A subscription WAF instance can protect only a limited amount of service bandwidth, regardless of the WAF edition. To protect a larger amount of service bandwidth, you can purchase extra bandwidth.

Limits on service bandwidth

The service bandwidth protected by a WAF instance refers to the bandwidth of normal traffic that flows through all the domain names and websites protected by the WAF instance. The bandwidth is measured in Mbit/s. A service bandwidth of 100 Mbit/s allows 4,000 queries per second. An HTTP GET request is considered as one query.
Note The service bandwidth protected by a WAF instance is independent of the bandwidth or traffic limits on other Alibaba Cloud services, such as CDN, SLB, and ECS.
A subscription WAF instance can protect only a limited amount of service bandwidth. In addition, the instance can protect a larger amount of bandwidth for origin servers on Alibaba Cloud compared with third-party origin servers. The origin servers on Alibaba Cloud can be ECS instances and SLB instances. For example, a WAF instance of the Business edition can protect up to 100 Mbit/s of bandwidth for origin servers on Alibaba Cloud, but can only protect up to 30 Mbit/s of bandwidth for third-party origin servers. Limits on service bandwidth

Specify service bandwidth

Before you purchase a WAF instance, you must estimate the peak inbound traffic and peak outbound traffic of all the websites that you want to protect. Make sure that you purchase sufficient bandwidth to cover the larger of the two peak traffic values.
Note In most cases, the outbound traffic is larger than the inbound traffic.
You can use the traffic statistics in the ECS console or other monitoring tools on your origin servers to estimate your traffic.
Note The traffic described here refers to the normal traffic of your workloads. If no attacks are detected in the traffic that is destined for the protected websites, WAF forwards all traffic to origin servers. However, if attacks, such as HTTP flood and DDoS attacks, are detected, WAF blocks the malicious traffic and forwards only the normal traffic to origin servers. Therefore, the statistics on the inbound and outbound traffic of ECS instances in the ECS console cover only normal traffic. If WAF protects multiple ECS instances, the total traffic on all the instances must be estimated.

Examples

If you want to protect three websites, and the peak of normal outbound traffic of each website is lower than 10 Mbit/s, you need only to purchase a WAF instance of the Business edition. This is because the total traffic of the three websites is lower than 30 Mbit/s, which is within the range of protection capability provided by the Business edition.
Note You can purchase extra bandwidth to increase the limit of bandwidth that a WAF instance protects.

Impacts when the service bandwidth is exceeded

If the normal traffic of your websites exceeds the limit of service bandwidth protected by your WAF instance, the WAF console sends you alerts. The traffic forwarding of all the protected websites may be affected.

In addition, throttling or packet loss may occur in this situation. As a result, your websites may become slow or unavailable for a certain period.

To avoid the negative impacts, you must upgrade your WAF instance or purchase extra bandwidth.

Purchase extra bandwidth

If the bandwidth of the traffic that flows through the protected websites exceeds the service bandwidth protected by your WAF instance, we recommend that you purchase extra bandwidth.

For example, your WAF instance of the Business edition can protect up to 30 Mbit/s of bandwidth for third-party origin servers, but the total bandwidth of your website is 50 Mbit/s. In this case, you must purchase another 20 Mbit/s of bandwidth to ensure that your website can be accessed.

Alternatively, you can upgrade your WAF instance to protect a larger amount of bandwidth. For more information, see Renewal and upgrade.
Note You can also purchase extra bandwidth when you purchase your WAF instance.
Extra bandwidth