Pay-as-you-go is a postpaid billing method that lets you use resources as needed without making an upfront purchase. The system generates a bill based on your actual usage for each billing cycle and deducts the corresponding amount from your account. This topic describes the billing rules for WAF pay-as-you-go instances.
Billing model
WAF 3.0 introduces the Security Capacity Unit (SeCU) as the unified metering unit for pay-as-you-go billing. All billable items consume SeCUs on an hourly basis and are billed according to the following rules:
Unit price: The unit price of SeCU is CNY 0.05, meaning 1 SeCU costs CNY 0.05.
Measurement interval: SeCU usage is measured in hourly intervals, for example, from 10:00:00 to 10:59:59.
Rounding rule: SeCU usage is rounded up to the nearest integer. For example, if you use 0.1 SeCU in an hour, you are billed for 1 SeCU during that measurement period.
Hourly cost = Total SeCUs consumed by all billable items × Unit price.
Billable items
The billable items for WAF pay-as-you-go instances are categorized into base request, onboarding features, and protection features.
WAF instance and request fees
Billable item | SeCU | Description |
WAF instance | 0.5 SeCU/hour | Billing for a WAF pay-as-you-go instance starts immediately after activation, regardless of whether you configure onboarding or protection settings. Note Only this billable item uses exact SeCU usage without rounding up. All other items follow the rounding-up rule. |
Base request fee | 1 SeCU per 5,000 requests/hour | Number of business requests initiated by clients within a full hour, including both normal and attack requests. Server-side responses are not counted. Note
|
QPS peak |
| Billed hourly based on the maximum QPS peak within a full hour. Note If the excess is less than 5 QPS, it is billed as 5 QPS. |
Resource onboarding fees
Billable item | SeCU | Description |
Number of domains accessed via CNAME | Tiered pricing (progressive segments):
| For CNAME access, billing is based on the number of domains actually connected, regardless of whether they are root domains or wildcard domains. |
CNAME access: dedicated IP | 15 SeCU/dedicated IP/hour | For CNAME access, billing is based on the number of domains with dedicated IPs enabled. |
CNAME access: non-standard ports |
| For CNAME access, enabling any non-standard port other than 80, 8080, 443, or 8443 counts as enabling this feature. |
CNAME access: intelligent load balancing |
| For CNAME access, configuring intelligent load balancing for any domain counts as enabling this feature. |
CNAME access: IPv6 |
| For CNAME access, configuring IPv6 for any domain counts as enabling this feature. |
Asset center |
| Billed after enabling the asset center feature. |
Web core protection fees
Billable item | SeCU | Description |
Web core protection rules |
|
|
Web core protection rules: intelligent allowlist engine |
| Billed based on the number of Web core protection rule templates with the intelligent allowlist feature enabled. |
IP blacklist | 2 SeCU/rule/hour | Billed based on the number of IP blacklist rules, regardless of whether they are enabled or disabled. |
Custom rules |
| Billed based on the number of custom protection rules, regardless of whether they are enabled or disabled. Note A rule is classified as advanced if it meets any of the following conditions. All other rules are basic:
|
Custom rules: slider CAPTCHA action | 1 SeCU per 10 invocations/hour | Billed based on the number of invocations. If fewer than 10 invocations occur, they are billed as 10. |
Scan protection | 10 SeCU/rule/hour | Billed based on the number of scan protection rules, regardless of whether they are enabled or disabled. Each scan protection template includes exactly 3 rules. |
HTTP flood protection | 2 SeCU/rule/hour | Billed based on the number of HTTP flood protection rules, regardless of whether they are enabled or disabled. |
Geo-blocking | 10 SeCU/rule/hour | Billed based on the number of geo-blocking rules, regardless of whether they are enabled or disabled. |
Custom response | 10 SeCU/rule/hour | Billed based on the number of custom response rules, regardless of whether they are enabled or disabled. Each custom response template includes exactly 1 rule. |
Web tamper proofing | 5 SeCU/rule/hour | Billed based on the number of web tamper-proofing rules, regardless of whether they are enabled or disabled. |
Information leakage prevention | 5 SeCU/rule/hour | Billed based on the number of information leakage prevention rules, regardless of whether they are enabled or disabled. |
Peak traffic throttling | 150 SeCU/rule/hour | Billed based on the number of peak traffic throttling rules, regardless of whether they are enabled or disabled. |
Threat intelligence | 50 SeCU/template/hour | Billed based on the number of threat intelligence protection templates, regardless of whether they are enabled or disabled. |
Advanced protection fees
Billable item | SeCU | Description |
Bot management |
| Billed based on the number of configured bot-web and bot-app protection templates, regardless of whether they are enabled or disabled. Note This section describes billing for the new version of bot management. For more information, see [Announcement] Bot management version upgrade and service pricing adjustment. |
Bot management: request processing fee | 1 SeCU per 7,500 requests/hour | Number of requests that hit a protected object within a full hour. Note If the request count is not a multiple of 7,500, SeCUs are rounded up. For more information, see Billing examples. |
Bot management: Fraud Detection | 1 SeCU per hit/hour | Billed based on the number of hits. |
Bot management: advanced custom rules | 15 SeCU/rule/hour | Billed based on the number of bot management advanced custom rules, regardless of whether they are enabled or disabled. |
API security | 20 SeCU/protected object/hour | Billed based on the number of protected objects with API security enabled. |
API security: request processing fee | 1 SeCU per 7,500 requests/hour | Number of requests that hit a protected object within a full hour. Note If the request count is not a multiple of 7,500, SeCUs are rounded up. For more information, see Billing examples. |
Other fees
Billable item | Description |
Log Service | Billed and invoiced by Simple Log Service. No fees are charged on the WAF side. |
Critical event support | WAF pay-as-you-go supports critical event support, which uses a subscription billing method. Minimum purchase period is 30 days. For more information, see Critical event support. |
Billing examples
Example 1
You added five domain names to WAF for protection using CNAME access and configured two IP blacklist rules. During a one-hour period, your business received 0 requests and the queries per second (QPS) peaked at 0.
In this scenario, you consumed 27.5 SeCUs in one hour, for a total cost of CNY 1.375. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = CNY 0.05) |
Base request fee | 1 SeCU per 5,000 requests/hour | 0 SeCU | 0.05*0=0 CNY |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour | 0 SeCU | 0.05*0=0 CNY |
CNAME access domain count | Tiered pricing:
| 1*0+4*5=20 SeCU | 0.05*20=1 CNY |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.05*0.5=0.025 CNY |
IP blacklist | 2 SeCU/rule/hour | 4 SeCU | 0.05*4=0.2 CNY |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.05*3=0.15 CNY |
Example 2
You added 12 domain names to WAF for protection using CNAME access. For two of the domain names, you enabled dedicated IPs and intelligent load balancing. You also created one scan protection template. During a one-hour period, your business received 50,001 requests and the QPS peaked at 4,000.
In this scenario, you consumed 775.5 SeCUs in one hour, for a total cost of CNY 38.775. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = CNY 0.05) |
Base request fee | 1 SeCU per 5,000 requests/hour | 11 SeCU | 0.05*11=0.55 CNY |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour >1,000 QPS, excess priced at 1 SeCU per 5 QPS/hour | 600 SeCU | 0.05*600=30 CNY |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.05*0.5=0.025 CNY |
CNAME access domain count | Tiered pricing:
| 1*0+9*5+2*3=51 SeCU | 0.05*51=2.55 CNY |
CNAME access: dedicated IP | 15 SeCU/dedicated IP/hour | 30 SeCU | 0.05*30=1.5 CNY |
CNAME access: intelligent load balancing | Enabled: 50 SeCU/hour | 50 SeCU | 0.05*50=2.5 CNY |
Scan protection Note Each scan protection template includes exactly 3 rules. | 10 SeCU/rule/hour | 30 SeCU | 0.05*30=1.5 CNY |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.05*3=0.15 CNY |
Example 3
You enabled WAF protection for a Layer 7 Classic Load Balancer (CLB) instance that uses HTTP/HTTPS using the cloud native mode (for example, in the China (Hangzhou) region). In addition to configuring Web core protection rules, you enabled bot management and HTTP flood protection, and set up the corresponding protection templates. Specifically, you configured two HTTP flood protection rules (disabled) and one bot management template (enabled) with Fraud Detection enabled. During a one-hour period, your business received 4,200 total requests and the QPS peaked at 537. The bot management rule was hit 34 times, and the Fraud Detection rule was hit 3 times.
In this scenario, you consumed 62.5 SeCUs in one hour, for a total cost of CNY 3.125. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = CNY 0.05) |
Base request fee | 1 SeCU per 5,000 requests/hour | 1 SeCU | 0.05*1=0.05 CNY |
QPS peak | QPS peak ≤1,000 QPS, 0 SeCU/hour | 0 SeCU | 0.05*0=0 CNY |
Bot management: request processing fee | Billed based on the number of requests that hit a protected object within a full hour. 1 SeCU per 7,500 requests | 1 SeCU | 0.05*1=0.05 CNY |
Bot management: Fraud Detection | Billed based on the number of hits. 1 SeCU per hit/hour | 3 SeCU | 0.05*3=0.15 CNY |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.05*0.5=0.025 CNY |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.05*3=0.15 CNY |
Bot management | Billed based on the number of configured Bot-Web protection templates, regardless of whether they are enabled or disabled. Bot-Web template: 50 SeCU/template/hour | 50 SeCU | 0.05*50=2.5 CNY |
HTTP flood protection | Billed based on the number of HTTP flood protection rules, regardless of whether they are enabled or disabled. 2 SeCU/rule/hour | 4 SeCU | 0.05*4=0.2 CNY |
Example 4
You enabled WAF protection for an Application Load Balancer (ALB) instance using the cloud native mode (for example, in the China (Hangzhou) region) and created two custom response templates that are applied to different protected objects. During a one-hour period, your business received 50,004 requests and the QPS peaked at 5,997.
In this scenario, you consumed 1,034.5 SeCUs in one hour. The WAF-enhanced ALB instance fee is CNY 0.208 per hour, for a total cost of CNY 51.933. The following table describes the billing details.
Billable item | Unit price | SeCU (rounded up per hour) | Total cost (1 SeCU = CNY 0.05) |
Base request fee | 1 SeCU per 5,000 requests/hour | 11 SeCU | 0.05 *11=0.55 CNY |
QPS peak | QPS peak >1,000 QPS, excess priced at 1 SeCU per 5 QPS/hour | 1,000 SeCU | 0.05*1000=50 CNY |
WAF instance | Billing starts after activating a WAF pay-as-you-go instance. 0.5 SeCU/hour | 0.5 SeCU | 0.05*0.5=0.025 CNY |
Custom response | 10 SeCU/rule/hour | 20 SeCU | 0.05*20=1.0 CNY |
Web core protection rules Note After connecting resources to WAF, the system automatically creates protected objects and applies them to the default Web core protection rule template. | With protected objects: 3 SeCU/hour | 3 SeCU | 0.05*3=0.15 CNY |
WAF-enhanced ALB instance fee | CNY 0.208/hour, actual prices are subject to the purchase page. | / | 0.208*1=0.208 CNY |
After you activate the pay-as-you-go billing method for WAF, your actual usage and charges appear on your Alibaba Cloud bill.
Billing cycle
Pay-as-you-go fees are settled daily based on the UTC+8 time zone. A new billing cycle begins after the settlement is complete.
Pay-as-you-go billing typically occurs overnight. If you plan to modify your configuration, such as adding domain names or enabling new protection features, we recommend that you make the changes after 06:00 (UTC+8) each day. Otherwise, the charges for the modification may be included in the bill for the previous day.
If your available account balance, which includes your Alibaba Cloud account balance and vouchers, is insufficient to cover the pending bill amount, you will receive a text message or email notification.
Overdue payments
Overdue payments may affect your use of WAF services. Monitor your Expenses and Costs and resolve overdue payments promptly. For more information about how to check your overdue balance and handle overdue payments, see Overdue payments.
If you have an overdue payment, your WAF service may be suspended. The system notifies you to make a payment promptly to avoid service disruption.
View bills
For more information about how to view the actual usage and detailed charges for your WAF 3.0 pay-as-you-go instance, see View bills.
FAQ
Why am I still being charged after terminating WAF?
If you are still being charged after terminating WAF, it may be for one of the following reasons:
Incomplete termination operation: You may have only removed the asset or disabled the WAF protection switch. Follow the steps in How do I terminate WAF to stop billing? to terminate the instance correctly.
Billing generation delay: Bills for pay-as-you-go WAF are generated on the following day. For example, if you terminate the WAF service on October 2, the bill for October 2 will be generated on October 3. No new bills will be generated from October 3 onwards.
Incorrect region switching: If you purchased a WAF instance for the Outside Chinese Mainland region, you must switch the region in the top menu bar of the Overview page before you terminate the WAF service.
