A Web Application Firewall (WAF) instance provides a default service bandwidth to protect websites. Before you purchase a WAF instance, you must estimate the normal service traffic of the websites that you want to add to WAF. Then, you must select the WAF edition and the extra bandwidth that you need to purchase based on the estimated normal service traffic.

Service bandwidth

The service bandwidth refers to the peak bandwidth of normal service traffic that is supported by a WAF instance. The bandwidth is measured in Mbit/s. A service bandwidth of 100 Mbit/s allows for approximately 4,000 queries per second (QPS).

If you add multiple websites to a WAF instance, take note of the total peak bandwidth of normal service traffic of all the websites. Make sure that the total peak bandwidth is less than the limit of the service bandwidth of the WAF instance. If the total peak bandwidth exceeds the limit of the service bandwidth of the WAF instance, access to the websites is affected. For more information, see Impacts that are generated when the limit of the service bandwidth is exceeded.

The service bandwidth of a WAF instance consists of the default service bandwidth and the extra bandwidth that you purchase.

The following table describes the default service bandwidth and peak QPS for each edition of WAF.
| WAF edition | Default service bandwidth (origin servers deployed on Alibaba Cloud, such as ECS and SLB instances) | Default service bandwidth (origin servers not deployed on Alibaba Cloud, such as servers on a third-party cloud or in data centers) | Peak QPS |
| --- | --- | --- | --- |
| Pro | 50 Mbit/s | 10 Mbit/s | 2,000 QPS |
| Business | 100 Mbit/s | 30 Mbit/s | 5,000 QPS |
| Enterprise | 200 Mbit/s | 50 Mbit/s | 10,000 QPS |

If the default service bandwidth of a WAF instance cannot meet your website protection requirements, you must purchase extra bandwidth to increase the service bandwidth. For more information about how to purchase extra bandwidth, see Purchase extra bandwidth.

Estimate the required service bandwidth

The service bandwidth of a WAF instance must be greater than the total peak bandwidth of the normal service traffic of the websites that you want to add to the WAF instance.
Note: You can estimate the normal service traffic of the websites based on the monitoring data of your Elastic Compute Service (ECS) instance or by using the monitoring tools that are installed on your origin server. For more information about the monitoring data, see Query monitoring information of an instance. You must estimate the normal service traffic based on the higher value of the peak outbound bandwidth and the peak inbound bandwidth. In most cases, the peak outbound bandwidth is higher than the peak inbound bandwidth.

If WAF protects websites that are deployed on multiple ECS instances, you must estimate the total peak bandwidth of all the ECS instances. For example, three websites are deployed on Alibaba Cloud and need to be protected by WAF. The peak bandwidth of each website is slightly less than 30 Mbit/s, and the total peak bandwidth is slightly less than 90 Mbit/s. In this case, you can purchase a WAF instance of the Business edition that provides the default service bandwidth of 100 Mbit/s to meet your business requirements. If you purchase a WAF instance of the Pro edition that provides the default service bandwidth of 50 Mbit/s, you must also purchase extra bandwidth.

Impacts that are generated when the limit of the service bandwidth is exceeded

If the normal service traffic of the websites exceeds the limit of the service bandwidth that is provided by the WAF instance, WAF lowers the priority at which network and computing resources are allocated to specific services. Issues such as throttling or packet loss may occur. As a result, the websites become slow or unavailable for a period of time. In this case, the service-level agreement (SLA) for WAF cannot be fulfilled.

To resolve the issues, you must upgrade the WAF instance or purchase extra bandwidth. For more information, see Solution that you can use when the limit of the service bandwidth is exceeded.

Method to check whether the limit of the service bandwidth is exceeded

If the normal service traffic of the websites exceeds the limit of the service bandwidth that is provided by the WAF instance, a message is displayed at the top of the Web Application Firewall console. You can click View Details to open the Details dialog box. You can also click Upgrade Now to go to the Upgrade/Downgrade page. On the Upgrade/Downgrade page, you can upgrade the WAF instance or purchase extra bandwidth to increase the service bandwidth of the WAF instance.
Note: The normal service traffic supported by a WAF instance is independent of the bandwidth or traffic limits on other Alibaba Cloud services, such as Alibaba Cloud Content Delivery Network (CDN), Server Load Balancer (SLB), and ECS.

Solution that you can use when the limit of the service bandwidth is exceeded

If the service traffic of the websites that are protected by a WAF instance exceeds the limit of the default service bandwidth of the WAF instance, you must purchase extra bandwidth to prevent negative impacts.

For example, if you purchase a WAF instance that runs the Business edition and want to protect 150 Mbit/s of service traffic destined for origin servers that are deployed on Alibaba Cloud, you must purchase 50 Mbit/s of extra bandwidth to ensure normal access to the websites. The WAF instance that runs the Business edition provides the default service bandwidth of 100 Mbit/s for origin servers that are deployed on Alibaba Cloud.

You can purchase extra bandwidth by using the following methods:
  • You can purchase extra bandwidth when you purchase a WAF instance. For more information, see Purchase a WAF instance.
  • You can purchase extra bandwidth when you upgrade a WAF instance. For more information, see Renewal and upgrade.
Extra Bandwidth Package: You can specify this parameter to increase or decrease service bandwidth at an increment of 50 Mbit/s. You can specify a value from 0 to 5,000 Mbit/s.
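
The sizing procedure on this page, worked through as an added example (not part of the original documentation or any Alibaba Cloud tool). It takes the higher of inbound and outbound peak per website, sums the peaks, and computes the extra bandwidth each edition would need in 50 Mbit/s increments. The site names and measurements are constructed, and the function names are hypothetical.

```python
import math

# Default service bandwidth in Mbit/s per edition, copied from the table on this page:
# (origin servers on Alibaba Cloud, origin servers not on Alibaba Cloud)
DEFAULT_BANDWIDTH = {
    "Pro": (50, 10),
    "Business": (100, 30),
    "Enterprise": (200, 50),
}
EXTRA_STEP = 50    # extra bandwidth changes in 50 Mbit/s increments
EXTRA_MAX = 5000   # largest extra bandwidth value the page allows


def total_peak(sites):
    """Sum per-site peaks, using the higher of inbound and outbound for each site."""
    return sum(max(inbound, outbound) for inbound, outbound in sites.values())


def extra_needed(edition, peak_mbps, on_alibaba_cloud=True):
    """Extra bandwidth (Mbit/s) so that the service bandwidth covers the peak.

    Follows the page's worked example (150 Mbit/s on Business needs 50 extra).
    Returns None when the shortfall exceeds the purchasable maximum.
    """
    default = DEFAULT_BANDWIDTH[edition][0 if on_alibaba_cloud else 1]
    shortfall = peak_mbps - default
    if shortfall <= 0:
        return 0
    extra = math.ceil(shortfall / EXTRA_STEP) * EXTRA_STEP
    return extra if extra <= EXTRA_MAX else None


def sizing_report(sites, on_alibaba_cloud=True):
    """Map each edition to the extra bandwidth it needs for these sites."""
    peak = total_peak(sites)
    return {ed: extra_needed(ed, peak, on_alibaba_cloud) for ed in DEFAULT_BANDWIDTH}


# Constructed sample measurements: site -> (peak inbound, peak outbound) in Mbit/s
SAMPLE_SITES = {
    "shop.example.com": (6.0, 29.5),
    "api.example.com": (12.0, 29.0),
    "www.example.com": (3.5, 29.8),
}

if __name__ == "__main__":
    print("total peak:", total_peak(SAMPLE_SITES), "Mbit/s")
    for edition, extra in sizing_report(SAMPLE_SITES).items():
        print(edition, "extra Mbit/s:", extra)
```

With the same three sites on origin servers outside Alibaba Cloud, pass `on_alibaba_cloud=False`; the lower default bandwidth in that column means every edition needs extra bandwidth.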