
Web Application Firewall: Introduction to sandboxes

Last Updated: May 06, 2024

If the actual peak queries per second (QPS) of a subscription Web Application Firewall (WAF) instance exceeds the total QPS quota or the actual peak QPS of a pay-as-you-go WAF instance exceeds the specified threshold for traffic billing protection, the WAF instance may be added to a sandbox. If a WAF instance is added to a sandbox, the service level agreement (SLA) is no longer guaranteed. This topic describes sandboxes and how to remove a WAF instance from a sandbox.

Subscription WAF instances

Sandboxes

Overview

If the actual peak QPS of a WAF instance exceeds the total QPS quota, the WAF instance may enter the sandbox mode.

The total QPS quota is equal to the sum of the QPS quota provided by the edition, the additional QPS quota that you purchased, and the burstable QPS (pay-as-you-go) quota.

  • If the burstable QPS (pay-as-you-go) feature is disabled, the total QPS quota is equal to the sum of the QPS quota provided by the edition and the additional QPS quota that you purchased.

  • If the burstable QPS (pay-as-you-go) feature is enabled, the total QPS quota is equal to the sum of the QPS quota provided by the edition, the additional QPS quota that you purchased, and the burstable QPS (pay-as-you-go) quota.

If the actual peak QPS of a WAF instance exceeds the total QPS quota, the WAF instance may be added to a sandbox. For information about the conditions that may cause a WAF instance to enter the sandbox mode, see Conditions.

Impacts

  • If a WAF instance is added to a sandbox, the SLA is no longer guaranteed. In this case, service access exceptions may occur. Service access exceptions include but are not limited to packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering.

  • After a WAF instance is added to a sandbox, the burstable QPS (pay-as-you-go) feature takes effect. The bill for the feature is not generated until the WAF instance is removed from the sandbox.

  • If your WAF instance is added to a sandbox, the system sends a notification by email, text message, or internal message. In the top banner section of the WAF console, you can view the details of excessively used QPS resources.

Note

You can enable the burstable QPS (pay-as-you-go) feature to prevent your WAF instance from being added to a sandbox when the peak QPS of your WAF instance exceeds the total QPS quota. For information about the burstable QPS (pay-as-you-go) feature, see Burstable QPS (pay-as-you-go).

Conditions

  • Number of QPS excess events

    If the peak QPS of a WAF instance in the previous hour is higher than the total QPS quota of the WAF instance for 5 minutes, the event is recorded as a QPS excess event. If multiple QPS excess events occur on the same day, only one QPS excess event is recorded. After four QPS excess events are recorded, the WAF instance is added to a sandbox.

    Note
    • If the peak QPS of a WAF instance in the previous hour is higher than the total QPS quota of the WAF instance for less than 5 minutes because of traffic spikes, the event is not recorded as a QPS excess event.

    • If the start time and end time of a QPS excess event are not on the same day, such as from 23:55 to 00:10, WAF determines that the event occurs on the day when the event starts.

  • QPS usage

    If the peak QPS of a WAF instance meets one of the conditions that are described in the following table, the WAF instance is immediately added to a sandbox.

    | Instance | Total QPS quota | Description |
    | --- | --- | --- |
    | WAF instances in the Chinese mainland | ≤ 20,000 QPS | If the peak QPS of a WAF instance exceeds 100,000 QPS, the WAF instance is added to a sandbox. |
    | WAF instances in the Chinese mainland | > 20,000 QPS | If the peak QPS of a WAF instance exceeds the total QPS quota of the WAF instance by five times, the WAF instance is added to a sandbox. |
    | WAF instances outside the Chinese mainland | ≤ 2,000 QPS | If the peak QPS of a WAF instance exceeds 10,000 QPS, the WAF instance is added to a sandbox. |
    | WAF instances outside the Chinese mainland | > 2,000 QPS | If the peak QPS of a WAF instance exceeds the total QPS quota of the WAF instance by five times, the WAF instance is added to a sandbox. |
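
The two conditions above, written as a check over per-minute peak QPS readings, so you can see how close an instance is to a sandbox before protection degrades. This is an added example, not Alibaba Cloud code; the function names, the sample format and the sample values are constructed. It assumes "for 5 minutes" means five consecutive readings and "by five times" means more than 5 × the quota, neither of which the page specifies.

```python
from datetime import datetime, timedelta

# QPS usage table: region -> (quota boundary, fixed trigger at or below it)
REGION_LIMITS = {"mainland": (20_000, 100_000), "outside": (2_000, 10_000)}

def total_quota(edition, additional=0, burstable=0, burstable_enabled=False):
    """Total QPS quota as defined in the Overview section."""
    return edition + additional + (burstable if burstable_enabled else 0)

def immediate_sandbox(peak, quota, region):
    boundary, fixed = REGION_LIMITS[region]
    # Assumption: "exceeds the quota by five times" is read as peak > 5 * quota.
    return peak > (fixed if quota <= boundary else 5 * quota)

def excess_event_days(samples, quota, min_minutes=5):
    """Dates that each count as one QPS excess event.
    samples: time-ordered (datetime, peak_qps) pairs, one per minute.
    Assumption: "for 5 minutes" is read as 5 consecutive samples above quota."""
    days, run_start, run_len, prev = set(), None, 0, None
    for ts, qps in samples:
        contiguous = prev is not None and ts - prev <= timedelta(minutes=1)
        prev = ts
        if qps <= quota:
            run_len = 0
            continue
        if run_len == 0 or not contiguous:  # a gap in the data ends the run
            run_start, run_len = ts, 0
        run_len += 1
        if run_len >= min_minutes:
            days.add(run_start.date())  # event belongs to the day it started
    return days  # a set, so several events on one day count once

def evaluate(samples, quota, region, events_to_sandbox=4):
    if any(immediate_sandbox(q, quota, region) for _, q in samples):
        return "sandbox: QPS usage"
    n = len(excess_event_days(samples, quota))
    return "sandbox: excess events" if n >= events_to_sandbox else f"{n} excess event(s)"

def burst(start, minutes, qps):
    """Constructed sample data: one reading per minute at a constant peak QPS."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(minutes=i), qps) for i in range(minutes)]

QUOTA = total_quota(edition=3_000, additional=2_000)  # constructed: 5,000 QPS
SAMPLES = (burst("2024-05-01 10:00", 6, 7_000)     # event on May 1
           + burst("2024-05-01 15:00", 8, 6_500)   # same day, counted once
           + burst("2024-05-02 09:00", 3, 9_000)   # under 5 minutes, ignored
           + burst("2024-05-02 23:55", 15, 6_000)  # spans midnight, counts for May 2
           + burst("2024-05-04 12:00", 5, 5_500))  # event on May 4
print(evaluate(SAMPLES, QUOTA, "mainland"))
```
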

View the details of QPS excess events

When the peak QPS of your WAF instance exceeds the total QPS quota of your WAF instance, a notification is displayed in the top banner section of the WAF 3.0 console (labeled as 1 in the following figure).

  • Click View Details to view the details of the QPS excess events that occurred in the previous 30 days.

  • On the Overview page, click the Traffic tab. In the QPS section (labeled as 2 in the following figure), view the peak-value chart and average-value chart for your QPS usage.

Figure: QPS overview

Note
  • If multiple QPS excess events occur in an hour, the peak QPS that is displayed in the Excess Details dialog box is the maximum QPS value in the hour.

  • If the peak QPS of a WAF instance is higher than the total QPS quota of the WAF instance for 5 minutes, a QPS excess event is recorded.

  • If your instance is in the Excess or Sandbox state, you can increase the QPS quota of your WAF instance. After you increase the QPS quota, the status of your WAF instance changes to Sandbox Removed or Excess Removed.

Remove a WAF instance from a sandbox

A subscription WAF instance that is added to a sandbox cannot be automatically removed from the sandbox even if the actual peak QPS of the WAF instance does not exceed the total QPS quota. To remove the WAF instance from the sandbox, increase the QPS quota. If your WAF instance is re-added to a sandbox after you increase the QPS quota, you must increase the QPS quota again.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the top banner section, click Upgrade Now. You can also click Upgrade in the upper right corner.

  3. In the Upgrade Now panel, you can upgrade the edition of your WAF instance, purchase additional QPS quota, or enable the burstable QPS (pay-as-you-go) feature to increase the QPS quota.

    Note

    You can also go to the WAF buy page to upgrade the edition of your WAF instance and purchase additional QPS quota or enable the burstable QPS (pay-as-you-go) feature.

    After you increase the QPS quota, the status of your WAF instance changes to Sandbox Removed or Excess Removed and the number of QPS excess events is reset.

Pay-as-you-go WAF instances

Sandboxes

Overview

If the peak QPS of a pay-as-you-go WAF instance exceeds the specified threshold value for traffic billing protection, the WAF instance may be added to a sandbox.

If the peak QPS in an hour exceeds the threshold for traffic billing protection, the WAF instance is added to a sandbox.

You can specify the threshold for traffic billing protection based on your service traffic.

The following section describes the maximum threshold values that are supported by a pay-as-you-go WAF instance for traffic billing protection. By default, the threshold value for traffic billing protection of a pay-as-you-go WAF instance is set to the maximum value.

  • Chinese mainland: 100,000 QPS.

  • Outside the Chinese mainland: 10,000 QPS.

Impacts

  • If your WAF instance is added to a sandbox, the SLA is no longer guaranteed. In this case, service access exceptions may occur. Service access exceptions include but are not limited to packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering.

  • After a pay-as-you-go WAF instance is added to the sandbox, the hourly bill for the WAF instance is not generated until the WAF instance is removed from the sandbox.

  • If your WAF instance is added to a sandbox, the system sends a notification by email, text message, or internal message. You can view information about traffic billing protection in the top banner section of the WAF console.

View sandbox details

If the peak QPS in an hour is higher than the threshold for traffic billing protection, a notification is displayed in the top banner section of the WAF 3.0 console (labeled as 1 in the following figure).

Click View Traffic Protection Details to view the details of traffic billing protection in the previous 30 days.

Remove a WAF instance from a sandbox

If the peak QPS of a pay-as-you-go WAF instance is lower than the specified threshold for traffic billing protection, the WAF instance is automatically removed from the sandbox.

To manually remove a pay-as-you-go WAF instance from a sandbox, perform the following operations:

  • In the top banner section (labeled as 1 in the preceding figure), click Modify Threshold to change the threshold for traffic billing protection.

  • On the Overview page, click Modify Traffic Protection Threshold to modify the threshold for traffic billing protection. For more information, see Specify a threshold value for traffic billing protection.
