak within a full hour. Note If the excess is less than 5 QPS, it is billed as 5 QPS. |
Resource access feature fees
Billable item | SeCU | Description |
Number of domains accessed via CNAME | Tiered pricing (progressive segments):
| For CNAME access, billing is based on the number of domains actually connected, regardless of whether they are root domains or wildcard domains. |
CNAME access: exclusive IP | 15 SeCU/exclusive IP/hour | For CNAME access, billing is based on the number of domains with exclusive IPs enabled. |
CNAME access: non-standard ports |
| For CNAME access, enabling any non-standard port other than 80, 8080, 443, or 8443 counts as enabling this feature. |
CNAME access: intelligent load balancing |
| For CNAME access, configuring intelligent load balancing for any domain counts as enabling this feature. |
CNAME access: IPv6 |
| For CNAME access, configuring IPv6 for any domain counts as enabling this feature. |
Asset center |
| Billed after enabling the asset center feature. |
Web core protection feature fees
Billable item | SeCU | Description |
Web core protection rules |
|
|
Web core protection rules: intelligent allowlist engine |
| Billed based on the number of Web core protection rule templates with the intelligent allowlist feature enabled. |
IP blacklist | 2 SeCU/rule/hour | Billed based on the number of IP blacklist rules, regardless of whether they are enabled or disabled. |
Custom rules |
| Billed based on the number of custom protection rules, regardless of whether they are enabled or disabled. Note A rule is classified as advanced if it meets any of the following conditions. All other rules are basic:
|
Custom rules: slider action | 1 SeCU per 10 invocations/hour | Billed based on the number of invocations. If fewer than 10 invocations occur, they are billed as 10. |
Scan protection | 10 SeCU/rule/hour | Billed based on the number of scan protection rules, regardless of whether they are enabled or disabled. Each scan protection template includes exactly 3 rules. |
CC protection | 2 SeCU/rule/hour | Billed based on the number of CC protection rules, regardless of whether they are enabled or disabled. |
Geo-blocking | 10 SeCU/rule/hour | Billed based on the number of geo-blocking rules, regardless of whether they are enabled or disabled. |
Custom response | 10 SeCU/rule/hour | Billed based on the number of custom response rules, regardless of whether they are enabled or disabled. Each custom response template includes exactly 1 rule. |
Web tamper proofing | 5 SeCU/rule/hour | Billed based on the number of web tamper-proofing rules, regardless of whether they are enabled or disabled. |
Information leakage prevention | 5 SeCU/rule/hour | Billed based on the number of information leakage prevention rules, regardless of whether they are enabled or disabled. |
Peak traffic throttling | 150 SeCU/rule/hour | Billed based on the number of peak traffic throttling rules, regardless of whether they are enabled or disabled. |
Threat intelligence | 50 SeCU/template/hour | Billed based on the number of threat intelligence protection templates, regardless of whether they are enabled or disabled. |
Advanced protection feature fees
Billable item | SeCU | Description |
Bot management |
| Billed based on the number of configured Bot-Web and Bot-App protection templates, regardless of whether they are enabled or disabled. Note This section describes billing for the new version of Bot management. For more information, see [Announcement] Bot management version upgrade and service pricing adjustment. |
Bot management: request processing fee | 1 SeCU per 7,500 requests/hour | Number of requests that hit a protected object within a full hour. Note If the request count is not a multiple of 7,500, SeCUs are rounded up. For more information, see Billing examples. |
Bot management: Fraud Detection | 1 SeCU per hit/hour | Billed based on the number of hits. |
Bot management: advanced custom rules | 15 SeCU/rule/hour | Billed based on the number of Bot management advanced custom rules, regardless of whether they are enabled or disabled. |
API security | 20 SeCU/protected object/hour | Billed based on the number of protected objects with API security enabled. |
API security: request processing fee | 1 SeCU per 7,500 requests/hour | Number of requests that hit a protected object within a full hour. Note If the request count is not a multiple of 7,500, SeCUs are rounded up. For more information, see Billing examples. |
Other fees
Billable item | Description |
Simple Log Service | Billed and invoiced by Simple Log Service. No fees are charged on the WAF side. |
Major event support | WAF pay-as-you-go supports major event support, which uses a subscription billing method. Minimum purchase period is 30 days. For more information, see Major event support. |
Billing examples
Example 1
You added five domain names to WAF for protection using CNAME access and configured two IP blacklist rules. During a one-hour period, your business received 0 requests and the queries per second (QPS) peaked at 0.
In this scenario, you consumed 27.5 SeCUs in one hour, for a total cost of USD 0.275. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = USD 0.01) |
Base traffic fee | 1 SeCU per 5,000 requests/hour | 0 SeCU | 0.01*0=0 USD |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour | 0 SeCU | 0.01*0=0 USD |
CNAME access domain count | Tiered pricing:
| 1*0+4*5=20 SeCU | 0.01*20=0.2 USD |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.01*0.5=0.005 USD |
IP blacklist | 2 SeCU/rule/hour | 4 SeCU | 0.01*4=0.04 USD |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.01*3=0.03 USD |
Example 2
You added 12 domain names to WAF for protection using CNAME access. For two of the domain names, you enabled exclusive IPs and intelligent load balancing. You also created one scan protection template. During a one-hour period, your business received 50,001 requests and the QPS peaked at 4,000.
In this scenario, you consumed 775.5 SeCUs in one hour, for a total cost of USD 7.755. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = USD 0.01) |
Base traffic fee | 1 SeCU per 5,000 requests/hour | 11 SeCU | 0.01*11=0.11 USD |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour >1,000 QPS, excess priced at 1 SeCU per 5 QPS/hour | 600 SeCU | 0.01*600=6 USD |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.01*0.5=0.005 USD |
CNAME access domain count | Tiered pricing:
| 1*0+9*5+2*3=51 SeCU | 0.01*51=0.51 USD |
CNAME access: exclusive IP | 15 SeCU/exclusive IP/hour | 30 SeCU | 0.01*30=0.3 USD |
CNAME access: intelligent load balancing | Enabled: 50 SeCU/hour | 50 SeCU | 0.01*50=0.5 USD |
Scan protection Note Each scan protection template includes exactly 3 rules. | 10 SeCU/rule/hour | 30 SeCU | 0.01*30=0.3 USD |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.01*3=0.03 USD |
Example 3
You enabled WAF protection for a Layer 7 Classic Load Balancer (CLB) instance that uses HTTP/HTTPS using the cloud native mode (for example, in the US (Silicon Valley) region). In addition to configuring Web core protection rules, you enabled Bot management and CC protection, and set up the corresponding protection templates. Specifically, you configured two CC protection rules (disabled) and one Bot management template (enabled) with Fraud Detection enabled. During a one-hour period, your business received 4,200 total requests and the QPS peaked at 537. The Bot management rule was hit 34 times, and the Fraud Detection rule was hit 3 times.
In this scenario, you consumed 62.5 SeCUs in one hour, for a total cost of USD 0.625. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = USD 0.01) |
Base traffic fee | 1 SeCU per 5,000 requests/hour | 1 SeCU | 0.01*1=0.01 USD |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour | 0 SeCU | 0.01*0=0 USD |
Bot management: request processing fee | Billed based on the number of requests that hit a protected object within a full hour. 1 SeCU per 7,500 requests | 1 SeCU | 0.01*1=0.01 USD |
Bot management: Fraud Detection | Billed based on the number of hits. 1 SeCU per hit/hour | 3 SeCU | 0.01*3=0.03 USD |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.01*0.5=0.005 USD |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.01*3=0.03 USD |
Bot management | Billed based on the number of configured Bot-Web protection templates, regardless of whether they are enabled or disabled. Bot-Web template: 50 SeCU/template/hour | 50 SeCU | 0.01*50=0.5 USD |
CC protection | Billed based on the number of CC protection rules, regardless of whether they are enabled or disabled. 2 SeCU/rule/hour | 4 SeCU | 0.01*4=0.04 USD |
Example 4
You enabled WAF protection for an Application Load Balancer (ALB) instance using the cloud native mode (for example, in the US (Silicon Valley) region) and created two custom response templates that are applied to different protected objects. During a one-hour period, your business received 50,004 requests and the QPS peaked at 5,997.
In this scenario, you consumed 1,034.5 SeCUs in one hour. The WAF-enhanced ALB instance fee is USD 0.035 per hour, for a total cost of USD 10.38. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = USD 0.01) |
Base traffic fee | 1 SeCU per 5,000 requests/hour | 11 SeCU | 0.01*11=0.11 USD |
QPS peak | QPS peak >1,000 QPS, excess priced at 1 SeCU per 5 QPS/hour | 1,000 SeCU | 0.01*1000=10 USD |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.01*0.5=0.005 USD |
Custom response | 10 SeCU/rule/hour | 20 SeCU | 0.01*20=0.2 USD |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.01*3=0.03 USD |
WAF-enhanced ALB instance fee | USD 0.035/hour, actual prices are subject to the purchase page. | / | 0.035*1=0.035 USD |
After you activate the pay-as-you-go billing method for WAF, your actual usage and charges appear on your Alibaba Cloud bill.
Billing cycle
Pay-as-you-go fees are settled daily based on the UTC+8 time zone. A new billing cycle begins after the settlement is complete.
Pay-as-you-go billing typically occurs overnight. If you plan to modify your configuration, such as adding domain names or enabling new protection features, we recommend that you make the changes after 06:00 (UTC+8) each day. Otherwise, the charges for the modification may be included in the bill for the previous day.
If your available account balance, which includes your Alibaba Cloud account balance and vouchers, is insufficient to cover the pending bill amount, you will receive a text message or email notification.
Overdue payments
Overdue payments may affect your use of WAF services. Monitor your Expenses and Costs and resolve overdue payments promptly. For more information about how to check your overdue balance and handle overdue payments, see Overdue payments.
If you have an overdue payment, your WAF service may be suspended. The system notifies you to make a payment promptly to avoid service disruption.
Bill inquiry
For more information about how to view the actual usage and detailed charges for your WAF 3.0 pay-as-you-go instance, see View bills.
FAQ
WAF pay-as-you-go costs are high. How can I optimize costs?
To control WAF pay-as-you-go costs and avoid unexpectedly high charges, you can take the following optimization measures:
Enable features only as needed: Some features incur fees when they are enabled. Enable only the features that you need as needed. Avoid enabling multiple features indiscriminately or creating an excessive number of protection rules.
API security: Enable this feature only if your business has API endpoints.
Bot management: This feature protects against automated scripts and crawlers. Keep this feature disabled if your business does not require this type of protection.
Web core protection: Modules such as scan protection and geo-blocking are billed as soon as you create protection rules. Make sure that you understand the functionality of each module before you configure it. Promptly delete protection templates that you no longer use.
CNAME access: Advanced options such as non-standard ports, IPv6, and exclusive IPs incur extra fees. For example, if you add only one domain name, you do not need to enable an exclusive IP.
Set a traffic billing protection threshold: If you want to prioritize cost control over business continuity, you can configure this threshold to limit the peak QPS that WAF can handle. This prevents cost spikes that are caused by volumetric attacks.
Use a subscription billing method: If your monthly SeCU consumption is high and you cannot reduce your configurations due to business requirements, you can purchase a prepaid SeCU resource plan or a subscription WAF instance to benefit from a lower unit price.
Why am I being charged even though I haven’t configured WAF or connected any resources?
The pay-as-you-go billing method for WAF includes instance fees and other feature fees in addition to request processing fees. Therefore, you are charged immediately after you activate the WAF service, even if no traffic is processed.
If you no longer want to use WAF, you must remove all protected resources. After you remove the last resource, the console displays a page that prompts you to shut down WAF to stop billing.
How do I shut down WAF to stop billing?
If you no longer want to use WAF and want to stop billing, you can follow these steps to shut down your WAF instance.
Before you shut down WAF, make sure that the DNS records of the domain names that are added to WAF are changed to direct traffic to their origin servers.
After you shut down WAF, all configurations of the domain names are deleted. Requests that are sent to the WAF instance are not forwarded. This makes your websites inaccessible.
Go to the Overview page. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance.
If the following interface appears, click Go to Console in the upper-right corner. Otherwise, skip this step.
On the right side of the page, click Shut Down WAF. In the confirmation dialog box that appears, check the relevant items and click OK.
Why am I still being charged after shutting down WAF?
You may still be charged after you shut down WAF for the following reasons:
The shutdown operation was not correctly performed: You may have only removed the protected resources or disabled WAF protection. Make sure that you perform the steps that are described in How do I shut down WAF to stop billing?.
Billing delay: Pay-as-you-go bills for WAF are generated on the next day. For example, if you shut down WAF on October 2, the bill for October 2 is generated on October 3. No new bills are generated from October 3 onward.
The region is not switched correctly: If you purchased WAF for Outside Chinese Mainland, switch the region in the top menu bar on the Overview page before you perform other operations.
