This topic describes different deployment plans and editions supported by Web Application Firewall (WAF). This topic also describes the business scales and protection features supported by different WAF editions.

WAF deployment plans and editions

In subscription mode, WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. If you want to purchase an On-cloud WAF instance of the Exclusive edition, you must submit a ticket. Hybrid Cloud WAF supports only the Exclusive edition.

Editions and supported business scales

The following table lists the business scales supported by each edition. We recommend that you choose the Business or Enterprise edition for medium-sized enterprise websites.

| Business specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- |
| Website scale | Small- and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that provide services to all Internet users and have high data security requirements | Medium- and large-sized enterprise-grade websites that have custom security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the web protection capabilities of On-cloud WAF |
| Peak queries per second (QPS) | 2,000 | 5,000 | Higher than 10,000 | 5,000 | 0; Scalable |
| Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported. Fees are charged. | Supported. Fees are charged. | Supported. Fees are charged. | 2 and 10,000 |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 | 100 | 200 | 100 | 0; Scalable |
| Maximum bandwidth, in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 | 30 | 50 | 30 | |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional protection node can protect 100 more domains.) |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 | |

Editions and supported features (in mainland China)

The following table describes the features supported by each edition of WAF in mainland China. A WAF instance uses the subscription billing method.

Symbol descriptions:
  • √: indicates that the feature is supported by the edition.
  • ×: indicates that the feature is not supported by the edition.
  • ○: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Feature Description On-cloud WAF Pro On-cloud WAF Business On-cloud WAF Enterprise On-cloud WAF Exclusive Hybrid Cloud WAF Exclusive
Website access
HTTPS protection Allows you to implement HTTPS protection for websites with a few clicks.
HTTP/2 protection Protects websites that use HTTP/2. ×
Non-standard port protection Protects traffic on ports other than standard ports 80, 8080, 443, and 8443. ×
IPv6 traffic protection Detects and protects IPv6 traffic. × ×
Intelligent load balancing Connects to multiple Server Load Balancer (SLB) service nodes to implement automatic disaster recovery and optimal routing with low latency.
Exclusive IP address Provides exclusive IP addresses to protect specific domain names.
Exclusive cluster Allows you to customize service access and protection capabilities based on business requirements. × × ×
On-premises protection cluster deployment Deploys WAF protection clusters in data centers to protect web traffic that does not pass through Alibaba Cloud. ×
Website protection
Protection Rules Engine Protects your services against common web attacks, such as SQL injection and XSS attacks.
Enables automatic update of protection rules against web zero-day vulnerabilities.
Custom protection rule group Allows you to customize protection rule groups. ×
Big Data Deep Learning Engine Detects web zero-day vulnerabilities. × ×
Positive security model Provides positive defense capabilities based on deep learning of website traffic. × ×
Website tamper-proofing Locks web pages to prevent content tampering.
Data leak prevention Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers.
HTTP flood protection Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode.
Blacklist Blocks access requests from specific IP addresses or CIDR blocks.
Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. ×
Scan protection Blocks the IP addresses of scanning tools and the IP addresses from which web attacks and path traversal are frequently initiated. This feature provides collaborative defense. Default rules are used to block the first type of IP address.
Supports the above protection capabilities and allows you to customize blocking rules for high-frequency web attacks and path traversal. ×
Custom protection policy Supports Access Control List (ACL)-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params.
Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. ×
Allows you to configure throttling policies based on IP addresses and sessions. You can customize HTTP flood protection rules by adding match conditions and configuring throttling policies. ×
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. × ×
Data risk control Protects crucial website services, such as registrations, logons, activities, and forums, against fraud. ×
Allowed crawlers Maintains a whitelist that consists of authorized search engines, such as Google, Bing, Baidu, Sogou, and Yandex. The crawlers of these search engines are allowed to access specified domain names.
Bot threat intelligence Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages under your domain name or specific directories.
App protection Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures.
Account security Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints.
DDoS mitigation Defends against DDoS attacks of up to 5 Gbit/s free of charge. ×
Security analysis and support
Alert setting Allows you to configure event monitoring and alerting for WAF.
Log Service for WAF Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. ×

Editions and supported features (outside mainland China)

The following table describes the features supported by each edition of WAF outside mainland China. A WAF instance uses the subscription billing method.

Symbol descriptions:
  • √: indicates that the feature is supported by the edition.
  • ×: indicates that the feature is not supported by the edition.
  • ○: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Feature Description On-cloud WAF Pro On-cloud WAF Business On-cloud WAF Enterprise On-cloud WAF Exclusive Hybrid Cloud WAF Exclusive
Website access
HTTPS protection Allows you to implement HTTPS protection for websites with a few clicks.
HTTP/2 protection Protects websites that use HTTP/2. ×
Non-standard port protection Protects traffic on ports other than standard ports 80, 8080, 443, and 8443. ×
IPv6 traffic protection Detects and protects IPv6 traffic. × × × × ×
Intelligent load balancing Connects to multiple SLB service nodes to implement automatic disaster recovery and optimal routing with low latency. ×
Exclusive IP address Provides exclusive IP addresses to protect specific domain names.
Exclusive cluster Allows you to customize service access and protection capabilities based on business requirements. × × ×
On-premises protection cluster deployment Deploys WAF protection clusters in data centers to protect web traffic that does not pass through Alibaba Cloud. ×
Website protection
Protection Rules Engine Protects your services against common web attacks, such as SQL injection and XSS attacks.
Enables automatic update of protection rules against web zero-day vulnerabilities.
Custom protection rule group Allows you to customize protection rule groups. × ×
Big Data Deep Learning Engine Detects web zero-day vulnerabilities. × × × × ×
Positive security model Provides positive defense capabilities based on deep learning of website traffic. × × ×
Website tamper-proofing Locks web pages to prevent content tampering.
Data leak prevention Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers. ×
HTTP flood protection Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode.
Blacklist Blocks access requests from specific IP addresses or CIDR blocks.
Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. × ×
Scan protection Blocks the IP addresses of scanning tools and the IP addresses from which web attacks and path traversal are frequently initiated. This feature provides collaborative defense. Default rules are used to block the first type of IP address.
Supports the above protection capabilities and allows you to customize blocking rules for high-frequency web attacks and path traversal. ×
Custom protection policy Supports ACL-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params.
Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. ×
Allows you to configure throttling policies based on IP addresses and sessions. You can customize HTTP flood protection rules by adding match conditions and configuring throttling policies. ×
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. × ×
Data risk control Protects crucial website services, such as registrations, logons, activities, and forums, against fraud. × × × × ×
Allowed crawlers Maintains a whitelist that consists of authorized search engines, such as Google, Bing, Baidu, Sogou, and Yandex. The crawlers of these search engines are allowed to access specified domain names.
Bot threat intelligence Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages under your domain name or specific directories.
App protection Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures.
Account security Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints.
DDoS mitigation Defends against DDoS attacks of up to 5 Gbit/s free of charge. × × × × ×
Security analysis and support
Alert setting Allows you to configure event monitoring and alerting for WAF.
Log Service for WAF Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. ×