
Web Application Firewall: Upgrade a WAF 2.0 instance to WAF 3.0

Last Updated: Jun 24, 2026

Web Application Firewall (WAF) provides a self-service tool in the console to upgrade WAF 2.0 instances to WAF 3.0. This topic covers the prerequisites, post-upgrade changes, and upgrade procedure.

Important

The self-service upgrade tool is being rolled out in batches. Follow the steps below to upgrade:

  • Direct upgrade: If the WAF3.0 Upgrade Portal button is displayed at the bottom of the left navigation pane in the Web Application Firewall console, click it to perform a self-service upgrade.

  • Apply for upgrade: If the button is not displayed and you need to upgrade urgently, contact your account manager to submit an upgrade application.

Prerequisites

  • Instances that use transparent proxy mode for Application Load Balancer (ALB) cannot be directly upgraded. If you have such instances, disable traffic redirection, delete the domain name configuration, and then perform a self-service upgrade. For more information, see the FAQ section below.

  • Alibaba Cloud synchronizes cloud product assets daily from 00:00 to 03:00. Avoid upgrading instances that use transparent proxy mode during this window.

  • The instance edition is a subscription Pro, Enterprise, or Ultimate edition, or a Hybrid Cloud WAF Exclusive edition.

  • The instance does not use the data visualization service or have custom features enabled.

  • The instance will not expire within 15 days, and your account has no overdue payments.

  • The upgrade operation requires full WAF permissions (AliyunYundunWAFFullAccess).

Before you upgrade

Impact on services

  • Business continuity: The upgrade is smooth and does not cause service interruptions. After the upgrade, the CNAME address provided by WAF 2.0 and the configured origin URLs remain unchanged. View the related information in the CNAME access list.

  • Upgrade duration: The upgrade takes approximately 15 minutes. The one-click full upgrade method usually takes longer than the manual batch upgrade method because it includes a comprehensive system precheck.

Changes after the upgrade

Edition, specification, and supported capabilities

After the upgrade, the billing method and edition of subscription Pro, Enterprise, and Ultimate editions remain unchanged. WAF 3.0 integrates and optimizes WAF 2.0 features. The key changes are listed below. For detailed edition comparisons in WAF 3.0, see Editions.

  • WAF 3.0 subscription Pro Edition no longer supports the intelligent rule hosting feature in the Protection Rules Engine or the slider verification feature in custom rules. If you need these features after the upgrade, upgrade the instance to the Enterprise Edition or Ultimate Edition. For more information, see Upgrade an instance.

  • WAF 3.0 introduces new features such as protection template configuration, custom response rules, critical event protection, and an advanced asset center. After the upgrade, configure these features based on your business needs. For more information, see Protection configuration overview.

  • WAF 3.0 no longer supports the Hybrid Cloud WAF Exclusive edition. Therefore, the Hybrid Cloud WAF Exclusive edition is upgraded to the subscription Ultimate Edition.

    The specifications after the upgrade are as follows:

    | Scenario | Before upgrade | After upgrade |
    |---|---|---|
    | Scenario 1 | WAF 2.0 Hybrid Cloud WAF edition (includes 2 nodes + 200 domains) | WAF 3.0 Ultimate Edition (1 default node) + 1 extra node + 200 domains |
    | Scenario 2 | WAF 2.0 Hybrid Cloud WAF edition (includes 2 nodes + 200 domains) + X paid extra nodes | WAF 3.0 Ultimate Edition (1 default node) + 1 extra node + X extra nodes + 200 domains |
    | Scenario 3 | WAF 2.0 Ultimate Edition + X paid extra nodes | WAF 3.0 Ultimate Edition (1 default node) + X hybrid cloud extra nodes + 200 domains |
    | Scenario 4 | WAF 2.0 Enterprise Edition + X paid extra nodes | WAF 3.0 Enterprise Edition (1 default node) + X hybrid cloud extra nodes + 200 domains |

Fee changes

The upgrade operation itself does not incur any fees. However, due to changes in specifications and supported capabilities after the upgrade, the fees for your WAF 3.0 instance may change even if you do not use any additional features. The changes take effect at the first renewal after the upgrade.

For detailed pricing of WAF 3.0 subscription and pay-as-you-go instances, see Billing guide and Billing details.

Important
  • After the instance is upgraded to WAF 3.0, if you unsubscribe from or downgrade the instance before the first renewal, WAF does not refund the corresponding amount.

  • If you downgrade the instance, WAF charges fees based on the downgraded specifications at the next renewal.

Log service changes

  • After a one-click upgrade, the system automatically creates a Logstore for WAF 3.0 while retaining the WAF 2.0 Logstore.

    Important
    • After the migration, the WAF 3.0 log service records only required fields. If you selected optional fields in WAF 2.0, reselect them in the WAF 3.0 console.

    • During the upgrade window, you can still view the WAF 2.0 Logstore in the WAF 2.0 console. After the upgrade, go to the Simple Log Service (SLS) console to view the WAF 2.0 Logstore. For more information, see Query and analysis quick start.

  • Logs in the WAF 2.0 Logstore are cleared in chronological order (oldest first) after their retention period expires. Back up logs promptly if you need to keep them. For more information, see Download logs.

  • The default log retention period for the WAF 3.0 Logstore is 180 days. To modify this setting, go to the Simple Log Service console.

Upgrade process

Description of connected object upgrades:

  • When you upgrade a domain name that uses transparent proxy mode, WAF upgrades the traffic from the redirection ports of the bound cloud product instances (Layer 7 SLB, Layer 4 SLB, or ECS) to the corresponding cloud product integration. WAF also adds the instances as protected objects and the domain name as a custom protected object.

  • When you upgrade traffic for a hybrid cloud integration, WAF reconfigures the traffic to use hybrid cloud reverse proxy mode by default and generates a protected object.

Canary release:

  • When you select manual batch upgrade, you can enable the canary release feature for domain names. Canary release routes a portion of traffic to WAF 3.0. Choose the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0.

  • Supported canary release proportions are: 1%, 5%, 10%, 20%, 30%, 50%, 70%, 90%, and 100%. Custom proportions are not supported. You can only increase the canary release proportion (for example, from 10% to 20%), not decrease it.

Note

Data leakage prevention (DLP) does not support canary release. When a migration task is active, DLP hit records are logged in WAF 3.0.

Procedure

Log on to the Web Application Firewall console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance. At the bottom of the left navigation pane, click WAF3.0 Upgrade Portal.

  • If your instance meets the upgrade requirements, review and select the acknowledgment in the Upgrade Instructions panel, then click "I understand the upgrade instructions and agree to proceed with the upgrade." to go to the Upgrade Tool page and start the upgrade.

  • If your instance does not meet the upgrade requirements, WAF displays an Error prompt. Follow the instructions in the prompt to resolve the issue.

Step 1: Bind traffic (transparent proxy mode only)

If you have domain names that use transparent proxy mode, the Bind Traffic to Cloud Service page appears. You must bind the domain name to the corresponding cloud product (ECS, CLB (TCP), or CLB (HTTP/HTTPS)). If you are not sure which cloud product type your domain name corresponds to, follow these steps to confirm:

  1. Open Network Diagnostic Analysis, select Network Diagnostic Analysis, enter the domain name, then find and copy the public IP address from the DNS service provider analysis results section.

  2. Go to the ECS console - Instances and the Classic Load Balancer (CLB) console. Select the region and resource group, and find the instance corresponding to the public IP address you copied.

    • If it is an ECS instance, select ECS.

    • If it is a CLB instance with a TCP listener, select CLB(TCP).

    • If it is a CLB instance with an HTTP or HTTPS listener, select CLB(HTTP/HTTPS).

  3. After making your selection, click Continue Upgrade.

Step 2: Upgrade precheck

The upgrade precheck tool verifies whether the current instance meets the upgrade conditions. After the initial check, view the most recent check time and result on the upgrade tool page. If the check fails, fix the reported issue based on the on-page instructions, then return to this page to rerun the check.

The precheck evaluates factors such as instance expiration time, rule count, and access method to determine whether the instance meets upgrade requirements. After the check passes, the page displays the supported upgrade methods, including One-click full upgrade, Manual batch upgrade: rule migration, and Manual batch upgrade: no rule migration. To refresh the check results, click Recheck.

Step 3: Select an upgrade method

The upgrade tool provides three upgrade methods. Select the one that suits your needs:

| Migration method | One-click full upgrade | Manual batch upgrade: rule migration | Manual batch upgrade: no rule migration |
|---|---|---|---|
| Applicable scenarios | Few domain names with simple rules. Complete the upgrade with one click. After the upgrade, the protection template uses the system default configuration. | Requires batch upgrade and traffic observation. The system automatically upgrades the protection rules. | Many domain names or complex rules. Requires batch upgrade and traffic observation. After the upgrade, you customize the protection template configuration. |
| Upgrade mode | The system prechecks whether full upgrade is supported. If the check passes, it automatically creates a WAF 3.0 instance and upgrades both the forwarding configuration and protection rules to WAF 3.0. | The system prechecks whether the selected protection modules support upgrade. If the check passes, it automatically creates a WAF 3.0 instance and upgrades the protection rules. You must manually upgrade the forwarding configuration. | The system automatically creates a WAF 3.0 instance but does not perform any automatic upgrade. You must manually upgrade the forwarding configuration and reconfigure non-default protection rules in the WAF 3.0 console. |

  1. On the Upgrade Tool page, select One-click Upgrade, Rule-incorporated Manual Batch Upgrade, or Rule-free Manual Batch Upgrade, and click Start Migration.

    Important

    If you select Rule-incorporated Manual Batch Upgrade, you must select the protection rules to upgrade. Multiple selections are supported. You can only select the rules to upgrade on the current page. Carefully evaluate your business requirements before starting the migration.

  2. In the dialog box that appears, click OK. The instance starts the automatic upgrade, which takes approximately 15 minutes. Keep the current page open and do not refresh it.

    Note

    If the upgrade fails, the instance automatically rolls back to WAF 2.0. View the failure reason in the Rollback Completed dialog box.

  3. After WAF completes the automatic upgrade, click OK in the "The WAF 3.0 instance is created." dialog box to enter the upgrade window.

Step 4: Complete the migration within the upgrade window

The upgrade window is the entire period during which upgrade operations are allowed, lasting 15 days in total. View the remaining time on the Upgrade Tools page.

Notes on the upgrade window

  • Allowed operations

    • View service traffic.

    • Upgrade domain names in batches.

    • Switch between the WAF 2.0 and WAF 3.0 consoles.

    • Add protection configurations in the WAF 3.0 console to verify whether the protection for the upgraded instance is effective.

    • Roll back to WAF 2.0.

    • Confirm upgrade completion or abandon the upgrade.

  • Disallowed operations

    • Do not perform renewal, upgrade, downgrade, or unsubscribe operations in the WAF console or the Billing Management console. Otherwise, the instance might be released or fee refunds might fail.

    • Do not enable or disable the protection switches for web tamper proofing or sensitive information leakage prevention.

    • Do not modify the forwarding configurations for WAF 2.0 or WAF 3.0. This includes adding, deleting, or modifying configurations in WAF 2.0 Website Access and WAF 3.0 Onboarding.

  • Operations that require attention

    • During the upgrade window, if you add a new alert in WAF 3.0 and the alert is triggered, you receive the alert notification only in WAF 2.0.

    • During the upgrade window, if you add a new protection configuration rule in WAF 2.0, the rule is not synchronized to WAF 3.0.

    • If the upgrade window expires without you confirming the upgrade completion, the instance and its configurations automatically roll back to WAF 2.0. The upgraded WAF 3.0 instance is released, and the protection configurations created during the window are deleted.

    • After the upgrade is complete, security protection is available only in the WAF 3.0 console. Click Confirm Upgrade Completion only after you confirm that no further upgrade operations are needed.

Perform operations based on the selected upgrade method:

One-click full upgrade

  1. If you selected One-click Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, indicating that all configurations for domain names and cloud product instances connected to WAF have been automatically upgraded to WAF 3.0. On the Upgrade Tool page, the Domain Name List shows the access type and upgrade status of each domain name. After the upgrade is complete, the status displays as Upgraded.

  2. Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.

  3. Click Switch to WAF 3.0 in the lower-left corner of the page and perform the following checks:

    1. In the left-side navigation pane, click Onboarding to check the asset onboarding status.

    2. In the left-side navigation pane, choose Protection Config > Core Web Protection, and verify that the protection template and its protected objects meet your business requirements.

  4. After you confirm that everything is normal, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.

    Note
    • If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.

    • After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.

    • In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.

Manual batch upgrade: rule migration

  1. If you selected Rule-incorporated Manual Batch Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, and you must proceed with the manual upgrade.

  2. Select one or more domain names or cloud product instances to manually upgrade until all domain names and cloud product instances show Upgraded. The following two upgrade methods are supported:

    • Direct upgrade: In the Actions column, click Canary Release. In the dialog box that appears, click OK.

    • Canary upgrade: In the Actions column, click Canary Release and select the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0. When the canary upgrade progress reaches 100%, the upgrade status changes to Upgraded.

  3. Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.

    Note
    • If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.

    • After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.

    • In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.

  4. After all domain names and cloud product instances are upgraded, and you confirm that the service traffic and protection configurations meet your expectations, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.

Manual batch upgrade: no rule migration

  1. If you selected Rule-free Manual Batch Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, and you must proceed with the manual upgrade.

  2. Select one or more domain names or cloud product instances to manually upgrade until all domain names and cloud product instances show Upgraded. The following two upgrade methods are supported:

    • Direct upgrade: In the Actions column, click Upgrade to WAF 3.0. In the dialog box that appears, click OK.

    • Canary upgrade: In the Actions column, click Canary Release and select the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0. When the canary upgrade progress reaches 100%, the upgrade status changes to Upgraded.

  3. Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.

    Note
    • If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.

    • After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.

    • In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.

  4. Click Switch to WAF 3.0 in the lower-left corner of the page. Refer to the WAF 2.0 protection configurations to create WAF 3.0 protection templates and rules, and configure the corresponding protected objects. For more information, see Protection configuration overview.

  5. After all domain names and cloud product instances are upgraded, and you confirm that the service traffic and protection configurations meet your expectations, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.
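
The traffic verification step shared by all three upgrade methods, combined with the canary release rules (supported proportions only, increase only), can be scripted over exported logs. The following is an added example, not part of the original documentation or of any Alibaba Cloud tooling. The record fields `ts` and `status`, the function names, and both thresholds are assumptions, since the page gives no numeric definition of a "significant" fluctuation.

```python
from collections import defaultdict

# Canary proportions the page lists as supported; custom values are not accepted.
CANARY_STEPS = (1, 5, 10, 20, 30, 50, 70, 90, 100)


def validate_canary_step(current_pct, requested_pct):
    """Enforce the page's two rules: supported values only, increase only."""
    if requested_pct not in CANARY_STEPS:
        raise ValueError(f"{requested_pct}% is not a supported canary proportion")
    if requested_pct <= current_pct:
        raise ValueError(f"{current_pct}% -> {requested_pct}%: proportion can only increase")
    return requested_pct


def per_minute(records):
    """Return {minute: (requests, http_200)} for every minute in the span.

    Minutes with no records are kept as (0, 0) so a drop to zero stays visible.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        bucket = counts[rec["ts"] // 60]        # "ts": epoch seconds (assumed field name)
        bucket[0] += 1
        bucket[1] += int(rec["status"] == 200)  # "status": HTTP code (assumed field name)
    if not counts:
        return {}
    return {m: tuple(counts.get(m, (0, 0))) for m in range(min(counts), max(counts) + 1)}


def traffic_findings(baseline, window, max_ratio_shift=0.05, max_qps_change=0.5):
    """List (minute, reason) for minutes in `window` that deviate from `baseline`.

    Thresholds are illustrative assumptions; tune them to the site's normal variance.
    """
    base = per_minute(baseline)
    base_reqs = sum(reqs for reqs, _ in base.values())
    if not base_reqs:
        raise ValueError("baseline contains no requests")
    base_rpm = base_reqs / len(base)
    base_ratio = sum(ok for _, ok in base.values()) / base_reqs
    findings = []
    for minute, (reqs, ok) in sorted(per_minute(window).items()):
        if abs(reqs - base_rpm) / base_rpm > max_qps_change:
            findings.append((minute, f"QPS {reqs / 60:.2f} vs baseline {base_rpm / 60:.2f}"))
        # A shift in either direction matters: a lower ratio can mean broken forwarding or
        # false positives, a higher one can mean previously blocked requests now pass.
        if reqs and abs(ok / reqs - base_ratio) > max_ratio_shift:
            findings.append((minute, f"HTTP 200 ratio {ok / reqs:.0%} vs baseline {base_ratio:.0%}"))
    return findings


def advance_canary(current_pct, requested_pct, baseline, window):
    """Return (proportion_to_use, findings); hold the current step if traffic looks abnormal.

    The proportion cannot be lowered, so the remedy for findings is Roll Back to WAF 2.0.
    """
    validate_canary_step(current_pct, requested_pct)
    findings = traffic_findings(baseline, window)
    return (current_pct if findings else requested_pct), findings


def sample_records(start_minute, per_min, ok_per_min, minutes):
    """Constructed log records: per_min requests per minute, ok_per_min of them HTTP 200."""
    return [{"ts": (start_minute + m) * 60 + i, "status": 200 if i < ok_per_min else 403}
            for m in range(minutes) for i in range(per_min)]


# Constructed sample data, not real WAF logs.
BASELINE = sample_records(0, 50, 48, 5)    # before the upgrade
HEALTHY = sample_records(10, 52, 50, 3)    # after raising the proportion
DEGRADED = sample_records(20, 50, 35, 1) + sample_records(22, 50, 48, 1)  # minute 21 is empty

if __name__ == "__main__":
    print(advance_canary(10, 20, BASELINE, HEALTHY))
    print(advance_canary(20, 30, BASELINE, DEGRADED))
```

Feed `baseline` with records from before the upgrade and `window` with records collected after each change, covering all traffic for the connected object.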

Important

Confirm the upgrade promptly after completion. If you do not click Confirm Upgrade Completion before the 15-day upgrade window expires, the instance and its configurations roll back to WAF 2.0. The automatically created WAF 3.0 instance is released, and the protection configurations created during the window are deleted. If you still need to upgrade, you must start the process over.

What's next

After the upgrade, if you previously configured the following services in WAF 2.0, perform additional operations in WAF 3.0:

  • Configure the log service

    Reconfigure the following information for the log service:

    • Configure log fields, storage type, collection status for protected objects, log storage duration, and log capacity. For more information, see Log management overview.

    • Enable or disable the log service. For more information, see Enable or disable log service.

  • Configure CloudMonitor and alerts

    WAF 3.0 uses new event and metric monitoring items that require reconfiguration. For more information, see Configure CloudMonitor notifications.

  • Configure RAM permissions

    Reconfigure RAM permissions for OpenAPI operation-level permission management. For more information, see RAM authorization.

  • Configure Terraform

    Terraform must be reconfigured. For more information, see Terraform Registry (domain name) and Terraform Registry (instance).

  • Configure OpenAPI

    WAF 3.0 uses new OpenAPI operations. For more information, see API overview.

  • Configure resource groups

    Resource groups do not support upgrade and must be reconfigured. For more information, see Add a domain to WAF via CNAME.

  • Operations triggered by product code changes

    After the upgrade, the product code for WAF changes. If your instance requires commercial changes due to this, contact your account manager.

FAQ

Can instances with transparent proxy traffic redirection be upgraded?

Yes. WAF supports self-service upgrades for transparent proxy instances (Layer 7 SLB, Layer 4 SLB, and ECS) to WAF 3.0. However, transparent proxy (ALB) traffic does not support self-service upgrades. First disable ALB traffic redirection, delete the domain name configuration, and then proceed with the upgrade. Follow the steps below:

  1. Go to Asset Center > Website Access page. On the Servers tab, in the Actions column for the instance port, click Disable Traffic Redirection.

  2. On the Domain Names tab, in the Actions column for the domain name, click Delete.

  3. Upgrade the WAF instance. For more information, see Upgrade operations.

  4. Reconnect ALB traffic to WAF 3.0. For more information, see Cloud native mode.

Can exclusive edition instances be upgraded?

Yes. Contact your account manager for details.

Are any fees incurred during the upgrade?

No. After the upgrade is complete, subscription instances incur fees at the next renewal. For more information, see Fee changes.

Can a WAF 2.0 Enterprise Edition be upgraded to a WAF 3.0 Pro Edition, or a WAF 2.0 Pro Edition be upgraded to WAF 3.0 Enterprise Edition?

No. Subscription instances only support same-edition upgrades. A WAF 2.0 Pro Edition can only be upgraded to a WAF 3.0 Pro Edition. To use the Enterprise Edition, upgrade to the Enterprise Edition after completing the initial upgrade. For more information, see Upgrade an instance.

Can I add a new domain name in WAF 2.0 during the upgrade window and then continue the upgrade?

No. During the upgrade window, Website Access is grayed out and does not support adding new domain names, deleting existing ones, or modifying any forwarding configurations for connected domain names. If you need to add a domain name to WAF 2.0 during the upgrade window, abandon the upgrade first, add the domain name, and then restart the upgrade process.

Note

After you abandon the upgrade, the system deletes the WAF 3.0 instance and its configurations, and exits the upgrade process.