Subscription is a prepaid billing method that offers a greater discount than the pay-as-you-go option, which helps reduce your web application protection costs. This billing method is ideal if your resource usage is stable and predictable, or if your web services require long-term protection. This topic describes the billing rules for subscription Web Application Firewall (WAF) instances.
Scenarios
The subscription billing method is a better option than the pay-as-you-go billing method in the following scenarios:
Your resource usage is stable and predictable:
If you can predict stable resource needs for a specific period, you can select a subscription plan with a resource quota that is higher than your actual usage. This can reduce your costs compared to the pay-as-you-go method.
If your queries per second (QPS) rate is relatively stable, you can select the subscription billing method and enable the burstable QPS value-added service. This can reduce your costs compared to the pay-as-you-go method. In this mode, only requests that exceed the QPS quota of your subscription plan are billed on a pay-as-you-go basis.
Your web services require long-term WAF protection: If your web services require long-term protection, you can purchase a WAF subscription for a longer duration based on your business needs. This can reduce your protection costs compared to the pay-as-you-go method.
You have complex management or hybrid cloud access scenarios: The multi-account management feature and hybrid cloud access are supported only by subscription WAF instances of the Enterprise and Ultimate editions.
Billable items
Product and service prices are subject to change. For the actual prices, refer to your bill in the Alibaba Cloud console.
If you enable WAF protection for an Application Load Balancer (ALB) instance, you are charged for both WAF and the ALB instance. For more information, see Enable WAF protection for an ALB instance.
You cannot unsubscribe from your subscription instance through the console if you purchase a major event support package or enable the Multi-cloud/hybrid-cloud Protection, Bot Management - Web Protection, Bot Management - App Protection, or API Security value-added service.
Major event support fees
You are charged for the major event support feature based on the subscription duration. The minimum subscription duration is 30 days. For more information about security protection for major events and its billing, see Major event support.
The major event support feature is a paid service that you can enable after you purchase a WAF 3.0 instance. To enable the feature, log on to the WAF 3.0 console, select the resource group and region of your instance, and then, in the navigation pane on the left, choose .
The major event support feature is activated immediately upon purchase, regardless of when you purchased the instance. The validity period of the feature is the Subscription Duration that you specify when you enable the feature. After the validity period expires, the feature automatically stops protecting your services.
Subscription instance fees
The billing for a WAF subscription consists of basic service fees (mandatory) and value-added service fees (optional).
Basic service fees (required): These are the fees for the edition, specifications, and subscription duration that you select when you purchase the subscription instance.
Value-added service fees (optional, billed separately): In addition to basic services, you can select one or more value-added services as needed. All value-added services are subscription-based, except for burstable QPS and Fraud Detection. Burstable QPS and Fraud Detection are pay-as-you-go and billed based on monthly usage.
The following figure shows the billable items of a subscription instance.
Billing details
Basic service fees
For more information about the basic and value-added services supported by each subscription edition, see Version Guide.
Subscription edition | Unit price |
Basic Edition | USD 140/month |
Pro | USD 556/month |
Enterprise | USD 1,400/month |
Ultimate | USD 4,260/month |
Value-added service fees (subscription)
The Pro, Enterprise, and Ultimate editions offer a one-time free trial for Bot Management - Web Protection, Bot Management - App Protection, and API Security.
The free trial is valid for seven days after activation. After the trial ends, if you do not purchase the paid version, the protection configurations for the feature are automatically deleted. To retain the data from the trial period and continue using the protection configurations, you must purchase the feature before the trial ends.
WAF will launch a new version of bot management on July 20, 2025 (UTC+8). Existing users who have subscribed to the previous version of bot management can renew their subscription at the original price. For more information about the upgrade, pricing adjustments, and impacts of the new bot management version, see [Notice] Announcement on Major Version Upgrade and Service Pricing Adjustment of Bot Management.
Billable item | Basic Edition | Pro | Enterprise | Ultimate | |
Billed based on enabling status | Bot management - Web protection | Not supported |
|
|
|
Bot management - App protection | Not supported |
| |||
API security | Not supported | USD 720/month | USD 1,440/month | USD 2,880/month | |
Intelligent load balancing | Not supported | USD 150/month | |||
Peak traffic throttling | Not supported | USD 1,200/month | |||
Billed based on service configuration | Additional domain name | Tiered pricing based on the cumulative number of purchased domain names:
Note
For more information about the limits on the additional domain name quota, see Version Guide. | |||
Exclusive IP address | Not supported | USD 30 per IP address-month | |||
Additional QPS quota | Not supported | The Chinese mainland:
Outside the Chinese mainland:
Note
| |||
Simple Log Service | Not supported | The unit price of log storage capacity is USD 75 per TB-month Important After you enable the Simple Log Service for WAF feature, a minimum log storage capacity of 3 TB is purchased by default. You cannot scale in the log storage capacity to less than 3 TB. | |||
Additional multi-cloud/hybrid-cloud protection nodes | Not supported | Not supported | Tiered pricing based on the number of protection nodes purchased:
Note If you want to use WAF to protect services that are deployed in multicloud environments, on-premises data centers, internal networks, or Apsara Stack, but you cannot add the services to On-cloud WAF using a CNAME record and want to use on-premises WAF for protection, you can purchase additional multi-cloud/hybrid-cloud protection nodes. In reverse proxy mode, a single protection node supports up to 5,000 QPS for HTTP or 3,000 QPS for HTTPS. In SDK integration mode, a single protection node supports up to 15,000 QPS for HTTP/HTTPS. You can add more nodes to scale out the protection capability. | ||
Value-added service fees (pay-as-you-go)
Billable item | Basic Edition | Pro | Enterprise | Ultimate |
Fraud Detection (paid feature of bot management) | Not supported | You are charged if you configure rules and traffic hits the rules. Unit price: USD 0.007 per hit. Note You are not charged if you enable Fraud Detection but do not configure rules, or if you configure rules but no traffic hits the rules. For more information about the billing of the Fraud Detection feature, see Fraud Detection. | ||
Burstable QPS | Not supported | For more information about the billing of burstable QPS, see Burstable QPS. | ||
The pay-as-you-go feature may cause overdue payments for your account. Overdue payments can affect your use of Web Application Firewall. We recommend that you monitor your expenses and costs, and handle overdue payments promptly. For more information about how to handle overdue payments and their impacts, see Overdue payments.
Billing cycles
The billing cycle for subscription resources is the same as the subscription duration of the order and is based on UTC+8. A billing cycle starts at the exact time the resource is purchased or renewed and ends at 00:00:00 on the day after the expiration date.
Fees for pay-as-you-go value-added services are settled daily (UTC+8). A new billing cycle begins after the settlement is complete.
Subscription billing cycles measured in years or months refer to calendar years and calendar months.
The billing cycle for the major event support feature starts when you enable it and ends at the revert time you select during activation.
Pay-as-you-go fees are typically settled in the early morning. If you want to make configuration changes, such as adding a domain name or enabling a new protection feature, we recommend that you make them after 06:00 (UTC+8) each day. Otherwise, the changes might be included in the bill for the previous day.
If your available balance, including your Alibaba Cloud account balance and vouchers, is less than the amount of a pending bill, you will receive a low balance notification by text message or email.
Instance expiration
When your subscription instance expires, the protection service stops automatically. The following rules apply:
You will receive text message or email reminders 15, 7, 3, and 1 day before your instance expires. These reminders prompt you to renew the instance immediately.
If you do not renew the instance before it expires, the protection service stops upon expiration.
After the instance expires, your configurations in WAF 3.0 are retained for 15 days.
If you renew the instance within these 15 days, you can continue to use your existing configurations. If you do not renew the instance within this period, your WAF 3.0 configurations are released. You must then purchase a new instance and reconfigure WAF 3.0 to continue using the service.
Failure to renew on time may result in service suspension. The system sends renewal reminders. If you require continuous protection, renew your instance promptly to avoid service disruptions.
View bills
You can view the billing details of subscription instances, value-added services, and the actual usage of pay-as-you-go features on the WAF 3.0 bill management page. For more information, see View bills.
References
For more information about how to change your subscription edition, see Upgrade and downgrade.
For more information about instance renewal, see Renewal policy.
For more information about changing the billing method and unsubscribing from an instance, see Unsubscription rules.
For more information about value-added services, see Hybrid cloud access, Bot management, API security, Major event support, Burstable QPS, Exclusive IP addresses, and Simple Log Service.
If you require short-term WAF protection or want a more flexible billing method, see Pay-as-you-go billing of WAF 3.0.