ESA combines edge WAF capabilities with configurable rules for fine-grained scrubbing and management of origin-bound traffic.
What is WAF
A Web Application Firewall (WAF) filters and monitors HTTP traffic between your application and the internet. It identifies malicious patterns and forwards only legitimate requests to your origin, preventing attacks that degrade performance or disrupt services.
ESA delivers WAF protection across 3,200 global PoPs, securing websites at the network edge.
Requests blocked by WAF rules are not billed and do not count against your plan's quota.
Feature categories
Feature | Description |
Smart Rate Limiting enhances Rate Limiting Rules by using the ESA AI engine. This feature simplifies rate limit configuration for users new to web security. It eliminates the need to manually analyze site traffic, identify abnormal request patterns, and define rate limiting rules. Instead, you can simply enable smart rate limiting and select a protection level. The feature automatically trains a baseline from your site's traffic patterns over the past seven days and sets the rate limit threshold accordingly. This data is updated daily. | |
ESA leverages Alibaba Cloud's network-wide threat intelligence to challenge or block suspicious requests, preventing financial losses from resource abuse. | |
To create a custom access control policy for your site, configure custom rules. These rules let you define match conditions for incoming requests and apply an action, such as | |
Rate limiting in Edge Security Acceleration (ESA) lets you control requests that match specific features. For example, if a client IP accesses your site at a high frequency, you can use this feature to apply a slider challenge or block the IP for a specified period after a threshold is exceeded. | |
Managed rules are intelligent built-in ESA protection rules that defend against OWASP attacks and the latest origin server vulnerabilities, including SQL injection, XSS, code execution, CRLF, remote file inclusion, and WebShell. Enable protection without manual rule configuration or updates. | |
The scan protection feature identifies the behavior and signatures of automated scanners to block large-scale scanning attempts against your website. It blocks an attack source or adds it to a blacklist. This reduces the risk of intrusions and minimizes unwanted traffic from malicious scans. | |
Whitelist rules let specific requests bypass all or selected WAF protection modules, preventing false positives from internal services or known partners. | |
Create security policies based on IP address, ASN, and geographic region. Rules apply to both HTTP (Layer 7) and Layer 4 proxy traffic. |
Execution order
WAF evaluates rules in this order: IP access rules → whitelist rules → security level → scan protection rules → managed rules → custom rules → smart rate limiting → rate limiting rules → bot management rules → abuse prevention.
A request passes through the rules in sequence until a rule blocks it or a whitelist rule allows it.
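The evaluation order above determines which rule gets the final say, which matters when a whitelist entry and a block rule both match the same request. The following is an added example, not ESA code: it models only the stage order and stop conditions stated on this page, and the rule set, IP addresses, paths and the convention that a whitelist rule returns either "allow" or a set of modules to bypass are assumptions made for illustration.

```python
# Added illustration; models only the order and stop conditions stated on this page.
ORDER = ["ip_access", "whitelist", "security_level", "scan_protection",
         "managed", "custom", "smart_rate_limiting", "rate_limiting",
         "bot_management", "abuse_prevention"]

def evaluate(request, rules):
    """Walk the stages in ORDER; return (verdict, deciding_stage, trace).

    rules maps stage name -> function(request) returning None (no match),
    "block", "allow" (whitelist only: bypass all later modules), or a set
    of stage names (whitelist only: bypass just those modules).
    """
    skipped, trace = set(), []
    for stage in ORDER:
        if stage in skipped:
            trace.append((stage, "skipped"))
            continue
        decision = rules[stage](request) if stage in rules else None
        if decision == "block":
            trace.append((stage, "block"))
            return "block", stage, trace
        if stage == "whitelist" and decision == "allow":
            trace.append((stage, "allow"))
            return "allow", stage, trace
        if stage == "whitelist" and isinstance(decision, set):
            skipped |= decision
            trace.append((stage, "bypass " + ",".join(sorted(decision))))
            continue
        trace.append((stage, "pass"))
    return "allow", None, trace

# Constructed rule set (hypothetical names, addresses and paths).
RULES = {
    "ip_access": lambda r: "block" if r["ip"] == "203.0.113.9" else None,
    "whitelist": lambda r: ("allow" if r["path"] == "/healthz" else
                            {"managed"} if r["path"].startswith("/internal/") else None),
    "managed": lambda r: "block" if "union select" in r["query"].lower() else None,
    "custom": lambda r: "block" if r["path"] == "/internal/admin" else None,
}

def demo():
    sqli = "id=1 UNION SELECT 1"
    cases = {
        "denied_ip_on_whitelisted_path": {"ip": "203.0.113.9", "path": "/healthz", "query": ""},
        "public_sqli": {"ip": "198.51.100.7", "path": "/search", "query": sqli},
        "internal_sqli_like": {"ip": "198.51.100.7", "path": "/internal/report", "query": sqli},
        "internal_admin": {"ip": "198.51.100.7", "path": "/internal/admin", "query": ""},
    }
    return {name: evaluate(req, RULES)[:2] for name, req in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third case is the one to review when writing whitelist rules: a request that bypasses managed rules is no longer inspected by them, so later stages such as custom rules are the only remaining control for that traffic.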

Feature availability by plan
Feature category | Detailed feature | Free (0 CNY/month) | Basic (9.9 CNY/month) | Standard (375 CNY/month) | Advanced (3600 CNY/month) | Enterprise (contact sales for custom pricing) |
5 | 10 | 50 | 100 | 100 | ||
1 | 1 | 3 | 5 | 10 | ||
Rate limiting - Statistical duration enumeration | 10 seconds | | | | | |
Rate limiting - Duration enumeration | 10 seconds | | | | | |
Rate limiting - Features | Client IP | | | | | |
Rate limiting - Apply to cached requests | ||||||
50 | 200 | 300 | 400 | 400 | ||
1 | 2 | 3 | 5 | 10 | ||
Supports Basic Policies | Supports Basic Policies | Supports all rules | Supports all rules | Supports all rules | ||
5 | 10 | 20 | ||||
Strict CAPTCHA | ||||||
Account-level quota. Default rule limit is 10. | ||||||
DDoS alerting | ||||||
Layer 4 proxy (including Layer 4 DDoS protection) | ||||||