Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features offered by different editions.
WAF plans and editions
WAF offers two subscription deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF instances are available in Pro, Enterprise, Ultimate, and Exclusive (sales suspended) editions, which vary by business scale and protection features. Hybrid Cloud WAF instances are available only in the Exclusive edition.

Edition specifications and use cases
The following table outlines the recommended use cases and specifications for each WAF edition. For medium-sized enterprise websites, we recommend the On-cloud WAF Business or On-cloud WAF Enterprise edition.
Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (No longer available for purchase) | Hybrid Cloud WAF Exclusive |
Website scale | Designed for small to medium-sized websites with basic security needs. | Ideal for medium-sized enterprise websites and public services that require high standards of data security. | For medium- to large-scale enterprise websites or those with custom security requirements. | Tailored for large-scale enterprise websites that require highly customized security configurations to meet specific business needs. | For medium to large enterprises with on-premises services or web traffic that cannot be protected by On-cloud WAF. This edition provides the same high standard of web security as On-cloud WAF. |
peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Over 10,000 QPS | 5,000 QPS | 0 QPS (scalable) |
Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Available for an additional fee. | Available for an additional fee. | Available for an additional fee. | 2 nodes, 10,000 QPS |
Maximum bandwidth (Mbit/s) for origin servers on Alibaba Cloud | 50 Mbps | 100 Mbps | 200 Mbps | 100 Mbps | 0 Mbps (scalable) |
Maximum bandwidth (Mbit/s) for origin servers outside Alibaba Cloud | 10 Mbps | 30 Mbps | 50 Mbps | 30 Mbps | |
Default number of protected second-level domains | 1 | 1 | 1 | 1,000 | 200 domains (of any level). The limit increases by 100 for each additional node. |
Total protected domains (includes wildcard domains) | 10 | 10 | 10 | 1,000 |
Features by edition (Chinese mainland)
The following table lists the features supported by different editions of subscription WAF instances. When you purchase an instance, you must select the Chinese mainland region.
Legend:
: Supported in the current version.
: Not supported in the current version.
: A value-added service that requires an additional fee. You can enable this service when purchasing a WAF instance or later using the upgrade feature.
Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (No longer available for purchase) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Enables site-wide HTTPS protection with a single click. |
|
|
|
|
| |
Discovers and manages website assets, letting you add them to WAF for protection with a single click. |
|
|
|
|
| |
Directs traffic from your origin server, such as an SLB instance or an ECS instance, to WAF for protection. |
|
|
|
|
| |
Protects websites that use the HTTP/2 protocol. |
|
|
|
|
| |
Protects services on ports other than the standard 80, 8080, 443, and 8443. |
|
|
|
|
| |
Detects and protects against threats in IPv6 traffic. |
|
|
|
|
| |
Provides custom access and protection capabilities based on your business requirements. |
|
|
|
|
| |
Protects web traffic that is not routed through Alibaba Cloud. You can deploy a WAF protection cluster in your data center, on another |
|
|
|
|
| |
Provides automatic, multi-node, and multi-line scheduling and disaster recovery for your origin server. |
|
|
|
|
| |
Lets you enable exclusive IP protection for your domain names. |
|
|
|
|
| |
Website Protection | ||||||
Defends against common web attacks, such as SQL injection and Cross-Site Scripting (XSS). |
|
|
|
|
| |
Automatically updates protection rules for zero-day vulnerabilities. |
|
|
|
|
| |
Locks website pages to prevent malicious tampering. |
|
|
|
|
| |
Prevents sensitive data leakage, including personally identifiable information (PII) such as phone numbers, ID card numbers, and bank card numbers. |
|
|
|
|
| |
Defends against common HTTP flood attacks and provides built-in protection and an emergency mode. |
|
|
|
|
| |
Protects account-related endpoints, such as login and registration pages, from risks including dictionary attacks, brute-force attacks, spam registration, credential sniffing, and SMS abuse. |
|
|
|
|
| |
Blocks access from specified IP addresses and CIDR blocks. |
|
|
|
|
| |
Supports blocking by IP address, CIDR block, and geographic region. |
|
|
|
|
| |
Blocks high-frequency web attacks and path traversal attempts by using default rules. Also supports scanner blocking and collaborative defense. |
|
|
|
|
| |
Supports both default and custom rules to block high-frequency web attacks and path traversal attempts. Also supports scanner blocking and collaborative defense. |
|
|
|
|
| |
Supports access control list (ACL) rules based on basic fields such as IP, URL, Referer, User-Agent, and Params. |
|
|
|
|
| |
Supports ACL rules based on basic and advanced fields. Advanced fields include Cookie, Content-Type, Header, and Http-Method. |
|
|
|
|
| |
Supports rate limiting based on IP addresses and sessions to create custom HTTP flood protection rules. You can set precise match conditions and rate limits to accurately filter malicious requests. |
|
|
|
|
| |
Supports rate limiting based on custom fields, as well as IP addresses and sessions. |
|
|
|
|
| |
DDoS attack mitigation | Provides free DDoS attack mitigation. For more information about the mitigation capabilities, see Blackhole thresholds of Anti-DDoS Basic. |
|
|
|
|
|
Supports custom protection rule groups. |
|
|
|
|
| |
Builds a positive security model by analyzing your website traffic with deep learning. |
|
|
|
|
| |
Defends against bot-driven fraud on critical business endpoints, such as registration, login, promotion, and forum pages. |
|
|
|
|
| |
Whitelists legitimate search engine crawlers to grant them access. |
|
|
|
|
| |
Provides multi-dimensional bot threat intelligence rules based on dial-up IP addresses, data center IP addresses, malicious scanner IP addresses, and a real-time malicious bot library generated by a cloud-based model. You can use these rules to block malicious bot requests for an entire domain or specific paths. |
|
|
|
|
| |
Protects native apps by enabling trusted communication and blocking malicious bot scripts. It also identifies requests from proxies, emulators, and illegally signed apps. |
|
|
|
|
| |
Security analysis and support | ||||||
Lets you configure WAF event monitoring and threshold-based alert rules using CloudMonitor. |
|
|
|
|
| |
Collects and stores all WAF logs in Log Service, which provides near real-time querying, analysis, and online reports. |
|
|
|
|
| |
Editions and features (outside the Chinese mainland)
The following table describes the features supported by different editions of subscription WAF instances in regions outside the Chinese mainland.
Legend:
: Supported in the current version.
: Not supported in the current version.
: A value-added service that requires an additional fee. You can enable this service when purchasing a WAF instance or later using the upgrade feature.
Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (No longer available) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Enables site-wide HTTPS protection with a single click. |
|
|
|
|
| |
Directs traffic from your origin server, such as an SLB instance or an ECS instance, to WAF for protection. |
|
|
|
|
| |
Protects websites that use the HTTP/2 protocol. |
|
|
|
|
| |
Protects services on ports other than 80, 8080, 443, and 8443. |
|
|
|
|
| |
Provides custom access and protection capabilities based on your business requirements. |
|
|
|
|
| |
Detects and protects against threats in IPv6 traffic. |
|
|
|
|
| |
Provides automatic scheduling and disaster recovery for your origin server by distributing traffic across multiple nodes and network lines. |
|
|
|
|
| |
Protects traffic not routed through the public Alibaba Cloud WAF service by letting you deploy a protection cluster in your on-premises data center |
|
|
|
|
| |
Enables protection for a domain name by using an exclusive IP address. |
|
|
|
|
| |
Website Protection | ||||||
Detects security risks on account-related endpoints, such as registration and login pages. These risks include credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS verification code abuse. |
|
|
|
|
| |
Defends against common web attacks, such as SQL injection and XSS. |
|
|
|
|
| |
Automatically updates protection rules for zero-day web vulnerabilities. |
|
|
|
|
| |
Defends against common HTTP flood attacks with a built-in protection mode and an emergency mode. |
|
|
|
|
| |
Blocks access from specified IP addresses and CIDR blocks. |
|
|
|
|
| |
Also blocks access from specified geographic locations. |
|
|
|
|
| |
Blocks high-frequency web attacks and directory traversal attempts by using default rules. It also supports scanner blocking and collaborative defense. |
|
|
|
|
| |
Lets you create custom rules to block high-frequency web attacks and directory traversal. |
|
|
|
|
| |
Basic access control: Creates access control list (ACL) rules based on basic fields such as IP, URL, Referer, User-Agent, and Params. |
|
|
|
|
| |
Advanced access control: Includes basic fields and supports advanced fields such as Cookie, Content-Type, Header, and Http-Method. |
|
|
|
|
| |
Lets you configure rate limiting policies (custom HTTP flood protection rules) to filter abnormal requests based on precise match conditions, with rate limits applied per IP address or session. |
|
|
|
|
| |
Extends rate limiting to include policies based on custom fields, in addition to IP addresses and sessions. |
|
|
|
|
| |
Locks website pages to prevent malicious content tampering. |
|
|
|
|
| |
Prevents the leakage of sensitive data, such as phone numbers, ID card numbers, and bank card numbers. |
|
|
|
|
| |
Lets you create and manage custom protection rule groups. |
|
|
|
|
| |
Uses deep learning to analyze your website traffic and proactively defend against threats. |
|
|
|
|
| |
Defends against bot-driven fraud on critical business endpoints, such as registration, login, promotion, and forum pages. |
|
|
|
|
| |
DDoS attack mitigation | Provides free DDoS attack mitigation. For more information about the protection capabilities, see Anti-DDoS Basic blackhole filtering thresholds. |
|
|
|
|
|
Maintains a whitelist of legitimate search engine crawlers to ensure they can access your domain. |
|
|
|
|
| |
Blocks malicious bots using threat intelligence rules derived from sources like dial-up IP pools, data centers, and malicious scanners. These rules can be applied to an entire domain or specific paths. |
|
|
|
|
| |
Protects native apps with features such as trusted communication and anti-bot scripting. It identifies and blocks requests from proxies, emulators, and illegally signed apps. |
|
|
|
|
| |
Security analysis and support | ||||||
Supports configuring WAF event monitoring and threshold-based alert rules via Cloud Monitor. |
|
|
|
|
| |
Supports collecting all WAF logs and storing them in Log Service, providing near real-time query and analysis, as well as online dashboard reporting. |
|
|
|
|
| |