Web Application Firewall (WAF) 3.0, which is independent of WAF 2.0, was released in January 2022 and commercialized on October 31, 2022. You can purchase subscription or pay-as-you-go WAF 3.0 instances based on your business requirements. You can no longer purchase new WAF 2.0 instances.

Note If you need to purchase new WAF 2.0 instances, join the DingTalk group 34657699 to obtain technical support.

Benefits of WAF 3.0

WAF 3.0 is integrated into the cloud-native architecture of other cloud services, such as Application Load Balancer (ALB), which allows you to add websites to WAF in cloud-native mode. WAF 3.0 provides additional features and a new console in which you can configure protection settings to improve efficiency and user experience.

WAF 3.0 provides the following advantages over WAF 2.0:
  • New cloud-native architecture

    WAF 3.0 is deeply integrated as an SDK module into the gateways of cloud services, such as ALB and Microservices Engine (MSE), to detect and protect traffic. During the protection process, WAF does not forward traffic. You can enable WAF in the console of a cloud service in any region without the need to change the DNS records or the settings of certificates, ports, and back-to-origin algorithms. This helps improve the stability and performance of your business and reduce access latency. For more information, see Cloud-native architecture.

  • New protection configuration mode
    WAF 3.0 allows you to add cloud service instances or domain names as protected objects and create protected object groups. WAF 3.0 also allows you to create protection rule templates for different protected objects in different protection modules. WAF 3.0 allows you to perform the following operations to significantly improve the efficiency of protection configuration:
    • Configure a set of protection rules for a large number of protected objects that have similar protection requirements with a few clicks. You can also configure custom protection rules for important protected objects.
    • Configure default protection templates. The predefined protection rules in the templates are applied to the protected objects that are added to WAF after the templates are created.
    For more information, see Protection configuration overview.
  • Support for the pay-as-you-go billing method

    WAF 3.0 supports the pay-as-you-go billing method. The billing unit is security capacity units (SeCUs). All fees are calculated based on SeCUs. This simplifies the calculation process and billing rules. Bills are generated on an hourly basis based on your SeCU usage. You can also purchase resource plans to offset SeCU usage fees based on your business requirements. For more information, see Pay-as-you-go billing method of WAF 3.0.

  • New features and improved user experience

    WAF 3.0 provides new features, such as the custom response feature. In WAF 3.0, the fees for the Log Service for WAF feature are included in the bills of Log Service. The Log Service for WAF feature allows you to specify the custom storage capacity and retention period for logs. WAF 3.0 also optimizes the configurations for adding services in CNAME record mode and for security reports and rule search. For more information about the custom response feature, see Configure the custom response module. For more information about the Log Service for WAF feature, see Overview of log management. For more information about the configurations in CNAME record mode, see Add a website in CNAME record mode. For more information about security reports, see Security reports.

Activation and applicable scope of WAF 3.0


For information about how to activate WAF 3.0, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Applicable scope

You cannot use WAF 3.0 to protect ALB instances in all regions. Take note of the limits on regions when you add an ALB instance to WAF. For information about the limits of WAF protection for ALB instances, see Add an ALB instance to WAF.

What is the relationship between WAF 2.0 and WAF 3.0?

  • WAF 3.0 is different from WAF 2.0 in terms of underlying architecture, instance specifications, console configuration, and user experience. You cannot purchase a WAF 3.0 instance by using an Alibaba Cloud account to which a WAF 2.0 instance belongs.
  • You can still use, renew, and upgrade existing WAF 2.0 instances. The service level agreement (SLA) of WAF 2.0 is also guaranteed.
  • WAF 2.0 instances cannot be automatically migrated to WAF 3.0. If you want to migrate WAF 2.0 instances to WAF 3.0, join the DingTalk group 34657699 to obtain technical support.