Web Application Firewall (WAF) 3.0 (WAF 3.0) was released in January 2022. WAF 3.0 is independent of WAF 2.0. WAF 3.0 allows you to add websites in CNAME record mode that is supported in WAF 2.0. WAF 3.0 is integrated into the cloud-native architecture of other cloud services, such as Application Load Balancer (ALB). This allows you to add websites in cloud native mode. WAF 3.0 provides more features and a new console that allows you to configure protection settings in an efficient manner. This improves the user experience

Benefits of WAF 3.0

WAF 3.0 provides the following benefits over WAF 2.0:
  • New cloud-native architecture

    WAF 3.0 is deeply integrated into the gateways of cloud services such as ALB and Microservice Engine (MSE) as an SDK module. The SDK module that is embedded in the gateways detects and protects traffic. During this process, WAF does not forward traffic. You can enable WAF in the ALB console in specific regions without the need to configure complex forwarding settings. For example, you do not need to change the DNS records or change the settings of certificates, ports, and back-to-origin algorithms. This helps improve service stability and performance and reduce access latency. For more information, see cloud-native architecture.

  • New protection configuration mode
    WAF 3.0 allows you to add cloud service instances or domain names as protected objects and create protected object groups. WAF 3.0 also allows you to create protection templates for protection modules. You can use the templates to configure protection rules for different protected objects. WAF 3.0 significantly improves the efficiency of protection configuration. You can perform the following operations:
    • Configure protection rules for multiple protected objects at a time by using protected object groups. You can configure a set of protection rules for a large number of protected objects that have similar protection requirements and apply the rules to the group that contains the protected objects with a few clicks. You can also configure custom protection rules for important protected objects.
    • Configure default protection templates. The predefined protection rules in the templates are applied to the protected objects that are newly added after the templates are applied.
    For more information, see Protection configuration overview.
  • Pay-as-you-go billing method (3.0)

    WAF 3.0 uses the pay-as-you-go billing method. This billing method uses security capacity units (SeCUs) as billing units. All fees are calculated based on SeCUs. This simplifies the calculation process and the billing logic. You are billed for SeCUs every hour. You can also purchase resource plans to offset SeCU usage based on your business requirements. For more information, see Pay-as-you-go billing method (3.0).

  • New features and improved user experience

    WAF 3.0 provides new features, such as the custom response feature. In WAF 3.0, the fees for the Log Service for WAF feature are included in the bills of Log Service. The Log Service for WAF feature allows you to specify the custom storage capacity and retention period of logs. WAF 3.0 also optimizes the configurations for adding services in CNAME record mode and for security reports and rule search. For more information about the custom response feature, see Custom response. For more information about the Log Service for WAF feature, see Overview of log management. For more information about configurations in CNAME record mode, see Add domain names to WAF in CNAME record mode. For more information about security reports, see Security reports.

Method to activate WAF 3.0 and applicable scope of WAF 3.0

WAF 3.0 is in public preview and can be activated by using one of the following methods:
  1. Submit an application to the WAF service team to join the public preview. You can also join the DingTalk group 34657699 to obtain more information about WAF 3.0.
  2. After the application is approved, purchase WAF 3.0 on the link provided by the WAF service team. You can also go to the ALB (Pay-As-You-Go) International Site buy page and purchase an ALB instance of the WAF Enabled edition. Alternatively, you can upgrade the edition of an existing ALB instance to the WAF Enabled edition. For more information, see Activate WAF 3.0.
    Notice The cloud native mode is available for all supported regions of ALB instances, except the China (Nanjing - Local Region) region and the regions of Alibaba Finance Cloud.

Are the WAF 2.0 instances that are being used affected by the release of WAF 3.0?

No, the WAF 2.0 instances that are being used are not affected. Each Alibaba Cloud account can purchase only one WAF instance. Alibaba Cloud continues to maintain WAF 2.0 instances.