WAF 3.0 editions and features - Web Application Firewall

Web Application Firewall (WAF) 3.0 supports both subscription and pay-as-you-go billing methods. The features and billing methods available vary based on the edition of your WAF instance. You can select an edition and deployment method according to your needs. If you use a subscription WAF instance, you can upgrade its edition as needed. WAF 3.0 offers the following editions in ascending order of protection capabilities: Basic, Pro, Enterprise, and Ultimate.

Overview

For more information about the billing rules and activation methods of subscription and pay-as-you-go WAF 3.0 instances, see the following topics:

Subscription: Billing overview and Purchase a subscription WAF 3.0 instance.
Pay-as-you-go: Billing overview, Purchase a pay-as-you-go WAF 3.0 instance, and View bills.

Important

In WAF 3.0, traffic is measured only in queries per second (QPS). You do not need to pay attention to bandwidth limits in different editions. When you use WAF 3.0 to protect your web services, the service traffic is not affected by bandwidth limits.

Features

Feature	Description	Subscription Basic	Subscription Pro	Subscription Enterprise	Subscription Ultimate	Pay-as-you-go
Business scale
Website scale	The website scale based on which you can select a suitable WAF 3.0 edition.	Small-sized and personal websites that do not have special security requirements	Small- and medium-sized websites that do not have special security requirements	Medium-sized enterprise-grade websites that can be accessed by the public and have high data security requirements.	Medium- and large-sized enterprise-grade websites that have special security requirements. Note If you want to configure custom specifications for your WAF instance, contact your account manager or solution architect.	Websites whose workloads fluctuate.
QPS	The number of HTTP or HTTPS requests per second. For more information about the extended QPS, see Upgrade QPS specifications. For more information about the burstable QPS, see Enable burstable QPS (pay-as-you-go).	Free of charge for a request rate of up to 10 QPS The QPS quota cannot be increased Burstable QPS is not supported	Free of charge for a request rate of up to 2,000 QPS Extended QPS: Chinese mainland: 30,000 QPS Outside the Chinese mainland: 5,000 QPS Burstable QPS: Chinese mainland: 60,000 QPS Outside the Chinese mainland: 1,000 QPS If the extended QPS and burstable QPS do not meet your needs, contact your account manager or submit a ticket.	Free of charge for a request rate of up to 5,000 QPS Extended QPS: Chinese mainland: 30,000 QPS Outside the Chinese mainland: 5,000 QPS Burstable QPS: Chinese mainland: 60,000 QPS Outside the Chinese mainland: 1,000 QPS If the extended QPS and burstable QPS do not meet your needs, contact your account manager or submit a ticket.	Free of charge for a request rate of up to 10,000 QPS Extended QPS: Chinese mainland: 30,000 QPS Outside the Chinese mainland: 1,000 QPS Burstable QPS: Chinese mainland: 60,000 QPS Outside the Chinese mainland: 1,000 QPS If the extended QPS and burstable QPS do not meet your needs, contact your account manager or submit a ticket.	Maximum supported specifications: Chinese mainland: 30,000 QPS Outside the Chinese mainland: 3,000 QPS If the maximum QPS cannot meet your needs, contact your account manager or submit a .
Domain names	The number of domain names that you can add to WAF. The domain names include primary domain names, subdomains, and wildcard domain names. Each domain name is counted as one domain name. For more information about how to increase the domain name quota, see Upgrade domain name quota.	Free of charge for three domain names The domain name quota can be increased by up to 10 domain names	Free of charge for five domain names The domain name quota can be increased by up to 500 domain names	Free of charge for 10 domain names The domain name quota can be increased by up to 2,000 domain names	Free of charge for 50 domain names The domain name quota can be increased by up to 5,000 domain names	You can add up to 1,000 domain names to a pay-as-you-go WAF 3.0 instance
Hybrid cloud protection nodes	The number of hybrid cloud protection nodes that you can deploy. For more information about how to purchase additional quota for hybrid cloud protection nodes, see Upgrade node specifications.	Not supported	Not supported	Free of charge for one node If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two or more additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge	Free of charge for one node If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two or more additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge	Not supported
Protected objects	The cloud service instances and domain names that are added to WAF.	Up to 300 protected objects	Up to 600 protected objects	Up to 2,500 protected objects	Up to 10,000 protected objects	Up to 10,000 protected objects
Protected object groups	A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect.	Up to 10 protected object groups.	Up to 10 protected object groups.	Up to 10 protected object groups.	Up to 10 protected object groups.	Up to 100 protected object groups.
Protected object groups		Each protected object group can contain up to 50 protected objects.	Each protected object group can contain up to 50 protected objects.	Each protected object group can contain up to 50 protected objects.	Each protected object group can contain up to 50 protected objects.	Each protected object group can contain up to 100 protected objects.
Multi-account management	The feature that lets you add cloud resources within other Alibaba Cloud accounts to WAF.	Not supported	Not supported	Up to 5 member accounts	Up to 20 member accounts	Not supported
Security features Important Rule groups are no longer supported in the new version of the core protection rule module. For more information, see Announcement of upgrading the basic protection rule module in WAF 3.0.
Asset center	Supports basic asset management.	Not supported	Supported	Supported	Supported	Supported
Core protection rule	Supports official default rule groups.	Supported	Supported	Supported	Supported	Supported
	The custom rule groups of the basic protection rule module.	Not supported	Not supported	Up to 10 custom rule groups	Up to 30 custom rule groups	Up to 30 custom rule groups
	Custom protection templates	Up to 3 templates	Up to 10 templates	Up to 20 templates	Up to 50 templates	Up to 20 templates
Whitelist	The whitelist module that allows requests that have specific characteristics.	Up to 20 templates Up to 100 rules for a template	Up to 20 templates Up to 100 rules for a template	Up to 20 templates Up to 100 rules for a template	Up to 50 templates Up to 100 rules for a template	Up to 50 templates Up to 100 rules for a template
IP blacklist	The IP address blacklist module that blocks requests from specific IP addresses.	Not supported	Up to 5 templates You can add up to 400 IP addresses and 2 rules to a template	Up to 10 templates You can add up to 600 IP addresses and 3 rules to a template	Up to 20 templates You can add up to 1,000 IP addresses and 5 rules to a template	Up to 20 templates You can add up to 1,000 IP addresses and 5 rules to a template
Custom rule	The custom rule module that monitors, blocks, or verifies requests that match custom protection rules.	Not supported	Up to 10 templates Up to 100 rules for a template The custom rule module has the following features: IP address or URL match JavaScript verification Each rule can match up to 100 IP addresses	Up to 20 templates Up to 200 rules for a template The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match JavaScript validation and slider CAPTCHA verification Each rule can match up to 100 IP addresses Rate limiting is supported	Up to 50 templates Up to 200 rules for a template Supported capabilities: IP address or URL match, all header match, regular expression match, and body match JavaScript validation and slider CAPTCHA verification Each rule can match up to 100 IP addresses Rate limiting is supported	Up to 50 templates Up to 200 rules for a template Supported features: IP address or URL match, all header match, regular expression match, and body match JavaScript validation and slider CAPTCHA verification Each rule can match up to 100 IP addresses Rate limiting is supported
HTTP flood protection	The HTTP flood protection module that protects services against common HTTP flood attacks in Prevention mode or Prevention-emergency mode.	Not supported	Up to 5 templates	Up to 10 templates	Up to 20 templates	Up to 20 templates
Scan protection	The scan protection module that supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking.	Not supported	Up to 5 templates	Up to 10 templates	Up to 20 templates	Up to 20 templates
Peak traffic throttling	Supports region blocking, effective time zones, and custom rules	Not supported	Up to 5 templates (fee-based)	Up to 5 templates (fee-based)	Up to 5 templates (fee-based)	Up to 5 templates (fee-based)
Website tamper-proofing	The website tamper-proofing module that locks web pages to prevent content tampering.	Not supported	Up to 10 templates Up to 50 rules for a template	Up to 20 templates Up to 50 rules for a template	Up to 50 templates Up to 50 rules for a template	Up to 50 templates Up to 50 rules for a template
Location Blacklist	The region blacklist module that blocks requests from specific regions.	Not supported	Not supported	Up to 10 templates	Up to 20 templates	Up to 20 templates
Data leakage prevention	The data leakage prevention module that prevents leaks of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers.	Not supported	Up to 10 templates Up to 50 rules for a template	Up to 20 templates Up to 50 rules for a template	Up to 20 templates Up to 50 rules for a template	Up to 20 templates Up to 50 rules for a template
Custom response	The custom response module that lets you configure the custom block page that WAF returns to the client when WAF blocks a request from the client. You can configure the status code, the response headers, and the response body of the block page.	Not supported	Not supported	Up to 20 templates	Up to 50 templates	Up to 50 templates
Bot management	The bot management module that lets you configure anti-crawler rules for websites and applications.	Not supported	Up to 20 templates	Up to 50 templates	Up to 100 templates	Supported
Major event protection	The major event protection module that supports threat intelligence for major event protection, rule groups for major event protection, IP address blacklist for major event protection, and Shiro deserialization vulnerability prevention.	Not supported	You can enable paid support through a temporary upgrade.	To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade	Supported	To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade
API security	The API security module that protects the available API assets of the services that are added to WAF and detects API vulnerabilities.	Not supported	Fee-based	Fee-based	Fee-based	Supported
Anti-DDoS Origin Basic and blackhole filtering	The Anti-DDoS feature that defends against DDoS attacks. For more information about the defense capabilities, see thresholds that trigger blackhole filtering in Anti-DDoS Basic.	Supported	Supported	Supported	Supported	Supported
Note A custom rule can block up to 20,000 IP addresses. If you enter more than 20,000 IP addresses in a custom rule, the custom rule may not take effect. Maximum number of protected objects and protected object groups that can be added to a protection template: Ultimate Edition: 10. Pro Edition: 100. Enterprise Edition: 200. Ultimate Edition: 500. Pay-as-you-go Edition: 100.
Access modes Note For more information about the protection features that are supported by different access modes, see Access modes and protection features.
Cloud native mode	WAF protection for Application Load Balancer (ALB) instances WAF protection for Microservices Engine (MSE) instances WAF protection for custom domain names bound to web applications in Function Compute	Supported	Supported	Supported	Supported	Supported
Cloud native mode	WAF protection for Classic Load Balancer (CLB) instances WAF protection for Elastic Compute Service (ECS) instances	Supported Up to 300 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 600 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 2,500 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.
CNAME record mode	The CNAME record mode in which you can add websites to WAF.	Supported	Supported	Supported	Supported	Supported
Hybrid cloud mode	The hybrid cloud mode in which you can add web services that are deployed across third-party clouds or data centers to WAF to manage web services in a centralized manner.	Not supported	Not supported	Supported	Supported	Not supported
Other features
Alert setting	The alert setting feature that lets you use CloudMonitor and Simple Log Service to configure monitoring and alerting for WAF events and metrics.	Supported	Supported	Supported	Supported	Supported
Non-standard ports that are supported in CNAME record mode	The non-standard ports that are supported by WAF in CNAME record mode. The standard ports include ports 80, 8080, 443, and 8443.	Not supported	Not supported	Supported	Supported	Supported
IPv6 protection	The IPv6 protection feature that monitors and protects IPv6-based requests.	Not supported	Not supported	Supported in the Chinese mainland Not supported outside the Chinese mainland	Supported in the Chinese mainland Not supported outside the Chinese mainland	Supported in the Chinese mainland Not supported outside the Chinese mainland
Exclusive IP address	The exclusive IP address feature that lets you use exclusive IP addresses to protect domain names. For more information about how to purchase additional exclusive IP addresses, see Upgrade exclusive IP address specifications.	Not supported	Fee-based	Fee-based	Fee-based	Supported
Intelligent load balancing	The intelligent load balancing feature that lets you deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing.	Not supported	Fee-based	Fee-based	Fee-based	Supported
Simple Log Service for WAF	The Simple Log Service for WAF feature that collects and stores all logs in Logstores, allows near-real-time query and analysis, and provides online reports.	Not supported	Fee-based	Fee-based	Fee-based	Supported
Rule library management	Allows you to create custom protection rules to provide basic protection for hybrid cloud protected objects.	Not supported	Not supported	Supported	Supported	Not supported

Access modes and protection features

Feature	CNAME record mode	Cloud native mode (NLB, CLB, and ECS)	Cloud native mode (ALB, MSE, and Function Compute)	Hybrid cloud - reverse proxy mode	Hybrid cloud - SDK integration mode
Core protection rule	Supported	Supported	Supported	Supported	Supported
Whitelist	Supported	Supported	Supported	Supported	Supported
IP blacklist	Supported	Supported	Supported	Supported	Supported
Custom rule	Supported	Supported	Supported	Supported	Supported
HTTP flood protection	Supported	Supported	Supported	Supported	Supported
Scan protection	Supported	Supported	Supported	Supported	Supported
Location Blacklist	Supported	Supported	Supported	Supported	Supported
Website tamper-proofing	Supported	Supported	Supported for ALB instances MSE, FC: Not supported	Not supported	Not supported
Data leakage prevention	Supported	Supported	Not supported	Supported	Not supported
Custom response	Supported	Supported	Supported	Supported	Supported
Bot management - automatic integration of Web SDK	Supported	Supported	Not supported	Supported	Supported
Major event protection	Supported	Supported	Not supported	Not supported	Not supported
API security	Supported	Supported	Supported for ALB instances MSE, FC: Not supported	Supported	Supported
Peak traffic throttling	Supported	Supported	Not supported	Not supported	Supported