Different subscription plans of Alibaba Cloud WAF are allocated a certain amount of bandwidth. If the allocated bandwidth of your WAF subscription does not suit your business requirements, you can purchase extra bandwidth.

What is a bandwidth limit for WAF?

WAF bandwidth indicates the normal business flow capacity of a WAF instance, in Mbps. 100 Mbps of bandwidth corresponds to 4,000 QPS, and so forth. QPS (Query Per Second) indicates the quantity of requests in one second. For example, an HTTP GET request is a query.
Note WAF bandwidth is calculated exclusively by WAF and has noting to do with the bandwidth or traffic limit of other Alibaba Cloud products such as CDN, SLB, and ECS.
Each WAF subscription has a certain bandwidth limit, and the higher plan has the larger bandwidth. Besides, when used to access origin servers inside Alibaba Cloud (such as ECS or SLB instances), the WAF subscription offers more bandwidth than is used to access non-Alibaba Cloud servers. For example, the WAF Business edition has a bandwidth limit of 100 Mbps (when the origin server is inside Alibaba Cloud) and 30 Mbps (when the origin server is outside Alibaba Cloud).

How to select bandwidth?

We recommend that you evaluate the normal business flow capacity of both the inbound and outbound traffic of all websites that you want to enable WAF protection before purchasing. Make sure that the bandwidth of your WAF subscription is larger than the total inbound flow capacity and total outbound flow capacity.
Note Generally, outbound traffic is greater than inbound traffic.
You can evaluate your business traffic by using ECS traffic statistics or other monitoring tools on your origin server.
Note The traffic here indicates your normal business traffic. For example, if you enable WAF protection for all your websites that provide external services, in the case of normal access (the websites are not attacked), WAF forwards traffic to the origin ECS. If the websites are attacked by HTTP flood attacks or DDoS attacks, WAF filters out corrupted traffic and passes valid traffic back to the origin ECS. Therefore, the inbound and outbound traffic you view on the ECS console is your normal business traffic. If the origin servers consist of multiple ECS instances, you must calculate the traffic sum of all corresponding ECS instances.


Suppose you want to configure three websites with WAF protection. The normal traffic in the outbound direction of each website does not exceed 10 Mbps, and the total traffic does not exceed 30 Mbps. In this case, you can subscribe to the WAF Business Edition (with a bandwidth limit of 30 Mbps).
Note You can also extend the default bandwidth by adding certain amount of extra bandwidth to your WAF subscription.

What happens if the bandwidth is exceeded?

If your normal business flow capacity exceeds the bandwidth limit of your WAF subscription, you will receive an alarming message on the WAF console, informing that all your business traffic forwarding configured in WAF will be affected.

Your websites may be subject to traffic restrictions or random packet loss, and your normal business may be unavailable, slow, or delayed for a certain period of time.

In this case, you can upgrade your WAF, or purchase extra bandwidth.

What is extra bandwidth?

If the business flow capacity of your website is high, you can purchase extra bandwidth to avoid exceeding the bandwidth limit.

For example, your current traffic requirement is 50 Mbps (non-Alibaba Cloud server), and you have purchased the WAF Business Edition ( the bandwidth limit is 30 Mbps), you can purchase an additional 20 Mbps of extra bandwidth to meet your business needs.

You can Upgrade WAF to increase the extra bandwidth to meet higher business requirement.
Note You can also add certain amount of extra bandwidth to your WAF subscription when purchasing WAF.