All Products
Search
Document Center

Web Application Firewall:WAF plans and editions

Last Updated:Jun 25, 2026

Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features offered by different editions.

WAF plans and editions

WAF offers two subscription deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF instances are available in Pro, Enterprise, Ultimate, and Exclusive (sales suspended) editions, which vary by business scale and protection features. Hybrid Cloud WAF instances are available only in the Exclusive edition.

版本说明-国际站

Edition specifications and use cases

The following table outlines the recommended use cases and specifications for each WAF edition. For medium-sized enterprise websites, we recommend the On-cloud WAF Business or On-cloud WAF Enterprise edition.

Specification

On-cloud WAF Pro

On-cloud WAF Business

On-cloud WAF Enterprise

On-cloud WAF Exclusive (No longer available for purchase)

Hybrid Cloud WAF Exclusive

Website scale

Designed for small to medium-sized websites with basic security needs.

Ideal for medium-sized enterprise websites and public services that require high standards of data security.

For medium- to large-scale enterprise websites or those with custom security requirements.

Tailored for large-scale enterprise websites that require highly customized security configurations to meet specific business needs.

For medium to large enterprises with on-premises services or web traffic that cannot be protected by On-cloud WAF. This edition provides the same high standard of web security as On-cloud WAF.

peak queries per second (QPS)

2,000 QPS

5,000 QPS

Over 10,000 QPS

5,000 QPS

0 QPS (scalable)

Number of nodes in an on-premises protection cluster and peak QPS

Not supported

Available for an additional fee.

Available for an additional fee.

Available for an additional fee.

2 nodes, 10,000 QPS

Maximum bandwidth (Mbit/s) for origin servers on Alibaba Cloud

50 Mbps

100 Mbps

200 Mbps

100 Mbps

0 Mbps (scalable)

Maximum bandwidth (Mbit/s) for origin servers outside Alibaba Cloud

10 Mbps

30 Mbps

50 Mbps

30 Mbps

Default number of protected second-level domains

1

1

1

1,000

200 domains (of any level). The limit increases by 100 for each additional node.

Total protected domains (includes wildcard domains)

10

10

10

1,000

Features by edition (Chinese mainland)

The following table lists the features supported by different editions of subscription WAF instances. When you purchase an instance, you must select the Chinese mainland region.

Legend:

  • Supported: Supported in the current version.

  • Not supported: Not supported in the current version.

  • Value-added servicePay-as-you-go: A value-added service that requires an additional fee. You can enable this service when purchasing a WAF instance or later using the upgrade feature.

Feature module

Description

On-cloud WAF Pro

On-cloud WAF Business

On-cloud WAF Enterprise

On-cloud WAF Exclusive (No longer available for purchase)

Hybrid Cloud WAF Exclusive

Website access

HTTPS protection

Enables site-wide HTTPS protection with a single click.

支持

支持

支持

支持

支持

Asset discovery

Discovers and manages website assets, letting you add them to WAF for protection with a single click.

支持

支持

支持

支持

支持

Transparent proxy mode

Directs traffic from your origin server, such as an SLB instance or an ECS instance, to WAF for protection.

支持

支持

支持

支持

不支持

HTTP/2 protection

Protects websites that use the HTTP/2 protocol.

不支持

支持

支持

支持

支持

Protection for non-standard ports

Protects services on ports other than the standard 80, 8080, 443, and 8443.

不支持

支持

支持

支持

支持

IPv6 protection

Detects and protects against threats in IPv6 traffic.

不支持

支持

支持

支持

支持

Exclusive cluster

Provides custom access and protection capabilities based on your business requirements.

不支持

不支持

不支持

支持

支持

On-premises protection cluster

Protects web traffic that is not routed through Alibaba Cloud. You can deploy a WAF protection cluster in your data center, on another

不支持

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

支持

Intelligent load balancing

Provides automatic, multi-node, and multi-line scheduling and disaster recovery for your origin server.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Exclusive IP address

Lets you enable exclusive IP protection for your domain names.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Website Protection

Protection rules engine

Defends against common web attacks, such as SQL injection and Cross-Site Scripting (XSS).

支持

支持

支持

支持

支持

Automatically updates protection rules for zero-day vulnerabilities.

支持

支持

支持

支持

支持

Website tamper-proofing

Locks website pages to prevent malicious tampering.

支持

支持

支持

支持

支持

Data leak prevention

Prevents sensitive data leakage, including personally identifiable information (PII) such as phone numbers, ID card numbers, and bank card numbers.

支持

支持

支持

支持

支持

HTTP flood protection

Defends against common HTTP flood attacks and provides built-in protection and an emergency mode.

支持

支持

支持

支持

支持

Account security

Protects account-related endpoints, such as login and registration pages, from risks including dictionary attacks, brute-force attacks, spam registration, credential sniffing, and SMS abuse.

支持

支持

支持

支持

支持

IP address blacklist

Blocks access from specified IP addresses and CIDR blocks.

支持

支持

支持

支持

支持

Supports blocking by IP address, CIDR block, and geographic region.

不支持

支持

支持

支持

支持

Scan protection

Blocks high-frequency web attacks and path traversal attempts by using default rules. Also supports scanner blocking and collaborative defense.

支持

支持

支持

支持

支持

Supports both default and custom rules to block high-frequency web attacks and path traversal attempts. Also supports scanner blocking and collaborative defense.

不支持

支持

支持

支持

支持

Custom protection policies

Supports access control list (ACL) rules based on basic fields such as IP, URL, Referer, User-Agent, and Params.

支持

支持

支持

支持

支持

Supports ACL rules based on basic and advanced fields. Advanced fields include Cookie, Content-Type, Header, and Http-Method.

不支持

支持

支持

支持

支持

Supports rate limiting based on IP addresses and sessions to create custom HTTP flood protection rules. You can set precise match conditions and rate limits to accurately filter malicious requests.

不支持

支持

支持

支持

支持

Supports rate limiting based on custom fields, as well as IP addresses and sessions.

不支持

不支持

支持

支持

支持

DDoS attack mitigation

Provides free DDoS attack mitigation. For more information about the mitigation capabilities, see Blackhole thresholds of Anti-DDoS Basic.

支持

支持

支持

支持

不支持

Custom protection rule groups

Supports custom protection rule groups.

不支持

支持

支持

支持

支持

Positive security model

Builds a positive security model by analyzing your website traffic with deep learning.

不支持

不支持

支持

支持

支持

Data risk control

Defends against bot-driven fraud on critical business endpoints, such as registration, login, promotion, and forum pages.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

不支持

Allowed crawlers

Whitelists legitimate search engine crawlers to grant them access.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Bot threat intelligence

Provides multi-dimensional bot threat intelligence rules based on dial-up IP addresses, data center IP addresses, malicious scanner IP addresses, and a real-time malicious bot library generated by a cloud-based model. You can use these rules to block malicious bot requests for an entire domain or specific paths.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Application protection

Protects native apps by enabling trusted communication and blocking malicious bot scripts. It also identifies requests from proxies, emulators, and illegally signed apps.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Security analysis and support

Alerts

Lets you configure WAF event monitoring and threshold-based alert rules using CloudMonitor.

支持

支持

支持

支持

支持

Log Service

Collects and stores all WAF logs in Log Service, which provides near real-time querying, analysis, and online reports.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Editions and features (outside the Chinese mainland)

The following table describes the features supported by different editions of subscription WAF instances in regions outside the Chinese mainland.

Legend:

  • Supported: Supported in the current version.

  • Not supported: Not supported in the current version.

  • Value-added servicePay-as-you-go: A value-added service that requires an additional fee. You can enable this service when purchasing a WAF instance or later using the upgrade feature.

Feature module

Description

On-cloud WAF Pro

On-cloud WAF Business

On-cloud WAF Enterprise

On-cloud WAF Exclusive (No longer available)

Hybrid Cloud WAF Exclusive

Website access

HTTPS security protection

Enables site-wide HTTPS protection with a single click.

支持

支持

支持

支持

支持

Transparent proxy mode

Directs traffic from your origin server, such as an SLB instance or an ECS instance, to WAF for protection.

支持

支持

支持

支持

不支持

HTTP/2 security protection

Protects websites that use the HTTP/2 protocol.

不支持

支持

支持

支持

支持

Protection for non-standard ports

Protects services on ports other than 80, 8080, 443, and 8443.

不支持

支持

支持

支持

支持

Exclusive cluster

Provides custom access and protection capabilities based on your business requirements.

不支持

不支持

不支持

支持

支持

IPv6 traffic protection

Detects and protects against threats in IPv6 traffic.

不支持

不支持

不支持

不支持

支持

Intelligent load balancing

Provides automatic scheduling and disaster recovery for your origin server by distributing traffic across multiple nodes and network lines.

不支持

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

On-premises protection cluster

Protects traffic not routed through the public Alibaba Cloud WAF service by letting you deploy a protection cluster in your on-premises data center

不支持

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

支持

Exclusive IP address

Enables protection for a domain name by using an exclusive IP address.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Website Protection

Account security

Detects security risks on account-related endpoints, such as registration and login pages. These risks include credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS verification code abuse.

支持

支持

支持

支持

支持

Protection rules engine

Defends against common web attacks, such as SQL injection and XSS.

支持

支持

支持

支持

支持

Automatically updates protection rules for zero-day web vulnerabilities.

支持

支持

支持

支持

支持

HTTP flood protection

Defends against common HTTP flood attacks with a built-in protection mode and an emergency mode.

支持

支持

支持

支持

支持

IP address blacklist

Blocks access from specified IP addresses and CIDR blocks.

支持

支持

支持

支持

支持

Also blocks access from specified geographic locations.

不支持

支持

支持

支持

支持

Scan protection

Blocks high-frequency web attacks and directory traversal attempts by using default rules. It also supports scanner blocking and collaborative defense.

支持

支持

支持

支持

支持

Lets you create custom rules to block high-frequency web attacks and directory traversal.

不支持

支持

支持

支持

支持

Custom protection policy

Basic access control: Creates access control list (ACL) rules based on basic fields such as IP, URL, Referer, User-Agent, and Params.

支持

支持

支持

支持

支持

Advanced access control: Includes basic fields and supports advanced fields such as Cookie, Content-Type, Header, and Http-Method.

不支持

支持

支持

支持

支持

Lets you configure rate limiting policies (custom HTTP flood protection rules) to filter abnormal requests based on precise match conditions, with rate limits applied per IP address or session.

不支持

支持

支持

支持

支持

Extends rate limiting to include policies based on custom fields, in addition to IP addresses and sessions.

不支持

不支持

支持

支持

支持

Website tamper-proofing

Locks website pages to prevent malicious content tampering.

不支持

支持

支持

支持

支持

Data leak prevention

Prevents the leakage of sensitive data, such as phone numbers, ID card numbers, and bank card numbers.

不支持

支持

支持

支持

支持

Custom protection rule groups

Lets you create and manage custom protection rule groups.

不支持

不支持

支持

支持

支持

Positive security model

Uses deep learning to analyze your website traffic and proactively defend against threats.

不支持

不支持

支持

支持

不支持

Data risk control

Defends against bot-driven fraud on critical business endpoints, such as registration, login, promotion, and forum pages.

不支持

不支持

不支持

不支持

不支持

DDoS attack mitigation

Provides free DDoS attack mitigation. For more information about the protection capabilities, see Anti-DDoS Basic blackhole filtering thresholds.

不支持

不支持

不支持

不支持

不支持

Allowed crawlers

Maintains a whitelist of legitimate search engine crawlers to ensure they can access your domain.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Bot threat intelligence

Blocks malicious bots using threat intelligence rules derived from sources like dial-up IP pools, data centers, and malicious scanners. These rules can be applied to an entire domain or specific paths.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Application protection

Protects native apps with features such as trusted communication and anti-bot scripting. It identifies and blocks requests from proxies, emulators, and illegally signed apps.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

Security analysis and support

Notifications

Supports configuring WAF event monitoring and threshold-based alert rules via Cloud Monitor.

支持

支持

支持

支持

支持

Log

Supports collecting all WAF logs and storing them in Log Service, providing near real-time query and analysis, as well as online dashboard reporting.

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go

增值服务Pay-as-you-go