If you are using subscription-based WAF instances, you can choose from the following editions based on your needs.

Note We recommend that you choose either the Business or the Enterprise edition to meet different website business and security requirements.

Editions and applicable website scales

Service scale Pro Business Enterprise
Website scale Small and medium websites that do not have special security requirements for their business. Medium enterprise websites, websites with services available for all Internet users, and websites that have high requirements for data security. Medium and large enterprise websites with a large business scale or custom security requirements.
Peak request rate 2,000 QPS 5,000 QPS Higher than 10,000 QPS
Maximum bandwidth (origin servers are deployed on Alibaba Cloud) 50 Mbit/s 100 Mbit/s 200 Mbit/s
Maximum bandwidth (origin servers are not deployed on Alibaba Cloud) 10 Mbit/s 30 Mbit/s 50 Mbit/s

Features supported by each edition

Feature Reference Pro Business Enterprise
Enable HTTPS protection for a website HTTPS advanced settings
Protection for ports other than 80, 8080, 443, and 8443. Support for non-standard ports ×
Protection against common Web attacks, such as SQL injection and XSS attacks. Web application protection
Automatic update of protection rules against Web zero-day vulnerabilities
Custom rule groups Custom rule groups ×
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Protection against HTTP floods targeting Web services HTTP flood protection
Protection against HTTP floods targeting API services Custom HTTP flood protection ×
Access frequency control for URLs Custom HTTP flood protection ×
IP whitelist, IP blacklist, URL whitelist, and URL blacklist Configure a whitelists or blacklist
Advanced HTTP request control based on header fields including US and Referer Access control list
Targeted Web attack protection, for example, penetration tests. Access control list
Location-based IP blocking (block access requests from international regions) Blocked regions ×
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Webpage tamper-proofing Website tamper-proofing
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Malicious registration interception Data risk control
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Data masking, such as ID card, phone number, and bank card number. Data leakage prevention
Note WAF instances created in International regions must be upgraded to the Business or Enterprise edition.
Intelligent retrieval of access logs Log search ×
Note WAF instances created in International regions must be upgraded to the Enterprise edition.
Real-time log query and analysis service
Note The real-time log query and analysis service is a value-added service. To use this service, you must purchase the service first. For more information about pricing, see Billing methods.
Real-time log analysis
Data visualization
Note The data visualization service is a value-added service. To use this service, you must purchase the service first.
Data visualization