All Products
Search
Document Center

Web Application Firewall:Announcement on changes to the billing and implementation of pay-as-you-go WAF instances

Last Updated:Nov 29, 2024

Dear Alibaba Cloud users, Alibaba Cloud plans to adjust the billing rules of pay-as-you-go Web Application Firewall (WAF) instances. Thank you for your understanding and support.

Period

The changes are planned to take effect at 00:00:00 on December 10, 2024 (UTC+8). The actual effective time shall prevail.

Content

  1. If users of pay-as-you-go WAF 2.0 and WAF 3.0 instances do not add domain names or cloud service assets to the instances, the instances are released.

  2. The basic web protection module is renamed the core web protection module.

  3. The maximum threshold value for traffic billing protection is changed. If you want to specify a higher threshold value, contact your account manager or solution architect.

    • Chinese mainland: 30,000 queries per second (QPS).

    • Outside the Chinese mainland: 3,000 QPS.

  4. The billable items for hourly billing are changed.

Impact

The changes do not affect bills that are already generated. Subsequent bills are generated based on the new billable items. Thank you for your understanding and support.

  • Added billable items:

    • WAF instance: After you purchase a pay-as-you-go WAF instance, you are charged for this billable item. Unit price: 0.5 security capacity units (SeCUs) per hour.

    • Peak traffic throttling: You can specify a request percentage or QPS threshold for specific URLs or regions to create a rule to trigger throttling. You can configure the settings for traffic surge scenarios, such as promotions, to ensure the availability and stability of origin servers. Unit price: 150 SeCUs per rule-hour.

  • Adjusted billable items:

    Billable item

    Before

    After

    Core web protection - protection template

    Note

    You are charged for default protection templates after you add protected objects to WAF. You are charged for protection templates regardless of whether the templates are enabled.

    1 SeCU per hour

    3 SeCUs per template-hour

    Scan protection

    1 SeCU per rule-hour

    10 SeCUs per rule-hour

    Peak QPS

    Note

    If the portion exceeding the default limit is less than 5 QPS, it is calculated as 5 QPS.

    • Peak QPS ≤ 5,000: 0 SeCUs per hour

    • Peak QPS > 5,000: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS

    • Peak QPS ≤ 1,000: 0 SeCUs per hour

    • Peak QPS > 1,000: 1 SeCU per 5 QPS per hour for the portion exceeding 1,000 QPS

    Custom rule

    • Basic rules: 1 SeCU per rule-hour

    • Advance rules: 2 SeCUs per rule-hour

    Note

    Rules that meet one of the following conditions are advanced rules, and the others are basic rules:

    • The rule type is throttling.

    • The following match fields are used: Body and Body Parameter.

    • The following logical operators are used: regular expression match and regular expression mismatch.

    • The following advanced parameters are configured: Canary Release and Effective Mode.

    • Basic rules: 2 SeCUs per rule-hour

    • Advance rules: 5 SeCUs per rule-hour

    Note

    Rules that meet one of the following conditions are advanced rules, and the others are basic rules:

    • The rule type is throttling.

    • The following match fields are used: URI, IP, Referer, UA, QueryString, URI Path, QueryString Parameter, and Host.

    • The following logical operators are used: regular expression match and regular expression mismatch.

    • The following advanced parameters are configured: Canary Release and Effective Mode.

    Region blacklist

    3 SeCUs per rule-hour

    10 SeCUs per rule-hour

    Bot management

    1 SeCU per 10,000 requests

    Note

    If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000.

    1 SeCU per 7,500 requests

    Note

    If the number of requests within an hour is not a multiple of 7,500, it is rounded up to the nearest multiple of 7,500.

    API security

    1 SeCU per 10,000 requests

    Note

    If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000.

    1 SeCU per 7,500 requests

    Note

    If the number of requests within an hour is not a multiple of 7,500, it is rounded up to the nearest multiple of 7,500.

    Domain names added in CNAME record mode

    • One domain name: 0 SeCUs

    • More than one domain name: 2 SeCUs per additional domain name-hour

    Tiered pricing:

    • One domain name: 0 SeCUs

    • 2 to 10 domain names: 5 SeCUs per additional domain name-hour

    • 11 to 100 domain names: 3 SeCUs per additional domain name-hour

    • More than 100 domain names: 1 SeCU per additional domain name-hour