Product billing FAQ

更新时间:
复制 MD 格式

Frequently asked questions about Web Application Firewall (WAF) 3.0 billing, including upgrade costs, pay-as-you-go activation, refund policies, and instance pricing.

How do charges change after upgrading from WAF 2.0 to WAF 3.0?

The upgrade is free, but your charges may change after you upgrade to WAF 3.0. For pricing details of subscription and pay-as-you-go instances, see Subscription billing and Pay-as-you-go billing.

Subscription

  • WAF 3.0 adds a Basic Edition for users with low traffic.

  • The billable items are simplified:

    • The traffic specification is unified as queries per second (QPS). You no longer need to consider bandwidth in bps. Elastic pay-as-you-go is supported to prevent instances from being sandboxed due to excessive QPS usage.

    • The number of domain names is no longer distinguished by primary domain name. In addition, tiered pricing is available for additional domain names. The more additional domain names you purchase, the lower the unit price.

  • Multi-cloud/hybrid-cloud Protection is available in more editions.

  • After a WAF 2.0 instance is migrated to WAF 3.0, the billing method and edition of the instance remain unchanged. For more information about billing changes after migration, see Billing changes for subscription instances.

Pay-as-you-go

  • A unified metering unit, Security Capacity Unit (SeCU), is introduced to simplify the billing logic and lower the billing threshold. Tiered pricing is available for SeCU resource plans. The higher the usage, the lower the cost.

  • Hourly billing is added. Billing stops automatically when a configuration is deleted or a feature is disabled. You do not need to manually enable or disable the feature.

Does using WAF and ESA (Edge Security Acceleration) together cause conflicts? How do I deploy them?

The two services do not conflict and are often deployed together. ESA focuses on global acceleration, static content caching, and DDoS protection, while WAF focuses on application-layer security such as SQL injection and XSS prevention.

ESA includes a built-in WAF feature that differs from the standalone WAF described here. Choose the appropriate option based on your needs.

  • Billing difference: The WAF protection feature of ESA is deeply integrated. The costs are included under ESA billing. The WAF described in this document is an independent cloud product that requires separate activation and is billed according to its own Billing methods.

  • Feature difference: The built-in WAF feature of ESA is primarily adapted for edge security acceleration scenarios and meets common website protection needs. The WAF product described in this document is more comprehensive. It not only covers all capabilities of ESA WAF but also provides protection rules that cover a full range of business scenarios.

How to check whether pay-as-you-go WAF is activated?

Follow these steps:

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. Important

    The WAF instances for the Chinese Mainland and Outside Chinese Mainland are separate. We recommend that you switch between regions to check each instance separately.

  3. Check the left-side navigation pane:

    • Activated: The left-side navigation pane appears.

    • Not activated: The left-side navigation pane does not appear.

  4. In the left-side navigation pane, click Overview. If you have not added any assets to WAF, a welcome page appears. Click Go to Console on the right. Then, check the current WAF edition in the Edition Information section.

  5. To disable WAF and stop billing, see Disable WAF. After you complete the operation, a final bill for usage up to that day is generated on the following day. No further charges will be incurred starting on the third day.

Are refunds available for pay-as-you-go WAF bills that have already been incurred?

After a WAF 3.0 pay-as-you-go instance is activated, billing continues even if no assets are added, because the WAF instance itself incurs feature fees. Refunds are not available for charges already incurred. If you no longer need the instance, disable it promptly to stop further billing.

Can I add a Simple Application Server to WAF?

Yes. WAF CNAME record mode allows you to add any internet-accessible domain name. This mode supports multi-cloud and cross-account scenarios without restrictions on specific cloud products.

How to query the billing type (pay-as-you-go or subscription) of a WAF instance?

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the left-side navigation pane, click Overview. If you have not added any assets to WAF, a welcome page appears. Click Go to Console on the right. Then, check the current WAF edition in the Edition Information section.

If you have multiple assets that require WAF protection, how many WAF instances should you purchase?

WAF provides two region options: Chinese Mainland and Outside Chinese Mainland. Only one instance can be purchased per region.

  • Role of the region: The region determines the physical location of the WAF protection nodes, which affects access latency and data compliance.

  • Recommendations:

    • If your origin server is in the Chinese Mainland, select the Chinese Mainland WAF instance.

    • If your origin server is outside the Chinese mainland, select the Outside Chinese Mainland WAF instance.

What does the RegionId parameter in WAF OpenAPI represent? What is its relationship with the actual protection node region?

The RegionId parameter in WAF OpenAPI represents only the management region of the WAF instance, not the physical protection node that handles traffic. Traffic scheduling works as follows:

  • Fixed values for RegionId: When you call an API operation, the RegionId parameter must be set to a specific value that corresponds to your WAF instance:

    • Chinese Mainland instance: Use cn-hangzhou.

    • Outside Chinese Mainland instance: Use ap-southeast-1.

  • Distribution and scheduling of physical protection nodes: WAF has 11 protection node clusters deployed worldwide. The system automatically routes traffic to the lowest-latency node based on your origin server IP address. The node resource pools are divided as follows:

    • Chinese Mainland resource pool (3 nodes): Beijing, Hangzhou, and Shenzhen. When you purchase a Chinese Mainland WAF instance, the system automatically selects one of these three nodes.

    • Outside Chinese Mainland resource pool (8 nodes): China (Hong Kong), Singapore, Malaysia, US West, Germany, Indonesia, Dubai, and Japan. When you purchase an Outside Chinese Mainland WAF instance, the system automatically selects one of these eight nodes.

After adding resources to WAF, will other ECS instances in the account that have not been added be billed or affected?

No. WAF 3.0 charges apply only to instances or domain names that are added for protection. Other ECS instances in your account that are not added to WAF are not affected and do not incur WAF-related charges.

Does the cost increase as more cloud product instances (such as ECS or CLB instances) are added to WAF?

No. Adding multiple cloud product instances (such as ECS or CLB) does not incur cumulative per-instance charges. WAF 3.0 pay-as-you-go billing is based on total traffic volume, not the number of instances. For details, see Pay-as-you-go billing.