The pay-as-you-go billing method allows you to pay for resources after you use the resources. You are charged based on your resource usage. Fees are deducted from the balance of your Alibaba Cloud account after bills are generated at the end of each billing cycle. If you use a pay-as-you-go Web Application Firewall (WAF) 3.0 instance, you are charged based on security capacity units (SeCUs). You can purchase SeCU resource plans to offset fees and reduce costs. This topic describes the billing rules of pay-as-you-go WAF 3.0 instances.
Scenarios
The pay-as-you-go billing method is more suitable than the subscription billing method for the following scenarios:
Frequently changing protection resource usage: If your protection resource usage is unpredictable, we recommend that you select the pay-as-you-go billing method.
Temporary and sudden protection resource usage: In this scenario, you can select the pay-as-you-go billing method to ensure the availability of protection resources and improve cost efficiency.
SeCUs
WAF 3.0 uses SeCUs as billing units. SeCUs have the following attributes:
The unit price of each SeCU is USD 0.01.
SeCU usage is measured on an hourly basis. For example, SeCU usage is measured for the period from 10:00:00 to 10:59:59.
SeCU usage is rounded up to the nearest integer. For example, if only 0.5 SeCU is used from 10:00:00 to 10:59:59, you are charged for 1 SeCU for the hour.
Billable items
The prices of products and services may change. Refer to your Alibaba Cloud bill for the final amount.
If you enable WAF protection for an Application Load Balancer (ALB) instance, both WAF and ALB charge you fees. For more information about the billing rules of WAF-enabled ALB instances, see Activate and manage WAF-enabled ALB instances.
Major event protection fees
If you enable the major event protection feature, you are charged based on the subscription period of the feature. The subscription period is 30 days or longer. For more information about the major event protection feature and fees for the feature, see Major event protection.
To enable the major event protection feature, perform the following steps: Log on to the WAF 3.0 console and select the resource group and region in which your WAF instance is deployed. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events. On the Protection for Major Events page, enable the major event protection feature.
The major event protection feature takes effect immediately after you enable it. The validity period of the feature is the subscription period that you specify when you enable the feature. After the validity period ends, the major event protection feature stops protecting your services.
Pay-as-you-go WAF instance fees
If you purchase a pay-as-you-go WAF instance, you are charged request processing fees and feature fees.
SeCUs can be used to offset request processing fees and feature fees. For more information about the offset rules, see SeCU resource plans.
The traffic billing protection feature is supported only for pay-as-you-go WAF 3.0 instances. When the feature is enabled, if traffic spikes occur, the instance is added to a sandbox to prevent costs from exceeding your budget. For more information about the traffic billing protection feature, see Traffic billing protection.
If the actual service traffic exceeds the threshold value for traffic billing protection, the WAF instance may be added to a sandbox.
Billable items
Billing details
Fee | Billable item | Description | Unit price | |
Request processing fees: fees for request processing within an hour. | Basic traffic fee | You are charged the basic traffic fee based on the number of requests within an hour. The requests include both normal requests and malicious requests, but not server responses. | 1 SeCU per 5,000 requests Note
| |
Bot management | If you enable the bot management feature, you are charged based on the number of requests that match bot management rules within an hour. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests within an hour is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
API security | If you enable the API security feature, you are charged based on the number of requests that match API security rules. Otherwise, you are not charged. | 1 SeCU per 10,000 requests Note If the number of requests is not a multiple of 10,000, it is rounded up to the nearest multiple of 10,000. For more information, see Billing examples. | ||
Peak QPS | You are charged based on the peak QPS within an hour. |
Note If the excess portion is less than 5 QPS, it is calculated as 5 QPS. | ||
Fraud detection (fee-based bot management feature) | You are charged based on the number of times that fraud detection rules are matched. | 1 SeCU per time Note The fraud detection feature can take effect only after the bot management and fraud detection features are enabled. For more information, see Fraud detection. | ||
Slider CAPTCHA verification in custom rules | You are charged based on the number of verifications performed. | 1 SeCU per 10 verifications per hour Note The number of verifications is rounded up to the nearest multiple of 10. | ||
Feature fees: fees for different features within an hour. | Billed based on the number of configured protection rules Important If these rules are disabled, charges are still incurred. To avoid charges for these rules, delete the rules. | IP address blacklist | You are charged based on the number of configured IP address blacklist rules, including enabled and disabled rules. | 2 SeCUs per rule |
Custom rules | You are charged based on the number of configured custom rules, including enabled and disabled rules. |
Note Rules that meet one of the following conditions are advanced rules, and the others are basic rules:
| ||
Scan protection | You are charged based on the number of configured scan protection rules, including enabled and disabled rules. Each scan protection template contains three scan protection rules. | 1 SeCU per rule | ||
HTTP flood protection | You are charged based on the number of configured HTTP flood protection rules, including enabled and disabled rules. | 2 SeCUs per rule | ||
Region blacklist | You are charged based on the number of configured region blacklist rules, including enabled and disabled rules. | 3 SeCUs per rule | ||
Custom response | You are charged based on the number of configured custom response rules, including enabled and disabled rules. Each custom response template contains one rule. | 10 SeCUs per rule | ||
Website tamper-proofing | You are charged based on the number of configured website tamper-proofing rules, including enabled and disabled rules. | 5 SeCUs per rule | ||
Data leakage prevention | You are charged based on the number of configured data leakage prevention rules, including enabled and disabled rules. | 5 SeCUs per rule | ||
Billed based on resource usage | Protection rule groups | You are charged based on the number of configured rule groups, including rule groups that are associated with protection templates and rule groups that are not associated with protection templates. You can configure up to 99 protection rule groups. Note You are not charged for the three built-in rule groups. | 2 SeCUs per rule group | |
Bot management | You are charged based on the number of configured bot management templates, including enabled and disabled templates. | 50 SeCUs per template | ||
API security | You are charged based on the number of protected objects for which API security is enabled. | 20 SeCUs per protected object | ||
Exclusive IP addresses | You are charged based on the number of domain names for which exclusive IP addresses are enabled. You are charged only after you add the domain names to WAF in CNAME record mode. | 15 SeCUs per exclusive IP address | ||
Number of domain names added to WAF in CNAME record mode | You are charged based on the number of domain names that you add to WAF in CNAME record mode, including second-level domain names and their subdomain names and exact-match and wildcard domain names. |
| ||
Billed based on the feature status | Non-standard ports | You are charged only after you enable non-standard ports. | 25 SeCUs per hour | |
Intelligent whitelist | You are charged based on the status of the intelligent whitelist feature for each basic protection rule template. |
| ||
Intelligent load balancing | You are charged based on the status of the intelligent load balancing feature. |
| ||
IPv6 protection | You are charged based on the status of IPv6 protection. |
| ||
Protocol compliance | You are charged based on the status of protocol compliance. |
| ||
Asset center | You are charged based on the status of asset center. |
| ||
Basic protection rules | You are charged for basic protection rules only after you add protected objects to WAF. |
| ||
Billed by other cloud services | Simple Log Service | You are billed and invoiced by Alibaba Cloud Simple Log Service. | These charges are not billed by WAF. | |
Billing examples
Example 1
You added five domain names to WAF in CNAME record mode and configured two IP address blacklist rules. Within an hour, no requests are sent to your domain names and the peak QPS is 0 QPS.
In this scenario, the request processing fee is 0 SeCU and the feature fee is 12 SeCUs. The total fee is USD 0.13. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU usage (SeCU usage within an hour is rounded up to the nearest integer.) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic fee | 1 SeCU per 5,000 requests | 0 SeCU | 0.01 × 0 = USD 0 |
Peak QPS | Peak QPS ≤ 5,000 QPS: 0 SeCU per hour | 0 SeCU | 0.01 × 0 = USD 0 | |
Feature fees | CNAME record mode | One domain name: 0 SeCU More than one domain name: 2 SeCUs for each additional domain name | 8 SeCU | 0.01 × 8 = USD 0.08 |
IP address blacklist | 2 SeCUs per IP address blacklist rule | 4 SeCU | 0.01 × 4 = USD 0.04 | |
Basic protection rules Note You are charged for basic protection rules only after you add protected objects to WAF. | Protected objects are added to WAF: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Example 2
You added 12 domain names to WAF in CNAME record mode, enabled exclusive IP addresses and intelligent load balancing for two domain names, and created one scan protection template. Within an hour, 50,001 requests are sent to your domain names and the peak QPS is 4,000 QPS.
In this scenario, the request processing fee for this hour is 11 SeCUs, the feature fee is 106 SeCUs, and the total fee is USD 1.17. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU (SeCU usage within an hour is rounded up to the nearest integer.) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic fee | 1 SeCU per 5,000 requests | 11 SeCU | 0.01 × 11= USD 0.11 |
Peak QPS | Peak QPS ≤ 5,000 QPS: 0 SeCU per hour | 0 SeCU | 0.01 × 0 = USD 0 | |
Feature fees | CNAME record mode | One domain name: 0 SeCU More than one domain name: 2 SeCUs per additional domain name | 22 SeCU | 0.01 × 22 = USD 0.22 |
Exclusive IP addresses | 15 SeCUs per domain name | 30 SeCU | 0.01 × 30 = USD 0.3 | |
Intelligent load balancing | Enabled: 50 SeCUs per hour | 50 SeCU | 0.01 × 50 = USD 0.5 | |
Scan protection Note Each scan protection template contains three rules. | 1 SeCU per rule | 3 SeCU | 0.01 × 3 = USD 0.03 | |
Basic protection rules Note You are charged for basic protection rules only after you add protected objects to WAF. | Protected objects are added to WAF: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Example 3
You added a Layer 7 Classic Load Balancer (CLB) instance in the US (Silicon Valley) region to WAF in cloud native mode and added domain names hosted on the CLB instance to WAF as protected objects. You configured basic protection rules and enabled bot management and HTTP flood protection for the CLB instance. You configured two HTTP flood protection rules and one bot management template. The HTTP flood protection rules are disabled and the bot management template is enabled. You also enabled fraud detection and configured corresponding rules. Within an hour, 4,200 requests are sent to your domain names, the peak QPS is 537 QPS, bot management rules are matched 34 times, and fraud detection rules are matched 3 times.
In this scenario, the request processing fee is 35 SeCUs and the feature fee is 58 SeCUs. The feature fee includes the fee for basic protection rules and the bot management feature. The total fee is USD 0.93. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU (SeCU usage within an hour is rounded up to the nearest integer.) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic fee | 1 SeCU per 5,000 requests | 1 SeCU | 0.01 × 0 = USD 0.01 |
Peak QPS | Peak QPS ≤ 5,000 QPS: 0 SeCU per hour | 0 SeCU | 0.01 × 0 = USD 0 | |
Bot management | You are charged based on the number of requests that match bot management rules within an hour. | 34 SeCU | 0.01 × 34 = USD 0.34 | |
Feature fees | Basic protection rules Note You are charged for basic protection rules only after you add protected objects to WAF. | Protected objects are added to WAF: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 |
Bot management | You are charged based on the number of configured bot management templates, including enabled and disabled templates. | 50 SeCU | 0.01 × 50 = USD 0.5 | |
Fraud detection | You are charged based on the number of times that fraud detection rules are matched. 1 SeCU per time | 3 SeCU | 0.01 × 3 = USD 0.03 | |
HTTP flood protection | You are charged based on the number of configured HTTP flood protection rules, including enabled and disabled rules. 2 SeCUs per rule | 4 SeCU | 0.01 × 4 = USD 0.04 |
Example 4
You enabled WAF protection for an ALB instance in the US (Silicon Valley) region and configured two custom response templates. The custom response templates apply to different protected objects. Within an hour, 50,004 requests are sent to your domain names and the peak QPS is 5,997 QPS.
In this scenario, the request processing fee is 211 SeCUs, the feature fee is 21 SeCUs, and the WAF-enabled ALB instance fee is USD 0.035 per hour. The total fee is USD 2.355. The following table describes the billing details.
Fee | Billable item | Unit price | SeCU (SeCU usage within an hour is rounded up to the nearest integer.) | Total fee (1 SeCU = USD 0.01) |
Request processing fees | Basic traffic fee | 1 SeCU per 5,000 requests | 11 SeCU | 0.01 × 11 = USD 0.11 |
Peak QPS | Peak QPS > 5,000 QPS: 1 SeCU per 5 QPS per hour for the portion exceeding 5,000 QPS | 200 SeCU | 0.01 × 200 = USD 2 | |
Feature fees | Custom response | 10 SeCUs per rule | 20 SeCU | 0.01 × 20 = USD 0.2 |
Basic protection rules Note You are charged for basic protection rules only after you add protected objects to WAF. | Protected objects are added to WAF: 1 SeCU per hour | 1 SeCU | 0.01 × 1 = USD 0.01 | |
WAF-enabled ALB instance fee | USD 0.035 per hour. Refer to the buy page for the actual price. | / | 0.035 × 1 = USD 0.035 | |
If you need to estimate the cost for pay-as-you-go WAF instances on a daily basis or for a longer period, we recommend that you adjust the cost estimation based on the actual traffic fluctuations over time. For example, if your business experiences higher traffic from 6:00 to 18:00 daily and minimal requests during the remaining hours, we recommend that you estimate the cost incurred during the active hours as the average daily cost. This approach provides a more accurate long-term cost estimate.
After you purchase a pay-as-you-go WAF instance, refer to your Alibaba Cloud bill for the actual usage and fees.
Billing cycle
Fees are calculated on a daily basis (UTC+8). After fees are calculated, a new billing cycle begins.
Fees for pay-as-you-go WAF instances are calculated each day before 06:00. If you want to change the specifications of a pay-as-you-go WAF instance, we recommend that you perform the change after 06:00.
If the available balance in your Alibaba Cloud account, including account balance and vouchers, is less than the outstanding bill, you are notified by text message or email.
Overdue payments
If your Alibaba Cloud account has an overdue payment, the use of WAF is affected. We recommend that you check whether your account has an overdue payment in the Expenses and Costs console and add funds to your account at the earliest opportunity. For more information about how to check your outstanding balance and view the details of the overdue amount, see Overdue payments.
Alibaba Cloud notifies you before your payment becomes overdue. To prevent business interruptions, we recommend that you add funds to your account at the earliest opportunity.
Query bills
For more information about how to view the resource usage and fees for pay-as-you-go WAF 3.0 instances on the Bills page, see View bills.
References
For more information about how to unsubscribe from a subscription WAF 3.0 instance or release a pay-as-you-go WAF 3.0 instance, see Refund policy.
For more information about how to handle business anomalies caused by automated tools, such as scripts and simulators, see Enable and configure the bot management module.
For more information about how to detect API risks, such as unauthorized access, excessive exposure of sensitive data, or internal interface leaks, reconstruct API anomaly events through reports, review outbound data, and trace sensitive data leakage events, see API security.
For more information about how to query the traffic of protected objects and view attack prevention logs, see Overview of log management.
For more information about advanced and basic rules, see Match conditions.