Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features supported by different editions of subscription WAF instances.
WAF deployment plans and editions
In the subscription mode, WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. The Exclusive edition is unavailable for purchase now. Hybrid Cloud WAF supports only the Exclusive edition.
References
- Billing methods
- Best practices for WAF exclusive clusters
- Overview of Hybrid Cloud WAF
- Purchase a subscription WAF instanceImportant WAF Exclusive Edition is unavailable for purchase.
Editions and supported business scales
The following table lists the business scales supported by each WAF edition. For medium-sized enterprise websites, we recommend that you select the Business or Enterprise edition.
| Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|
| Website scale | Small-sized websites and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that provide services over the Internet and have high data security requirements | Medium-sized enterprise-grade websites and large-sized enterprise-grade websites that have custom security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the same level of web protection capabilities as On-cloud WAF |
| Peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Higher than 10,000 QPS | 5,000 QPS | 0 QPS, and can be increased |
| Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported with fees required | Supported with fees required | Supported with fees required | 2 nodes and 10,000 QPS |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 Mbit/s | 100 Mbit/s | 200 Mbit/s | 100 Mbit/s | 0 Mbit/s, and can be increased |
| Maximum bandwidth in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 Mbit/s | 30 Mbit/s | 50 Mbit/s | 30 Mbit/s | |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional node can protect up to 100 domains.) |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 |
Editions and supported features in the Chinese mainland
The following table describes the features supported by each edition of subscription WAF instances in the Chinese mainland.
Symbol descriptions:
: indicates that the feature is supported by the edition. 
: indicates that the feature is not supported by the edition. 
: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Website access | ||||||
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | | | | | |
| Asset discovery | Discovers and manages website assets. You can add assets to WAF with a few clicks. | | | | | |
| Transparent proxy mode | Redirects the traffic that is sent to origin servers to WAF. The origin servers can be Elastic Compute Service (ECS) instances or servers that are added to Server Load Balancer (SLB) instances. | | | | | |
| HTTP/2 protection | Protects websites that use HTTP/2. | | | | | |
| Custom port protection | Protects services that use custom ports apart from standard ports. The standard ports include 80, 8080, 443, and 8443. | | | | | |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | | | | | |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | | | | | |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | | | | | |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | | | | | |
| Exclusive IP addresses | Provides exclusive IP addresses to protect specific domain names. | | | | | |
| Website protection | ||||||
| Protection rules engine | Protects your services against common web attacks such as SQL injection and cross-site scripting (XSS) attacks. | | | | | |
| Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | | | | | | |
| Website tamper-proofing | Locks web pages to prevent content tampering. | | | | | |
| Data leakage prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | | | | | |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | | | | | |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | | | | | |
| IP address blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | | | | | |
| Blocks access requests that are sent from IP addresses in specific regions. | | | | | | |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | | | | | |
| Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | | | | | | |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | | | | | |
| Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | | | | | | |
| Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | | | | | | |
| Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | | | | | | |
| Anti-DDoS | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | | | | | |
| Custom protection rule group | Allows you to configure custom protection rule groups. | | | | | |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | | | | | |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | | | | | |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | | | | | |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages related to your domain name or specific directories. | | | | | |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | | | | | |
| Security analysis and support | ||||||
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | | | | | |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | | | | | |
Editions and supported features outside the Chinese mainland
The following table describes the features supported by each edition of subscription WAF instances outside the Chinese mainland.
Symbol descriptions:
- : indicates that the feature is supported by the edition.
- : indicates that the feature is not supported by the edition.
- : indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Website access | ||||||
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | | | | | |
| Transparent proxy mode | Redirects traffic that is sent to origin servers to WAF. The origin servers can be ECS instances or servers that are added to SLB instances. | | | | | |
| HTTP/2 protection | Protects websites that use HTTP/2. | | | | | |
| Custom port protection | Protects services that use custom ports apart from standard ports. The standard ports include 80, 8080, 443, and 8443. | | | | | |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | | | | | |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | | | | | |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | | | | | |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | | | | | |
| Exclusive IP addresses | Provides exclusive IP addresses to protect specific domain names. | | | | | |
| Website protection | ||||||
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | | | | | |
| Protection rules engine | Protects your services against common web attacks such as SQL injection and XSS attacks. | | | | | |
| Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | | | | | | |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | | | | | |
| Blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | | | | | |
| Blocks access requests that are sent from IP addresses in specific regions. | | | | | | |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | | | | | |
| Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | | | | | | |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | | | | | |
| Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | | | | | | |
| Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | | | | | | |
| Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | | | | | | |
| Website tamper-proofing | Locks web pages to prevent content tampering. | | | | | |
| Data leak prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | | | | | |
| Custom protection rule group | Allows you to configure custom protection rule groups. | | | | | |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | | | | | |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | | | | | |
| Anti-DDoS | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | | | | | |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | | | | | |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages related to your domain name or specific directories. | | | | | |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | | | | | |
| Security analysis and support | ||||||
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | | | | | |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | | | | | |