Web Application Firewall (WAF)

Protects your websites and web servers based on the intelligent computing capabilities of Alibaba Cloud Security.

An Outstanding Cloud WAF Service Provider around the Globe

Located at the network egress or ingress, Alibaba Cloud WAF combines the smart protection engine, expert protection rules, proactive defense and detection engine, and cloud threat intelligence capability to identify Web attacks and malicious Web requests in real time.

WAF also provides real-time defense based on predefined protection policies to ensure the security and availability of websites and applications. In addition to Web servers hosted on Alibaba Cloud, WAF can also protect websites hosted on your infrastructure.

Alibaba Cloud WAF Benefits

Professional, Stable, and End-to-end Solution to the Major Security Pain Points of Web Applications

Professional: provides Alibaba Cloud-developed rules, AI-based deep learning, and proactive protection rules, and allows you to create custom rules.
Stable: enables multi-line and multi-node disaster recovery and intelligent routing, protects services that have millions of QPS, and enables millisecond-level responses.
Timely: automatically detects and defends against the latest web vulnerabilities, including zero-day vulnerabilities first exposed by Alibaba Cloud, within hours.
Comprehensive: delivers end-to-end protection against vulnerabilities, web attacks, and bot traffic, ensures data and account security, and meets the requirements of security O&M.
Compliant: complies with the requirements of classified protection and PCI DSS, and helps enterprises build security compliance.
Exclusive threat intelligence: provides exclusive network-wide threat intelligence, which is accumulated and updated from the real service scenarios of Alibaba Cloud.

The Only Chinese Vendor That Receives Full Recognition for Web Application Firewalls

Recognized by international authorities: WAF is recognized by Gartner, Forrester, IDC, and Frost & Sullivan.
Recognized by the market: A Frost & Sullivan report shows that Alibaba Cloud WAF ranks first in the cloud WAF market in Greater China.
Extensive experience: WAF protects core services of Alibaba Cloud and accumulates a large amount of attack and defense experience from Tmall and Taobao Double 11 events over the years.

Multi-scenario Deployment and Flexible Access

Multi-scenario deployment: You can deploy WAF in the cloud or deploy protection clusters in your data centers to meet the requirements of different scenarios, such as public clouds, hybrid clouds, and data centers. Both Alibaba Cloud and third-party clouds are supported. WAF delivers the same protection capabilities for services in the cloud and in data centers.
Flexible access: You can connect Alibaba Cloud SLB, CDN, and ECS to WAF with a few clicks, and quickly configure the DNS records for your services that are deployed in data centers.

Alibaba Cloud WAF Features

Web Intrusion Prevention

Automatic Vulnerability Prevention

Automatically detects and defends against the latest web vulnerabilities, including zero-day vulnerabilities first exposed by Alibaba Cloud, within hours. You do not need to manually patch the vulnerabilities.

Multi-dimensional Dynamic Protection

Provides Alibaba Cloud-developed rules, AI-based deep learning, proactive protection rules, and dedicated network-wide threat intelligence that is constantly updated to fully protect your services.

Anti-scanning and Anti-detection

Automatically blocks traffic based on the characteristics and behavior of scanning and detection, network-wide threat intelligence, and deep learning algorithms to prevent attackers from discovering system vulnerabilities.

Custom Protection Rules

Allows you to create custom protection rules based on your business requirements.

Traffic Control and Bot Management

Flexible Traffic Management

Supports custom combination of all HTTP headers and body characteristics to implement access control and throttling for specific scenarios.

Mitigation Against HTTP Flood Attacks

Mitigates HTTP flood attacks by using the default protection policies at different levels, custom protection policies, throttling policies, CAPTCHA verification, and blocking policies.

Accurate Bot Identification

Accurately identifies bots and automatically responds to bot mutations based on AI technology and multi-dimensional data, such as fingerprints, behavior, characteristics, and intelligence.

All-scenario Protection

Blocks web bots from accessing applications, such as websites, HTML5 pages, apps, and mini programs. This helps enterprises prevent and control service risks such as fraud and promotion abuse.

Diversified Methods to Handle Bot Traffic

Provides different methods to handle traffic based on actual scenarios. The methods include blocking, CAPTCHA verification, throttling, and spoofing.

Scenario-specific Configuration Wizard

Provides guidelines for scenario-specific configurations. This way, new users can quickly get started with Alibaba Cloud best practices.

Data Security Protection

API Security Protection

Proactively discovers APIs of earlier versions, APIs that lack an authentication mechanism, and APIs that cause risks such as excessive data exposure and sensitive data leaks.

Data Leak Prevention

Detects and prevents sensitive data leaks. Sensitive data includes certificate numbers, bank card numbers, mobile phone numbers, and sensitive words.

Web Tamper Proofing

Locks and caches the content of important pages. This way, users can view the original content of pages regardless of whether the pages are tampered with.

Account Risk Detection

Automatically identifies common account risks such as dictionary attacks, brute-force attacks, and weak passwords.

Security O&M and Compliance

Secure Access

Enables you to protect HTTPS services with a few clicks, provides end-to-end IPv6 support, and ensures intelligent load balancing, high availability on and off the cloud, and fast disaster recovery.

Full Access Logs

Records and stores full web access logs. You can execute SQL statements to query and analyze the logs in real time. You can also create custom alert rules.

Automatic Asset Identification

Discovers unprotected domain names based on the big data in the cloud. This helps shrink the attack surface.

Hybrid Cloud Deployment

Provides protection for services that are deployed in data centers.

Compliance with Classified Protection Requirements

Complies with the requirements of classified protection in various industries.

WAF Editions

WAF is available in all regions in mainland China. WAF is also available in the following regions: China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), US (Silicon Valley), Australia (Sydney), Germany (Frankfurt), India (Mumbai), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo).

Alibaba Cloud WAF

The Pro edition is suitable for small and medium-sized web applications that are deployed on Alibaba Cloud or whose service traffic will be forwarded to Alibaba Cloud.

Pro

  • Web applications that are deployed on Alibaba Cloud or third-party clouds and have no special security requirements
  • Peak QPS: 2,000
  • Maximum bandwidth
    The origin server is deployed on Alibaba Cloud: 50 Mbit/s
    The origin server is not deployed on Alibaba Cloud: 10 Mbit/s

Alibaba Cloud WAF

The Business edition is suitable for medium-sized web applications, such as websites, that are deployed on Alibaba Cloud or whose service traffic will be forwarded to Alibaba Cloud.

Business

  • Web applications that are deployed on Alibaba Cloud or third-party clouds and demand high-level data security
  • Peak QPS: 5,000
  • Maximum bandwidth
    The origin server is deployed on Alibaba Cloud: 100 Mbit/s
    The origin server is not deployed on Alibaba Cloud: 30 Mbit/s

Hybrid Cloud WAF

The Hybrid Cloud Exclusive edition is suitable for web applications that cannot forward traffic to Alibaba Cloud and require protection clusters to be deployed in data centers.

Hybrid Cloud Exclusive

  • Delivers the same protection capabilities for services in the cloud and in data centers.
  • Allows online scaling and provides flexible and stable services.

Alibaba Cloud WAF Scenarios

Security Capabilities Required for Migrating Web Applications to the Cloud

Automatically fixes zero-day vulnerabilities on your web applications. You do not need to manually patch and fix the vulnerabilities. WAF efficiently protects your web applications, such as websites, HTML5 pages, apps, and mini programs, against attacks and virus intrusion. WAF mitigates threats such as trojans, web tampering, malicious bots, data leaks, and HTTP flood attacks.

Scenarios

  • Prevents common web attacks, such as SQL injections, XSS attacks, webshell uploads, directory traversals, and backdoors.
  • Prevents attackers from using zombie servers to launch HTTP flood attacks.
  • Automatically fixes zero-day vulnerabilities at the earliest opportunity by using virtual patching. This avoids code rewrite, which is difficult and time-consuming.
  • Proactively discovers APIs of earlier versions, and APIs that lack an authentication mechanism and throttling policies. This helps reduce data leak risks.
  • Automatically blocks unauthorized scanning and detection activities.

Prevention of Fraud and Promotion Abuse

Business operations may generate volumetric traffic, which affects system availability. In addition, promotion abuse is a recurring problem. Both have negative impacts on business operations. Alibaba Cloud provides a complete solution for handling risks to business operations, based on years of experience in business operations.

Scenarios

  • Ensures system stability during business operations and prevents issues such as website freezing and system failures caused by bot traffic.
  • Prevents promotion abuse and fraud to ensure that real customers benefit from promotions.
  • Mitigates data crawling and avoids excessive bandwidth fees caused by data crawling.

Hybrid Cloud WAF Solution

Deploys protection clusters in data centers to protect web services that are deployed across public clouds and data centers. Both Alibaba Cloud and third-party clouds are supported. You can use the Alibaba Cloud WAF console to control and perform O&M on the services.

Scenarios

  • Services that are latency-sensitive, require high availability, and demand zone-disaster recovery, geo-disaster recovery, and centralized protection across multiple network environments.
  • Web services that cannot be deployed on Alibaba Cloud or protected by WAF.
  • Web services that are deployed in the private network of the cloud or data centers.

Alibaba Cloud WAF Customers

"Most of the China Digital Strategy is built and operated on Alibaba Cloud. Against this backdrop, Shiseido uses extensive services provided by Alibaba Cloud to meet the requirements of the new market. Furthermore, with the increasing focus on security recently, we have been working closely with Alibaba Cloud to comply with security standards."

Keisuke Fujii, ICT Vice President, SHISEIDO China

Shiseido uses Alibaba Cloud's reliable and high-performance elastic computing services and Web Application Firewall (WAF) to adapt to the requirements of the new market and comply with security standards.

"We need Alibaba Cloud to continue to give us the support and assistance in fixing our issues."

Strikingly is an online platform for building websites and a graduate from the Y Combinator seed accelerator. Strikingly allows users - with little or no development experience - to create mobile-optimized websites within minutes. The company takes a mobile-first approach, allowing users to create websites that are enhanced for viewing across all devices including desktops, tablets, and smartphones.

"One of the things we have found working with Alibaba Cloud is that they are extremely transparent and this has built a lot of trust."

DataVisor is the leading fraud detection solution utilizing unsupervised machine learning to identify fraudulent transactions, spam and abuse, identity theft, application fraud, insider abuse, money laundering and more.

"Dubai Parks and Resorts is the Middle East's largest integrated leisure and theme park destination located in Dubai. They use Alibaba Cloud so that they can handle seasonal traffic."

Dubai Parks and Resorts is the Middle East's largest integrated leisure and theme park destination located in Dubai. Spread over 25 million square feet, it features more than 100 rides and attractions, and consists of three theme parks: MOTIONGATE™ Dubai, Bollywood Parks™ Dubai and LEGOLAND Dubai, and one water park: LEGOLAND Water Park.

End-to-end Enterprise Security in the Cloud

Meets the requirements of data security, platform security, and the security of your new applications or migrated applications. WAF allows you to view and understand the security posture of your services in a convenient manner.