Web Application Firewall (WAF) protects against web attacks such as SQL injection, cross-site scripting (XSS), CC attacks, and malicious bots. This topic describes how to purchase a WAF 3.0 subscription instance.
If you have a WAF 2.0 instance and want to use WAF 3.0, perform one of the following operations:
If you have running services on your WAF 2.0 instance: Use the migration tool to upgrade a WAF 2.0 instance to WAF 3.0.
If you do not have running services on your WAF 2.0 instance: Release the WAF 2.0 instance and then purchase a new instance by following the steps in this topic.
Select an edition
Subscription WAF is available in four editions: Basic, Pro, Enterprise, and Ultimate. Select an edition based on your business and security needs. For a detailed comparison of the editions, see Version guide.
Edition | Basic | Pro | Enterprise | Ultimate
Scenarios | Small or personal websites with no special security requirements. | Small and medium-sized websites with no special security requirements. | Medium-sized enterprise websites or public-facing services with high security standards. | Medium to large-sized enterprise websites with large-scale services or custom security requirements.
Included features
Peak QPS | 10 QPS | 2,000 QPS | 5,000 QPS | 10,000 QPS
Number of supported domain names | 3 | 5 | 10 | 50
Protected ports | Standard ports: 80, 8080, 443, and 8443 | Standard ports: 80, 8080, 443, and 8443 | Standard and non-standard ports | Standard and non-standard ports
Hybrid cloud nodes | 1 | 1
Protection for major events | Available as a paid add-on | Available as a paid add-on
Paid add-on features
Advanced security features such as Simple Log Service, exclusive IP addresses, bot management, and API security
Domain extension | Up to 10 | Up to 500 | Up to 2,000 | Up to 5,000
Extra QPS
Purchase a WAF instance
Go to the Web Application Firewall 3.0 (Subscription) buy page.
Set Billing Method to Subscription and configure the following parameters.
Purchase a Basic instance
Parameter | Description
Edition | Select the edition that you chose in the previous step.
Region | Specifies the location of WAF protection nodes. This affects access latency and data compliance. If your website server is in the Chinese mainland, select Chinese Mainland. Otherwise, select Outside Chinese Mainland.
Extra Domains | If the number of domain names that you need to protect exceeds the quota of the selected edition, purchase this add-on.
Service-linked Role | To provide services such as traffic access control and monitoring, WAF needs to access your cloud resources. Click Create Service-linked Role. The system automatically creates the AliyunServiceRoleForWaf role. Do not modify this role.
Subscription Duration | Select the subscription duration for the WAF 3.0 instance and specify whether to enable Auto-renewal. Note: To conduct a proof of concept (POC) test, submit a request to your business manager and set Subscription Duration to 7-day POC.
Purchase a Pro, Enterprise, or Ultimate instance
Parameter | Description
Edition | Select the edition that you chose in the previous step.
Region | Specifies the location of WAF protection nodes. This affects access latency and data compliance. If your website server is in the Chinese mainland, select Chinese Mainland. Otherwise, select Outside Chinese Mainland.
API Security | If your services involve numerous API calls and require protection against sensitive data leakage or malicious attacks, enable this module.
Bot Management - Web Protection | To protect your web services from malicious bot traffic, such as data scraping, spam registration, or marketing fraud, enable this module. This applies to webpages and H5 pages that are accessed through browsers, including H5 pages in apps.
Bot Management - App Protection | To protect your app services from malicious bot traffic, such as data scraping, spam registration, or marketing fraud, enable this module. This applies to native apps that are developed for iOS or Android, but not to H5 pages in apps.
Fraud Detection | If you have enabled a bot management module, you can enable this feature. It uses the WAF built-in mobile number reputation database to prevent behaviors such as fraudulent registrations and marketing fraud.
Peak Traffic Throttling | For scenarios such as sales promotions, enable this feature to ensure service stability by allowing only a fixed QPS or a specific percentage of traffic to reach your server.
Extra QPS | If the peak QPS of your traffic exceeds the quota of the selected edition, purchase this add-on.
Elastic Pay-as-you-go QPS | Configure this feature if your peak traffic might exceed your purchased QPS quota. Overage traffic is billed on a pay-as-you-go basis. This helps you effectively respond to sudden volumetric attacks and prevents your WAF instance from being sandboxed and its protection disabled due to exceeding the QPS limit.
Extra Domains | If the number of domain names that you need to protect exceeds the quota of the selected edition, purchase this add-on.
Exclusive IP Address | In the CNAME connection type, domains of the same WAF instance share an IP address by default. If any domain is targeted by a volumetric DDoS attack, the IP address will be subject to blackhole filtering, interrupting access to all domains. Configure an exclusive IP address for a critical domain to prevent service disruptions caused by blackhole filtering events.
Intelligent Load Balancing | Use this feature in CNAME connection type scenarios that require automatic disaster recovery, high availability, and low-latency access.
Simple Log Service | Use this feature to meet security compliance requirements, such as MLPS, or to perform in-depth security analytics.
Log Storage Capacity | Select the maximum log storage capacity for Simple Log Service, starting from 3 TB. The unit is TB. Purchase storage capacity based on your business needs. If the capacity limit is reached, WAF stops writing new logs.
Multi-cloud/Hybrid-cloud Protection Extension Nodes | If your services are deployed on third-party public clouds, private clouds, or on-premises data centers, you can use the hybrid cloud connection type. This type centralizes protection for all your cloud and on-premises services in WAF. To use the hybrid cloud connection type, contact your business manager.
Service-linked Role | To provide services such as traffic access control and monitoring, WAF needs to access your cloud resources. Click Create Service-linked Role. The system automatically creates the AliyunServiceRoleForWaf role. Do not modify this role.
Subscription Duration | Select the subscription duration for the WAF 3.0 instance and specify whether to enable Auto-renewal. Note: To conduct a proof of concept (POC) test, submit a request to your business manager and set Subscription Duration to 7-day POC.
Click Buy Now and complete the payment.
Next steps
After you purchase the instance, you can perform the following steps to use WAF 3.0:
Add your services to WAF 3.0. For more information, see Connection overview.
Configure mitigation policies for the protected objects in WAF 3.0. For more information, see Overview of mitigation settings.
View protection data. For more information, see View security reports.