Edition Differences
WAF provides cloud and dedicated deployments. For their differences, see Cloud and Dedicated WAF Modes.
Cloud and Dedicated WAF Modes
You can select the cloud mode or dedicated mode to deploy WAF instances for your workloads. Figure 1 shows the deployment architectures. Table 1 describes the differences between them.
Specifications Supported by Each Edition
Table 2 describes the service specifications of each WAF mode. In cloud mode, to protect more domain names and traffic, you can either purchase domain name, QPS, and rule expansion packages or change the edition of your cloud WAF instance.
- A domain package allows you to add 10 domain names to WAF, including one top-level domain and nine subdomains or wildcard domains related to the top-level domain.
- The QPS limit and bandwidth limit of a QPS expansion package:
- A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
NOTICE:
- The number of domains is the total number of top-level domain names (for example, example.com), single domain names/second-level domains (for example, www.example.com), and wildcard domain names (for example, *.example.com). For example, the standard edition WAF can protect up to 10 domain names. You can add one top-level domain name and nine subdomain names or wildcard domain names related to the top-level domain name.
- If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
- You can upload as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if you purchase a standard edition WAF instance, which can protect 10 domain names, a dedicated WAF instance, which can protect 2,000 domain names, and a domain name expansion package (20 domain names), your WAF instances can protect a total of 2,030 domain names (2,000 + 20 + 10). In this case, you can upload 2,030 certificates.
| Service Scale | Standard | Professional | Platinum | Cloud Mode (Pay-Per-Use Billing) | Dedicated Mode |
|---|---|---|---|---|---|
| Peak rate of normal service requests |  |  |  | N/A | The following lists the specifications of a single instance. NOTICE: Maximum QPS values are for your reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize. |
| Service bandwidth threshold (The origin server is deployed on the cloud.) | 100 Mbit/s | 200 Mbit/s | 300 Mbit/s | N/A |  |
| Service bandwidth threshold (The origin server is not deployed on Huawei Cloud.) | 30 Mbit/s | 50 Mbit/s | 100 Mbit/s | N/A | N/A |
| Number of domains | 10 (Supports one top-level domain name.) | 50 (Supports five top-level domain names.) | 80 (Supports eight top-level domain names.) | 30 (Supports three top-level domain names.) | 2,000 (Supports 2,000 top-level domain names.) |
| Back-to-source IP address quantity (the number of WAF back-to-source IP addresses that can be allowed by a protected domain name) | 20 | 50 | 80 | 20 | N/A |
| Peak rate of CC attack defense | 100,000 QPS | 200,000 QPS | 1,000,000 QPS | N/A |  |
| Number of CC attack defense rules | 20 | 50 | 100 | 200 | 100 |
| Number of precise protection rules | 20 | 50 | 100 | 200 | 100 |
| Number of reference table rules | N/A | 50 | 100 | 200 | 100 |
| Number of IP address blacklist or whitelist rules | 1,000 | 2,000 | 5,000 | 200 | 1,000 |
| Number of geolocation access control rules | N/A | 50 | 100 | 200 | 100 |
| Number of web tamper protection rules | 20 | 50 | 100 | 200 | 100 |
| Number of information leakage prevention rules | N/A | 50 | 100 | 200 | 100 |
| Global protection whitelist rules | 1,000 | 1,000 | 1,000 | 2,000 | 1,000 |
| Number of data masking rules | 20 | 50 | 100 | 200 | 100 |
Functions Supported by Each Edition
For functions of each edition, see Table 3. To meet your increasing protection requirements, you can upgrade the WAF edition you are using.
Notes:
- √: The function is included in the current edition.
- ×: The function is not included in the current edition.
- -: This function is not involved because similar functions are available in ELB.
| Function | Standard | Professional | Platinum | Dedicated Mode |
|---|---|---|---|---|
| Domain name, QPS, and rule expansion packages | √ | √ | √ | × |
| Adding wildcard domain names | √ | √ | √ | √ |
| Protection for ports except 80 and 443 | √ | √ | √ | √ |
| Protection for ports except ports 80 and 443 | × | √ | √ | × |
| Batch configuring defense policies | × | √ | √ | √ |
| Batch adding domain names to a policy | × | √ | √ | √ |
| Protection against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections | √ | √ | √ | √ |
| Updating protection rules against zero-day vulnerabilities to the latest on the cloud and delivering virtual patches in a timely manner | √ | √ | √ | × |
| Web shell detection | √ | √ | √ | √ |
| Deep anti-evasion inspection to identify and block evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques | √ | √ | √ | √ |
| Inspection of all header fields in the requests | √ | √ | √ | √ |
| CC attack prevention | √ | √ | √ | √ |
| Precise protection | √ (excluding full detection) | √ | √ | √ |
| Reference table management | × | √ | √ | √ |
| IP address whitelist and blacklist and batch importing of IP addresses/IP address ranges | √ | √ | √ | √ |
| Allowing or blocking web requests based on the countries that the requests originate from. | × | √ | √ | √ |
| Web page tampering protection | √ | √ | √ | √ |
| Identification and blocking of crawler behavior such as search engines, scanners, script tools, and other crawlers | × | √ | √ | √ |
| JavaScript-based anti-crawler protection | × | √ | √ | √ |
| Information leakage prevention | × | √ | √ | √ |
| Global protection whitelists | √ | √ | √ | √ |
| Data masking | √ | √ | √ | √ |
| Resource requirement suggestions | N/A | N/A | N/A | When using dedicated instances, you are advised to configure resource monitoring and alarms on Cloud Eye. It is recommended that the CPU usage be no more than 70% and the memory usage be no more than 80%. NOTE: When there are a large number of service requests or complex user-defined protection policies, the CPU and memory usage increases. In extreme cases, the performance fluctuates greatly. You are advised to evaluate the performance specifications based on the pressure tests made on your service model. |