
Web Application Firewall: WAF deployment plans and editions

Last Updated: Mar 27, 2023

Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features supported by subscription WAF instances of different editions.

WAF deployment plans and editions

Subscription WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. The Exclusive edition is unavailable for purchase. Hybrid Cloud WAF supports only the Exclusive edition.

Editions and supported business scales

The following table describes the business scales supported by each WAF edition. For medium-sized enterprise websites, we recommend that you select the Business edition or Enterprise edition.

| Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- |
| Website scale | Small-sized websites and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that are accessible to the public and have high data security requirements. | Medium-sized enterprise-grade websites and large-sized enterprise-grade websites that have custom security requirements. | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the same level of web protection capabilities as On-cloud WAF |
| Peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Higher than 10,000 QPS | 5,000 QPS | 0 QPS, and can be increased |
| Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported with fees required | Supported with fees required | Supported with fees required | 2 nodes and 10,000 QPS |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 Mbit/s | 100 Mbit/s | 200 Mbit/s | 100 Mbit/s | 0 Mbit/s, and can be increased |
| Maximum bandwidth, in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 Mbit/s | 30 Mbit/s | 50 Mbit/s | 30 Mbit/s | |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional node can protect up to 100 domains.) |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 | |

Editions and supported features in the Chinese mainland

The following table describes the features supported by each subscription WAF edition in the Chinese mainland.

Symbol descriptions:

  • Supported: indicates that the feature is supported by the edition.

  • Not supported: indicates that the feature is not supported by the edition.

  • Value-added: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.

Website access

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Asset discovery | Discovers and manages website assets. You can add assets to WAF with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Transparent proxy mode | Redirects traffic that is sent to origin servers to WAF. The origin servers can be Elastic Compute Service (ECS) instances or servers that are added to Server Load Balancer (SLB) instances. | Supported | Supported | Supported | Supported | Supported |
| HTTP/2 protection | Protects websites that use HTTP/2. | Not supported | Supported | Supported | Supported | Supported |
| Protection for non-standard ports | Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | Not supported | Supported | Supported | Supported | Supported |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | Not supported | Supported | Supported | Supported | Supported |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | Not supported | Not supported | Not supported | Supported | Supported |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | Not supported | Value-added | Value-added | Value-added | Supported |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Exclusive IP address | Provides exclusive IP addresses to protect specific domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |

Website protection

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Protection rules engine | Protects your services against common web attacks such as SQL injection and XSS attacks. | Supported | Supported | Supported | Supported | Supported |
| Protection rules engine | Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | Supported | Supported | Supported | Supported | Supported |
| Website tamper-proofing | Locks web pages to prevent content tampering. | Supported | Supported | Supported | Supported | Supported |
| Data leak prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | Supported | Supported | Supported | Supported | Supported |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Blocks access requests that are sent from IP addresses in specific regions. | Not supported | Supported | Supported | Supported | Supported |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | Supported | Supported | Supported | Supported | Supported |
| Scan protection | Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | Supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | Not supported | Not supported | Supported | Supported | Supported |
| Anti-DDoS | Defends against DDoS attacks. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. | Supported | Supported | Supported | Supported | Not supported |
| Custom protection rule group | Allows you to configure custom protection rule groups. | Not supported | Supported | Supported | Supported | Supported |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | Not supported | Not supported | Supported | Supported | Supported |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | Value-added | Value-added | Value-added | Value-added | Not supported |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | Value-added | Value-added | Value-added | Value-added | Value-added |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | Value-added | Value-added | Value-added | Value-added | Value-added |

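Security analysis and support

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | Supported | Supported | Supported | Supported | Supported |
| Log Service | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | Value-added | Value-added | Value-added | Value-added | Value-added |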

Editions and supported features outside the Chinese mainland

The following table describes the features supported by each subscription WAF edition outside the Chinese mainland.

Symbol descriptions:

  • Supported: indicates that the feature is supported by the edition.

  • Not supported: indicates that the feature is not supported by the edition.

  • Value-added: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.

Website access

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Transparent proxy mode | Redirects traffic that is sent to origin servers to WAF. The origin servers can be ECS instances or servers that are added to SLB instances. | Supported | Supported | Supported | Supported | Supported |
| HTTP/2 protection | Protects websites that use HTTP/2. | Not supported | Supported | Supported | Supported | Supported |
| Protection for non-standard ports | Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | Not supported | Supported | Supported | Supported | Supported |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | Not supported | Not supported | Not supported | Supported | Supported |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | Not supported | Not supported | Not supported | Not supported | Supported |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | Not supported | Value-added | Value-added | Value-added | Value-added |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | Not supported | Value-added | Value-added | Value-added | Supported |
| Exclusive IP addresses | Provides exclusive IP addresses to protect specific domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |

Website protection

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | Supported | Supported | Supported | Supported | Supported |
| Protection rules engine | Protects your services against common web attacks such as SQL injection and XSS attacks. | Supported | Supported | Supported | Supported | Supported |
| Protection rules engine | Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Blocks access requests that are sent from IP addresses in specific regions. | Not supported | Not supported | Supported | Supported | Supported |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | Supported | Supported | Supported | Supported | Supported |
| Scan protection | Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | Supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | Not supported | Not supported | Supported | Supported | Supported |
| Website tamper-proofing | Locks web pages to prevent content tampering. | Not supported | Supported | Supported | Supported | Supported |
| Data leak prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection rule group | Allows you to configure custom protection rule groups. | Not supported | Not supported | Supported | Supported | Supported |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | Not supported | Not supported | Supported | Supported | Not supported |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | Not supported | Not supported | Not supported | Not supported | Not supported |
| Anti-DDoS | Defends against DDoS attacks. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. | Not supported | Not supported | Not supported | Not supported | Not supported |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | Value-added | Value-added | Value-added | Value-added | Value-added |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | Value-added | Value-added | Value-added | Value-added | Value-added |

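Security analysis and support

| Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | Supported | Supported | Supported | Supported | Supported |
| Log Service | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | Value-added | Value-added | Value-added | Value-added | Value-added |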