
Web Application Firewall:Compare WAF 3.0 with WAF 2.0

Last Updated:Feb 07, 2024

Web Application Firewall (WAF) 3.0 is a new version of WAF. This version provides improvements in access modes, protection configuration logic, and billing methods. This topic describes the advantages of WAF 3.0 over WAF 2.0.

Important
  • WAF 3.0 is different from WAF 2.0 in terms of its underlying architecture, specifications, configuration logic, and user experience. This is part of the reason why an Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time. If you purchased a WAF 2.0 instance, you are directed to the WAF 2.0 interface when you log on to the WAF console. If you purchased a WAF 3.0 instance, you are directed to the WAF 3.0 interface when you log on to the WAF console.

  • WAF 2.0 instances cannot be automatically migrated to WAF 3.0. If you want to migrate a WAF 2.0 instance to WAF 3.0, join the DingTalk group (group ID: 34657699) for technical support.

Access modes

WAF supports the CNAME record and cloud native access modes. The comparison below is organized by access mode; Figures 1 to 3 referenced in the headings are the access mode diagrams of the original page and are not reproduced here.

CNAME record (Figure 1)

WAF 3.0: Supported.

  • To use this mode, you update the CNAME record of your domain name at your DNS provider so that it points to the CNAME that WAF assigns to the domain name. Client traffic is then resolved to WAF, which blocks malicious requests and forwards normal requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

For more information, see CNAME record mode.

WAF 2.0: Supported.

Cloud native (Figure 2): traffic redirection for CLB and ECS instances

WAF 3.0: Supported.

  • To use this mode, you add traffic redirection ports to WAF. The gateways of the instances then automatically learn the routes that redirect web service traffic to WAF. WAF blocks malicious requests and forwards normal requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

For more information, see Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF.

WAF 2.0: Supported.

Cloud native (Figure 3): SDK integration for ALB, MSE, and Function Compute

WAF 3.0: Supported. If your web services are served by Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute, this is the recommended mode.

  • WAF 3.0 is integrated as an SDK module into the gateways of these cloud services, so the gateway itself detects and protects the traffic. Because WAF does not forward the traffic through a separate proxy, the compatibility and stability issues of proxying are avoided.

  • You can protect these cloud services without modifying DNS records or configuring certificates, ports, or back-to-origin algorithms. This simplifies setup and reduces the impact on your services.

  • WAF 3.0 is available in all regions where the supported cloud-native Alibaba Cloud services are available.

  • SDK-based traffic mirroring is also supported. In this mode, the SDK is deployed on a unified access gateway such as NGINX, and WAF inspects a mirrored copy of the inbound traffic so that it can monitor the service traffic and detect attacks without sitting in the request path.

  • Web services in multiple environments can be added to WAF 3.0 in the way that suits their network environment and compliance requirements, and all of them are managed in the WAF 3.0 console.

For more information, see Enable WAF protection for an ALB instance, Enable WAF protection for an MSE instance, and Enable WAF protection for a custom domain name bound to a web application in Function Compute.

WAF 2.0: Not supported.

Protection configuration

Configuration of a protection rule for multiple protected objects

WAF 3.0: Supported.

You can add domain names or cloud service instances to WAF 3.0 as protected objects, and you can group protected objects into a protected object group.

  • You can configure a protection rule for a protected object group. The rule takes effect for all protected objects in the group.

  • You can also add a domain name that is hosted on a cloud service instance already added to WAF as a protected object in its own right, and configure custom protection rules for that domain name separately.

WAF 2.0: Not supported.

Protected objects of WAF 2.0 are domain names only, and you can configure protection rules for only one protected object at a time. For example, to apply the same protection rule to 100 domain names, you must perform the configuration 100 times.

Configuration of protection rules for instances that are added to WAF in transparent proxy mode

WAF 3.0: Supported.

Instances that are added to WAF in cloud native mode automatically become protected objects. You can configure and modify protection rules for the instances directly.

WAF 2.0: Not supported.

If an instance that is added to WAF in transparent proxy mode hosts 100 domain names, you must add all 100 domain names to WAF before you can modify the protection rules for the instance. Domain names that are not added to WAF are covered only by the default protection rules, which cannot be modified.

Centralized query of protection rules

WAF 3.0: Supported.

On the Protection Rules page in the WAF 3.0 console, each protection module has its own section in which you can view and manage its protection templates and protection rules, and see the protected objects or protected object groups to which each template is applied. You can also search for a protection rule by rule ID.

WAF 2.0: Not supported.

You cannot query the protection rules that are configured for a domain name in a centralized manner.

Modification of default protection rules

WAF 3.0: Supported.

You can modify the default protection templates in WAF 3.0. For example, if you want to observe all requests to newly added protected objects before blocking anything, set the protection action in the default protection template to Monitor.

WAF 2.0: Not supported.

You can configure protection rules for a domain name only after the domain name is added to WAF 2.0, and the default protection rules cannot be modified.
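The configuration logic this table describes (one template applied to a protected object group, separate custom rules for a domain name hosted on a protected instance, a default template that can be switched to Monitor, and lookup of a rule by its ID) is shown below as a small Python model. This is an added example written for this page; it is not Alibaba Cloud code and does not call the WAF API. The class names, the module names basic_protection and http_flood, the rule IDs, the instance name lb-instance-1, and the example.com domain names are all assumptions constructed for the illustration, and the precedence order used when templates overlap (object itself, then parent instance, then group, then default template) is an assumption chosen to match the behaviour the table describes.

```python
"""Model of the WAF 3.0 protection-configuration logic in the table above. Added
example for this page, not Alibaba Cloud code or the WAF API; every class, module,
rule-ID and domain name below is an assumption constructed for the illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MONITOR = "Monitor"  # log the request and let it through
BLOCK = "Block"      # reject the request

@dataclass(frozen=True)
class Rule:
    rule_id: str
    module: str   # protection module (assumed names: basic_protection, http_flood)
    action: str   # MONITOR or BLOCK

@dataclass
class Template:
    name: str
    rules: List[Rule]

@dataclass
class ProtectedObject:
    name: str                     # domain name or cloud-service instance ID
    parent: Optional[str] = None  # set for a domain name hosted on a protected instance

class WafConfig:
    """Protected objects, groups, templates and a modifiable default template. Assumed
    precedence when templates overlap: object itself > parent instance > group > default."""

    def __init__(self, default_template: Template):
        self.default_template = default_template
        self.objects: Dict[str, ProtectedObject] = {}
        self.groups: Dict[str, Set[str]] = {}
        self.templates: Dict[str, Template] = {}
        self.bindings: Dict[str, Set[str]] = {}  # template name -> object/group names

    def add_object(self, obj: ProtectedObject) -> None:
        self.objects[obj.name] = obj

    def add_group(self, name: str, members: List[str]) -> None:
        self.groups[name] = set(members)

    def apply_template(self, template: Template, targets: List[str]) -> None:
        """One binding to a group covers every member (the WAF 3.0 point)."""
        self.templates[template.name] = template
        self.bindings.setdefault(template.name, set()).update(targets)

    def _priority(self, obj: ProtectedObject, target: str) -> Optional[int]:
        if target == obj.name:
            return 3
        if target == obj.parent:
            return 2
        members = self.groups.get(target, set())
        return 1 if obj.name in members else None

    def effective_rules(self, object_name: str) -> Dict[str, Rule]:
        """Resolve, per protection module, the rule that applies to one object."""
        obj = self.objects[object_name]
        chosen = {r.module: (0, r) for r in self.default_template.rules}  # fallback
        for tname, targets in self.bindings.items():
            for target in targets:
                prio = self._priority(obj, target)
                if prio is None:
                    continue
                for rule in self.templates[tname].rules:
                    if prio > chosen.get(rule.module, (-1, None))[0]:
                        chosen[rule.module] = (prio, rule)
        return {module: rule for module, (_, rule) in chosen.items()}

    def find_rule(self, rule_id: str) -> Optional[dict]:
        """Centralized query by rule ID: the template holding it and its targets."""
        for template in [*self.templates.values(), self.default_template]:
            for rule in template.rules:
                if rule.rule_id == rule_id:
                    return {"rule": rule, "template": template.name,
                            "targets": sorted(self.bindings.get(template.name, ()))}
        return None

def build_demo() -> WafConfig:
    """Constructed sample configuration (not real customer data)."""
    cfg = WafConfig(Template("default", [  # default template switched to Monitor
        Rule("default-basic", "basic_protection", MONITOR),
        Rule("default-flood", "http_flood", MONITOR)]))
    storefronts = [f"shop{i}.example.com" for i in range(1, 101)]
    for domain in storefronts:
        cfg.add_object(ProtectedObject(domain))
    cfg.add_group("storefronts", storefronts)
    # One template applied once to the group covers all 100 domain names
    cfg.apply_template(Template("strict", [Rule("rule-1001", "basic_protection", BLOCK)]),
                       ["storefronts"])
    # A cloud-native instance is a protected object itself; a domain name hosted on it
    # can be added separately with its own custom rules, which take precedence
    cfg.add_object(ProtectedObject("lb-instance-1"))
    cfg.add_object(ProtectedObject("api.example.com", parent="lb-instance-1"))
    cfg.apply_template(Template("instance-policy", [Rule("rule-2001", "basic_protection", BLOCK),
                                                    Rule("rule-2002", "http_flood", BLOCK)]),
                       ["lb-instance-1"])
    cfg.apply_template(Template("api-custom", [Rule("rule-3001", "basic_protection", MONITOR)]),
                       ["api.example.com"])
    cfg.add_object(ProtectedObject("new.example.com"))  # no explicit rules: default applies
    return cfg
```

Calling build_demo() and then effective_rules("shop42.example.com") resolves basic_protection to rule-1001 (Block) from the group template while http_flood falls back to the default template; api.example.com gets Monitor for basic_protection from its own custom template even though the instance template says Block, but inherits the instance's Block for http_flood; new.example.com, which nobody configured, is covered entirely by the default template that was set to Monitor. find_rule("rule-1001") returns the template name and the group it is bound to, which is the centralized query the table describes.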

Advantages of WAF 3.0 over WAF 2.0

The following features are supported by WAF 3.0, but not by WAF 2.0:

  • Custom response rules

    Custom response rules allow you to configure the custom block page that is returned by WAF to a client when WAF blocks a request from the client. You can configure the status code, response headers, and response body of the block page. For more information, see Configure custom response rules to configure custom block pages.

  • Major event protection rules

    The major event protection feature provides intelligent protection policies that give you strong protection without the need to configure complex rules yourself. For more information, see Major event protection.

  • Asset center

    You can use the asset center feature to inventory your domain names both inside and outside Alibaba Cloud and to assess their risk based on the attacks observed against them in the cloud. For more information, see Asset center.

  • Security reports

    You can view the protection details of each protection module for security analysis by using security reports. For more information, see Security reports.

  • Whitelist module

    You can manage whitelist rules in a centralized manner. For more information, see Configure whitelist rules to allow specific requests.

Billing methods

The following sections describe the improvements made to the subscription and pay-as-you-go billing methods of WAF 3.0.

Subscription

  • WAF 3.0 provides the Basic edition, which is suitable for users whose applications do not receive large volumes of traffic.

  • Billing rules for billable items are simplified.

    • Traffic is measured only in queries per second (QPS); bits per second (bps) is no longer used. The burstable QPS feature bills traffic above the purchased QPS on a pay-as-you-go basis, so that a WAF 3.0 instance is not placed in a sandbox when its traffic exceeds the purchased QPS.

    • In WAF 3.0, the number of domain names is the total number of primary domain names, subdomain names, and wildcard domain names. Additional domain names are billed on a tiered schedule, in which a discount applies to the portion of the domain names that falls into each tier.

  • Hybrid Cloud WAF provides more editions.

Pay-as-you-go

WAF 3.0 supports the pay-as-you-go billing method, with the following rules:

  • All fees are calculated in security capacity units (SeCUs), which simplifies the calculation process and the billing rules. SeCU resource plans are available, and larger plans provide larger savings.

  • Bills for a pay-as-you-go WAF 3.0 instance are generated every hour. When the configuration of a feature is deleted or the feature is disabled, billing for that feature stops automatically.
