Web Application Firewall: Upgrade a WAF 2.0 instance to WAF 3.0

Last Updated: Jul 18, 2024

If you use a Web Application Firewall (WAF) 2.0 instance, you can use the self-service upgrade tool that is provided by Alibaba Cloud to upgrade the WAF 2.0 instance to WAF 3.0 in the WAF 2.0 console. This topic describes the limits, instructions, and procedure for the upgrade.

Important

The self-service upgrade tool is in canary release.

  • If WAF3.0 Upgrade Portal is displayed in the left-side navigation pane of the WAF 2.0 console, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0.

  • If WAF3.0 Upgrade Portal is not displayed in the left-side navigation pane of the WAF 2.0 console and you want to upgrade your WAF 2.0 instance to WAF 3.0, submit an upgrade application to your account manager.

Limits

The WAF 2.0 instance that you want to upgrade to WAF 3.0 must meet the following requirements:

  • The WAF 2.0 instance is a Hybrid Cloud Exclusive Edition instance, or your web services are added to the WAF 2.0 instance in CNAME record mode or transparent proxy mode. If your web services are added to the WAF 2.0 instance in transparent proxy mode, your origin server must be deployed on a Layer 7 Classic Load Balancer (CLB), Layer 4 CLB, or Elastic Compute Service (ECS) instance.

    Note

    If your origin server is deployed on an Application Load Balancer (ALB) instance, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations for the ALB instance. For more information, see Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?

  • Alibaba Cloud performs operations such as asset synchronization from 00:00 to 03:00 every day. We recommend that you do not upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode during this period.

  • The edition of the WAF 2.0 instance is Subscription Pro Edition, Subscription Business Edition, Subscription Enterprise Edition, or Hybrid Cloud Exclusive Edition.

  • The data visualization feature is disabled for the WAF 2.0 instance and no customized features are enabled for the WAF 2.0 instance.

  • The WAF 2.0 instance does not expire in the next 15 days.

  • The WAF 2.0 instance belongs to an Alibaba Cloud account that does not have overdue payments.

    To view the details of the account, move the pointer over the profile picture in the upper-right corner of the WAF 2.0 console.

Instructions

Impacts on business

You can upgrade a WAF 2.0 instance to WAF 3.0 without service interruptions.

Note

After the upgrade, the CNAME provided by the WAF 2.0 instance and the configured back-to-origin addresses remain unchanged. On the CNAME Record tab of the Website Configuration page in the WAF 3.0 console, you can view the domain names, CNAMEs assigned to the domain names, and origin server addresses.

Upgrade methods

  • One-click Upgrade

    After the upgrade starts, the system checks whether your configurations meet the upgrade requirements. If your configurations meet the upgrade requirements, the system creates a WAF 3.0 instance and upgrades all forwarding configurations and protection configurations to the WAF 3.0 instance.

    Use scenario: A small number of domain names are added to your WAF 2.0 instance and you want to upgrade this instance to WAF 3.0 with a few clicks.

  • Rule Upgrade

    After the upgrade starts, the system checks whether the protection rules that you selected can be upgraded. If the protection rules can be upgraded, the system creates a WAF 3.0 instance and upgrades the protection rules to WAF 3.0. The protection performance of the protection rules is not affected. You must manually upgrade the forwarding configurations of the specified domain names, create protection templates, add protection rules to the templates, and then associate the templates with protected objects.

    Use scenario: You want the protection rules to be automatically upgraded but you want to manually batch upgrade forwarding configurations and view traffic statistics.

  • Manual Batch Upgrade

    After the upgrade starts, the system creates a WAF 3.0 instance, configures default protection rules, but does not upgrade forwarding configurations or protection configurations. You must manually upgrade the forwarding configurations of the specified domain names, create protection templates, add protection rules to the templates, and then associate the templates with protected objects.

    Use scenario: A large number of domain names are added to your WAF 2.0 instance or complex protection rules are configured. You want to manually batch upgrade forwarding configurations and protection configurations and view traffic statistics.

Amount of time required for the upgrade

The upgrade requires approximately 15 minutes to complete. During the upgrade, a WAF 3.0 instance is created and forwarding configurations and protection configurations are upgraded.

Compared with the manual batch upgrade and rule upgrade methods, the one-click upgrade method requires more time to complete because of complex prechecks.

Upgrade window

  • Upgrade window duration

    After you select an upgrade method, you can perform upgrade operations within a 15-day upgrade window. After you click Confirm Upgrade Completion, you cannot perform upgrade operations.

    You can view the remaining duration of the upgrade window on the Upgrade Tool page.

  • Operations that can be performed

    • View traffic statistics.

    • Batch upgrade domain names.

    • Switch between the WAF 2.0 console and the WAF 3.0 console.

    • Configure protection rules in the WAF 3.0 console and check whether the new WAF 3.0 instance protects your web services as expected.

    • Roll back to WAF 2.0.

    • Confirm that the upgrade is complete or cancel the upgrade task.

  • Operations that cannot be performed

    • Renew, upgrade, downgrade, or unsubscribe from your WAF instance in the WAF console or Alibaba Cloud Expenses and Cost. If you perform the preceding operations on your WAF instance, the instance may be released and fees may fail to be refunded.

    • Enable or disable the website tamper-proofing or data leakage prevention feature.

    • Modify the forwarding configurations on the Website Access page in the WAF 2.0 console or the Website Configuration page in the WAF 3.0 console.

  • Usage notes

    • If you create an alert rule for the new WAF 3.0 instance within the upgrade window, you receive alerts only in the WAF 2.0 console.

    • If you do not click Confirm Upgrade Completion within the upgrade window, the new WAF 3.0 instance and the corresponding configurations are rolled back to WAF 2.0 and deleted.

    • After the upgrade is complete, you can use your WAF instance only in the WAF 3.0 console. Make sure that you do not need to perform upgrade operations before you click Confirm Upgrade Completion.

Comparison between WAF 2.0 and WAF 3.0

Editions and features

If the edition of your WAF 2.0 instance is Subscription Pro Edition, the new WAF 3.0 instance runs Subscription Pro Edition. If the edition of your WAF 2.0 instance is Subscription Business Edition, the new WAF 3.0 instance runs Subscription Enterprise Edition. If the edition of your WAF 2.0 instance is Subscription Enterprise Edition, the new WAF 3.0 instance runs Subscription Ultimate Edition. The WAF 2.0 instance and the WAF 3.0 instance use the same billing method. WAF 3.0 enhances the features of WAF 2.0 and adds new features.

  • Subscription WAF 3.0 Pro Edition instances do not support the intelligent rule hosting feature of the protection rules engine and the slider CAPTCHA verification feature in custom rules. To use the preceding features, upgrade the WAF 3.0 instance from Pro Edition to Enterprise Edition or Ultimate Edition. For more information, see Upgrade or downgrade a WAF instance.

  • WAF 3.0 provides the following features that are not supported by WAF 2.0: protection templates, custom response rules, major event protection, and the advanced asset center. After the upgrade is complete, you can enable these features based on your business requirements. For more information, see Configure custom response rules to configure custom block pages, Major event protection, and Asset center.

  • Hybrid Cloud Exclusive Edition is not supported in WAF 3.0. A WAF 2.0 Hybrid Cloud Exclusive Edition instance can be upgraded only to a subscription WAF 3.0 Ultimate Edition instance.

    The following table describes the changes in instance specifications before and after the upgrade.

    | Scenario | Before the upgrade | After the upgrade |
    |---|---|---|
    | Scenario 1 | Your WAF 2.0 instance runs Hybrid Cloud Exclusive Edition and you did not purchase additional quotas for protection nodes or domain names. This edition provides a quota of 2 protection nodes and 200 domain names. | The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node, and 200 domain names. |
    | Scenario 2 | Your WAF 2.0 instance runs Hybrid Cloud Exclusive Edition and you purchased an additional quota of x protection nodes. This edition provides a quota of 2 protection nodes and 200 domain names. | The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node, x additional protection nodes, and 200 domain names. |
    | Scenario 3 | Your WAF 2.0 instance runs Enterprise Edition and you purchased an additional quota of x protection nodes. | The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, x additional protection nodes, and 200 domain names. |
    | Scenario 4 | Your WAF 2.0 instance runs Business Edition and you purchased an additional quota of x protection nodes. | The new WAF 3.0 instance runs Enterprise Edition and provides a quota of 1 default protection node, x additional protection nodes, and 200 domain names. |

Fees

Note

You are not charged for the upgrade operations.

The total fees for your instance may change due to the differences between the editions and the features supported by WAF 2.0 and WAF 3.0. You can view the changes in fees when you renew your instance. For information about WAF 3.0 pricing, visit the WAF 3.0 buy page.

Important
  • After your WAF 2.0 instance is upgraded to WAF 3.0, you cannot apply for a refund if you unsubscribe from or downgrade your WAF instance before you renew the instance.

  • If you downgrade your WAF instance, you are charged for your WAF instance based on its specifications after the downgrade.

Sandbox, burstable QPS (pay-as-you-go), and traffic billing protection

Sandbox is a special mechanism of WAF 3.0. If the peak queries per second (QPS) of a subscription WAF 3.0 instance exceeds the QPS quota, the WAF instance may be added to a sandbox. After a WAF instance is added to a sandbox, the service level agreement (SLA) is no longer guaranteed. In this case, service access exceptions may occur, such as packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing due to DDoS attacks, and blackhole filtering. For more information, see Introduction to sandboxes.

Note

The system does not add the instance to a sandbox within the upgrade window.

  • Subscription instances

    If the QPS of the WAF instance exceeds the sum of the QPS quota provided by the current edition and the additional QPS quota that you purchase, the instance may be added to a sandbox. For more information, see Burstable QPS (pay-as-you-go).

    After the upgrade is complete, the QPS of the WAF instance may exceed the QPS quota that is provided by the current edition. If the quota is exceeded, the instance may be added to a sandbox.

    To prevent the WAF instance from being added to a sandbox, you can upgrade the edition, purchase an additional QPS quota, or enable the burstable QPS (pay-as-you-go) feature.

  • Pay-as-you-go instances

    If the peak QPS of a pay-as-you-go WAF instance within an hour exceeds the specified threshold for traffic billing protection, the WAF instance is added to a sandbox to prevent high costs, and bills are not generated for that hour. For more information, see Traffic billing protection.

    The following section describes the maximum thresholds for traffic billing protection that are supported by pay-as-you-go WAF instances. By default, the threshold for traffic billing protection of a pay-as-you-go WAF instance is set to the maximum value.

    • Chinese mainland: 100,000 QPS.

    • Outside the Chinese mainland: 10,000 QPS.

    • If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.

    If the peak QPS of the WAF instance is less than or equal to the specified threshold for traffic billing protection, the WAF instance is removed from the sandbox. You can change the threshold for traffic billing protection based on your business requirements.

Simple Log Service

  • After the one-click upgrade starts, the system creates a Logstore for the new WAF 3.0 instance. The Logstore of the WAF 2.0 instance is retained.

    Important
    • If you use the manual batch upgrade or rule upgrade method, no Logstore is automatically created for the new WAF 3.0 instance. To use Simple Log Service, you must manually enable the Simple Log Service for WAF feature after the upgrade.

    • Within the upgrade window, you can view the Logstore of your WAF 2.0 instance in the WAF 2.0 console. After the upgrade is complete, you can view the Logstore of your WAF 2.0 instance only in the Simple Log Service console. For more information, see Query and analyze logs.

  • When the retention period elapses, the logs that are stored in the Logstore of the WAF 2.0 instance are deleted. The logs that have the earliest expiration date are deleted first. If you want to retain WAF 2.0 logs, back up the logs at the earliest opportunity. For more information, see Download logs.

  • By default, WAF 3.0 logs are stored for 180 days. You can change the storage period in the Simple Log Service console.

Required reconfiguration operations

After the upgrade is complete, you must reconfigure API operations, Terraform, resource groups, monitoring and alerting, and the Simple Log Service for WAF feature. You must also grant Resource Access Management (RAM) users permissions on API operations, renew your WAF instance at the earliest opportunity, and troubleshoot issues caused by the product code change. For more information, see What to do next.

Upgrade process

  • After you upgrade a domain name that is added to WAF 2.0 in transparent proxy mode to WAF 3.0, the cloud service instance on which the domain name is hosted becomes a custom protected object of WAF 3.0 that is added to WAF 3.0 in cloud native mode.

  • After you upgrade a WAF 2.0 Hybrid Cloud Exclusive instance to WAF 3.0, a protected object is automatically created for traffic that is protected by the WAF 2.0 instance and is added to WAF 3.0 in hybrid cloud reverse proxy mode.

Procedure

Important
  • Before you upgrade a WAF 2.0 instance to WAF 3.0, disable auto-renewal for the WAF 2.0 instance to prevent repeated auto-renewals.

  • If your WAF 2.0 instance expires within the upgrade window, we recommend that you manually renew your instance for one month to prevent instance expiration.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the lower part of the left-side navigation pane, click WAF3.0 Upgrade Portal.

    • If your WAF 2.0 instance meets the requirements that are described in the "Limits" section of this topic, read the instructions and click I understand the upgrade instructions and agree to proceed with the upgrade. in the Upgrade Instructions panel.

    • If your instance does not meet the requirements that are described in the "Limits" section of this topic, the Error message appears. You can fix the error based on the error message. If you have questions, join the DingTalk group (group ID: 34657699) for technical support.

  3. If a domain name is added to WAF 2.0 in transparent proxy mode, bind the domain name to the corresponding cloud service.

  4. On the Upgrade Tool page, select an upgrade method. You can select One-click Upgrade, Rule Upgrade, or Manual Batch Upgrade. Then, click Start Migration.

    Important

    If you select Rule Upgrade, you can select one or more protection rule modules that you want to upgrade.

    You can select the protection rules that you want to upgrade only on the Upgrade Tools page.

  5. In the Note message, click OK.

    Important

    After you click OK, the upgrade window starts. The upgrade requires approximately 15 minutes to complete. Do not close or refresh the current page during this period.

  6. In the "The WAF 3.0 instance is created." message, click OK.

    • Switch to the WAF 3.0 console and check whether the automatic upgrade of configuration items is complete. For information about the automatically upgraded configuration items, see Upgrade process.

    • Switch to the WAF 2.0 console. On the Upgrade Tools page, check the upgrade status of domain names.

      One-click upgrade

      If the upgrade status of all domain names is Upgraded, all configurations of the domain names are automatically upgraded to WAF 3.0.

      Note

      If the upgrade fails, the WAF instance is rolled back to WAF 2.0. In the Rollback Completed dialog box, you can view the cause of the upgrade failure.

      Rule upgrade and manual batch upgrade

      If the upgrade status of a domain name is Not Upgraded, specific configurations of the domain name are not automatically upgraded to WAF 3.0. You must manually upgrade the configurations.

  7. Manually upgrade configurations. This operation is required only if you select the Rule Upgrade or Manual Batch Upgrade method.

    Rule upgrade

    • Upgrade the forwarding configurations of domain names

      • To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.

      • To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.

        If the upgrade is successful, the upgrade status of the domain names is changed to Upgraded.

    • Associate protection templates with protected objects

      1. In the left-side navigation pane, click Switch to WAF 3.0.

      2. In the WAF 3.0 console, associate the upgraded protection templates with protected objects.

        In the left-side navigation pane, choose Protection Configuration > Protection Rules. Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

        Note

        If you want to associate a bot management rule with protected objects, choose Protection Configuration > Scenario-specific Protection > Bot Management in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

    Manual batch upgrade

    • Upgrade the forwarding configurations of domain names

      • To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.

      • To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.

        If the upgrade is successful, the upgrade status of the domain names is changed to Upgraded.

    • Create protection templates and protection rules

      Switch to the WAF 3.0 console and create protection templates and protection rules. For more information, see Protection configuration.

    • Associate protection templates with protected objects

      1. In the left-side navigation pane, click Switch to WAF 3.0.

      2. In the WAF 3.0 console, associate the upgraded protection templates with protected objects.

        In the left-side navigation pane, choose Protection Configuration > Protection Rules. Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

        Note

        If you want to associate a bot management rule with protected objects, choose Protection Configuration > Scenario-specific Protection > Bot Management in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

  8. Switch to the WAF 3.0 console and check whether the upgraded configurations are effective and whether your business runs as expected.

    If the upgraded configurations are ineffective or your business does not run as expected, find the upgraded domain name and click Roll Back to WAF 2.0 in the Actions column to roll back the domain name and the corresponding configurations. You can also select multiple domain names and click Batch Roll Back to WAF 2.0 to roll back the domain names and configurations to WAF 2.0 at the same time.

    Note

    After the configurations of the domain names that were upgraded by using the one-click upgrade method are rolled back to WAF 2.0, you can click Upgrade to WAF 3.0 in the Actions column on the Upgrade Tools page to re-upgrade the configurations to WAF 3.0. Only the forwarding configurations of the domain names are upgraded to WAF 3.0. After the upgrade is complete, configure protection rules for the domain names.

  9. Click Confirm Upgrade Completion.

    After the upgrade is complete, your WAF 2.0 instance is released and you can use the new WAF 3.0 instance in the WAF 3.0 console.

    Important

    Click Confirm Upgrade Completion within the upgrade window. If you do not click Confirm Upgrade Completion within the upgrade window period, the upgraded domain names and configurations are rolled back to WAF 2.0. If you re-upgrade your WAF 2.0 instance to WAF 3.0, the upgrade process restarts.
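
A check to run between steps 8 and 9, before the irreversible Confirm Upgrade Completion click. It is an added example, not Alibaba Cloud code: it compares a snapshot taken before the upgrade with what the WAF 3.0 console and the Upgrade Tool page show afterwards. The record layout, method strings, finding labels and all sample values are assumptions constructed for illustration; the snapshots are filled in by hand from the console pages.

```python
"""Pre-confirmation check for a WAF 2.0 -> WAF 3.0 upgrade (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

UPGRADE_WINDOW = timedelta(days=15)  # window length stated on this page


@dataclass(frozen=True)
class DomainRecord:
    # Hypothetical layout; values are copied by hand from the console.
    cname: str                          # CNAME assigned by WAF
    origins: frozenset                  # back-to-origin addresses
    status: str = "Upgraded"            # status on the Upgrade Tool page
    templates: frozenset = frozenset()  # templates associated in WAF 3.0


def _norm(host):
    """Compare host names case-insensitively and without a trailing dot."""
    return host.strip().rstrip(".").lower()


def check_upgrade(before, after, method, started_at, now):
    """Return sorted (domain, finding) pairs; an empty list means no finding."""
    findings = []
    # Past the window, the new instance is rolled back instead of confirmed.
    if now >= started_at + UPGRADE_WINDOW:
        findings.append(("*", "upgrade-window-elapsed"))
    for domain, old in before.items():
        new = after.get(domain)
        if new is None:
            findings.append((domain, "missing-in-waf3"))
            continue
        if new.status != "Upgraded":
            findings.append((domain, "not-upgraded"))
            continue
        # The page states that CNAMEs and origin addresses stay unchanged.
        if _norm(old.cname) != _norm(new.cname):
            findings.append((domain, "cname-changed"))
        if {_norm(o) for o in old.origins} != {_norm(o) for o in new.origins}:
            findings.append((domain, "origin-changed"))
        # Rule and manual batch upgrades need templates associated by hand.
        if method in ("rule", "manual-batch") and not new.templates:
            findings.append((domain, "no-template-associated"))
    for domain in after.keys() - before.keys():
        findings.append((domain, "not-in-waf2-snapshot"))
    return sorted(findings)


# Constructed sample snapshots (documentation addresses and names only).
BEFORE = {
    "shop.example.com": DomainRecord(
        "abc123.waf.example.net", frozenset({"203.0.113.10"})),
    "api.example.com": DomainRecord(
        "def456.waf.example.net", frozenset({"203.0.113.20", "203.0.113.21"})),
    "blog.example.com": DomainRecord(
        "ghi789.waf.example.net", frozenset({"origin.example.org"})),
}
AFTER = {
    "shop.example.com": DomainRecord(
        "ABC123.waf.example.net.", frozenset({"203.0.113.10"}),
        "Upgraded", frozenset({"core-rules"})),
    "api.example.com": DomainRecord(
        "def456.waf.example.net", frozenset({"203.0.113.20"}), "Upgraded"),
    "blog.example.com": DomainRecord(
        "ghi789.waf.example.net", frozenset({"origin.example.org"}),
        "Not Upgraded"),
}
STARTED = datetime(2024, 7, 1, 9, 0)   # constructed upgrade start time
CHECKED = STARTED + timedelta(days=10)  # constructed time of the check

if __name__ == "__main__":
    for domain, finding in check_upgrade(BEFORE, AFTER, "rule", STARTED, CHECKED):
        print(f"{domain}: {finding}")
```

An empty result only means the recorded values match; it does not replace the functional check of the protected services described in step 8.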

What to do next

After the upgrade is complete, you must perform the following operations before you can use WAF 3.0:

  • Configure API operations

    WAF 3.0 provides new API operations. You must configure the API operations. For more information, see List of operations by function.

  • Grant permissions to RAM users

    You must grant RAM users permissions on different API operations. For more information, see RAM authorization.

  • Reconfigure Terraform

    You must reconfigure Terraform. For more information, see Terraform Registry (domain) and Terraform Registry (instance).

  • Reconfigure resource groups

    Resource groups cannot be upgraded. You must reconfigure resource groups. For more information, see Add a domain name to WAF.

  • Use CloudMonitor to reconfigure monitoring and alerting

    You must reconfigure monitoring and alerting for security events and service metrics. For more information, see Configure CloudMonitor notifications.

  • Reconfigure log settings

    To reconfigure log settings, perform the following operations:

  • Operations triggered by the product code change

    After the upgrade is complete, the product code of the WAF instance is changed. If you have questions that are related to the preceding change, contact your account manager.

FAQ

Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?

Yes, you can upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode. If your origin server is deployed on a Layer 7 CLB, Layer 4 CLB, or ECS instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service upgrade tool to upgrade the WAF 2.0 instance to WAF 3.0. If your origin server is deployed on an ALB instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations for the ALB instance. To disable traffic redirection and delete the access configurations, perform the following steps:

  1. On the Servers tab of the Website Access page, find the port that is added to WAF 2.0 in transparent proxy mode and click Disable Traffic Redirection in the Actions column.

  2. On the Domain Names tab, find the domain name and click Delete in the Actions column.

  3. Upgrade the WAF 2.0 instance. For more information, see the "Upgrade process" section of this topic.

  4. Add the upgraded instance to WAF 3.0. For more information, see Cloud native mode.

Can I upgrade a WAF 2.0 Exclusive Edition instance to WAF 3.0?

No, you cannot upgrade a WAF 2.0 Exclusive Edition instance to WAF 3.0. WAF 3.0 does not support Exclusive Edition.

Am I charged for upgrade operations?

No, you are not charged for upgrade operations. If you use a subscription WAF instance, you are charged only if you renew your WAF instance.

Can I upgrade a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance?

No, you cannot upgrade a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance.

Can I upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance?

No, you cannot upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance. However, you can upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Pro Edition instance. If you want to use a WAF 3.0 Enterprise Edition instance, you can upgrade the edition of the new WAF 3.0 instance. For more information, see Upgrade or downgrade a WAF instance.

Can I add a domain name to my WAF 2.0 instance within the upgrade window period and then resume the upgrade task?

No, you cannot add a domain name to your WAF 2.0 instance within the upgrade window and then resume the upgrade task. You cannot add, remove, or modify domain names on the Website Access page within the upgrade window. Before you add a domain name to the WAF 2.0 instance that is being upgraded, you must cancel the upgrade task. Then, you must restart the upgrade task for the WAF 2.0 instance.

Note

After you cancel the upgrade task, the system deletes the new WAF 3.0 instance and the corresponding configurations and terminates the upgrade process.
