Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features supported by different editions of subscription WAF instances.

WAF deployment plans and editions

In the subscription mode, WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. The Exclusive edition is unavailable for purchase now. Hybrid Cloud WAF supports only the Exclusive edition.

Editions and supported business scales

The following table lists the business scales supported by each WAF edition. For medium-sized enterprise websites, we recommend that you select the Business or Enterprise edition.

| Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- |
| Website scale | Small-sized websites and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that provide services over the Internet and have high data security requirements | Medium-sized enterprise-grade websites and large-sized enterprise-grade websites that have custom security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the same level of web protection capabilities as On-cloud WAF |
| Peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Higher than 10,000 QPS | 5,000 QPS | 0 QPS, and can be increased |
| Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported with fees required | Supported with fees required | Supported with fees required | 2 nodes and 10,000 QPS |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 Mbit/s | 100 Mbit/s | 200 Mbit/s | 100 Mbit/s | 0 Mbit/s, and can be increased |
| Maximum bandwidth, in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 Mbit/s | 30 Mbit/s | 50 Mbit/s | 30 Mbit/s | |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional node can protect up to 100 domains.) |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 | |

Editions and supported features in the Chinese mainland

The following table describes the features supported by each edition of subscription WAF instances in the Chinese mainland.

Symbol descriptions:
  • Supported: indicates that the feature is supported by the edition.
  • Not supported: indicates that the feature is not supported by the edition.
  • Value-added: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.

| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Website access | | | | | | |
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Asset discovery | Discovers and manages website assets. You can add assets to WAF with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Transparent proxy mode | Redirects the traffic that is sent to origin servers to WAF. The origin servers can be Elastic Compute Service (ECS) instances or servers that are added to Server Load Balancer (SLB) instances. | Supported | Supported | Supported | Supported | Supported |
| HTTP/2 protection | Protects websites that use HTTP/2. | Not supported | Supported | Supported | Supported | Supported |
| Custom port protection | Protects services that use custom ports apart from standard ports. The standard ports include 80, 8080, 443, and 8443. | Not supported | Supported | Supported | Supported | Supported |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | Not supported | Supported | Supported | Supported | Supported |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | Not supported | Not supported | Not supported | Supported | Supported |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | Not supported | Value-added | Value-added | Value-added | Supported |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Exclusive IP addresses | Provides exclusive IP addresses to protect specific domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Website protection | | | | | | |
| Protection rules engine | Protects your services against common web attacks such as SQL injection and cross-site scripting (XSS) attacks. | Supported | Supported | Supported | Supported | Supported |
| | Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | Supported | Supported | Supported | Supported | Supported |
| Website tamper-proofing | Locks web pages to prevent content tampering. | Supported | Supported | Supported | Supported | Supported |
| Data leakage prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | Supported | Supported | Supported | Supported | Supported |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | Supported | Supported | Supported | Supported | Supported |
| IP address blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | Supported | Supported | Supported | Supported | Supported |
| | Blocks access requests that are sent from IP addresses in specific regions. | Not supported | Supported | Supported | Supported | Supported |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | Supported | Supported | Supported | Supported | Supported |
| | Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | Supported | Supported | Supported | Supported | Supported |
| | Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | Not supported | Supported | Supported | Supported | Supported |
| | Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | Not supported | Supported | Supported | Supported | Supported |
| | Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | Not supported | Not supported | Supported | Supported | Supported |
| Anti-DDoS | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | Supported | Supported | Supported | Supported | Not supported |
| Custom protection rule group | Allows you to configure custom protection rule groups. | Not supported | Supported | Supported | Supported | Supported |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | Not supported | Not supported | Supported | Supported | Supported |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | Value-added | Value-added | Value-added | Value-added | Not supported |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages related to your domain name or specific directories. | Value-added | Value-added | Value-added | Value-added | Value-added |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Security analysis and support | | | | | | |
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | Supported | Supported | Supported | Supported | Supported |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | Value-added | Value-added | Value-added | Value-added | Value-added |

Editions and supported features outside the Chinese mainland

The following table describes the features supported by each edition of subscription WAF instances outside the Chinese mainland.

Symbol descriptions:
  • Supported: indicates that the feature is supported by the edition.
  • Not supported: indicates that the feature is not supported by the edition.
  • Value-added: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.

| Feature module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
| --- | --- | --- | --- | --- | --- | --- |
| Website access | | | | | | |
| HTTPS protection | Allows you to configure HTTPS protection for websites with a few clicks. | Supported | Supported | Supported | Supported | Supported |
| Transparent proxy mode | Redirects traffic that is sent to origin servers to WAF. The origin servers can be ECS instances or servers that are added to SLB instances. | Supported | Supported | Supported | Supported | Supported |
| HTTP/2 protection | Protects websites that use HTTP/2. | Not supported | Supported | Supported | Supported | Supported |
| Custom port protection | Protects services that use custom ports apart from standard ports. The standard ports include 80, 8080, 443, and 8443. | Not supported | Supported | Supported | Supported | Supported |
| Exclusive cluster | Allows you to modify service access configurations and protection capabilities based on your business requirements. | Not supported | Not supported | Not supported | Supported | Supported |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | Not supported | Not supported | Not supported | Not supported | Supported |
| Intelligent load balancing | Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | Not supported | Value-added | Value-added | Value-added | Value-added |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | Not supported | Value-added | Value-added | Value-added | Supported |
| Exclusive IP addresses | Provides exclusive IP addresses to protect specific domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Website protection | | | | | | |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | Supported | Supported | Supported | Supported | Supported |
| Protection rules engine | Protects your services against common web attacks such as SQL injection and XSS attacks. | Supported | Supported | Supported | Supported | Supported |
| | Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | Supported | Supported | Supported | Supported | Supported |
| Blacklist | Blocks access requests that are sent from specific IP addresses or CIDR blocks. | Supported | Supported | Supported | Supported | Supported |
| | Blocks access requests that are sent from IP addresses in specific regions. | Not supported | Not supported | Supported | Supported | Supported |
| Scan protection | Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | Supported | Supported | Supported | Supported | Supported |
| | Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection policy | Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | Supported | Supported | Supported | Supported | Supported |
| | Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | Not supported | Supported | Supported | Supported | Supported |
| | Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | Not supported | Supported | Supported | Supported | Supported |
| | Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | Not supported | Not supported | Supported | Supported | Supported |
| Website tamper-proofing | Locks web pages to prevent content tampering. | Not supported | Supported | Supported | Supported | Supported |
| Data leak prevention | Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | Not supported | Supported | Supported | Supported | Supported |
| Custom protection rule group | Allows you to configure custom protection rule groups. | Not supported | Not supported | Supported | Supported | Supported |
| Positive security model | Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | Not supported | Not supported | Supported | Supported | Not supported |
| Data risk control | Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | Not supported | Not supported | Not supported | Not supported | Not supported |
| Anti-DDoS | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | Not supported | Not supported | Not supported | Not supported | Not supported |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages related to your domain name or specific directories. | Value-added | Value-added | Value-added | Value-added | Value-added |
| App protection | Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | Value-added | Value-added | Value-added | Value-added | Value-added |
| Security analysis and support | | | | | | |
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | Supported | Supported | Supported | Supported | Supported |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | Value-added | Value-added | Value-added | Value-added | Value-added |