Relationship and differences between WAF 2.0 and WAF 3.0, get started with WAF - Web Application Firewall

This topic describes the relationship and differences between Web Application Firewall (WAF) 2.0 and WAF 3.0 and how to get started with WAF.

What is WAF?

WAF identifies and filters out malicious traffic to websites and applications and forwards secure and normal traffic to origin servers. This helps protect the origin servers from intrusions, ensure the security of core data, and prevent server exceptions that are caused by attacks.

Relationship between WAF 2.0 and WAF 3.0

WAF 3.0 is a new version of WAF. Compared with WAF 2.0, WAF 3.0 provides different underlying architecture, specifications, configuration logic, and user experience. However, an Alibaba Cloud account cannot have a WAF 2.0 instance and a WAF 3.0 instance at the same time. If you purchased a WAF 2.0 instance, you are directed to the WAF 2.0 interface when you log on to the WAF console. If you purchased a WAF 3.0 instance, you are directed to the WAF 3.0 interface when you log on to the WAF console.

If you purchased a WAF 2.0 instance, you can still use, renew, and upgrade your WAF 2.0 instance. WAF 2.0 continues to provide service level agreement (SLA) guarantees.
If you purchased a WAF 2.0 instance and you want to use WAF 3.0, you can use the upgrade tool of Alibaba Cloud to upgrade your WAF 2.0 instance to WAF 3.0. For more information, see Upgrade a WAF 2.0 instance to WAF 3.0.

Differences between WAF 2.0 and WAF 3.0

Access modes

WAF 2.0 supports the CNAME record mode and transparent proxy mode. WAF 3.0 is integrated with cloud services, such as Application Load Balancer (ALB). You can protect your web services by adding your cloud service instance to WAF. You can enable WAF protection for Internet-facing and internal-facing instances in cloud service consoles, such as the ALB console, without the need to modify DNS records or configure complex access and forwarding configurations. This helps improve business performance and stability.

Access mode	Working mechanism	WAF 3.0	WAF 2.0
CNAME record mode	WAF blocks attacks and forwards normal requests to the origin server as a reverse proxy cluster. WAF detects and forwards requests.	Supported	Supported
Cloud native mode (formerly known as transparent proxy mode)	WAF blocks attacks and forwards normal requests to the origin server as a reverse proxy cluster. WAF detects and forwards requests.	Supported	Supported
Cloud native mode (new cloud native architecture)	WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic. WAF does not forward traffic. This prevents compatibility and stability issues.	Supported	Not supported

Protection configuration

Feature	WAF 3.0	WAF 2.0
Objects for which protection rules take effect	Protection rules take effect for protected objects or protected object groups. Protected objects can be domain names or cloud service instances that are added to WAF 3.0. You can add multiple protected objects to a protected object group. If you configure a protection rule for the protected object group, the protection rule takes effect for all protected objects in the protected object group.	You can configure protection rules for only one domain name each time. If you add an instance to WAF in transparent proxy mode, separately add all domain names that are hosted on the instance to WAF before you configure protection rules for the domain names. If you do not separately add the domain names to WAF, only default protection rules can be applied to the domain names. You cannot modify the default protection rules.
Implementation	You can create protection templates and configure protection rules for the protection templates to apply different protection rules to different protected objects.	You can configure protection rules for a specific domain name.
Viewing methods	You can view the protection rules that are configured for a protected object or a protected object group. You can view the protection rules of a protection module. You can search for protection rules by rule ID.	You can view the protection rules that are configured for a domain name.
Management of default protection rules	By default, basic protection rules are enabled for new protected objects. You can change the protection actions in the basic protection rules.	By default, the protection rules engine is enabled for a domain name that is newly added to WAF. You cannot change the protection action in the protection rules engine. You can specify a protection action only after you configure a protection rule for the domain name.
Specifications	For information about the number of supported protected objects of each edition, see Editions. For information about the supported protection modules and the number of supported protection rules of each module, see Editions.	For information about the number of domain names that can be protected by each edition, see Default number of second-level domains that can be protected and Default number of domain names that can be protected in total. For information about the supported protection modules and the number of supported protection rules of each module, see Overview.

Billing methods

Subscription

Comparison item		WAF 3.0	WAF 2.0
Editions		Basic Edition, Pro Edition, Enterprise Edition, and Ultimate Edition are supported. Basic Edition is suitable for customers who have low traffic.	Pro Edition, Business Edition, and Enterprise Edition are supported.
Billable items	Traffic specifications	Traffic is measured only in queries per second (QPS).	Traffic is measured in QPS and bandwidth.
	Domain name specifications	Limits are imposed on the total number of second-level domain names and subdomains that are added to WAF.	Limits are imposed on the number of second-level domain names and the number of subdomains.
	Hybrid cloud	If your WAF 3.0 instance is an Enterprise Edition or Ultimate Edition instance, you can add your web services to WAF in hybrid cloud mode.	You must separately activate Hybrid Cloud WAF Exclusive Edition.

Pay-as-you-go

Comparison item	WAF 3.0	WAF 2.0
Supported regions	Regions in the Chinese mainland and outside the Chinese mainland	Regions in the Chinese mainland
Billing units	WAF 3.0 uses security capacity units (SeCUs) as billing units. The unit price of a SeCU is USD 0.01.	N/A
Billing rules	The fees of a pay-as-you-go WAF 3.0 instance are generated every hour. You are charged for using the features. You can use the features without the need to enable the features. After you delete configurations or disable features, billing for the configurations or features is automatically stopped.	Before you use a feature, you must enable the feature. After you disable a feature, billing for the feature is automatically stopped.

Get started with WAF

Operation		WAF 3.0	WAF 2.0
Learn about WAF		What is WAF 3.0? WAF 3.0 editions Billing overview Access modes Protection configuration overview	What is WAF 2.0? WAF 2.0 editions Billing overview Access modes Protection configuration overview
Purchase a WAF instance		Purchase a subscription WAF 3.0 instance Purchase a pay-as-you-go WAF 3.0 instance	WAF 2.0 instances are no longer available for purchase.
Add a domain name or an instance to WAF		Cloud native mode Enable WAF protection for an ALB instance Enable WAF protection for a Microservices Engine (MSE) instance Enable WAF protection for a custom domain name bound to a web application in Function Compute Add a Layer 7 Classic Load Balancer (CLB) instance to WAF Add a Layer 4 CLB instance to WAF Add an Elastic Compute Service (ECS) instance to WAF CNAME record mode Add a domain name to WAF Modify the DNS record of a domain name	Transparent proxy mode CNAME record mode Add a domain name to WAF Modify a DNS record
Use WAF	View domain names	Asset center	Asset Discovery
	Use WAF for protection	Configure protected objects and protected object groups Configure protection rules Basic protection rules Whitelist rules IP address blacklist rules Custom rules Scan protection rules Custom response rules HTTP flood protection rules Region blacklist rules Website tamper-proofing rules Data leakage prevention rules Major event protection Bot management	Protection rules engine Whitelist Website whitelist Web intrusion prevention whitelist Data security whitelist Bot management whitelist Access control or throttling whitelist IP address blacklist Custom protection policies Scan protection HTTP flood protection Website tamper-proofing Data leak prevention Positive security model Account security Bot management
	Configure monitoring and alerting	Configure CloudMonitor notifications Use Simple Log Service to configure monitoring and alerting for WAF	Configure CloudMonitor notifications Use Simple Log Service to configure monitoring and alerting for WAF
	View protection data	Security reports Query logs	Security reports Query logs
API operations		WAF 3.0 API operations	WAF 2.0 API operations