Web Application Firewall (WAF) 3.0 is a new version of WAF. This version provides improvements in access modes, protection configuration logic, and billing methods. This topic describes the advantages of WAF 3.0 over WAF 2.0.
WAF 3.0 is different from WAF 2.0 in terms of its underlying architecture, specifications, configuration logic, and user experience. This is part of the reason why an Alibaba Cloud account cannot have both a WAF 2.0 instance and a WAF 3.0 instance at the same time. If you purchased a WAF 2.0 instance, you are directed to the WAF 2.0 interface when you log on to the WAF console. If you purchased a WAF 3.0 instance, you are directed to the WAF 3.0 interface when you log on to the WAF console.
WAF 2.0 instances cannot be automatically migrated to WAF 3.0. If you want to migrate a WAF 2.0 instance to WAF 3.0, join the DingTalk group (group ID: 34657699) for technical support.
Access modes
WAF supports the CNAME record and cloud native access modes.
| Access mode | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| CNAME record (Figure 1) | Supported. For more information, see CNAME record mode. | Supported. |
| Cloud native (Figure 2) | Supported. For more information, see Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF. | Supported. |
| Cloud native (Figure 3) | Supported. If your web services are added to Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute, we recommend that you use this mode. For more information, see Enable WAF protection for an ALB instance, Enable WAF protection for an MSE instance, and Enable WAF protection for a custom domain name bound to a web application in Function Compute. | Not supported. |
Protection configuration
| Protection configuration | WAF 3.0 | WAF 2.0 |
| --- | --- | --- |
| Configuration of a protection rule for multiple protected objects | Supported. You can add domain names or instances as protected objects to WAF 3.0. You can also add protected objects to a protected object group. | Not supported. Protected objects of WAF 2.0 can be domain names. You can configure protection rules for only one protected object at a time. For example, if you want to configure the same protection rule for 100 domain names, you must perform the configuration 100 times. |
| Configuration of protection rules for instances that are added to WAF in transparent proxy mode | Supported. Instances that are added to WAF in cloud native mode automatically become protected objects of WAF. You can configure and modify protection rules for the instances. | Not supported. If an instance that is added to WAF in transparent proxy mode has 100 domain names, you must add all 100 domain names to WAF before you modify protection rules for the instance. If you do not add all domain names to WAF, only the default protection rules take effect for the domain names. You cannot modify the default protection rules. |
| Centralized query of protection rules | Supported. On the Protection Rules page in the WAF 3.0 console, you can view and manage the protection templates and protection rules of each protection module in the corresponding section. You can also view the protected objects or protected object groups to which the protection templates are applied. You can search for a protection rule by rule ID. | Not supported. You cannot query the protection rules that are configured for a domain name in a centralized manner. |
| Modification of default protection rules | Supported. You can modify default protection templates in WAF 3.0. If you want to monitor all requests that are sent to new protected objects of WAF 3.0, you can set the protection action in the default protection template to Monitor. | Not supported. You can configure protection rules for domain names only after the domain names are added to WAF 2.0. |
Advantages of WAF 3.0 over WAF 2.0
The following features are supported by WAF 3.0, but not by WAF 2.0:
Custom response rules
Custom response rules allow you to configure the custom block page that is returned by WAF to a client when WAF blocks a request from the client. You can configure the status code, response headers, and response body of the block page. For more information, see Configure custom response rules to configure custom block pages.
Major event protection rules
The major event protection feature provides intelligent protection policies. You can obtain powerful security protection capabilities without the need to configure complex rules. For more information, see Major event protection.
Asset center
You can use the asset center feature to classify domain names inside and outside Alibaba Cloud and assess risks based on the attack status of the domain names in the cloud. For more information, see Asset center.
Security reports
You can view the protection details of each protection module for security analysis by using security reports. For more information, see Security reports.
Whitelist module
You can manage whitelist rules in a centralized manner. For more information, see Configure whitelist rules to allow specific requests.
Billing methods
The following sections describe the improvements made to the subscription and pay-as-you-go billing methods of WAF 3.0.
Subscription
WAF 3.0 provides the Basic edition. The Basic edition is suitable for users whose applications do not have large service traffic.
Billing rules for billable items are simplified.
Traffic is measured only in queries per second (QPS). Bits per second (bps) is no longer used. The burstable QPS (pay-as-you-go) feature is supported. The feature prevents WAF 3.0 instances from being added to a sandbox.
In WAF 3.0, the number of domain names is the total number of primary domain names, subdomain names, and wildcard domain names. Additional domain names adhere to a tiered pricing schedule, in which discounts are applied to the portion of domain names in different tiers.
Hybrid Cloud WAF provides more editions.
Pay-as-you-go
All fees are calculated based on security capacity units (SeCUs). This simplifies the calculation process and billing rules. Resource plans are provided for SeCUs, in which you can obtain more savings based on the size of the plan.
The bills of a pay-as-you-go WAF 3.0 instance are generated every hour. When the configurations for a feature are deleted or the feature is disabled, the billing for the feature is automatically stopped.
WAF 3.0 supports the pay-as-you-go billing method.
References
Website configuration overview: describes the access modes that are supported by WAF 3.0 and the access procedures.
Protection configuration overview: describes the configurations that are supported by WAF 3.0 and the protection configuration procedures.
Subscription billing overview: describes the subscription billing method of WAF 3.0.
Pay-as-you-go billing overview: describes the pay-as-you-go billing method of WAF 3.0.