Web Application Firewall:The sandbox feature

Subscription WAF instances

The sandbox feature

Overview

If the peak QPS of a subscription WAF instance exceeds the QPS specifications of the WAF instance, the WAF instance may be added to a sandbox.

The QPS specifications of a subscription WAF instance include the QPS specifications provided by the WAF edition and additional QPS specifications and burstable QPS specifications that are purchased.

• If you disable the burstable QPS (pay-as-you-go) feature, the QPS specifications include the QPS specifications provided by the WAF edition and additional QPS specifications that are purchased.

• If you enable the burstable QPS (pay-as-you-go) feature, the QPS specifications include the QPS specifications provided by the WAF edition and additional QPS specifications and burstable QPS specifications that are purchased.

For information about the scenarios in which a WAF instance is added to a sandbox, see the Scenarios in which a WAF instance is added to a sandbox section in this topic.

Impacts

• If a WAF instance is added to a sandbox, the SLA is no longer guaranteed and service access exceptions may occur. The service access exceptions include but are not limited to packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing that is triggered due to DDoS attacks, and blackhole filtering.

• After a WAF instance is added to a sandbox, the burstable QPS (pay-as-you-go) feature takes effect. The bill for the feature is not generated until the WAF instance is removed from the sandbox.

• If your WAF instance is added to a sandbox, WAF sends a notification by email, text message, or internal message. In the upper part of the Overview page in the WAF console, you can also view the details of QPS resources that are excessively used.

Scenarios in which a WAF instance is added to a sandbox

• Number of QPS excess events

  If the peak QPS of a WAF instance exceeds the QPS specifications of the WAF instance for 5 minutes, this event is recorded as a QPS excess event. If multiple QPS excess events occur on the same day, only one QPS excess event is recorded. If four QPS events are recorded, the WAF instance is added to a sandbox.

  Note

  • If the peak QPS of a WAF instance exceeds the QPS specifications of the WAF instance for less than 5 minutes because of traffic spikes, the event is not recorded as a QPS excess event.

  • If the start time and the end time of a QPS excess event are not on the same day, such as from 23:55 to 00:10, WAF determines that the event occurs on the day when the event starts.

• QPS usage

  If the peak QPS of a WAF instance meets one of the conditions that are described in the following table, the WAF instance is immediately added to a sandbox.

  Instance	QPS specifications	Description
  WAF instances that reside in the Chinese mainland	≤ 20,000 QPS	If the peak QPS of a WAF instance exceeds 100,000 QPS, the WAF instance is added to a sandbox.
  	> 20,000 QPS	If the peak QPS of a WAF instance exceeds the QPS specifications of the WAF instance by five times, the WAF instance is added to a sandbox.
  WAF instances that reside outside the Chinese mainland	≤ 2,000 QPS	If the peak QPS of a WAF instance exceeds 10,000 QPS, the WAF instance is added to a sandbox.
  	> 2,000 QPS	If the peak QPS of a WAF instance exceeds the QPS specifications of the WAF instance by five times, the WAF instance is added to a sandbox.

View the details of QPS excess events

When the peak QPS of your WAF instance exceeds the QPS specifications of your WAF instance, a notification is displayed in the top banner section of the Overview page (labeled as 1 in the following figure) in the Web Application Firewall 3.0.

• Click View Details to view the details of the QPS excess events that occurred in the previous 30 days.

• On the Overview page, click the Traffic tab. In the QPS section (labeled as 2 in the following figure), view the peak-value chart and average-value chart for your QPS usage.

Remove a WAF instance from a sandbox

A subscription WAF instance that is added to a sandbox cannot be automatically removed from the sandbox even if the current peak QPS of the WAF instance does not exceed the QPS specifications. To remove the WAF instance from the sandbox, you must upgrade the QPS specifications. If your WAF instance is re-added to a sandbox after you upgrade the QPS specifications, you must upgrade the QPS specifications again.

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

2. In the top banner section of the Overview page, click Upgrade Now. You can also click Upgrade in the upper right corner of the Overview page.

3. On the Upgrade/Downgrade page, upgrade the edition of your WAF instance and purchase additional QPS specifications or burstable QPS specifications to upgrade the QPS specifications of your WAF instance.

   Note

   You can also go to the Web Application Firewall buy page to upgrade the edition of your WAF instance and purchase additional QPS specifications or burstable QPS specifications to upgrade the QPS specifications of your WAF instance.

   After you upgrade the QPS specifications of your WAF instance, the status of your WAF instance changes to Sandbox Removed or Excess Removed and the number of QPS excess events is cleared.

Pay-as-you-go WAF instances

The sandbox feature

Overview

If the peak QPS of a pay-as-you-go WAF instance exceeds the specified threshold value for traffic billing protection, the WAF instance may be added to a sandbox.

You can specify the threshold value for traffic billing protection based on your service traffic.

Impacts

• If a WAF instance is added to a sandbox, the SLA is no longer guaranteed and service access exceptions may occur. The service access exceptions include but are not limited to packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing that is triggered due to DDoS attacks, and blackhole filtering.

• If your WAF instance is added to a sandbox, WAF does not charge you fees that are generated in the current hour. Hourly bills are generated only after the WAF instance is removed from the sandbox.

• If your WAF instance is added to a sandbox, WAF sends a notification by email, text message, or internal message. You can also view the information about traffic billing protection in the upper part of the Overview page in the WAF console.

View sandbox details

When the peak QPS of your pay-as-you-go WAF instance exceeds the specified threshold value for traffic billing protection of your WAF instance, a notification is displayed in the top banner section of the Overview page (labeled as 1 in the preceding figure) in the Web Application Firewall 3.0.

Click View Traffic Protection Details to view the details of traffic billing protection in the previous 30 days.

Remove a WAF instance from a sandbox

When the peak QPS of your pay-as-you-go WAF instance is lower than the specified threshold value for traffic billing protection of your WAF instance, the WAF instance is automatically removed from the sandbox.

To remove a pay-as-you-go WAF instance from a sandbox, perform the following operations:

• In the top banner section on the Overview page (labeled as 1 in the preceding figure), click Modify Threshold to change the threshold value for traffic billing protection.

• In the Protected Assets section of the Overview page (labeled as 2 in the preceding figure), click Modify Traffic Protection Threshold to change the threshold value for traffic billing protection. For more information, see Traffic billing protection.