Editions - Web Application Firewall - Alibaba Cloud Documentation Center

Web Application Firewall (WAF) 3.0 supports the subscription and pay-as-you-go billing methods. The billing methods and features that are supported vary based on the edition of WAF. This topic describes the features of different WAF 3.0 editions.

Overview

Different WAF 3.0 editions support different business scales, features, and billing methods for different business scales.

The following WAF 3.0 editions support the subscription billing method: Basic, Pro, Enterprise, and Ultimate. For more information, see Billing overview and Purchase a subscription WAF 3.0 instance.
All WAF 3.0 editions support the pay-as-you-go billing method. For more information, see Billing overview, Purchase a pay-as-you-go WAF 3.0 instance, and Manage bills.

Features

Feature	Description	Subscription Basic Edition	Subscription Pro Edition	Subscription Enterprise Edition	Subscription Ultimate Edition	Pay-as-you-go Edition
Business scale
Website scale	The size of the website based on which you can select a suitable WAF 3.0 edition.	Small-sized and personal websites that do not have specific security requirements.	Small- and medium-sized websites that do not have specific security requirements.	Medium-sized enterprise-grade websites that are accessible to the public and have high data security requirements.	Medium-sized enterprise-grade websites and large-sized enterprise-grade websites that have custom security requirements. Note If you want to use custom specifications for your WAF instance, contact your account manager or solution architect.	Websites whose workloads frequently fluctuate.
QPS	The number of HTTP/HTTPS requests per second.	Free QPS: up to 10 QPS. Extended QPS is not supported. Burstable QPS (pay-as-you-go) is not supported.	Free QPS: up to 2,000 QPS. Extended QPS: Chinese mainland: up to 8,000 QPS. Outside the Chinese mainland: up to 5,000 QPS. Burstable QPS: Chinese mainland: up to 60,000 QPS. Outside the Chinese mainland: up to 1,000 QPS.	Free QPS: up to 5,000 QPS. Extended QPS: Chinese mainland: up to 30,000 QPS. Outside the Chinese mainland: up to 5,000 QPS. Burstable QPS: Chinese mainland: up to 60,000 QPS. Outside the Chinese mainland: up to 1,000 QPS. If the maximum QPS of WAF 3.0 Enterprise Edition cannot meet your business requirements, contact your account manager or solution architect.	Free QPS: up to 10,000 QPS. Extended QPS: Chinese mainland: up to 30,000 QPS. Outside the Chinese mainland: up to 1,000 QPS. Burstable QPS: Chinese mainland: up to 60,000 QPS. Outside the Chinese mainland: up to 1,000 QPS. If the maximum QPS of WAF 3.0 Ultimate Edition cannot meet your business requirements, contact your account manager or solution architect.	Supported QPS: Chinese mainland: up to 100,000 QPS. Outside the Chinese mainland: up to 10,000 QPS. If the maximum QPS of pay-as-you-go WAF 3.0 cannot meet your business requirements, contact your account manager or solution architect.
Number of domain names	The number of domain names that can be added to WAF. The domain names include primary domain names, subdomains, and wildcard domains.	Free of charge for three domain names. Can be increased by up to 10 domain names.	Free of charge for five domain names. Can be increased by up to 500 domain names.	Free of charge for 10 domain names. Can be increased by up to 2,000 domain names.	Free of charge for 50 domain names. Can be increased by up to 5,000 domain names.	You can add up to 1,000 domain names to pay-as-you-go WAF 3.0.
Hybrid cloud protection nodes	The number of hybrid cloud protection nodes that you can deploy.	Not supported	Not supported	Free of charge for one hybrid cloud protection node. If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.	Free of charge for one hybrid cloud protection node. If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF free of charge. If you purchase two additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF free of charge.	Not supported
Protected objects	The protected objects that you can add to WAF, such as cloud service instances and domain names.	Up to 300 protected objects can be added.	Up to 600 protected objects can be added.	Up to 2,500 protected objects can be added.	Up to 10,000 protected objects can be added.	Up to 10,000 protected objects can be added.
Security
Asset center	The asset center feature that you can use to protect basic assets.	Not supported	Supported	Supported	Supported	Supported
Basic protection rules	The default basic protection rule groups of the basic protection rule module.	Supported	Supported	Supported	Supported	Supported
Basic protection rules	Custom rule groups of the basic protection rule module.	Not supported	Not supported	Up to 10 custom rule groups can be configured.	Up to 30 custom rule groups can be configured.	Up to 30 custom rule groups can be configured.
Whitelist	The whitelist module that allows requests that have specific characteristics.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 20 templates can be configured. Up to 100 rules can be configured for a template.	Up to 50 templates can be configured. Up to 100 rules can be configured for a template.	Up to 50 templates can be configured. Up to 100 rules can be configured for a template.
IP address blacklist	The IP address blacklist module that blocks requests from specific IP addresses.	Not supported	Up to five templates can be configured. Up to 400 IP addresses can be added to a template.	Up to 10 templates can be configured. Up to 600 IP addresses can be added to a template.	Up to 20 templates can be configured. Up to 1,000 IP addresses can be added to a template.	Up to 20 templates can be configured. Up to 1,000 IP addresses can be added to a template.
Custom rules	The custom rule module that monitors, blocks, or verifies requests that meet custom protection rules.	Not supported	Up to 10 templates can be configured. Up to 100 rules can be configured for a template. The custom rule module has the following features: IP address or URL match is supported. JavaScript validation is supported. Each rule can match up to 100 IP addresses.	Up to 20 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation and slider CAPTCHA verification are supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.	Up to 50 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation and slider CAPTCHA verification are supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.	Up to 50 templates can be configured. Up to 200 rules can be configured for a template. The custom rule module has the following features: IP address or URL match, all header match, regular expression match, and body match are supported. JavaScript validation is supported. Each rule can match up to 100 IP addresses. Rate limiting is supported.
HTTP flood protection	The HTTP flood protection module that protects your services against common HTTP flood attacks in Prevention mode or Prevention-emergency mode.	Not supported	Up to five templates can be configured.	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Scan protection	The scan protection module that supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking.	Not supported	Up to five templates can be configured.	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Website tamper-proofing	The website tamper-proofing module that locks web pages to prevent content tampering.	Not supported	Up to 10 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 50 templates can be configured. Up to 50 rules can be configured for a template.	Up to 50 templates can be configured. Up to 50 rules can be configured for a template.
Region blacklist	The region blacklist module that blocks requests from specific regions.	Not supported	Not supported	Up to 10 templates can be configured.	Up to 20 templates can be configured.	Up to 20 templates can be configured.
Data leakage prevention	The data leakage prevention module that prevents leaks of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers.	Not supported	Not supported	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.	Up to 20 templates can be configured. Up to 50 rules can be configured for a template.
Custom response	The custom response module that allows you to configure the custom block page that is returned by WAF to a client when WAF blocks a request that is sent from the client. You can specify the status code, response headers, and response body of the block page.	Not supported	Not supported	Up to 20 templates can be configured.	Up to 50 templates can be configured.	Up to 50 templates can be configured.
Bot management	The bot management module that allows you to configure anti-crawler rules for websites and apps.	Not supported	Supported and charges fees	Supported and charges fees	Supported and charges fees	Supported
Major event protection	The major event protection module that supports threat intelligence for major event protection, rule groups for major event protection, IP address blacklists for major event protection, and Shiro deserialization vulnerability prevention.	Not supported	Supported and charges fees	Supported and charges fees	Supported	Supported and charges fees
API security	The API security module that protects the available API assets of the services that are added to WAF and detects API vulnerabilities.	Not supported	Supported and charges fees	Supported and charges fees	Supported and charges fees	Supported
Anti-DDoS Origin Basic	The Anti-DDoS Origin Basic service that defends against DDoS attacks. For information about defense capabilities, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic.	Supported	Supported	Supported	Supported	Supported
Note A custom rule can block up to 20,000 IP addresses. If you enter more than 20,000 IP addresses to a custom rule, the custom rule may not take effect.
Access Note For information about the protection features of different access modes, see Access modes and protection features.
Cloud native mode	WAF protection for Application Load Balancer (ALB) instances WAF protection for Microservices Engine (MSE) instances WAF protection for custom domain names in Function Compute	Supported	Supported	Supported	Supported	Supported
Cloud native mode	WAF protection for Layer 7 Classic Load Balancer (CLB) instances WAF protection for Layer 4 CLB instances WAF protection for Elastic Compute Service (ECS) instances	Supported Up to 300 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 600 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 2,500 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.	Supported Up to 10,000 protected objects can be added to WAF. The number of traffic redirection ports that can be specified is the same as the number of protected objects that can be added to WAF.
CNAME record mode	The CNAME record mode in which you can add websites to WAF.	Supported	Supported	Supported	Supported	Supported
Hybrid cloud mode	The hybrid cloud mode in which you can add web services that are deployed across third-party clouds or data centers to WAF to manage web services in a centralized manner.	Not supported	Not supported	Supported	Supported	Not supported
Other features
Alert setting	The alert setting feature that allows you to use CloudMonitor and Simple Log Service to configure monitoring and alerting for WAF events and metrics.	Supported	Supported	Supported	Supported	Supported
Non-standard ports that are supported in CNAME record mode	The non-standard ports that are supported by WAF in CNAME record mode. Standard ports include ports 80, 8080, 443, and 8443.	Not supported	Not supported	Supported	Supported	Supported
IPv6	The IPv6 protection feature that detects and protects IPv6 traffic.	Not supported	Not supported	Supported only in the Chinese Mainland	Supported only in the Chinese Mainland	Supported only in the Chinese Mainland
Exclusive IP addresses	The exclusive IP address feature that allows you to use exclusive IP addresses to protect domain names.	Not supported	Supported and charges fees	Supported and charges fees	Supported and charges fees	Supported
Intelligent load balancing	The intelligent load balancing feature that allows you to deploy the origin server on multiple nodes and implement automatic disaster recovery and optimal routing.	Not supported	Supported and charges fees	Supported and charges fees	Supported and charges fees	Supported
Simple Log Service for WAF	The Simple Log Service for WAF feature that collects and stores all logs in Logstores, allows near-real-time query and analysis, and provides online reports.	Not supported	Supported and charges fees	Supported and charges fees	Supported and charges fees	Supported

Access modes and protection features

Feature	CNAME record mode	Cloud native mode (CLB and ECS)	Cloud native mode (ALB, MSE, and Function Compute)	Hybrid cloud reverse proxy mode	Hybrid cloud SDK-based traffic mirroring mode
Basic protection rules	Supported	Supported	Supported	Supported	Supported
Whitelist	Supported	Supported	Supported	Supported	Supported
IP address blacklist	Supported	Supported	Supported	Supported	Supported
Custom protection rules	Supported	Supported	Supported	Supported	Supported
HTTP flood protection	Supported	Supported	Supported	Supported	Supported
Scan protection	Supported	Supported	Supported	Supported	Supported
Region blacklist	Supported	Supported	Supported	Supported	Supported
Website tamper-proofing	Supported	Supported	Not supported	Not supported	Not supported
Data leakage prevention	Supported	Supported	Not supported	Supported	Not supported
Custom response	Supported	Supported	Supported	Not supported	Not supported
Bot management- automatic integration of Web SDK	Supported	Supported	Not supported	Supported	Not supported
Major event protection	Supported	Supported	Not supported	Supported	Not supported
API security	Supported	Supported	Not supported	Not supported	Not supported