This topic describes different deployment plans and editions supported by Web Application Firewall (WAF). This topic also describes the business scales and protection features supported by different WAF editions.
WAF deployment plans and editions
In subscription mode, WAF provides two deployment plans: On-cloud WAF and Hybrid Cloud WAF. On-cloud WAF supports the following editions: Pro, Business, Enterprise, and Exclusive. If you want to purchase an On-cloud WAF instance of the Exclusive edition, you must submit a ticket. Hybrid Cloud WAF supports only the Exclusive edition.
References
- Billing method
- Best practices for WAF exclusive clusters
- Overview of Hybrid Cloud WAF
- Purchase a WAF instanceNotice If you want to purchase an On-cloud WAF instance of the Exclusive edition, you must submit a ticket.
Editions and supported business scales
The following table lists the business scales supported by each edition. We recommend that you choose the Business or Enterprise edition for medium-sized enterprise websites.
| Business specification | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|
| Website scale | Small- and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that provide services to all Internet users and have high data security requirements | Medium- and large-sized enterprise-grade websites that have custom security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Medium- and large-sized enterprise-grade websites whose traffic cannot be protected by On-cloud WAF and that require the web protection capabilities of On-cloud WAF |
| Peak queries per second (QPS) | 2,000 | 5,000 | Higher than 10,000 | 5,000 | 0
Scalable |
| Number of nodes in an on-premises protection cluster and peak QPS | Not supported | Supported. Fees are charged. | Supported. Fees are charged. | Supported. Fees are charged. | 2 and 10,000 |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 | 100 | 200 | 100 | 0
Scalable |
| Maximum bandwidth, in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 | 30 | 50 | 30 | |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 1,000 | 200 (The domains are not limited to second-level domains. Each additional node can protect 100 more domains.) |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 1,000 |
Editions and supported features (in the Chinese mainland)
The following table describes the features supported by each edition of WAF in the Chinese mainland. WAF instances use the subscription billing method.
Symbol descriptions:
- √: indicates that the feature is supported by the edition.
- ×: indicates that the feature is not supported by the edition.
- ○: indicates that the feature is a value-added capability. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
| Feature | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Website access | ||||||
| HTTPS protection | Allows you to implement HTTPS protection for websites with a few clicks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| HTTP/2 protection | Protects websites that use HTTP/2. | × | ✓ | ✓ | ✓ | ✓ |
| Non-standard port protection | Protects traffic on ports other than standard ports 80, 8080, 443, and 8443. | × | ✓ | ✓ | ✓ | ✓ |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | × | ✓ | ✓ | ✓ | ✓ |
| Intelligent load balancing | Connects to multiple Server Load Balancer (SLB) service nodes to implement automatic disaster recovery and optimal routing with low latency. | ○ | ○ | ○ | ○ | ○ |
| Exclusive IP address | Provides exclusive IP addresses to protect specific domain names. | ○ | ○ | ○ | ○ | ○ |
| Exclusive cluster | Allows you to customize service access and protection capabilities based on business requirements. | × | × | × | ✓ | √ |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that does not pass through Alibaba Cloud. | × | ○ | ○ | ○ | ✓ |
| Website protection | ||||||
| Protection rules engine | Protects your services against common web attacks, such as SQL injection and XSS attacks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Enables automatic update of protection rules against web zero-day vulnerabilities. | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Custom protection rule group | Allows you to customize protection rule groups. | × | ✓ | ✓ | ✓ | ✓ |
| Deep learning engine | Detects web zero-day vulnerabilities. | × | ✓ | ✓ | ✓ | × |
| Positive security model | Provides positive defense capabilities based on deep learning of website traffic. | × | × | ✓ | ✓ | ✓ |
| Website tamper-proofing | Locks web pages to prevent content tampering. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data leak prevention | Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers. | ✓ | ✓ | ✓ | ✓ | √ |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Blacklist | Blocks access requests from specific IP addresses or CIDR blocks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. | × | ✓ | ✓ | ✓ | ✓ | |
| Scan protection | Blocks the IP addresses of scanners and blocks the IP addresses from which high-frequency web attacks and path traversal are initiated by using the default rules. This feature provides collaborative defense. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports the above protection capabilities and allows you to customize rules to block high-frequency web attacks and path traversal. | × | ✓ | ✓ | ✓ | ✓ | |
| Custom protection policy | Supports access control list (ACL)-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. | × | ✓ | ✓ | ✓ | ✓ | |
| Allows you to configure throttling policies based on IP addresses and sessions. You can customize HTTP flood protection rules by adding match conditions and configuring throttling policies. | × | ✓ | ✓ | ✓ | ✓ | |
| Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | × | × | ✓ | ✓ | ✓ | |
| Data risk control | Protects crucial website services, such as registrations, logons, activities, and forums, against frauds. | ○ | ○ | ○ | ○ | × |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | ○ | ○ | ○ | ○ | ○ |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages under your domain name or specific directories. | ○ | ○ | ○ | ○ | ○ |
| App protection | Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures. | ○ | ○ | ○ | ○ | ○ |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints. | ✓ | ✓ | ✓ | ✓ | ✓ |
| DDoS mitigation | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | ✓ | ✓ | ✓ | ✓ | × |
| Security analysis and support | ||||||
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | x | ○ | ○ | ○ | ○ |
Editions and supported features (outside the Chinese mainland)
The following table describes the features supported by each edition of WAF outside the Chinese mainland. WAF instances use the subscription billing method.
Symbol descriptions:
- √: indicates that the feature is supported by the edition.
- ×: indicates that the feature is not supported by the edition.
- ○: indicates that the feature is a value-added capability. If you want to enable the feature, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
| Feature | Description | On-cloud WAF Pro | On-cloud WAF Business | On-cloud WAF Enterprise | On-cloud WAF Exclusive | Hybrid Cloud WAF Exclusive |
|---|---|---|---|---|---|---|
| Website access | ||||||
| HTTPS protection | Allows you to implement HTTPS protection for websites with a few clicks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| HTTP/2 protection | Protects websites that use HTTP/2. | × | ✓ | ✓ | ✓ | ✓ |
| Non-standard port protection | Protects traffic on ports other than standard ports 80, 8080, 443, and 8443. | × | ✓ | ✓ | ✓ | ✓ |
| IPv6 traffic protection | Detects and protects IPv6 traffic. | × | × | × | × | ✓ |
| Intelligent load balancing | Connects to multiple Server Load Balancer (SLB) service nodes to implement automatic disaster recovery and optimal routing with low latency. | × | ○ | ○ | ○ | ○ |
| Exclusive IP address | Provides exclusive IP addresses to protect specific domain names. | ○ | ○ | ○ | ○ | ○ |
| Exclusive cluster | Allows you to customize service access and protection capabilities based on business requirements. | × | × | × | ✓ | ✓ |
| On-premises protection cluster deployment | Deploys WAF protection clusters in data centers to protect web traffic that does not pass through Alibaba Cloud. | × | ○ | ○ | ○ | ✓ |
| Website protection | ||||||
| Protection rules engine | Protects your services against common web attacks, such as SQL injection and XSS attacks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Enables automatic update of protection rules against web zero-day vulnerabilities. | ✓ | ✓ | ✓ | ✓ | √ | |
| Custom protection rule group | Allows you to customize protection rule groups. | × | × | ✓ | ✓ | ✓ |
| Deep learning engine | Detects web zero-day vulnerabilities. | × | × | × | × | × |
| Positive security model | Provides positive defense capabilities based on deep learning of website traffic. | × | × | ✓ | ✓ | × |
| Website tamper-proofing | Locks web pages to prevent content tampering. | × | ✓ | ✓ | ✓ | ✓ |
| Data leak prevention | Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers. | × | ✓ | ✓ | ✓ | ✓ |
| HTTP flood protection | Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Blacklist | Blocks access requests from specific IP addresses or CIDR blocks. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. | × | × | ✓ | ✓ | ✓ | |
| Scan protection | Blocks the IP addresses of scanners and blocks the IP addresses from which high-frequency web attacks and path traversal are initiated by using the default rules. This feature provides collaborative defense. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports the above protection capabilities and allows you to customize rules to block high-frequency web attacks and path traversal. | × | ✓ | ✓ | ✓ | ✓ | |
| Custom protection policy | Supports access control list (ACL)-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. | × | ✓ | ✓ | ✓ | ✓ | |
| Allows you to configure throttling policies based on IP addresses and sessions. You can customize HTTP flood protection rules by adding match conditions and configuring throttling policies. | × | ✓ | ✓ | ✓ | √ | |
| Allows you to configure throttling policies based on IP addresses, sessions, and custom fields. | × | × | ✓ | ✓ | √ | |
| Data risk control | Protects crucial website services, such as registrations, logons, activities, and forums, against frauds. | × | × | × | × | × |
| Allowed crawlers | Maintains a whitelist that consists of authorized search engines. The crawlers of these search engines are allowed to access specified domain names. | ○ | ○ | ○ | ○ | ○ |
| Bot threat intelligence | Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents these crawlers from accessing all pages under your domain name or specific directories. | ○ | ○ | ○ | ○ | ○ |
| App protection | Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures. | ○ | ○ | ○ | ○ | ○ |
| Account security | Detects dictionary attacks, brute-force attacks, spam user registrations, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints. | ✓ | ✓ | ✓ | ✓ | √ |
| DDoS mitigation | Defends against DDoS attacks of up to 5 Gbit/s free of charge. | × | × | × | × | × |
| Security analysis and support | ||||||
| Alert setting | Allows you to configure event monitoring and alerting for WAF. | ✓ | ✓ | ✓ | ✓ | √ |
| Log Service for WAF | Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. | × | ○ | ○ | ○ | ○ |