Web Application Firewall: Purchase a pay-as-you-go WAF 3.0 instance

Last Updated: May 31, 2023

To get started with Web Application Firewall (WAF) 3.0, you must purchase a WAF 3.0 instance. WAF 3.0 supports the subscription and pay-as-you-go billing methods. This topic describes how to purchase a pay-as-you-go WAF 3.0 instance.

Purchase instructions

The pay-as-you-go billing method allows you to use resources before you pay for the resources. You are charged based on your resource usage. Fees are deducted from the balance of your Alibaba Cloud account after bills are generated at the end of each billing cycle.

For more information about pay-as-you-go WAF instances, see the following documents:


Make sure that your Alibaba Cloud account does not have a WAF instance. If your Alibaba Cloud account has a WAF 2.0 instance, you must release the WAF 2.0 instance before you purchase a WAF 3.0 instance. For information about how to release a WAF 2.0 instance, see Terminate the WAF instance.


After a WAF 2.0 instance is released, all configurations of the websites that are added to the instance are deleted. If a request is still redirected to the instance, the request cannot be forwarded to the origin server and the website cannot be accessed. Before you release the instance, make sure that the Domain Name System (DNS) records map the domain names that are added to the instance to the IP addresses of the origin servers. For information about how to modify DNS records, see Modify a DNS record.
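One way to run the DNS check described above before you release the instance, as an added example that is not part of the original Alibaba Cloud documentation. The domain names, IP addresses, and function names are constructed for illustration, and the resolver is injectable so that the sample runs offline.

```python
import ipaddress
import socket

def resolve_ips(domain):
    """Ask the local resolver for the A/AAAA addresses of a domain."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def check_release_readiness(origins, resolver=resolve_ips):
    """origins maps each protected domain to its origin server IPs.
    Returns {domain: (status, detail)}; status is ok, not_origin or unresolved."""
    report = {}
    for domain, expected in origins.items():
        expected_ips = {ipaddress.ip_address(ip) for ip in expected}
        try:
            answers = {ipaddress.ip_address(ip) for ip in resolver(domain)}
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[domain] = ("unresolved", str(exc))
            continue
        # Any answer outside the origin set means requests can still be sent
        # somewhere other than the origin, for example to the WAF instance.
        stray = sorted(str(ip) for ip in answers - expected_ips)
        if not answers:
            report[domain] = ("unresolved", "empty answer")
        elif stray:
            report[domain] = ("not_origin", stray)
        else:
            report[domain] = ("ok", sorted(str(ip) for ip in answers))
    return report

def safe_to_release(report):
    """True only when every domain resolves exclusively to origin IPs."""
    return all(status == "ok" for status, _ in report.values())

# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_ORIGINS = {
    "www.example.com": ["203.0.113.10"],
    "shop.example.com": ["203.0.113.20"],
    "old.example.com": ["203.0.113.30"],
}
SAMPLE_DNS = {
    "www.example.com": {"203.0.113.10"},
    "shop.example.com": {"198.51.100.7"},  # still points away from the origin
}

def fake_resolver(domain):
    """Offline stand-in for resolve_ips, backed by SAMPLE_DNS."""
    if domain not in SAMPLE_DNS:
        raise socket.gaierror(f"no DNS answer for {domain}")
    return SAMPLE_DNS[domain]
```

Against live DNS, call `check_release_readiness` with the default resolver; the result reflects only what the local resolver currently returns, so cached records with unexpired TTLs can differ from what other clients see.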


  1. Go to the Web Application Firewall 3.0 (Pay-as-you-go) buy page.

  2. Set the Billing Method parameter to Pay-as-you-go. Then, configure the other parameters based on your business requirements. The following table describes the parameters.




    Select the region where the WAF 3.0 instance resides. Valid values: Chinese Mainland and Outside Chinese Mainland.


    Select the version of the WAF 3.0 instance. By default, the value is set to Pay-as-you-go 3.0. You do not need to configure this parameter.

    Traffic Billing Protection Threshold

    Specify a threshold value for traffic billing protection.

    The following section describes the maximum threshold values that are supported by a pay-as-you-go WAF instance for traffic billing protection. By default, the threshold value for traffic billing protection of a pay-as-you-go WAF instance is set to the maximum value.

    • Chinese mainland: 100,000 QPS.

    • Outside the Chinese mainland: 10,000 QPS.

    If the peak QPS of traffic destined for a WAF instance exceeds the specified threshold value for traffic billing protection, the WAF instance is added to a sandbox. You are not charged traffic processing fees or feature fees that are generated in the hour when the WAF instance is added to a sandbox.


    If a WAF instance is added to a sandbox, the Service Level Agreement (SLA) is no longer guaranteed and service access exceptions may occur. The service access exceptions include but are not limited to packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing that is triggered by DDoS attacks, and blackhole filtering. To prevent service access exceptions, we recommend that you change the threshold value for traffic billing protection at the earliest opportunity. For more information, see The sandbox feature.

    For more information about the traffic billing protection feature, see Traffic billing protection.

  3. After you confirm the configurations, click Buy Now and complete the payment.

Related operations

  • If you purchase a pay-as-you-go WAF 3.0 instance, you can also purchase a security capacity unit (SeCU) resource plan on the WAF 3.0 SeCU Resource Plan buy page to offset fees and reduce costs. For more information, see SeCU resource plan.

  • If you no longer require a WAF 3.0 instance, you can release the WAF 3.0 instance. For more information, see Terminate the WAF service.

What to do next

After you purchase a WAF 3.0 instance, perform the following operations to use WAF 3.0 to protect your services:

  1. Add your services to WAF 3.0. For more information, see Website configuration overview.

  2. Configure protection policies for protected objects that are added to WAF 3.0. For more information, see Protection configuration overview.

  3. View protection data. For more information, see View security reports.