What plans and editions does WAF 2.0 support? - Web Application Firewall

Web Application Firewall (WAF) uses subscription billing. This page describes the available deployment plans, editions, and the features each edition supports. supports the subscription billing method. This topic describes the business scales and protection features offered by different editions.

WAF plans and editions

WAF offers two deployment plans:

On-cloud WAF: Available in Pro, Business, Enterprise, and Exclusive (sales suspended) editions.
Hybrid Cloud WAF: Available in the Exclusive edition only.

References:

Applicable business scales

The following table compares capacity and scale limits across editions. For medium-sized enterprise websites, Business or Enterprise is the typical choice.

Specification	On-cloud WAF Pro	On-cloud WAF Business	On-cloud WAF Enterprise	On-cloud WAF Exclusive (sales suspended)	Hybrid Cloud WAF Exclusive
Site scale	Small and medium-sized websites with no special security requirements.	Medium-sized enterprise websites or internet-facing services with high data security requirements.	Medium and large-sized enterprise websites with large business scale or special custom security requirements.	Large-sized enterprise websites with large business scale that require custom configurations based on business features.	Medium and large-sized enterprise websites with on-premises services and web traffic that cannot be protected by On-cloud WAF, requiring the same high-standard web security protection.
Peak concurrent requests (On-cloud WAF)	2,000 QPS	5,000 QPS	Over 10,000 QPS	5,000 QPS	0 QPS (extendable)
On-premises cluster nodes and peak concurrent requests	Not supported	Supported for a fee	Supported for a fee	Supported for a fee	2 protection nodes, 10,000 QPS
Service bandwidth (origin on Alibaba Cloud)	50 Mbps	100 Mbps	200 Mbps	100 Mbps	0 Mbps (extendable)
Service bandwidth (origin not on Alibaba Cloud)	10 Mbps	30 Mbps	50 Mbps	30 Mbps	—
Default protected root domain names	1	1	1	1,000	200 (regardless of domain level; +100 per additional node)
Default total protected domain names (wildcard domains supported)	10	10	10	1,000	—

Feature list by edition (Chinese mainland)

The following table lists features supported by each WAF edition for instances deployed in the Chinese mainland region.

Legend: Supported = included in the edition. Paid add-on = available for an additional fee. Not supported = unavailable.

Feature	Description	On-cloud WAF Pro	On-cloud WAF Business	On-cloud WAF Enterprise	On-cloud WAF Exclusive (sales suspended)	Hybrid Cloud WAF Exclusive

Editions and features (outside the Chinese mainland)

The following table describes the features supported by different editions of subscription WAF instances in regions outside the Chinese mainland.

Feature module	Description	On-cloud WAF Pro	On-cloud WAF Business	On-cloud WAF Enterprise	On-cloud WAF Exclusive (No longer available)	Hybrid Cloud WAF Exclusive
Website access
HTTPS security protection	Enables site-wide HTTPS protection with a single click.
Transparent proxy mode	Directs traffic from your origin server, such as an SLB instance or an ECS instance, to WAF for protection.
HTTP/2 security protection	Protects websites that use the HTTP/2 protocol.
Protection for non-standard ports	Protects services on ports other than 80, 8080, 443, and 8443.
Exclusive cluster	Provides custom access and protection capabilities based on your business requirements.
IPv6 traffic protection	Detects and protects against threats in IPv6 traffic.
Intelligent load balancing	Provides automatic scheduling and disaster recovery for your origin server by distributing traffic across multiple nodes and network lines.
On-premises protection cluster	Protects traffic not routed through the public Alibaba Cloud WAF service by letting you deploy a protection cluster in your on-premises data center
Exclusive IP address	Enables protection for a domain name by using an exclusive IP address.
Website Protection
Account security	Detects security risks on account-related endpoints, such as registration and login pages. These risks include credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS verification code abuse.
Protection rules engine	Defends against common web attacks, such as SQL injection and XSS.
Protection rules engine	Automatically updates protection rules for zero-day web vulnerabilities.
HTTP flood protection	Defends against common HTTP flood attacks with a built-in protection mode and an emergency mode.
IP address blacklist	Blocks access from specified IP addresses and CIDR blocks.
IP address blacklist	Also blocks access from specified geographic locations.
Scan protection	Blocks high-frequency web attacks and directory traversal attempts by using default rules. It also supports scanner blocking and collaborative defense.
Scan protection	Lets you create custom rules to block high-frequency web attacks and directory traversal.
Custom protection policy	Basic access control: Creates access control list (ACL) rules based on basic fields such as IP, URL, Referer, User-Agent, and Params.
	Advanced access control: Includes basic fields and supports advanced fields such as Cookie, Content-Type, Header, and Http-Method.
	Lets you configure rate limiting policies (custom HTTP flood protection rules) to filter abnormal requests based on precise match conditions, with rate limits applied per IP address or session.
	Extends rate limiting to include policies based on custom fields, in addition to IP addresses and sessions.
Website tamper-proofing	Locks website pages to prevent malicious content tampering.
Data leak prevention	Prevents the leakage of sensitive data, such as phone numbers, ID card numbers, and bank card numbers.
Custom protection rule groups	Lets you create and manage custom protection rule groups.
Positive security model	Uses deep learning to analyze your website traffic and proactively defend against threats.
Data risk control	Defends against bot-driven fraud on critical business endpoints, such as registration, login, promotion, and forum pages.
DDoS attack mitigation	Provides free DDoS attack mitigation. For more information about the protection capabilities, see Anti-DDoS Basic blackhole filtering thresholds.
Allowed crawlers	Maintains a whitelist of legitimate search engine crawlers to ensure they can access your domain.
Bot threat intelligence	Blocks malicious bots using threat intelligence rules derived from sources like dial-up IP pools, data centers, and malicious scanners. These rules can be applied to an entire domain or specific paths.
Application protection	Protects native apps with features such as trusted communication and anti-bot scripting. It identifies and blocks requests from proxies, emulators, and illegally signed apps.
Security analysis and support
告警设置	支持通过云监控服务配置WAF事件监控、阈值监控规则。
日志服务	支持采集WAF所有的日志信息并存储至日志服务中，提供准实时查询分析和在线报表展示等功能。

Feature list by edition (outside the Chinese mainland)

The following table lists features supported by each WAF edition for instances deployed outside the Chinese mainland.

Legend: Supported = included in the edition. Paid add-on = available for an additional fee. Not supported = unavailable.

Feature	Description	On-cloud WAF Pro	On-cloud WAF Business	On-cloud WAF Enterprise	On-cloud WAF Exclusive (sales suspended)	Hybrid Cloud WAF Exclusive