WAF 3.0 was released in January 2022 and became generally available on October 31, 2022. WAF 2.0 is no longer available for new purchases. Existing WAF 2.0 instances continue to work — you can use, renew, and upgrade them, and their service level agreement (SLA) remains in effect.
What's new in WAF 3.0
WAF 3.0 introduces a cloud native architecture, a redesigned protection configuration model, a simplified billing system, and additional features.
Cloud native architecture
WAF 3.0 integrates directly as an SDK module into the gateways of cloud services — including Application Load Balancer (ALB) and Microservices Engine (MSE) — to detect threats and protect traffic. WAF does not forward traffic during protection.
For cloud services supported in cloud native mode, enabling WAF protection requires no changes to DNS records, certificate settings, ports, or back-to-origin configurations. This reduces access latency and improves stability.
For region availability in cloud native mode, see the "Limits" section in each integration topic.
CNAME record mode has no region restrictions.
For an overview of the cloud native architecture, see Cloud native architecture.
Protection configuration model
WAF 3.0 uses protected objects and protected object groups as the central organizing concept for protection settings.
Protected objects: Add cloud service instances or domain names as protected objects and apply protection templates per module.
Protected object groups: Group objects with similar requirements and apply a shared set of protection rules to all of them at once.
Default protection templates: Predefined rules automatically apply to new protected objects as you add them.
Custom rules: Override group rules for specific protected objects when needed.
For details, see Protection configuration overview.
Billing
WAF 3.0 supports subscription (prepaid) and pay-as-you-go billing. The billing unit is security capacity units (SeCUs). All charges — across protection features and traffic — are calculated in SeCUs, which simplifies cost tracking. Bills are generated hourly based on actual SeCU usage. To reduce costs for predictable workloads, purchase resource plans to offset SeCU usage fees.
For details, see Billing overview.
Additional features
Custom response: Configure custom block pages for specific protection modules. See Configure protection rules for the custom response module to configure custom block pages.
Log management: Simple Log Service fees for WAF are billed through Simple Log Service directly. Configure custom storage capacity and retention periods for WAF logs. See Overview of log management.
Optimized onboarding: Streamlined configurations for adding services in CNAME record mode. See Add a domain name to WAF.
Security reports: Improved rule search and reporting experience. See Security reports.
WAF 2.0 and WAF 3.0 coexistence
WAF 2.0 and WAF 3.0 differ in underlying architecture, specifications, configuration logic, and user experience. Because of these differences, an Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time.
If you are currently using WAF 2.0:
Your existing instances continue to work. Use, renew, and upgrade them as needed.
The WAF 2.0 SLA remains in effect.
WAF 2.0 instances cannot be automatically upgraded to WAF 3.0.
To upgrade from WAF 2.0 to WAF 3.0, join DingTalk group 34657699 for technical support.