Activate a pay-as-you-go Web Application Firewall (WAF) 3.0 instance for flexible web protection. This guide details the setup, key parameters, and a critical billing notice: charges start immediately upon activation, regardless of configuration.
Usage notes
Ensure you have no active WAF instances on your Alibaba Cloud account. If you have an active WAF 2.0 instance and want to use WAF 3.0, do one of the following:
Your WAF 2.0 instance is protecting active services: Use the migration tool to upgrade your WAF 2.0 instance to WAF 3.0.
Your WAF 2.0 instance has no active services: Terminate the WAF 2.0 service and then activate a new instance.
Activate a pay-as-you-go WAF instance
The pay-as-you-go WAF service incurs both request processing fees and feature fees (such as the fee for the WAF instance itself). Therefore, billing starts immediately after you activate the WAF service, regardless of whether you configure it. For more information about billing rules, see Billing overview.
Go to the Web Application Firewall 3.0 (Pay-as-you-go) buy page.
Set Product Type to Web Application Firewall 3.0, set Billing Method to Pay-as-you-go, and then complete the following configurations.
Parameter
Description
Region
Determines the location of WAF protection nodes, which affects access latency and data compliance.
If your website server is in the Chinese mainland, select Chinese Mainland. Otherwise, select Outside Chinese Mainland.
Version
The default value is Pay-as-you-go 3.0. No configuration is required.
Traffic Billing Protection Threshold
To prevent high costs from queries per second (QPS) surges caused by high-volume attacks, set a Traffic Billing Protection Threshold to limit the peak QPS that WAF can handle.
If the actual peak QPS of your service exceeds this threshold within an hour, the WAF instance enters a sandbox mode. The Service-Level Agreement (SLA) is no longer guaranteed, and your services may experience access issues. For more information, see Traffic billing protection.
To prioritize service protection, keep the default maximum threshold.
To prioritize cost control, lower this threshold as needed.
Price reference: In addition to the basic traffic fee, if the peak QPS exceeds 1,000, the excess traffic is charged at an additional rate of USD 0.01 per 5 QPS per hour. For example, if the peak QPS is 1,500, the extra hourly fee is USD 1.
Service-linked Role
To provide services such as traffic access control and monitoring analysis, WAF needs to access your cloud service resources. Click Create Service-linked Role. The system automatically creates the AliyunServiceRoleForWaf role. You do not need to manually modify this role.
Click Buy Now and complete the order.
(Optional) If your website traffic and protection feature usage is stable for at least one month, and you do not have extremely low traffic or only need WAF for a short-term trial, purchase a SeCU resource plan to further reduce your pay-as-you-go costs.
Get started
After you activate the instance, follow these steps to start using WAF 3.0:
Cost optimization suggestions
To control costs and avoid unexpected charges for your pay-as-you-go WAF instance, consider these optimizations:
Enable features as needed: Some features incur extra fees when enabled. To avoid enabling multiple features or creating numerous protection rules indiscriminately, enable features selectively.
API Security: Enable this feature only if your services use APIs.
Bot management: Use this feature to protect against automated scripts, crawlers, and other machine traffic. If your business does not require this type of protection, keep it disabled.
Web core protection: Modules such as Scan Protection and Geo-blocking incur charges after you create protection rules. Understand the functionality of each module before you configure them. If you do not need a module, delete its protection template promptly.
CNAME record mode: Advanced options such as configuring non-standard ports, enabling IPv6, or using exclusive IP addresses incur extra charges. For example, if you add only a single domain name, you do not need to enable an exclusive IP address.
Set a traffic billing protection threshold: If cost control is a higher priority than business continuity, you can configure this threshold to limit the peak QPS that WAF can process and prevent cost spikes from high-volume attacks.
Use the subscription model: If your monthly Security Capacity Units (SeCUs) consumption is high and you cannot reduce the configuration because of business requirements, purchase a subscription-based SeCU resource plan or a subscription WAF instance for a lower unit price.
FAQ
Why am I being charged even though I have not configured WAF or added any assets?
The pay-as-you-go WAF service incurs both request processing fees and feature fees (such as the fee for the WAF instance itself). Therefore, billing starts immediately after you activate the WAF service, regardless of whether you configure it.
What is a SeCU? How do I view my daily WAF consumption?
SeCU introduction: The total cost of a pay-as-you-go WAF 3.0 instance consists of request processing fees and feature fees. Both are measured in SeCUs. The unit price of a SeCU is USD 0.01. For more information about how SeCUs are calculated, see Pay-as-you-go billing.
View consumption: In the WAF console, in the navigation pane on the left, choose to view your daily SeCU consumption for the last seven days. You can click View Billing Details to view the consumption of specific billable items. To view SeCU consumption from more than seven days ago, see Bill details (new console)与 Billing details (legacy console) for details.
What is a SeCU resource plan? How do I use it?
A SeCU resource plan is a cost optimization solution for pay-as-you-go WAF 3.0. After you purchase a pay-as-you-go WAF instance, purchase a SeCU resource plan to offset the total fees generated by the instance. This subscription-based plan takes effect immediately after purchase and requires no configuration. For more information, see SeCU resource plan.
How do I terminate WAF to stop billing?
If you no longer plan to use WAF and want to stop billing, follow these steps to terminate the WAF instance.
Before you terminate the WAF instance, ensure that the DNS records for the domain names added to WAF are updated to point to their origin servers.
After the WAF instance is terminated, all website domain name configurations are cleared. If requests are still sent to the WAF instance, they cannot be forwarded, and website access will fail.
Go to the Overview page. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.
If the following interface appears, click Go to Console in the upper-right corner. If not, skip this step.
In the right-side area of the page, click Terminate WAF Service. In the dialog box that appears, select the checkboxes and click OK.
Why am I still being charged after terminating WAF?
If you are still being charged after terminating WAF, it may be for one of the following reasons:
Incomplete termination operation: You may have only removed the asset or disabled the WAF protection switch. Follow the steps in How do I terminate WAF to stop billing? to terminate the instance correctly.
Billing generation delay: Bills for pay-as-you-go WAF are generated on the following day. For example, if you terminate the WAF service on October 2, the bill for October 2 will be generated on October 3. No new bills will be generated from October 3 onwards.
Incorrect region switching: If you purchased a WAF instance for the Outside Chinese Mainland region, you must switch the region in the top menu bar of the Overview page before you terminate the WAF service.
