Web Application Firewall (WAF) supports the subscription billing method. This topic describes the business scales and protection features supported by subscription WAF instances of different editions.
WAF deployment plans and editions
Subscription WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. The Exclusive edition is unavailable for purchase. Hybrid Cloud WAF supports only the Exclusive edition.
Editions and supported business scales
The following table describes the business scales supported by each WAF edition. For medium-sized enterprise websites, we recommend that you select the Business edition or Enterprise edition.
Specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website scale | Small-sized websites and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that are accessible to the public and have high data security requirements. | Medium-sized enterprise-grade websites and large-sized enterprise-grade websites that have custom security requirements. | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the same level of web protection capabilities as On-cloud WAF |
Peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Higher than 10,000 QPS | 5,000 QPS | 0 QPS, and can be increased |
Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported with fees required | Supported with fees required | Supported with fees required | 2 nodes and 10,000 QPS |
Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 Mbit/s | 100 Mbit/s | 200 Mbit/s | 100 Mbit/s | 0 Mbit/s, and can be increased |
Maximum bandwidth in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 Mbit/s | 30 Mbit/s | 50 Mbit/s | 30 Mbit/s | |
Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional node can protect up to 100 domains.) |
Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 |
Editions and supported features in the Chinese mainland
The following table describes the features supported by each subscription WAF edition in the Chinese mainland.
Symbol descriptions:
: indicates that the feature is supported by the edition. 
: indicates that the feature is not supported by the edition. 
: indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Allows you to configure HTTPS protection for websites with a few clicks. | | | | | | |
Discovers and manages website assets. You can add assets to WAF with a few clicks. | | | | | | |
Redirects traffic that is sent to origin servers to WAF. The origin servers can be Elastic Compute Service (ECS) instances or servers that are added to Server Load Balancer (SLB) instances. | | | | | | |
Protects websites that use HTTP/2. | | | | | | |
Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | | | | | | |
Detects and protects IPv6 traffic. | | | | | | |
Allows you to modify service access configurations and protection capabilities based on your business requirements. | | | | | | |
Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | | | | | | |
Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | | | | | | |
Provides exclusive IP addresses to protect specific domain names. | | | | | | |
Website protection | ||||||
Protects your services against common web attacks such as SQL injection and XSS attacks. | | | | | | |
Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | | | | | | |
Locks web pages to prevent content tampering. | | | | | | |
Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | | | | | | |
Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | | | | | | |
Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | | | | | | |
Blocks access requests that are sent from specific IP addresses or CIDR blocks. | | | | | | |
Blocks access requests that are sent from IP addresses in specific regions. | | | | | | |
Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | | | | | | |
Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | | | | | | |
Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | | | | | | |
Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | | | | | | |
Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | | | | | | |
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | | | | | | |
Anti-DDoS | Defends against DDoS attacks. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. | | | | | |
Allows you to configure custom protection rule groups. | | | | | | |
Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | | | | | | |
Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | | | | | | |
Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | | | | | | |
Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | | | | | | |
Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | | | | | | |
Security analysis and support | ||||||
Allows you to configure event monitoring and alerting for WAF. | | | | | | |
Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | | | | | | |
Editions and supported features outside the Chinese mainland
The following table describes the features supported by each subscription WAF edition outside the Chinese mainland.
Symbol descriptions:
- : indicates that the feature is supported by the edition.
- : indicates that the feature is not supported by the edition.
- : indicates that the feature is a value-added service. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
Function module | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive (unavailable for purchase) | Hybrid Cloud WAF Exclusive |
Website access | ||||||
Allows you to configure HTTPS protection for websites with a few clicks. | | | | | | |
Redirects traffic that is sent to origin servers to WAF. The origin servers can be ECS instances or servers that are added to SLB instances. | | | | | | |
Protects websites that use HTTP/2. | | | | | | |
Protects services that use custom ports other than standard ports. The standard ports include port 80, port 8080, port 443, and port 8443. | | | | | | |
Allows you to modify service access configurations and protection capabilities based on your business requirements. | | | | | | |
Detects and protects IPv6 traffic. | | | | | | |
Connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | | | | | | |
Deploys WAF protection clusters in data centers to protect web traffic that is not sent to Alibaba Cloud. | | | | | | |
Provides exclusive IP addresses to protect specific domain names. | | | | | | |
Website protection | ||||||
Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints such as registration endpoints and logon endpoints. | | | | | | |
Protects your services against common web attacks such as SQL injection and XSS attacks. | | | | | | |
Enables automatic updates of protection rules that are configured for web zero-day vulnerabilities. | | | | | | |
Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | | | | | | |
Blocks access requests that are sent from specific IP addresses or CIDR blocks. | | | | | | |
Blocks access requests that are sent from IP addresses in specific regions. | | | | | | |
Blocks the IP addresses of scanners and the IP addresses from which high-frequency web attacks or path traversal attacks are initiated. This feature provides collaborative defense capabilities. | | | | | | |
Allows you to configure custom rules to block high-frequency web attacks and path traversal attacks. | | | | | | |
Supports ACL-based access control by using basic fields such as IP, URL, Referer, User-Agent, and Params. | | | | | | |
Supports ACL-based access control by using advanced fields such as Cookie, Content-Type, Header, and Http-Method. | | | | | | |
Allows you to configure throttling policies based on IP addresses and sessions. You can add match conditions and configure throttling policies to modify HTTP flood protection rules. | | | | | | |
Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | | | | | | |
Locks web pages to prevent content tampering. | | | | | | |
Prevents sensitive data such as ID card numbers, mobile phone numbers, and bank card numbers from being leaked. | | | | | | |
Allows you to configure custom protection rule groups. | | | | | | |
Provides positive defense capabilities based on the deep learning operations that are performed on website traffic. | | | | | | |
Protects critical website services against frauds. These services include registrations, logons, activities, and forums. | | | | | | |
Anti-DDoS | Defends against DDoS attacks. For information about the defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. | | | | | |
Maintains a whitelist that consists of authorized search engines. The crawlers of the search engines are allowed to access specified domain names. | | | | | | |
Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents the crawlers from accessing all pages that are related to your domain name or specific directories. | | | | | | |
Provides secure connections and anti-bot protection for native apps. This feature can identify requests that contain invalid signatures and requests that are sent from proxy servers and emulators. | | | | | | |
Security analysis and support | ||||||
Allows you to configure event monitoring and alerting for WAF. | | | | | | |
Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | | | | | | |