If the business traffic to the sites you want to protect is high, you can purchase extended bandwidth to avoid exceeding WAF’s bandwidth limit. For example, your current traffic requirement is 50 Mbps (non-Alibaba Cloud server), and you have purchased WAF Business Edition (with a bandwidth limit of 30 Mbps), you can purchase an additional 20 Mbps of extended bandwidth to meet your business needs.
The bandwidth of WAF indicates a normal business traffic in each WAF instance (which may contain multiple domain names/sites) measured in bps. Certain bandwidth restraints are applied by default to different versions of WAF that you have purchased.
Origins inside Alibaba Cloud (such as ECS or SLB) may enjoy a higher bandwidth. For example, in the Business Edition, bandwidth limit for an Alibaba Cloud origin is 100 Mbps, and that for a non-Alibaba Cloud server (such as a server in an IDC data center) is 30 Mbps. In addition, the bandwidth is calculated only by WAF, and has no relationship with the bandwidth or traffic limits of other Alibaba Cloud products such as CDN, SLB, and ECS.
Note: 100 Mbps bandwidth corresponds to 4,000 QPS, and so forth. QPS (Query Per Second) indicates the quantity of requests in one second. An HTTP GET request is counted as a query.
If your normal business traffic exceeds the bandwidth limit of the WAF subscription you have purchased, the WAF console sends you a message, and all your business traffic forwarding is affected. Your sites may be subject to traffic restrictions or random packet loss, and your normal business may be unavailable, slow, or delayed for a certain period of time.
In this case, you can upgrade your WAF, or purchase an additional bandwidth extension package.
We recommend that you evaluate the peak value of total traffic of all sites that you want to configure under the WAF protection, in both the inbound and outbound directions, before purchasing WAF. Make sure that the bandwidth limit of the WAF subscription you want to purchase is higher than the total peak traffic in both the inbound and outbound directions (generally, the outbound traffic is higher).
Evaluate your business traffic by using ECS traffic statistics or other monitoring tools on your website server.
Note: The traffic here indicates your normal business traffic. For example, if you connect external access traffic of all sites to WAF, in the case of normal access (the sites are not attacked), WAF forwards traffic to the origin ECS. If the site is attacked (by HTTP flood attack or DDoS attack), WAF filters out corrupted traffic, and then passes valid traffic back to the origin ECS. Therefore, the traffic of your origin in the inbound and outbound directions that you can view in the ECS console is your normal business traffic. If you have multiple origins, you must calculate the total traffic of all origins.
Assume that you want to use WAF to protect three sites, with the normal outbound business traffic peak of each site not more than 10 Mbps, and the total not more than 30 Mbps. You can subscribe to the WAF Business Edition (with a bandwidth limit of 30 Mbps).