This topic lists frequently asked questions about Web Application Firewall 3.0 billing.
How do charges change after upgrading from WAF 2.0 to WAF 3.0?
The upgrade itself is free of charge. However, your charges may change after you upgrade to Web Application Firewall (WAF) 3.0. For details about the pricing of WAF 3.0 subscription and pay-as-you-go instances, see Subscription billing and Pay-as-you-go billing.
Subscription
WAF 3.0 adds a Basic Edition for users with low traffic.
The billable items are simplified:
The traffic specification is unified as queries per second (QPS). You no longer need to consider bandwidth in bps. Elastic pay-as-you-go is supported to prevent instances from being sandboxed due to excessive QPS usage.
The number of domain names is no longer distinguished by primary domain name. In addition, tiered pricing is available for additional domain names. The more additional domain names you purchase, the lower the unit price.
Multi-cloud/hybrid-cloud Protection is available in more editions.
After a WAF 2.0 instance is migrated to WAF 3.0, the billing method and edition of the instance remain unchanged. For more information about billing changes after migration, see Billing changes for subscription instances.
Pay-as-you-go
A unified metering unit, Security Capacity Unit (SeCU), is introduced to simplify the billing logic and lower the billing threshold. Tiered pricing is available for SeCU resource plans. The higher the usage, the lower the cost.
Hourly billing is added. Billing stops automatically when a configuration is deleted or a feature is disabled. You do not need to manually enable or disable the feature.
Does using WAF and ESA (Edge Security Acceleration) together cause conflicts? How do I deploy them?
The two services do not conflict and are often used together to balance security and performance. Edge Security Acceleration (ESA) focuses on global acceleration, static content caching, and DDoS protection, while WAF focuses on application-layer security, such as protection against SQL injections and XSS attacks.
Note that ESA has a built-in WAF feature, which differs from the WAF described in this topic. When deploying your services, choose one based on your actual needs.
Billing difference: The WAF protection feature of ESA is deeply integrated. The costs are included under ESA billing. The WAF described in this document is an independent cloud product that requires separate activation and is billed according to its own Billing methods.
Feature difference: The built-in WAF feature of ESA is primarily adapted for edge security acceleration scenarios and meets common website protection needs. The WAF product described in this document is more comprehensive. It not only covers all capabilities of ESA WAF but also provides protection rules that cover a full range of business scenarios.
How to check whether pay-as-you-go WAF is activated?
Follow these steps:
-
Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- Important
The WAF instances for the Chinese Mainland and Outside Chinese Mainland are separate. We recommend that you switch between regions to check each instance separately.
Check the left-side navigation pane:
Activated: The left-side navigation pane appears.
Not activated: The left-side navigation pane does not appear.
In the left-side navigation pane, click Overview. If you have not added any assets to WAF, a welcome page appears. Click Go to Console on the right. Then, check the current WAF edition in the Edition Information section.
To disable WAF and stop billing, see Disable WAF. After you complete the operation, a final bill for usage up to that day is generated on the following day. No further charges will be incurred starting on the third day.
Are refunds available for pay-as-you-go WAF bills that have already been incurred?
Once a WAF 3.0 pay-as-you-go instance is activated, billing continues even if no assets are added (because the WAF instance itself incurs feature fees). Refunds are not available for charges already incurred. If you no longer need the instance, promptly disable it to stop further billing.
Can I add a Simple Application Server to WAF?
Yes. The CNAME record mode of WAF allows you to add any domain name that is accessible over the internet. This mode is suitable for multi-cloud and cross-account scenarios and has no restrictions on specific cloud products.
How to query the billing type (pay-as-you-go or subscription) of a WAF instance?
-
Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
In the left-side navigation pane, click Overview. If you have not added any assets to WAF, a welcome page appears. Click Go to Console on the right. Then, check the current WAF edition in the Edition Information section.
If you have multiple assets that require WAF protection, how many WAF instances should you purchase?
WAF provides two region options: Chinese Mainland and Outside Chinese Mainland. You can purchase only one instance per region and cannot purchase multiple instances in the same region.
Role of the region: The region determines the physical location of the WAF protection nodes, which affects access latency and data compliance.
Recommendations:
If your origin server is in the Chinese Mainland, select the Chinese Mainland WAF instance.
If your origin server is outside the Chinese mainland, select the Outside Chinese Mainland WAF instance.
What does the RegionId parameter in WAF OpenAPI represent? What is its relationship with the actual protection node region?
When calling WAF OpenAPI, the RegionId parameter only represents the region where the WAF instance is managed, and does not directly correspond to the physical protection node through which traffic actually flows. The scheduling logic for actual business traffic is as follows:
Fixed values for RegionId: When you call an API operation, the RegionId parameter must be set to a specific value that corresponds to your WAF instance:
Chinese Mainland instance: Use
cn-hangzhou.Outside Chinese Mainland instance: Use
ap-southeast-1.
Distribution and scheduling of physical protection nodes: WAF has 11 protection node clusters deployed worldwide. The system automatically routes traffic to the optimal node with the lowest latency based on the IP address of your origin server. This process is fully automated and is not tied to the API parameters. The node resource pools are divided as follows:
Chinese Mainland resource pool (3 nodes): Beijing, Hangzhou, and Shenzhen. When you purchase a Chinese Mainland WAF instance, the system automatically selects one of these three nodes.
Outside Chinese Mainland resource pool (8 nodes): China (Hong Kong), Singapore, Malaysia, US West, Germany, Indonesia, Dubai, and Japan. When you purchase an Outside Chinese Mainland WAF instance, the system automatically selects one of these eight nodes.
After adding resources to WAF, will other ECS instances in the account that have not been added be billed or affected?
No. WAF 3.0 charges are only incurred for instances or domain names that have been added for protection. Other ECS instances in your account that have not been added to WAF will not be affected and will not incur WAF-related charges.
Does the cost increase as more cloud product instances (such as ECS or CLB instances) are added to WAF?
Adding multiple cloud product instances (such as ECS or CLB) does not result in cumulative charges based on the number of instances. In WAF 3.0 pay-as-you-go mode, billing is based on the total traffic after access, not on the number of instances. For detailed rules, see Pay-as-you-go billing.