Web Application Firewall: WAF overview

Last Updated: Apr 24, 2024

This topic describes the relationship and differences between Web Application Firewall (WAF) 2.0 and WAF 3.0 and how to get started with WAF 2.0 and WAF 3.0.

What is WAF?

WAF identifies and filters out malicious traffic to websites and applications and forwards secure and normal traffic to origin servers. This helps protect the origin servers from intrusions, ensure the security of core data, and prevent server exceptions that are caused by attacks.

Relationship between WAF 2.0 and WAF 3.0

  • WAF 3.0 is a new version of WAF. Compared with WAF 2.0, WAF 3.0 provides a different underlying architecture, different specifications, different configuration logic, and a different user experience. An Alibaba Cloud account cannot have a WAF 2.0 instance and a WAF 3.0 instance at the same time. If you purchased a WAF 2.0 instance, you are directed to the WAF 2.0 interface when you log on to the WAF console. If you purchased a WAF 3.0 instance, you are directed to the WAF 3.0 interface when you log on to the WAF console.

  • If you purchased a WAF 2.0 instance, you can still use, renew, and upgrade your WAF 2.0 instance. WAF 2.0 continues to provide service level agreement (SLA) guarantees.

  • If you purchased a WAF 2.0 instance and you want to use WAF 3.0, you can use the migration tool of Alibaba Cloud to migrate your WAF 2.0 instance to WAF 3.0. For more information, see Migrate a WAF 2.0 instance to WAF 3.0.

Differences between WAF 2.0 and WAF 3.0

Access modes

WAF 2.0 supports the CNAME record mode and transparent proxy mode. WAF 3.0 is integrated with cloud services, such as Application Load Balancer (ALB). You can add your web services to WAF by adding your cloud service instance to WAF. You can enable WAF protection for Internet-facing and internal-facing instances in cloud service consoles, such as the ALB console, without the need to modify DNS records or configure complex access and forwarding configurations. This helps improve business performance and stability.

| Access mode | Working mechanism | WAF 3.0 | WAF 2.0 |
| --- | --- | --- | --- |
| CNAME record mode | WAF blocks attacks and forwards normal requests to the origin server as a reverse proxy cluster. WAF detects and forwards requests. | Supported | Supported |
| Cloud native mode (formerly known as transparent proxy mode) | WAF blocks attacks and forwards normal requests to the origin server as a reverse proxy cluster. WAF detects and forwards requests. | Supported | Supported |
| Cloud native mode (new cloud native architecture) | WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic. WAF does not forward traffic, which prevents compatibility and stability issues. | Supported | Not supported |

Protection configuration

| Feature | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Objects for which protection rules take effect | Protection rules take effect for protected objects or protected object groups. Protected objects can be domain names or cloud service instances that are added to WAF 3.0. You can add multiple protected objects to a protected object group. If you configure a protection rule for the protected object group, the protection rule takes effect for all protected objects in the group. | You can configure protection rules for only one domain name each time. If you add an instance to WAF in transparent proxy mode, separately add all domain names that are deployed on the instance to WAF before you configure protection rules for the domain names. If you do not separately add the domain names to WAF, only default protection rules can be applied to the domain names. You cannot modify the default protection rules. |
| Implementation methods | You can create protection templates and configure protection rules for the protection templates to apply different protection rules to different protected objects. | You can configure protection rules for a specific domain name. |
| Viewing methods | You can view the protection rules that are configured for a protected object or a protected object group. You can view the protection rules of a protection module. You can search for protection rules by rule ID. | You can view the protection rules that are configured for a domain name. |
| Management of default protection rules | By default, basic protection rules are enabled for new protected objects that are added to WAF 3.0. You can modify the protection actions in the basic protection rules. | By default, the protection rules engine is enabled for a domain name that is added to WAF. You cannot modify the protection action in the protection rules engine. You can specify a protection action only after you create a protection rule for the domain name. |

Specifications

  • For information about the number of supported protected objects of each edition, see Editions.

  • For information about the supported protection modules and the number of supported protection rules of each module, see Editions.

Billing methods

Subscription

| Comparison item | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Editions | Basic Edition, Pro Edition, Enterprise Edition, and Ultimate Edition. Basic Edition is suitable for customers who do not have large traffic. | Pro Edition, Business Edition, and Enterprise Edition. |
| Billable items: traffic specifications | Traffic is measured only in queries per second (QPS). | Traffic is measured in QPS and bandwidth. |
| Billable items: domain name specifications | The number of domain names refers to the number of all domain names that are added to WAF. | The number of domain names refers to the number of second-level domain names. |
| Hybrid cloud mode | If your WAF 3.0 instance is an Enterprise Edition or Ultimate Edition instance, you can add your web services to WAF in hybrid cloud mode. | Separately activate Hybrid Cloud WAF Exclusive Edition. |

Pay-as-you-go billing method

| Comparison item | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Supported regions | Chinese mainland and outside the Chinese mainland | Chinese mainland |
| Billing units | WAF 3.0 uses security capacity units (SeCUs) as billing units. The unit price of a SeCU is USD 0.01. | N/A |
| Billing rules | The fees of a pay-as-you-go WAF 3.0 instance are generated every hour. You are charged for using the features; you can use the features without the need to enable them first. After you delete configurations or disable features, billing for the configurations or features is automatically stopped. | Before you use a feature, you must enable the feature. After you disable a feature, billing for the feature is automatically stopped. |

Get started with WAF

The following references are available for WAF 3.0 and WAF 2.0:

  • Learn about WAF

  • Activate WAF (WAF 3.0 only; new WAF 2.0 instances can no longer be purchased)

  • Access WAF

  • Use WAF

  • View domain names (WAF 3.0: Asset center; WAF 2.0: Asset Discovery)

  • Use WAF for protection

  • Configure monitoring and alerting

  • View protection data

  • API operations (WAF 3.0 API operations; WAF 2.0 API operations)