Web Application Firewall:WAF overview

Last Updated:Sep 03, 2025

This topic describes the relationship between Web Application Firewall (WAF) 2.0 and WAF 3.0, their differences, and how to get started with WAF.

What is WAF?

WAF protects your websites and applications by detecting and blocking malicious traffic. WAF inspects and filters all incoming requests and forwards only legitimate ones to the origin server. This prevents problems such as the performance degradation caused by malicious intrusions and keeps your services and data secure.

Relationship between WAF 2.0 and WAF 3.0

  • WAF 3.0 is the latest generation of WAF and an upgrade to WAF 2.0. The two versions have different underlying architectures, editions, console configurations, and user experiences. Therefore, they cannot coexist under the same Alibaba Cloud account ID. If you purchased a WAF 2.0 instance, you log on to the WAF 2.0 console. If you purchased a WAF 3.0 instance, you log on to the WAF 3.0 console.

  • The release of WAF 3.0 does not affect users who have purchased and are using WAF 2.0. WAF 2.0 instances can still be used, renewed, or upgraded. The Service-Level Agreement (SLA) for WAF 2.0 remains in effect.

  • If you have a WAF 2.0 instance and want to upgrade to WAF 3.0, you can use the self-service migration tool to automatically migrate your WAF 2.0 instance to WAF 3.0. For more information, see Upgrade a WAF 2.0 instance to WAF 3.0.

Differences between WAF 2.0 and WAF 3.0

Connection types

WAF 2.0 supports canonical name (CNAME) and transparent proxy modes. WAF 3.0 adds a cloud native mode that integrates with cloud products, such as Application Load Balancer (ALB), in a cloud-native architecture. In the consoles of cloud products such as ALB, you can enable WAF security protection for your instances, including internal instances, with a single click. This eliminates the need for complex connection and forwarding configurations, such as modifying DNS records or configuring certificates, ports, and back-to-origin algorithms. This approach improves service performance and stability, and reduces access latency.

CNAME mode (WAF 3.0: supported; WAF 2.0: supported)

  • You add a domain name and point its DNS record to the CNAME address of WAF. This redirects the web traffic of the domain name to WAF. WAF blocks attack requests and forwards normal service requests to the origin server.

  • In this process, WAF acts as a reverse proxy cluster that both forwards traffic and provides detection and protection.

Cloud native mode, formerly transparent proxy mode (WAF 3.0: supported; WAF 2.0: supported)

  • You add traffic redirection ports to WAF. The cloud product gateway then automatically changes its routing and redirects web traffic to WAF. WAF blocks attack requests and forwards normal service requests to the origin server.

  • In this process, WAF acts as a reverse proxy cluster that both forwards traffic and provides detection and protection.

  Note: In WAF 3.0, the cloud native mode for CLB and ECS is the transparent proxy mode.

Cloud native mode, new cloud-native architecture (WAF 3.0: supported; WAF 2.0: not supported)

  • WAF is integrated into the gateway of a cloud product as a modular software development kit (SDK). The embedded SDK fetches traffic for detection and protection.

  • In this process, WAF does not forward traffic. This avoids the compatibility and stability issues that an extra forwarding layer can introduce.
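In CNAME mode, only traffic that follows the DNS record into WAF is inspected: a hostname that still resolves straight to the origin server is served without any WAF detection. As an added example (not Alibaba Cloud code and not part of this page), the following Python script follows a hostname's CNAME chain and confirms that it terminates at a WAF CNAME address, flagging hostnames that bypass WAF. The zone data, the WAF CNAME domain (`waf.example-waf.com`) and the origin addresses are constructed assumptions for the demo; read the real CNAME address from the WAF console.

```python
# Added example (not Alibaba Cloud code): check that a hostname's public DNS
# actually hands its traffic to WAF in CNAME mode. Resolution runs against a
# constructed in-memory zone so the script works offline; in practice replace
# lookup() with a real resolver (for example dnspython's dns.resolver).
# The WAF CNAME domain and origin addresses below are assumptions for the demo.
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: the domain under which WAF issues per-instance CNAME addresses.
# Read the real value from the WAF console when you add the domain name.
WAF_CNAME_DOMAIN = "waf.example-waf.com"

# Assumed origin addresses: traffic that reaches these directly never passes WAF.
ORIGIN_IPS = {"198.51.100.5"}

RRSet = List[Tuple[str, str]]  # (record type, value)

# Constructed zone: name -> records, with trailing dots as a resolver returns them.
ZONE: Dict[str, RRSet] = {
    "www.example.com.": [("CNAME", "abc123.waf.example-waf.com.")],
    "abc123.waf.example-waf.com.": [("A", "203.0.113.10"), ("A", "203.0.113.11")],
    "api.example.com.": [("A", "198.51.100.5")],          # never moved behind WAF
    "old.example.com.": [("CNAME", "api.example.com.")],  # chain ends at the origin
    "cdn.example.com.": [("CNAME", "edge.other-cdn.net.")],
    "edge.other-cdn.net.": [("A", "192.0.2.7")],
    "loop.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
}


def lookup(name: str, zone: Dict[str, RRSet]) -> RRSet:
    """Return the records for a name (empty list means NXDOMAIN / no data)."""
    return zone.get(name, [])


def resolve_chain(name: str, zone: Dict[str, RRSet], max_hops: int = 8
                  ) -> Tuple[List[str], List[str], Optional[str]]:
    """Follow CNAMEs from `name` until an A record set is reached.

    Returns (names visited in order, terminal A records, error or None).
    Loops and over-long chains are reported instead of being followed forever.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        rrs = lookup(current, zone)
        if not rrs:
            return chain, [], "nxdomain"
        cnames = [v for t, v in rrs if t == "CNAME"]
        if cnames:
            nxt = cnames[0]  # a name may carry only one CNAME
            if nxt in seen:
                return chain, [], "cname_loop"
            seen.add(nxt)
            chain.append(nxt)
            current = nxt
            continue
        return chain, [v for t, v in rrs if t == "A"], None
    return chain, [], "chain_too_long"


def waf_status(name: str, zone: Dict[str, RRSet] = ZONE,
               origin_ips: Iterable[str] = ORIGIN_IPS,
               waf_domain: str = WAF_CNAME_DOMAIN) -> str:
    """Classify how `name` reaches the service.

    protected      - the CNAME chain passes through a WAF CNAME address
    origin_exposed - resolves straight to a known origin IP, bypassing WAF
    not_via_waf    - resolves elsewhere without touching WAF
    nxdomain / cname_loop / chain_too_long - resolution problems
    """
    chain, a_records, err = resolve_chain(name, zone)
    if err:
        return err
    suffix = "." + waf_domain.strip(".")
    if any(n.rstrip(".").endswith(suffix) for n in chain[1:]):
        return "protected"
    if set(a_records) & set(origin_ips):
        return "origin_exposed"
    return "not_via_waf"


def audit(names: Iterable[str], zone: Dict[str, RRSet] = ZONE) -> Dict[str, str]:
    """Run waf_status over the hostnames you expect to be behind WAF."""
    return {n: waf_status(n, zone) for n in names}


if __name__ == "__main__":
    hosts = [n for n in sorted(ZONE) if n.endswith(".example.com.")]
    for host, status in audit(hosts, ZONE).items():
        print(f"{host:24} {status}")
```

Run it over every hostname you added to WAF, swapping `lookup()` for a live resolver to audit real DNS. A hostname reported as `origin_exposed` or `not_via_waf` reaches the service without passing WAF's detection, and a direct path to the origin IP lets attackers skip WAF entirely, so the origin should additionally only accept traffic from WAF's back-to-origin addresses.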

Mitigation settings

Applicable objects

  • WAF 3.0: You configure mitigation policies for protected objects or protected object groups. A protected object is a domain name or a cloud product instance that is added to WAF. You can add multiple protected objects to a protected object group to apply mitigation policies to all of them in a batch.

  • WAF 2.0: You can configure protection rules only for a single domain name. If you add an instance to WAF in transparent proxy mode, you must add each domain name of the instance to WAF separately to configure protection rules. Otherwise, all traffic is protected only by the default protection rules, which you cannot modify.

Implementation

  • WAF 3.0: You create protection templates, add protection rules to the templates, and apply the templates to different protected objects.

  • WAF 2.0: You create protection rules directly for a specific domain name.

Viewing method

  • WAF 3.0: You can view all protection rules that apply to a protected object or a protected object group, view all protection rules within a protection module, and search for protection rules by rule ID.

  • WAF 2.0: You can view all protection rules that apply to a single domain name.

Managing default protection rules

  • WAF 3.0: When you add a new protected object, basic protection is enabled by default. You can change the action of the default protection rule to Block or Allow.

  • WAF 2.0: When you add a new domain name, the Protection Rules Engine is enabled by default, but you cannot change the action of the default protection rules. You can specify a protection action only after you create custom protection rules for the domain name.

Protection specifications

  • For information about the number of protected objects supported by each edition, see Protected objects.

  • For information about the supported protection modules and the number of protection rules supported by each module, see Security features.

Billing methods

Subscription

| Difference | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Editions | Basic, Pro, Enterprise, and Ultimate. The new Basic Edition is suitable for users with low traffic. | Pro, Enterprise, and Ultimate. |
| Billable items: traffic specifications | Unified as queries per second (QPS); bandwidth does not need to be considered. | Both QPS and bandwidth, which require conversion. |
| Billable items: domain name specifications | No distinction between primary domain names and subdomains; fees are settled based on the number of connected domain names. | Distinguishes between primary domain names and subdomains. |
| Hybrid cloud connection | Available after you purchase the Enterprise or Ultimate edition. | Requires a separate purchase of the Hybrid Cloud WAF Exclusive edition. |

Pay-as-you-go

| Difference | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Supported regions | Chinese mainland and outside the Chinese mainland | Chinese mainland only |
| Metering unit | Unified as the Security Capacity Unit (SeCU); 1 SeCU is billed at USD 0.01. | None. |
| Aggregation method | Billed hourly. Features can be used directly without being enabled separately: billing starts when a feature is used and stops automatically when the configuration is deleted or the feature is disabled. No manual switching is required. | A feature must be enabled before use; billing starts when the feature is enabled and stops when it is disabled. |

Get started with WAF

Learn about WAF

  • Activate WAF (WAF 3.0 only; new purchases of WAF 2.0 are not supported)

  • Connect to WAF

Use WAF

  • View domain name assets: Asset Center (WAF 3.0) or Asset Discovery (WAF 2.0)

  • Use WAF for protection

  • Configure monitoring and alerting

  • View protection data

API operations

  • WAF 3.0 API reference

  • WAF 2.0 API reference