Pay-as-you-go is a billing method where you pay for resources after you use them. You can use resources on demand without making upfront payments. The system generates bills based on your actual usage and deducts fees from your Alibaba Cloud account balance at the end of each billing cycle. You can also purchase Security Capacity Unit (SeCU) resource plans to offset pay-as-you-go fees and reduce your costs. This topic describes the billing rules for pay-as-you-go Web Application Firewall (WAF).
Scenarios
Compared to the subscription billing method, the pay-as-you-go billing method is better suited for the following scenarios:
Services with fluctuating usage: If your resource usage is unpredictable, the pay-as-you-go billing method lets you pay based on your actual usage.
Temporary or bursty resource usage: If you have sudden and temporary fluctuations in resource demand, the pay-as-you-go method is recommended. It ensures resource availability for your services and can reduce your resource costs compared to a subscription instance with the same specifications.
Billing unit: SeCU
A Security Capacity Unit (SeCU) is a unified billing unit for pay-as-you-go WAF 3.0. The following rules apply:
The unit price of a SeCU is USD 0.01 (that is, 1 SeCU costs USD 0.01).
SeCUs are measured in one-hour intervals. For example, from 10:00:00 to 10:59:59.
SeCU usage is always rounded up to the next integer. For example, if you use 0.5 SeCU from 10:00:00 to 10:59:59, you are billed for 1 SeCU for that hour.
Billable items
For pay-as-you-go feature fees, billing for a protection rule begins as soon as it is configured. This applies regardless of whether a protected object exists, or the rule is enabled or disabled.
Major event support fee
The major event support feature is a prepaid service. The minimum subscription duration is 30 days. For more information about the billing for security protection during major events, see Major event support.
Major Event Support is a paid service that you can purchase after you activate a WAF 3.0 instance. Log on to the Web Application Firewall 3.0 console. Select the resource group and region where your instance is located. In the navigation pane on the left, choose Protection Configuration > Critical Event Protection to go to the page and activate the service.
The major event support feature is a separate subscription from the pay-as-you-go WAF 3.0 instance. This feature takes effect immediately after purchase and is valid for the Subscription Duration that you select. When the subscription expires, the protection automatically stops.
Total pay-as-you-go fees
Total pay-as-you-go fees consist of two parts: request processing fees and feature fees. The following sections describe the billable items. The WAF core protection rules have been upgraded. For more information, see [Notice] WAF 3.0 basic protection rule feature upgrade. New users should review the New billable items and details section. Existing users who have not upgraded their core protection rules should review the Old billable items and details section.
Both request processing fees and feature fees can be offset by SeCU resource plans. For more information about the offset rules, see SeCU resource plan overview.
To avoid high bills from excessive peak queries per second (QPS) during sudden traffic increases, such as from HTTP flood attacks, you can use pay-by-traffic protection. For more information about pay-by-traffic protection and its rules, see Pay-by-traffic protection.
If the actual peak QPS of a pay-as-you-go instance with pay-by-traffic protection enabled exceeds the specified threshold, the instance may be sandboxed.
WAF will release a new version of bot management on 2025-07-20 (UTC+8). After the upgrade, the new version will be billed in real time based on the new pricing. For more information about the upgrade, pricing adjustments, and changes, see [Notice] Announcement on major upgrade and service pricing adjustment of bot management.
New billable items and details
Billing details
Billing type | Billable item | Description | SeCU | |
Request processing fee: Hourly charges for requests processed. | Base traffic fee | Billed based on the total number of client requests processed per hour. This includes both legitimate and attack requests but excludes server responses. | 1 SeCU per 5,000 requests per hour Billed in increments of 5,000 requests. For details, see Billing examples. Includes whitelist costs. | |
Bot management | Billed based on the number of requests matching the protection targets per hour. Charges apply only when bot management is enabled. | 1 SeCU per 7,500 requests per hour Billed in increments of 7,500 requests. For details, see Billing examples. | ||
API security | Billed based on the number of requests matching the protection targets per hour. Charges apply only when API security is enabled. | 1 SeCU per 7,500 requests per hour Billed in increments of 7,500 requests. For details, see Billing examples. | ||
Peak QPS | Billed based on the maximum peak QPS reached within each hour. |
Billed in increments of 5 QPS. | ||
Fraud Detection (paid feature of bot management) | Billed based on the number of hits. | 1 SeC per hit per hour Note To use the Fraud Detection feature, you must enable Bot Management and Fraud Detection. For instructions, see Fraud Detection. | ||
Custom rule slider | Billed based on the number of calls. | 1 SeCU per 10 calls per hour Billed in increments of 10 calls. | ||
Feature fee: Hourly charges for specific features enabled. | WAF instance | Billing starts after a pay-as-you-go WAF instance is activated. | 0.5 SeCU per hour | |
Billed by number of configured rules Important Charges apply to all configured rules, regardless of their enabled/disabled status. To stop billing, you must delete the rule. | IP blacklist | Billed based on the number of configured IP blacklist rules. | 2 SeCU per rule per hour | |
Custom rules | Billed based on the number of configured custom rules. |
Note A rule is considered advanced if it meets any of the following:
| ||
Scan protection | Billed based on the number of configured scan protection rules. Each template contains 3 rules. | 10 SeCU per rule per hour | ||
HTTP flood protection | Billed based on the number of configured HTTP flood protection rules. | 2 SeCU per rule per hour | ||
Geo-blocking | Billed based on the number of configured geo-blocking rules. | 10 SeCU per rule per hour | ||
Custom responses | Billed based on the number of configured custom response rules. Each template contains 1 rule. | 10 SeCU per rule per hour | ||
Web tamper proofing | Billed based on the number of configured web tamper proofing rules. | 5 SeCU per rule per hour | ||
Data leak prevention | Billed based on the number of configured data leak prevention rules. | 5 SeCU per rule per hour | ||
Peak traffic throttling | Billed based on the number of configured peak traffic throttling rules. | 150 SeCU per rule per hour | ||
Advanced bot custom rules | Billed based on the number of configured advanced bot custom rules. | 15 SeCU per rule per hour | ||
Billed by usage count | Bot-Web or Bot-App protection template | Billed based on the number of configured Bot-Web and Bot-App protection templates, including enabled and disabled templates. |
| |
API security | Billed based on the number of protected objects for which API security is enabled. | 20 SeCU per protected object per hour | ||
Exclusive IP | Billed based on the number of domains with exclusive IP enabled. This is billed only for those domains added via CNAME. | 15 SeCU per exclusive IP per hour | ||
Number of domains added via CNAME | Billed based on the number of domain names added. Each domain, whether an exact match or a wildcard domain, is counted as a separate billable item. | Tiered pricing:
| ||
Billed by enable status | Non-standard port | Billed based on the number of enabled non-standard ports. | 25 SeCU per hour | |
Intelligent whitelisting engine | When core protection rules are configured, the intelligent whitelist is billed per enabled template. | 10 SeCU per template per hour | ||
Intelligent load balancing | Billed when the intelligent load balancer feature is enabled. | 50 SeCU per hour | ||
IPv6 | Billed when IPv6 support is enabled. | 50 SeCU per hour | ||
Asset center | Billed after the feature is enabled. | 1 SeCU per hour | ||
Web core protection rules Note Only one default template exists. | Default template: Billing starts after a protected object is added. Applies to both enabled and disabled states. | 3 SeCU per hour | ||
Custom template: Billed per template upon creation. Applies to both enabled and disabled states. | 3 SeCU per hour | |||
Other service billing items | Log service | Billed and invoiced uniformly through Alibaba Cloud Simple Log Service. | Not billed by WAF | |
Old billable items and details
Billing details
Billing type | Billable item | Description | SeCU | |
Request processing fee: The fee for requests within a one-hour period. | Basic traffic fee | Billed based on the number of business requests initiated by clients within a one-hour period. This includes normal and attack requests, but not server responses. | 1 SeCU per 5,000 requests per hour Note
| |
Bot management | Billed based on the number of requests that hit a protection object within a one-hour period. This is settled only when the bot management feature is enabled. | 1 SeCU per 7,500 requests per hour Note If the number of requests in a one-hour period is not an integer multiple of 7,500, the number is rounded up to the nearest multiple to calculate the SeCU usage. For more information, see Billing examples. | ||
API security | Billed based on the number of requests that hit a protection object within a one-hour period. This is settled only when the API security feature is enabled. | 1 SeCU per 7,500 requests per hour Note If the number of requests in a one-hour period is not an integer multiple of 7,500, the number is rounded up to the nearest multiple to calculate the SeCU usage. For more information, see Billing examples. | ||
Peak QPS | Billed hourly based on the peak QPS within a one-hour period. |
Note If the excess portion is less than 5 QPS, it is billed as 5 QPS. | ||
Fraud Detection (paid feature of bot management) | Billed based on the number of hits. | 1 SeCU per hit per hour Note To use the Fraud Detection feature, you must enable Bot Management and Fraud Detection. For more information about how to enable the feature, see Fraud Detection. | ||
Custom rule slider | Billed based on the number of invocations. | 1 SeCU per 10 invocations per hour Note If the number of invocations is less than 10, it is billed as 10. | ||
Feature fee: The fee for using different features within a one-hour period. | WAF instance | Billing starts after a pay-as-you-go WAF instance is activated. | 0.5 SeCU per rule per hour | |
Billed by number of configured protection rules Important Fees are still incurred for these rules even if they are disabled. If you do not want to incur fees for these rules, delete them. | IP blacklist | Billed based on the number of configured IP blacklist rules, including enabled and disabled rules. | 2 SeCU per rule per hour | |
Custom rules | Billed based on the number of configured custom rules, including enabled and disabled rules. |
Note A rule is considered an advanced rule if it meets one of the following conditions. Otherwise, it is a basic rule:
| ||
Scan protection | Billed based on the number of configured scan protection rules, including enabled and disabled rules. Each scan protection template contains 3 rules. | 10 SeCU per rule per hour | ||
HTTP flood protection | Billed based on the number of configured HTTP flood protection rules, including enabled and disabled rules. | 2 SeCU per rule per hour | ||
Location Blacklist | Billed based on the number of configured Location Blacklist rules, including enabled and disabled rules. | 10 SeCU per rule per hour | ||
Custom responses | Billed based on the number of configured custom response rules, including enabled and disabled rules. Each custom response template contains 1 rule. | 10 SeCU per rule per hour | ||
Web tamper proofing | Billed based on the number of configured web tamper proofing rules, including enabled and disabled rules. | 5 SeCU per rule per hour | ||
Data leak prevention | Billed based on the number of configured data leak prevention rules, including enabled and disabled rules. | 5 SeCU per rule per hour | ||
Peak traffic throttling | Billed based on the number of configured peak traffic throttling rules, including enabled and disabled rules. | 150 SeCU per rule per hour | ||
Advanced bot custom rules | Billed based on the number of configured advanced bot custom rules, including enabled and disabled rules. | 15 SeCU per rule per hour | ||
Bot-Web per Bot-App protection template | Billed based on the number of configured Bot-Web and Bot-App protection templates, including enabled and disabled templates. |
| ||
API security | Billed based on the number of protected objects for which API security is enabled. | 20 SeCU per protected object per hour | ||
Exclusive IP address | Billed based on the number of domain names with exclusive IP addresses enabled. This is settled only for CNAME connections. | 15 SeCU per exclusive IP address per hour | ||
Number of domain names connected using CNAME | Billed based on the number of connected domain names. This is settled only for CNAME connections. The actual number of connected domain names is used for calculation, regardless of whether they are primary or wildcard domain names. |
| ||
Billed by feature enablement status | Non-standard ports | Billed when non-standard ports are enabled. | 25 SeCU per hour | |
Intelligent whitelist | When configuring core protection rules, the intelligent whitelist is billed based on the enablement status of each template. |
| ||
Intelligent load balancing | Billed based on the enablement status of intelligent load balancing. |
| ||
IPv6 | Billed based on the enablement status of IPv6. |
| ||
Asset Center | Billed after the feature is enabled. |
| ||
Web core protection rules Note There is only one default template. | Default template: Billing starts after a protected object is added. This applies to both enabled and disabled states. |
| ||
Non-default template: Billed based on the number of templates after creation. This applies to both enabled and disabled states. | 3 SeCU per template per hour | |||
Other service billing items | Simple Log Service | Billed and settled uniformly by Alibaba Cloud Simple Log Service. | Not billed by WAF | |
Billing examples
Example 1
You add five domain names to WAF for protection using the canonical name (CNAME) connection type and configure two IP blacklist rules. In a full hour, the number of business requests is 0, and the peak queries per second (QPS) is 0.
In this scenario, the request processing fee for one full hour is 0 SeCU and the feature fee is 27.5 SeCU. The total cost is USD 0.275. The following table provides a detailed breakdown of the charges.
Billing type | Billable item | Unit price | SeCU (rounded up to the nearest hour) | Total cost (1 SeCU = USD 0.01) |
Request processing fee | Basic traffic fee | 1 SeCU per 5,000 requests | 0 SeCU | 0.01 × 0 = USD 0 |
Peak QPS | Peak QPS ≤ 1,000 QPS: 0 SeCU per hour | 0 SeCU | 0.01 × 0 = USD 0 | |
Feature fee | CNAME connection | Tiered pricing:
| 1 × 0 + 4 × 5 = 20 SeCU | 0.01 × 20 = USD 0.2 |
WAF instance | Billing starts after you enable a pay-as-you-go WAF instance. 0.5 SeCU per hour | 0.5 SeCU | 0.01 × 0.5 = USD 0.005 | |
IP blacklist | 2 SeCU per rule | 4 SeCU | 0.01 × 4 = USD 0.04 | |
Core web protection rules Note Billing starts after a protected object is added to the default template. | With a protected object: 3 SeCU per hour | 3 SeCU | 0.01 × 3 = USD 0.03 |
Example 2
You add 12 domain names to WAF for protection using the CNAME connection type. For two of the domain names, you enable exclusive IP addresses and intelligent load balancing. You also create one scan protection template. In a full hour, the number of business requests is 50,001, and the peak QPS is 4,000.
In this scenario, the request processing fee for the hour is 611 SeCU and the feature fee is 164.5 SeCU. The total cost is USD 7.755. The following table provides a detailed breakdown of the charges.
Billing type | Billable item | Unit price | SeCU (rounded up to the nearest hour) | Total cost (1 SeCU = USD 0.01) |
Request processing fee | Basic traffic fee | 1 SeCU per 5,000 requests | 11 SeCU | 0.01 × 11 = USD 0.11 |
Peak QPS | Peak QPS ≤ 1,000 QPS: 0 SeCU per hour > 1,000 QPS: 1 SeCU per 5 QPS per hour for the excess part | 600 SeCU | 0.01 × 600 = USD 6 | |
Feature fee | WAF instance | Billing starts after you enable a pay-as-you-go WAF instance. 0.5 SeCU per hour | 0.5 SeCU | 0.01 × 0.5 = USD 0.005 |
CNAME connection | Tiered pricing:
| 1 × 0 + 9 × 5 + 2 × 3 = 51 SeCU | 0.01 × 51 = USD 0.51 | |
Exclusive IP address | 15 SeCU each | 30 SeCU | 0.01 × 30 = USD 0.3 | |
Intelligent load balancing | Enabled: 50 SeCU per hour | 50 SeCU | 0.01 × 50 = USD 0.5 | |
Scan protection Note Each scan protection template includes three rules by default. | 10 SeCU per rule | 30 SeCU | 0.01 × 30 = USD 0.3 | |
Core web protection rules Note Billing starts after a protected object is added to the default template. | With a protected object: 3 SeCU per hour | 3 SeCU | 0.01 × 3 = USD 0.03 |
Example 3
You enable WAF protection for a Layer 7 Classic Load Balancer (CLB) (HTTP/HTTPS) instance using the cloud native mode (for example, in the US (Silicon Valley) region). You add the domain names from the CLB instance as protected objects in WAF. In addition to configuring core web protection rules, you also enable the bot management and HTTP flood protection features and configure their corresponding protection templates. You configure two HTTP flood protection rules, which are disabled. You configure one bot management template, which is enabled. When configuring the template, you also enable the Fraud Detection feature and configure its rules. In a full hour, the number of business requests is 4,200, and the peak QPS is 537. The bot management rules are hit 34 times, and the Fraud Detection rules are hit 3 times.
In this scenario, the request processing fee for one full hour is 5 SeCU and the feature fee is 57.5 SeCU. The total cost for the hour is USD 0.625. The following table provides a detailed breakdown of the charges.
Billing type | Billable item | Unit price | SeCU (rounded up to the nearest hour) | Total cost (1 SeCU = USD 0.01) |
Request processing fee | Basic traffic fee | 1 SeCU per 5,000 requests | 1 SeCU | 0.01 × 1 = USD 0.01 |
Peak QPS | Peak QPS ≤ 1,000 QPS: 0 SeCU per hour | 0 SeCU | 0.01 × 0 = USD 0 | |
Bot management | Billed based on the number of requests that hit a protected object in a full hour. 1 SeCU per 7,500 requests | 1 SeCU | 0.01 × 1 = USD 0.01 | |
Fraud Detection | Billed based on the number of hits. 1 SeCU per hit | 3 SeCU | 0.01 × 3 = USD 0.03 | |
Feature fee | WAF instance | Billing starts after you enable a pay-as-you-go WAF instance. 0.5 SeCU per hour | 0.5 SeCU | 0.01 × 0.5 = USD 0.005 |
Core web protection rules Note Billing starts after a protected object is added to the default template. | With a protected object: 3 SeCU per hour | 3 SeCU | 0.01 × 3 = USD 0.03 | |
Bot management | Billed based on the number of configured bot management templates, including both enabled and disabled templates. 50 SeCU per template | 50 SeCU | 0.01 × 50 = USD 0.5 | |
HTTP flood protection | Billed based on the number of configured HTTP flood protection rules, including both enabled and disabled rules. 2 SeCU per rule | 4 SeCU | 0.01 × 4 = USD 0.04 |
Example 4
You enable WAF protection for an Application Load Balancer (ALB) instance using the cloud native mode (for example, in the US (Silicon Valley) region). You also create two custom response templates that are applied to different protected objects. In a full hour, the number of business requests is 50,004, and the peak QPS is 5,997.
In this scenario, the request processing fee for the hour is 1011 SeCU, and the feature fee is 23.5 SeCU. The WAF-enabled ALB instance fee is USD 0.035 per hour, for a total cost of USD 10.38. The following table provides a detailed breakdown of the charges.
Billing type | Billable item | Unit price | SeCU (rounded up to the nearest hour) | Total cost (1 SeCU = USD 0.01) |
Request processing fee | Basic traffic fee | 1 SeCU per 5,000 requests | 11 SeCU | 0.01 × 11 = USD 0.11 |
Peak QPS | Peak QPS > 1,000 QPS: 1 SeCU per 5 QPS per hour for the excess part | 1000 SeCU | 0.01 × 1000 = USD 10 | |
Feature fee | WAF instance | Billing starts after you enable a pay-as-you-go WAF instance. 0.5 SeCU per hour | 0.5 SeCU | 0.01 × 0.5 = USD 0.005 |
Custom response | 10 SeCU per template | 20 SeCU | 0.01 × 20 = USD 0.2 | |
Core web protection rules Note Billing starts after a protected object is added to the default template. | With a protected object: 3 SeCU per hour | 3 SeCU | 0.01 × 3 = USD 0.03 | |
WAF-enabled ALB instance fee | USD 0.035 per hour. The actual price is subject to the price on the purchase page. | N/A | 0.035 × 1 = USD 0.035 | |
To estimate daily or long-term costs for pay-as-you-go WAF, calibrate your estimates based on the peaks and troughs of your actual business traffic. For example, if your business experiences high traffic from 06:00 to 18:00 daily and almost no traffic at other times, you can estimate your average daily pay-as-you-go cost based on the costs incurred during the active period. This provides a more accurate long-term cost estimate.
After you enable pay-as-you-go for WAF, your actual usage and fees are detailed in your Alibaba Cloud bill.
Billing cycle
Pay-as-you-go bills are settled daily based on UTC+8. A new billing cycle starts after each settlement.
Bills are settled in the early morning. Make any feature changes, such as adding a domain name or enabling a new protection feature, after 06:00 (UTC+8) each day. Changes made before this time might appear on the previous day's bill.
If your available credit (including your Alibaba Cloud account balance and coupons) is not enough to cover a pending bill, you will receive a low balance alert by text message or email.
Overdue payments
An overdue payment can affect your WAF service. Monitor your Expenses and Costs and resolve any overdue payments promptly. For more information, see Overdue payments.
If a payment is overdue, your service is at risk of suspension. The system sends renewal reminders to help you avoid service interruptions.
View bills
To view the actual usage and detailed costs for pay-as-you-go instances on the WAF 3.0 bill management page, see View bills.
References
To unsubscribe from a WAF 3.0 subscription instance or shut down a pay-as-you-go instance, see Unsubscription instructions.
To handle service anomalies caused by automated tools, such as scripts and emulators, see Bot management (Legacy).
For more information about features such as detecting API threats (such as unauthorized access, excessive exposure of sensitive data, and internal API leaks), reconstructing API anomalous activity using reports, reviewing outbound data, and tracing the source of Sensitive Data Leak Events, see API Security.
To query web access logs and attack mitigation logs for protected objects, see Log Management Overview.
For details about the advanced rules and Basic Policies for billing, see Match condition descriptions.