This topic describes the relationship and differences between Web Application Firewall (WAF) 2.0 and WAF 3.0 and how to get started with WAF 2.0 and WAF 3.0.
What is WAF?
WAF identifies and filters out malicious traffic to websites and applications and forwards secure and normal traffic to origin servers. This helps protect the origin servers from intrusions, ensure the security of core data, and prevent server exceptions that are caused by attacks.
Relationship between WAF 2.0 and WAF 3.0
WAF 3.0 is a new version of WAF. Compared with WAF 2.0, WAF 3.0 provides different underlying architecture, specifications, configuration logic, and user experience. An Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time. If you purchased a WAF 2.0 instance, you are directed to the WAF 2.0 interface when you log on to the WAF console. If you purchased a WAF 3.0 instance, you are directed to the WAF 3.0 interface when you log on to the WAF console.
If you purchased a WAF 2.0 instance, you can still use, renew, and upgrade your WAF 2.0 instance. WAF 2.0 continues to provide service level agreement (SLA) guarantees.
If you purchased a WAF 2.0 instance and you want to use WAF 3.0, you can use the migration tool of Alibaba Cloud to migrate your WAF 2.0 instance to WAF 3.0. For more information, see Migrate a WAF 2.0 instance to WAF 3.0.
Differences between WAF 2.0 and WAF 3.0
Access modes
WAF 2.0 supports the CNAME record mode and transparent proxy mode. WAF 3.0 is integrated with cloud services, such as Application Load Balancer (ALB). You can add your web services to WAF by adding your cloud service instance to WAF. You can enable WAF protection for Internet-facing and internal-facing instances in cloud service consoles, such as the ALB console, without modifying DNS records or setting up complex access and forwarding configurations. This helps improve business performance and stability.
Access modes | Working mechanism | WAF 3.0 | WAF 2.0 |
CNAME record mode | | Supported | Supported |
Cloud native mode (formerly known as transparent proxy mode) | | Supported | Supported |
Cloud native mode (new cloud native architecture) | | Supported | Not supported |
Protection configuration
Feature | WAF 3.0 | WAF 2.0 |
Objects for which protection rules take effect | Protection rules take effect for protected objects or protected object groups. | You can configure protection rules for only one domain name each time. If you add an instance to WAF in transparent proxy mode, separately add all domain names that are deployed on the instance to WAF before you configure protection rules for the domain names. If you do not separately add the domain names to WAF, only default protection rules can be applied to the domain names. You cannot modify the default protection rules. |
Implementation methods | You can create protection templates and configure protection rules for the protection templates to apply different protection rules to different protected objects. | You can configure protection rules for a specific domain name. |
Viewing methods | | You can view the protection rules that are configured for a domain name. |
Management of default protection rules | By default, basic protection rules are enabled for new protected objects that are added to WAF 3.0. You can modify the protection actions in the basic protection rules. | By default, the protection rules engine is enabled for a domain name that is added to WAF. You cannot modify the protection action in the protection rules engine. You can specify a protection action only after you create a protection rule for the domain name. |
Specifications | | |
Billing methods
Subscription
Comparison item | | WAF 3.0 | WAF 2.0 |
Editions | | | Pro Edition, Business Edition, and Enterprise Edition. |
Billable items | Traffic specifications | Traffic is measured only in queries per second (QPS). | Traffic is measured in QPS and bandwidth. |
Billable items | Domain name specifications | The number of domain names refers to the number of all domain names that are added to WAF. | The number of domain names refers to the number of second-level domain names. |
Hybrid cloud mode | | If your WAF 3.0 instance is an Enterprise Edition or Ultimate Edition instance, you can add your web services to WAF in hybrid cloud mode. | Separately activate Hybrid Cloud WAF Exclusive Edition. |
Pay-as-you-go billing method
Comparison item | WAF 3.0 | WAF 2.0 |
Supported regions | Chinese mainland, outside the Chinese mainland | Chinese mainland |
Billing units | WAF 3.0 uses security capacity units (SeCUs) as billing units. The unit price of a SeCU is USD 0.01. | N/A |
Billing rules | | Before you use a feature, you must enable the feature. After you disable a feature, billing for the feature is automatically stopped. |
Get started with WAF
References | WAF 3.0 | WAF 2.0 | |
Learn about WAF | |||
Activate WAF | New WAF 2.0 instances can no longer be purchased. | ||
Access WAF | | ||
Use WAF | View domain names | ||
Use WAF for protection | | | |
Configure monitoring and alerting | |||
View protection data | |||
API operations |