When a WAF instance's actual peak queries per second (QPS) exceeds its capacity limit, the instance enters a sandbox state and the service-level agreement (SLA) is no longer guaranteed. This topic explains what triggers the sandbox, what effects it has, and how to remove the instance from the sandbox.
How it works
The trigger conditions and exit behavior differ between subscription and pay-as-you-go instances:
| Subscription instance | Pay-as-you-go instance | |
|---|---|---|
| Sandbox trigger | Peak QPS exceeds the current QPS specification (by overuse event count or absolute threshold) | Peak QPS within an hour exceeds the Traffic Billing Protection Threshold |
| Exit behavior | Not automatic — must upgrade the QPS specification | Automatic if peak QPS in the next hour drops below the threshold |
| Billing during sandbox | No pay-as-you-go charges from the day the instance enters the sandbox through the day it exits | Billing for that hour is zero until the sandbox is removed |
Subscription instances
QPS specification
The current QPS specification for a subscription instance is the sum of the components you have purchased or enabled:
| Components purchased or enabled | Current QPS specification |
|---|---|
| No add-ons | Base QPS |
| Extended QPS only | Base QPS + Extended QPS |
| Burst QPS (Pay-As-You-Go) only | Base QPS + pay-as-you-go QPS |
| Both Extended QPS and Burst QPS (Pay-As-You-Go) | Base QPS + Extended QPS + pay-as-you-go QPS |
Sandbox trigger conditions
An instance enters a sandbox if either of the following conditions is met.
Condition 1: Overuse event count
WAF monitors peak QPS from the previous hour. An overuse event occurs when peak QPS exceeds the current specification threshold for 5 consecutive minutes. The instance enters a sandbox after 4 overuse events.
Counting rules:
Multiple overuse events within a single day count as one event.
A spike lasting less than 5 minutes is not counted as an overuse event.
If an overuse period spans two days (for example, 23:55 to 00:10), WAF counts it based on the start time.
Condition 2: Absolute QPS threshold
Regardless of the overuse event count, an instance enters a sandbox immediately if peak QPS exceeds the following thresholds for 5 consecutive minutes:
| Instance | Purchased QPS specification | Sandbox threshold |
|---|---|---|
| Chinese mainland | ≤ 20,000 QPS | > 100,000 QPS |
| Chinese mainland | > 20,000 QPS | > 5× the purchased QPS |
| Outside the Chinese mainland | ≤ 2,000 QPS | > 10,000 QPS |
| Outside the Chinese mainland | > 2,000 QPS | > 5× the purchased QPS |
What happens in a sandbox
In sandbox state, WAF stops guaranteeing quality of service (QoS) for traffic processing. Protected objects may experience any of the following issues:
The product SLA is not guaranteed when an instance's actual QPS exceeds its purchased specification or when the instance is in a sandbox. Protected objects may experience packet loss, rate limiting, connection limiting, protection failures, abnormal log or report data, access timeouts, or DDoS traffic scrubbing and blackhole filtering.
WAF notifies you by email, text message, or internal message when the instance enters a sandbox. Overuse information also appears in the banner at the top of the console page.
After an instance enters the sandbox and pay-as-you-go billing is enabled, you are not charged for pay-as-you-go QPS usage from the day the instance enters the sandbox through the day it exits.
You can enable pay-as-you-go QPS to prevent your instance from entering a sandbox due to QPS overuse. For more information, see Pay-as-you-go.
View QPS overuse details
When QPS is overused, a notification appears in the banner at the top of the Web Application Firewall 3.0 consoleWeb Application Firewall 3.0 console.
Click View Details to see QPS overuse details for the last 30 days.
On the Overview page, click the Traffic tab and check the QPS section to view actual usage in the peak or mean graph.
Remove a subscription instance from the sandbox
The sandbox state is not automatically removed, even if QPS drops back within the current specification. To exit the sandbox, upgrade the QPS specification.
Log in to the Web Application Firewall 3.0 consoleWeb Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
In the notification banner at the top of the page, click Upgrade Now. Alternatively, click Upgrade your instance. in the upper-right corner.
In the Upgrade Now panel, increase the QPS specification by upgrading the Version, purchasing Additional QPS, or enabling Burst QPS (Pay-As-You-Go).
You can also go to the WAF purchase page to upgrade the Version, purchase Additional QPS, or enable Burstable QPS (Pay-as-you-go).
After the upgrade is complete, the sandbox state is automatically removed, the instance state changes to Sandbox Removed or Overuse Removed, and the QPS overuse count resets to zero. If the instance re-enters the sandbox after an upgrade, upgrade the QPS specification again.
Pay-as-you-go instances
Sandbox trigger condition
A pay-as-you-go instance enters a sandbox when peak QPS within an hour exceeds the Traffic Billing Protection Threshold. When this happens, a notification appears in the banner at the top of the Web Application Firewall 3.0 consoleWeb Application Firewall 3.0 console.
Click Traffic Billing Protection Details to view hourly traffic protection details for the last 30 days.
What happens in a sandbox
The product SLA is not guaranteed when an instance's actual QPS exceeds the Traffic Billing Protection Threshold or when the instance is in a sandbox. Protected objects may experience packet loss, rate limiting, connection limiting, protection failures, abnormal log or report data, access timeouts, or DDoS traffic scrubbing and blackhole filtering.
During the sandbox period, billing for that hour is zero until the sandbox is removed. WAF notifies you by email, text message, or internal message when the instance enters a sandbox.
Remove a pay-as-you-go instance from the sandbox
A pay-as-you-go instance is automatically removed from the sandbox if peak QPS in the next hour falls below the Traffic Billing Protection Threshold.
If the sandbox state persists, lower the threshold to match your actual traffic:
In the banner at the top of the page, click Modify Threshold.
Or, on the Overview page, click Modify Traffic Protection Threshold in the Instance Basic Information section. For detailed steps, see Traffic billing protection.Overview page
What's next
To check the QPS specifications for your purchased edition, see Version Guide.
To view business security and traffic data, see Overview.
To learn about pay-as-you-go QPS billing and how to enable it, see Pay-as-you-go.
To learn about traffic billing protection and how to configure the threshold, see Traffic billing protection.