WAF 3.0 comes in five editions. Use this page to compare their capabilities and choose the one that fits your traffic volume, deployment model, and security requirements.
This page covers features only. For pricing, see Subscription billing details and Pay-as-you-go billing details.
Choose an edition
| Edition | Best for | QPS limit |
|---|---|---|
| Basic | Small websites and development environments with predictable, low traffic | 10 QPS |
| Pro | Growing small-to-medium businesses with moderate traffic | 2,000 QPS |
| Enterprise | Large organizations needing hybrid cloud support, compliance features, and multi-account management | 5,000 QPS |
| Ultimate | Mission-critical applications requiring maximum scale, dedicated support, and premium threat intelligence | 10,000 QPS |
| Pay-as-you-go | Variable or unpredictable workloads, testing environments, or high-volume needs without long-term commitments | 30,000 QPS (Chinese mainland) |
Performance and capacity
WAF 3.0 measures throughput in Queries Per Second (QPS) rather than bandwidth, which gives more predictable performance for modern applications. Size your edition based on peak request volume — including API calls, page loads, and AJAX requests.
Domain limits apply per unique hostname or wildcard pattern. For example, example.com, api.example.com, and *.cdn.example.com each consume one domain slot.
| Feature | Basic | Pro | Enterprise | Ultimate | Pay-as-you-go |
|---|---|---|---|---|---|
| QPS limit | 10 | 2,000 | 5,000 | 10,000 | Chinese mainland: 30,000; Outside the Chinese mainland: 3,000 |
| Additional purchasable QPS | — | Chinese mainland: 30,000; Outside the Chinese mainland: 5,000 | Chinese mainland: 30,000; Outside the Chinese mainland: 5,000 | Chinese mainland: 30,000; Outside the Chinese mainland: 1,000 | — |
| Additional purchasable burstable QPS (pay-as-you-go) | — | Chinese mainland: 60,000; Outside the Chinese mainland: 1,000 | Chinese mainland: 60,000; Outside the Chinese mainland: 1,000 | Chinese mainland: 60,000; Outside the Chinese mainland: 1,000 | — |
| Max domain names | 3 | 5 | 10 | 50 | 1,000 |
| Additional purchasable domains | 10 | 500 | 2,000 | 5,000 | — |
| Hybrid cloud protection nodes | — | — | 1 | 1 | — |
| Complimentary domains for hybrid cloud nodes | — | — | 1 node: 100 free domains; 2+ nodes: 200 free domains | 1 node: 100 free domains; 2+ nodes: 200 free domains | — |
| Protected objects (cloud service instances and domains) | 300 | 600 | 2,500 | 10,000 | 10,000 |
| Protected object groups | 10 | 10 | 10 | 10 | 100 |
| Protected objects per group | 50 | 50 | 50 | 50 | 100 |
| Multi-account management | — | — | 5 accounts | 20 accounts (customizable) | — |
Deployment and integration
When you add ECS, SLB, and NLB instances in cloud-native mode, make sure that traffic redirection ports do not exceed your protected objects limit.
| Feature | Basic | Pro | Enterprise | Ultimate | Pay-as-you-go |
|---|---|---|---|---|---|
| Cloud-native mode | Supported | Supported | Supported | Supported | Supported |
| CNAME access | Supported | Supported | Supported | Supported | Supported |
| Hybrid cloud | — | — | Supported | Supported | — |
| CNAME access to non-standard ports | — | — | Supported | Supported | Paid add-on |
| IPv6 via CNAME access | — | — | Chinese mainland: Supported; Outside the Chinese mainland: — | Chinese mainland: Supported; Outside the Chinese mainland: — | Chinese mainland: Paid add-on; Outside the Chinese mainland: — |
| Dedicated IP address for domains added via proxy mode | — | Paid add-on | Paid add-on | Paid add-on | Paid add-on |
| Intelligent load balancing via CNAME access | — | Paid add-on | Paid add-on | Paid add-on | Paid add-on |
| Max upload file size configuration (default: 2 GB) | — | — | — | Supported | — |
Core security features
The updated web core protection rules no longer support rule groups. For details, see [Announcement] WAF 3.0 basic protection rule feature upgrade.
Custom rules can block a maximum of 20,000 IP addresses. Exceeding this limit may cause rules to stop taking effect.
| Feature | Basic | Pro | Enterprise | Ultimate | Pay-as-you-go |
|---|---|---|---|---|---|
| Default rule group for web core protection | Supported | Supported | Supported | Supported | Supported |
| Custom rule groups for web core protection | — | — | 10 | 30 | 30 |
| Custom protection templates for web core protection | 3 | 10 | 20 | 50 | 20 |
| Whitelist templates | 20 | 20 | 20 | 50 | 50 |
| Rules per whitelist template | 100 | 100 | 100 | 100 | 100 |
| IP blacklist templates | — | 5 | 10 | 20 | 20 |
| IPs and rules per IP blacklist template | — | 400 IPs, 2 rules | 600 IPs, 3 rules | 1,000 IPs, 5 rules | 1,000 IPs, 5 rules |
| Custom rule templates | — | 10 | 20 | 50 | 50 |
| Rules per custom rule template | — | 100 | 200 | 200 | 200 |
| Match fields for custom rules | — | IP, URL | IP, URL, all headers, regex, body | IP, URL, all headers, regex, body | IP, URL, all headers, regex, body |
| IP addresses per custom rule | — | 100 | 100 | 100 | 100 |
| Actions for custom rules | — | JavaScript validation | JS challenge, slider CAPTCHA verification | JS challenge, slider CAPTCHA verification | JS challenge, slider CAPTCHA verification |
| Rate limiting in custom rules | — | — | Supported | Supported | Supported |
| Webpage tamper-proofing templates | — | 10 | 20 | 50 | 50 |
| Rules per webpage tamper-proofing template | — | 50 | 50 | 50 | 50 |
| Data leakage prevention templates | — | 10 | 20 | 20 | 20 |
| Rules per data leakage prevention template | — | 50 | 50 | 50 | 50 |
| Geo-blocking templates | — | — | 10 | 20 | 20 |
| HTTP flood protection templates | — | 5 | 10 | 20 | 20 |
| Scanning protection templates | — | 5 | 10 | 20 | 20 |
| Custom response templates | — | — | 20 | 50 | 50 |
| Max protected objects and groups per protection template | 10 | 100 | 200 | 500 | 100 |
| DDoS basic protection and blackhole filtering | Supported | Supported | Supported | Supported | Supported |
Enhanced threat detection and intelligence
| Feature | Basic | Pro | Enterprise | Ultimate | Pay-as-you-go |
|---|---|---|---|---|---|
| Bot management | — | Paid add-on (up to 20 templates) | Paid add-on (up to 50 templates) | Paid add-on (up to 100 templates) | Paid add-on |
| Critical event protection | — | Available by temporarily upgrading | Available by temporarily upgrading | Included | Paid add-on |
| API security | — | Paid add-on | Paid add-on | Paid add-on | Paid add-on |
| Peak traffic throttling | — | Paid add-on | Paid add-on | Paid add-on | Paid add-on |
| Threat intelligence | — | — | Supported | Supported | Paid add-on |
| IP address book capacity | — | 3,000 IPs | 10,000 IPs | 50,000 IPs (customizable) | 3,000 IPs |
O&M and monitoring
| Feature | Basic | Pro | Enterprise | Ultimate | Pay-as-you-go |
|---|---|---|---|---|---|
| Asset center | — | Supported | Supported | Supported | Supported |
| Alert settings | Supported | Supported | Supported | Supported | Supported |
| Simple Log Service | — | Paid add-on | Paid add-on | Paid add-on | Supported |
| Rule library management | — | — | Supported | Supported | — |