WAF 3.0 supports the subscription and pay-as-you-go billing methods. The features and billing methods of WAF instances vary based on the WAF edition. This topic describes the features of different WAF 3.0 editions.

Overview

The subscription and pay-as-you-go billing methods are applied to different WAF editions based on the business scale and features.

Features

Each feature is listed with its description, followed by the support in each edition: Subscription Basic Edition, Subscription Pro Edition, Subscription Business Edition, Subscription Enterprise Edition, and Pay-as-you-go Edition, in that order.

Business scale

Website scale: You can select a proper edition based on your website scale and business requirements.
  • Subscription Basic Edition: Small-sized and personal websites that do not have special security requirements
  • Subscription Pro Edition: Small- and medium-sized websites that do not have special security requirements
  • Subscription Business Edition: Medium-sized enterprise-grade websites that provide services to Internet users and have high data security requirements
  • Subscription Enterprise Edition: Medium- and large-sized enterprise-grade websites that have custom security requirements. If the maximum specification of the Enterprise edition cannot meet your business requirements, .
  • Pay-as-you-go Edition: Websites whose workloads fluctuate

Peak QPS: The number of HTTP/HTTPS requests per second.
  • Subscription Basic Edition:
    • Free of charge for a request rate of 10 QPS or less
    • Extended QPS is not supported.
    • Burstable QPS is not supported.
  • Subscription Pro Edition:
    • Free of charge for a request rate of 2,000 QPS or less
    • Extended QPS is supported:
      • 3,000 QPS in the Chinese mainland
      • 2,000 QPS outside the Chinese mainland
    • Burstable QPS is supported:
      • 3,000 QPS in the Chinese mainland
      • 2,000 QPS outside the Chinese mainland
  • Subscription Business Edition:
    • Free of charge for a request rate of 5,000 QPS or less
    • Extended QPS is supported:
      • 4,000 QPS in the Chinese mainland
      • 3,000 QPS outside the Chinese mainland
    • Burstable QPS is supported:
      • 4,000 QPS in the Chinese mainland
      • 3,000 QPS outside the Chinese mainland
  • Subscription Enterprise Edition:
    • Free of charge for a request rate of 10,000 QPS or less
    • Extended QPS is supported:
      • 50,000 QPS in the Chinese mainland
      • 1,000 QPS outside the Chinese mainland
    • Burstable QPS is supported:
      • 40,000 QPS in the Chinese mainland
      • 1,000 QPS outside the Chinese mainland
  • Pay-as-you-go Edition: Maximum specification:
    • 100,000 QPS in the Chinese mainland
    • 10,000 QPS outside the Chinese mainland
    • If the specification cannot meet your business requirements, .

Number of domain names: The number of domain names that can be added to WAF.
  • Subscription Basic Edition:
    • Free of charge for three domain names
    • Can be increased by up to 10 domain names
  • Subscription Pro Edition:
    • Free of charge for five domain names
    • Can be increased by up to 500 domain names
  • Subscription Business Edition:
    • Free of charge for 10 domain names
    • Can be increased by up to 2,000 domain names
  • Subscription Enterprise Edition:
    • Free of charge for 50 domain names
    • Can be increased by up to 5,000 domain names
  • Pay-as-you-go Edition: You are charged based on the number of domain names that are added to WAF.

Protected objects: The cloud service instances and domain names that are added to WAF.
  • Subscription Basic Edition: Supports up to 300 protected objects
  • Subscription Pro Edition: Supports up to 600 protected objects
  • Subscription Business Edition: Supports up to 2,500 protected objects
  • Subscription Enterprise Edition: Supports up to 20,000 protected objects
  • Pay-as-you-go Edition: Supported
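
Security

Asset center: Supports the asset center feature.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Basic protection rules: Supports the default protection rule group.
  • Subscription Basic Edition: Supported
  • Subscription Pro Edition: Supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Basic protection rules: Supports custom protection rule groups.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition: Supports up to 10 custom rule groups
  • Subscription Enterprise Edition: Supports up to 30 custom rule groups
  • Pay-as-you-go Edition: Supported

Whitelist: Allows requests that meet the match conditions specified in whitelist templates.
  • Subscription Basic Edition:
    • Supports up to 20 templates
    • Supports up to 100 rules for each template
  • Subscription Pro Edition:
    • Supports up to 20 templates
    • Supports up to 100 rules for each template
  • Subscription Business Edition:
    • Supports up to 20 templates
    • Supports up to 100 rules for each template
  • Subscription Enterprise Edition:
    • Supports up to 50 templates
    • Supports up to 100 rules for each template
  • Pay-as-you-go Edition: Supported

IP address blacklist: Blocks requests from specific IP addresses.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition:
    • Supports up to five templates
    • Supports up to 400 IP addresses for each template
  • Subscription Business Edition:
    • Supports up to 10 templates
    • Supports up to 600 IP addresses for each template
  • Subscription Enterprise Edition:
    • Supports up to 20 templates
    • Supports up to 1,000 IP addresses for each template
  • Pay-as-you-go Edition: Supported

Custom protection rules: Monitors, blocks, or uses JavaScript to verify requests that meet the custom protection rule.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition:
    • Supports up to 10 templates
    • Supports up to 100 rules for each template
    • Supported capabilities:
      • IP address or URL match
      • JavaScript verification
      • Up to 100 IP addresses for each rule
  • Subscription Business Edition:
    • Supports up to 20 templates
    • Supports up to 200 rules for each template
    • Supported capabilities:
      • IP address or URL match and all header match
      • JavaScript verification and slider CAPTCHA verification
      • Up to 100 IP addresses for each rule
      • QPS limits
  • Subscription Enterprise Edition:
    • Supports up to 50 templates
    • Supports up to 200 rules for each template
    • Supported capabilities:
      • IP address or URL match, all header match, regular expression match, and body match
      • JavaScript verification and slider CAPTCHA verification
      • Up to 100 IP addresses for each rule
      • QPS limits
  • Pay-as-you-go Edition: Supported

HTTP flood protection: Protects your services against common HTTP flood attacks in Prevention or Prevention-emergency mode.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supports up to five templates
  • Subscription Business Edition: Supports up to 10 templates
  • Subscription Enterprise Edition: Supports up to 20 templates
  • Pay-as-you-go Edition: Supported

Scan protection: Supports high-frequency scanning blocking, directory traversal blocking, and scanner blocking.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supports up to five templates
  • Subscription Business Edition: Supports up to 10 templates
  • Subscription Enterprise Edition: Supports up to 20 templates
  • Pay-as-you-go Edition: Supported

Website tamper-proofing: Locks web pages to prevent content tampering.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supports up to 10 templates
  • Subscription Business Edition:
    • Supports up to 20 templates
    • Supports up to 50 rules for each template
  • Subscription Enterprise Edition:
    • Supports up to 50 templates
    • Supports up to 50 rules for each template
  • Pay-as-you-go Edition: Supported

Region blacklist: Blocks requests from specific regions.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition: Supports up to 10 templates
  • Subscription Enterprise Edition: Supports up to 20 templates
  • Pay-as-you-go Edition: Supported

Data leakage prevention: Prevents the leak of sensitive data, such as ID card numbers, mobile phone numbers, and bank card numbers.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition:
    • Supports up to 20 templates
    • Supports up to 50 rules for each template
  • Subscription Enterprise Edition:
    • Supports up to 20 templates
    • Supports up to 50 rules for each template
  • Pay-as-you-go Edition: Supported

Custom response: Allows you to configure the custom block page that WAF returns to the client when WAF blocks a request from the client. You can configure the status code, the response headers, and the response body of the block page.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition:
    • Supports up to 20 templates
    • Supports up to 100 rules for each template
  • Subscription Enterprise Edition:
    • Supports up to 50 templates
    • Supports up to 100 rules for each template
  • Pay-as-you-go Edition: Supported

Bot management: Allows you to configure anti-crawler rules for websites and apps.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supported with fees required
  • Subscription Business Edition: Supported with fees required
  • Subscription Enterprise Edition: Supported with fees required
  • Pay-as-you-go Edition: Supported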
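
Other features

Website access, cloud-native mode: Web services that are deployed on Application Load Balancer (ALB) instances or Microservices Engine (MSE) instances can be added to WAF.
  • Subscription Basic Edition: Supported
  • Subscription Pro Edition: Supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Website access, CNAME record mode: Websites can be added to WAF in CNAME record mode.
  • Subscription Basic Edition: Supported
  • Subscription Pro Edition: Supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Configure WAF alerting: You can use CloudMonitor and Log Service to configure monitoring and alerting for WAF metrics and attacks on the protected objects of WAF.
  • Subscription Basic Edition: Supported
  • Subscription Pro Edition: Supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Custom ports that are supported by the CNAME record mode: Protects services that use custom ports apart from standard ports. The standard ports include 80, 8080, 443, and 8443.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

IPv6: Detects and protects IPv6 traffic.
Note: This feature is not supported in WAF 3.0.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Not supported
  • Subscription Business Edition: Supported
  • Subscription Enterprise Edition: Supported
  • Pay-as-you-go Edition: Supported

Enable an exclusive IP address: Assigns exclusive IP addresses to protect domain names that are added to WAF in CNAME record mode.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supported with fees required
  • Subscription Business Edition: Supported with fees required
  • Subscription Enterprise Edition: Supported with fees required
  • Pay-as-you-go Edition: Supported

Use the intelligent load balancing feature: Connects to multiple Server Load Balancer (SLB) service nodes to implement automatic disaster recovery and optimal routing with low latency.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supported with fees required
  • Subscription Business Edition: Supported with fees required
  • Subscription Enterprise Edition: Supported with fees required
  • Pay-as-you-go Edition: Supported

Log Service for WAF: Collects and stores all logs in Logstores, enables near-real-time query and analysis, and provides online reports.
  • Subscription Basic Edition: Not supported
  • Subscription Pro Edition: Supported with fees required
  • Subscription Business Edition: Supported with fees required
  • Subscription Enterprise Edition: Supported with fees required
  • Pay-as-you-go Edition: Supported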