A subscription WAF instance can protect only a limited amount of service bandwidth,
regardless of the WAF edition. To protect a larger amount of service bandwidth, you
can purchase extra bandwidth.
Limits on service bandwidth
The service bandwidth protected by a WAF instance refers to the bandwidth of normal
traffic that flows through all the domain names and websites protected by the WAF
instance. The bandwidth is measured in Mbit/s. A service bandwidth of 100 Mbit/s allows
4,000 queries per second. An HTTP GET request is considered as one query.
Note The service bandwidth protected by a WAF instance is independent of the bandwidth
or traffic limits on other Alibaba Cloud services, such as CDN, SLB, and ECS.
A subscription WAF instance can protect only a limited amount of service bandwidth.
In addition, the instance can protect a larger amount of bandwidth for origin servers
on Alibaba Cloud compared with third-party origin servers. The origin servers on Alibaba
Cloud can be ECS instances and SLB instances. For example, a WAF instance of the Business
edition can protect up to 100 Mbit/s of bandwidth for origin servers on Alibaba Cloud,
but can only protect up to 30 Mbit/s of bandwidth for third-party origin servers.
Specify service bandwidth
Before you purchase a WAF instance, you must estimate the peak inbound traffic and
peak outbound traffic of all the websites that you want to protect. Make sure that
you purchase sufficient bandwidth to cover the larger of the two peak traffic values.
Note In most cases, the outbound traffic is larger than the inbound traffic.
You can use the traffic statistics in the ECS console or other monitoring tools on
your origin servers to estimate your traffic.
Note The traffic described here refers to the normal traffic of your workloads. If no attacks
are detected in the traffic that is destined for the protected websites, WAF forwards
all traffic to origin servers. However, if attacks, such as HTTP flood and DDoS attacks,
are detected, WAF blocks the malicious traffic and forwards only the normal traffic
to origin servers. Therefore, the statistics on the inbound and outbound traffic of
ECS instances in the ECS console cover only normal traffic. If WAF protects multiple
ECS instances, the total traffic on all the instances must be estimated.
If you want to protect three websites, and the peak of normal outbound traffic of
each website is lower than 10 Mbit/s, you need only to purchase a WAF instance of
the Business edition. This is because the total traffic of the three websites is lower
than 30 Mbit/s, which is within the range of protection capability provided by the
Note You can purchase extra bandwidth to increase the limit of bandwidth that a WAF instance
Impacts when the service bandwidth is exceeded
If the normal traffic of your websites exceeds the limit of service bandwidth protected
by your WAF instance, the WAF console sends you alerts. The traffic forwarding of
all the protected websites may be affected.
In addition, throttling or packet loss may occur in this situation. As a result, your
websites may become slow or unavailable for a certain period.
To avoid the negative impacts, you must upgrade your WAF instance or purchase extra
Purchase extra bandwidth
If the bandwidth of the traffic that flows through the protected websites exceeds
the service bandwidth protected by your WAF instance, we recommend that you purchase
For example, your WAF instance of the Business edition can protect up to 30 Mbit/s
of bandwidth for third-party origin servers, but the total bandwidth of your website
is 50 Mbit/s. In this case, you must purchase another 20 Mbit/s of bandwidth to ensure
that your website can be accessed.
Alternatively, you can upgrade your WAF instance to protect a larger amount of bandwidth.
For more information, see Renewal and upgrade
Note You can also purchase extra bandwidth when you purchase your WAF instance.