WAF 3.0 editions and features - Web Application Firewall

Web Application Firewall (WAF) 3.0 supports the subscription and pay-as-you-go billing methods. Different editions provide different protection capabilities. You can select an edition based on your business requirements and the deployment method. If you use a subscription WAF instance, you can upgrade the edition of the WAF instance. WAF 3.0 supports the following editions: Basic, Pro, Enterprise, and Ultimate. The editions are listed in ascending order based on protection capabilities.

Overview

For information about the billing rules and purchase methods of subscription and pay-as-you-go WAF 3.0 instances, see the following topics:

Subscription: Billing overview and Purchase a subscription WAF 3.0 instance.
Pay-as-you-go: Billing overview, Purchase a pay-as-you-go WAF 3.0 instance, and View bills.

Features

Feature	Description	Subscription Basic Edition	Subscription Pro Edition	Subscription Enterprise Edition	Subscription Ultimate Edition	Pay-as-you-go Edition
Business scale
Website scale	The size of the website based on which you can select a WAF 3.0 edition.	Small-sized and personal websites that do not have specific security requirements.	Small- and medium-sized websites that do not have specific security requirements.	Medium-sized enterprise-grade websites that can be accessed by the public and have high data security requirements.	Medium- and large-sized enterprise-grade websites that have custom security requirements. Note If you want to configure custom specifications for your WAF instance, contact your account manager or solution architect.	Websites whose workloads frequently fluctuate.
QPS	The number of HTTP/HTTPS requests per second. For information about how to increase the queries per second (QPS) quota, see Upgrade a WAF instance. For information about the burstable QPS (pay-as-you-go) feature, see Burstable QPS (pay-as-you-go).	Free of charge for a request rate of up to 10 QPS. The QPS quota cannot be increased. Burstable QPS (pay-as-you-go) is not supported.	Free of charge for a request rate of up to 2,000 QPS. Maximum additional QPS quota: Chinese mainland: 30,000 QPS. Outside the Chinese mainland: 5,000 QPS. Maximum burstable QPS quota: Chinese mainland: 60,000 QPS. Outside the Chinese mainland: 1,000 QPS.	Free of charge for a request rate of up to 5,000 QPS. Maximum additional QPS quota: Chinese mainland: 30,000 QPS. Outside the Chinese mainland: 5,000 QPS. Maximum burstable QPS quota: Chinese mainland: 60,000 QPS. Outside the Chinese mainland: 1,000 QPS. If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.	Free of charge for a request rate of up to 10,000 QPS. Maximum additional QPS quota: Chinese mainland: 30,000 QPS. Outside the Chinese mainland: 1,000 QPS. Maximum burstable QPS quota: Chinese mainland: 60,000 QPS. Outside the Chinese mainland: 1,000 QPS. If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.	Maximum QPS quota: Chinese mainland: 100,000 QPS. Outside the Chinese mainland: 10,000 QPS. If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.
Number of domain names	The number of domain names that can be added to WAF. The domain names include second-level domain names, subdomains, and wildcard domain names. For information about how to increase the domain name quota, see Upgrade a WAF instance.	Free of charge for three domain names. The domain name quota can be increased by up to 10 domain names.	Free of charge for five domain names. The domain name quota can be increased by up to 500 domain names.	Free of charge for 10 domain names. The domain name quota can be increased by up to 2,000 domain names.	Free of charge for 50 domain names. The domain name quota can be increased by up to 5,000 domain names.	Up to 1,000 domain names can be added to a pay-as-you-go WAF 3.0 instance.
Hybrid cloud protection nodes	The number of hybrid cloud protection nodes that you can deploy. For information about how to purchase additional hybrid cloud protection nodes, see Upgrade a WAF instance.	Not supported	Not supported	Free of charge for one hybrid cloud protection node. If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two or more additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.	Free of charge for one hybrid cloud protection node. If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two or more additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.	Not supported
Protected objects	The protected objects that you can add to WAF, such as cloud service instances and domain names.	Up to 300 protected objects can be added.	Up to 600 protected objects can be added.	Up to 2,500 protected objects can be added.	Up to 10,000 protected objects can be added.	Up to 10,000 protected objects can be added.
Multi-account management	The feature that allows you to add cloud resources within other Alibaba Cloud accounts to WAF.	Not supported	Not supported	Up to five members are supported.	Up to 20 members are supported.	Not supported
Security features
Asset center	The asset center feature that you can enable to manage assets.	Not supported	Supported	Supported	Supported	Supported
Basic protection rules	The default basic protection rule group of the basic protection rule module.	Supported	Supported	Supported	Supported	Supported
Basic protection rules	Custom rule groups of the basic protection rule module.	Not supported	Not supported	Up to 10 custom rule groups can be configured.	Up to 30 custom rule groups can be configured.	Up to 30 custom rule groups can be configured.
Whitelist	The whitelist module that allows requests that have specific characteristics.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 50 templates can be configured. Up to 100 rules can be configured for a template.	Up to 50 templates can be configured. Up to 100 rules can be configured for a template.
IP address blacklist	The IP address blacklist module that blocks requests from specific IP addresses.	Not supported	Up to five templates can be configured. Up to 400 IP addresses can be added to a template.	Up to 10 templates can be configured. Up to 600 IP addresses can be added to a template.	Up to 20 templates can be configured. Up to 1,000 IP addresses can be added to a template.	Up to 20 templates can be configured. Up to 1,000 IP addresses can be added to a template.
Custom rules	The custom rule module that monitors, blocks, or verifies requests that match custom protection rules.	Not supported	Up to 10 templates can be configured. Up to 100 rules can be configured for a template. The custom rule module has the following features: IP address or URL match is supported. JavaScript validation is supported. Each rule can match up to 100 IP addresses.	Up to 20 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation and slider CAPTCHA verification are supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.	Up to 50 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation and slider CAPTCHA verification are supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.	Up to 50 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation and slider CAPTCHA verification are supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.
HTTP flood protection	The HTTP flood protection module that protects services against common HTTP flood attacks in Prevention mode or Prevention-emergency mode.	Not supported	Up to five templates can be configured.	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Scan protection	The scan protection module that supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking.	Not supported	Up to five templates can be configured.	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Website tamper-proofing	The website tamper-proofing module that locks web pages to prevent content tampering.	Not supported	Up to 10 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 50 templates can be configured. Up to 50 rules can be configured for a template.	Up to 50 templates can be configured. Up to 50 rules can be configured for a template.
Region blacklist	The region blacklist module that blocks requests from specific regions.	Not supported	Not supported	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Data leakage prevention	The data leakage prevention module that prevents leaks of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers.	Not supported	Up to 10 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.
Custom response	The custom response module that allows you to configure the custom block page that is returned by WAF to a client when WAF blocks a request that is sent from the client. You can specify the status code, response headers, and response body of the block page.	Not supported	Not supported	Up to 20 templates can be configured.	Up to 50 templates can be configured.	Up to 50 templates can be configured.
Bot management	The bot management module that allows you to configure anti-crawler rules for websites and apps.	Not supported	Supported with fees charged	Supported with fees charged	Supported with fees charged	Supported
Major event protection	The major event protection module that supports threat intelligence for major event protection, rule groups for major event protection, IP address blacklist for major event protection, and Shiro deserialization vulnerability prevention.	Not supported	To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.	To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.	Supported	To enable the major event protection feature, temporarily upgrade the edition of your WAF instance. You are charged for the upgrade.
API security	The API security module that protects the available API assets of the services that are added to WAF and detects API vulnerabilities.	Not supported	Supported with fees charged	Supported with fees charged	Supported with fees charged	Supported
Anti-DDoS Origin Basic and blackhole filtering	The Anti-DDoS Origin Basic service that defends against DDoS attacks. For information about defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.	Supported	Supported	Supported	Supported	Supported
Note A custom rule can block up to 20,000 IP addresses. If you enter more than 20,000 IP addresses, the custom rule may not take effect.
Access modes Note For information about the protection features that are supported by different access modes, see Access modes and protection features.
Cloud native mode	WAF protection for Application Load Balancer (ALB) instances WAF protection for Microservices Engine (MSE) instances WAF protection for custom domain names bound to web applications in Function Compute	Supported	Supported	Supported	Supported	Supported
Cloud native mode	WAF protection for Layer 7 Classic Load Balancer (CLB) instances WAF protection for Layer 4 CLB instances WAF protection for Elastic Compute Service (ECS) instances	Supported. Up to 300 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported. Up to 600 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported. Up to 2,500 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported. Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported. Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.
CNAME record mode	The CNAME record mode in which you can add websites to WAF.	Supported	Supported	Supported	Supported	Supported
Hybrid cloud mode	The hybrid cloud mode in which you can add web services that are deployed across third-party clouds or data centers to WAF to manage web services in a centralized manner.	Not supported	Not supported	Supported	Supported	Not supported
Other features
Alert setting	The alert setting feature that allows you to use CloudMonitor and Simple Log Service to configure monitoring and alerting for WAF events and metrics.	Supported	Supported	Supported	Supported	Supported
Non-standard ports that are supported in CNAME record mode	The non-standard ports that are supported by WAF in CNAME record mode. Standard ports include ports 80, 8080, 443, and 8443.	Not supported	Not supported	Supported	Supported	Supported
IPv6	The IPv6 protection feature that monitors and protects IPv6 traffic.	Not supported	Not supported	Supported in the Chinese mainland Not supported outside the Chinese mainland	Supported in the Chinese mainland Not supported outside the Chinese mainland	Supported in the Chinese mainland Not supported outside the Chinese mainland
Exclusive IP addresses	The exclusive IP address feature that allows you to use exclusive IP addresses to protect domain names. For information about how to purchase additional exclusive IP addresses, see Upgrade a WAF instance.	Not supported	Supported with fees charged	Supported with fees charged	Supported with fees charged	Supported
Intelligent load balancing	The intelligent load balancing feature that allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing.	Not supported	Supported with fees charged	Supported with fees charged	Supported with fees charged	Supported
Simple Log Service for WAF	The Simple Log Service for WAF feature that collects and stores all logs in Logstores, allows near-real-time query and analysis, and provides online reports.	Not supported	Supported with fees charged	Supported with fees charged	Supported with fees charged	Supported

Access modes and protection features

Feature	Add a website in CNAME record mode	Cloud native mode (CLB and ECS)	Cloud native mode (ALB, MSE, and Function Compute)	Hybrid cloud reverse proxy mode	Hybrid cloud SDK-based traffic mirroring mode
Basic protection rule	Supported	Supported	Supported	Supported	Supported
Whitelist	Supported	Supported	Supported	Supported	Supported
IP address blacklist	Supported	Supported	Supported	Supported	Supported
Custom rule	Supported	Supported	Supported	Supported	Supported
HTTP flood protection	Supported	Supported	Supported	Supported	Supported
Scan protection	Supported	Supported	Supported	Supported	Supported
Region blacklist	Supported	Supported	Supported	Supported	Supported
Website tamper-proofing	Supported	Supported	Supported for ALB instances Not supported for MSE instances and custom domain names that are bound to web applications in Function Compute	Not supported	Not supported
Data leakage prevention	Supported	Supported	Not supported	Supported	Not supported
Custom response	Supported	Supported	Supported	Not supported	Not supported
Bot management - automatic integration of Web SDK	Supported	Supported	Not supported	Supported	Not supported
Major event protection	Supported	Supported	Not supported	Supported	Not supported
API security	Supported	Supported	Supported for ALB instances Not supported for MSE instances and custom domain names that are bound to web applications in Function Compute	Not supported	Not supported