Buying a Cloud WAF Instance
Cloud WAF instances are billed either on a yearly/monthly (prepaid) or pay-per-use (postpaid) basis. In the yearly/monthly billing mode, the standard, professional, and platinum editions are available. Each edition offers domain, QPS, and rule expansion packages.
Prerequisites
Your account for logging in to the WAF console must have the WAF Administrator and BSS Administrator permissions.
Constraints
- Only one WAF edition can be selected under an account in the same great region.
- Expansion package can only be renewed or unsubscribed together with the WAF instance you are using.
Specification Limitations
- A domain package allows you to add 10 domain names to WAF, including one top-level domain and nine subdomains or wildcard domains related to the top-level domain.
- The QPS limit and bandwidth limit of a QPS expansion package:
- A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
Application Scenarios
Cloud WAF is a good choice if your service servers are deployed on the cloud or on-premises and you plan to protect your website by adding its domain names to WAF.
The application scenarios for different editions are as follows:
- Standard edition
This edition is suitable for small and medium-sized websites that do not have special security requirements.
- Professional
This edition is suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements.
- Platinum
This edition is suitable for large and medium-sized enterprise websites that have large-scale services or have special security requirements.
Buying Cloud WAF Billed on a Yearly/Monthly Basis
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Security > Web Application Firewall.
- In the upper right corner of the page, click Buy WAF.
- (Optional): Select an enterprise project from the Enterprise Project drop-down list.
This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members.
- Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
- The default option is available in the Enterprise Project drop-down list only when you purchase WAF under the logged-in account.
- On the Buy Web Application Firewall page, select Cloud Mode for WAF Mode.
- Billing Mode: Select Yearly/Monthly. Select a region.
Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
To switch regions, select a region from the drop-down list. Only one WAF edition can be purchased in a region.
- Select an edition.
Figure 1 Selecting WAF edition
- Specify the number of domain name, QPS, or rule expansion packages.
For details, see Domain Expansion Package, QPS Expansion Package, and Rule Expansion Package.Figure 2 Selecting expansion packages
- Configure the Required Duration. You can select the required duration from one month to three years.
Select Auto-renew to enable the system to renew your service by the purchased period when the service is about to expire.
- Confirm the product details and click Buy Now.
- Check the order details and read the Huawei Cloud WAF Disclaimer. Then, check the box next to "I have read and agree to the WAF Disclaimer" and click Pay Now.
- On the payment page, select a payment method and pay for your order.
Buying a Cloud WAF Instance Billed on a Pay-per-use Basis
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security.
- In the upper right corner of the page, click Buy WAF.
- On the Buy Web Application Firewall page, select Pay-per-use for Billing Mode and select a region.
Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
To switch regions, select a region from the drop-down list. Only one WAF edition can be purchased in a region.
Figure 3 Pay-per-use
- In the lower right corner of the page, click Next.
- Click Back to Website Settings and add domain names of websites to be protected.
If you want to disable WAF, choose Disable Pay-Per-Use Billing next to Cloud Mode.
, and click
Verification
Your WAF instance is purchased when your instance edition and its remaining validity days are shown in the upper right corner of the management console.
Expansion Packages
WAF provides extra domain name, bandwidth, and rule expansion packages. If the domain name, bandwidth, or rule quotas included in the WAF edition you are using cannot meet your service changes, you can buy extra expansion packages.
Domain Expansion Package
One domain package can protect 10 domain names, including a maximum of one top-level domain name. If the cloud WAF edition you are using cannot meet your business requirements, you can purchase domain expansion packages to increase the quota. For example, if you are using the standard edition, 10 domain names can be protected, including only one top-level domain name. If you want to protect three top-level domain names, you can purchase two domain name expansion packages to increase the quota.
- Standard edition: A maximum of 10 domain names can be protected, including only one top-level domain name.
- Professional edition: A maximum of 50 domain names can be protected, including five top-level domain names.
- Platinum edition: A maximum of 80 domain names can be protected, including eight top-level domain names.
- If only one top-level domain can be added to a WAF instance, you can add one top-level domain and subdomain or wildcard domain names related to the top-level domain. For example, you can add one top-level domain name example.com and a maximum of nine sub-domains or generic domains, for example, www.example.com, *.example.com, mail.example.com, user.pay.example.com, and x.y.z.example.com. Each of these domain names (including the top-level domain name example.com) is counted toward a domain name quota in the domain name package.
- If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
You can also change specifications of your cloud WAF to increase the domain name quota. For details, see Changing the Edition and Specifications of a Cloud WAF Instance.
QPS Expansion Package
A certain amount of bandwidth is provided when you buy a standard, professional, or platinum cloud WAF instance billed on a yearly/monthly basis. If you need to protect a larger QPS, you can buy additional QPS expansion packages.
For example, if your service traffic is 6,000 QPS and you have purchased the WAF professional edition, with a service request limit of 5,000 QPS, you can buy a QPS expansion package of 1,000 QPS to make up the difference. You can change the edition and specifications of a cloud WAF instance to increase QPS quota to meet service bandwidth growth requirements.
What Is the Service Bandwidth Limit?
- The service bandwidth limit is the amount of normal traffic a WAF instance can protect. A QPS expansion package protects up to:
- For web applications deployed on Huawei Cloud
QPS: 1,000 (Each HTTP GET request is a query.)
- For web applications not deployed on Huawei Cloud
QPS: 1,000 (Each HTTP GET request is a query.)
The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other Huawei Cloud products (such as CDN, ELB, and ECS).
- For web applications deployed on Huawei Cloud
- By default, a certain amount of bandwidth can be protected by the standard, professional, or platinum WAF instance billed in yearly/monthly mode. If your origin servers (such as ECSs or ELB load balancers) are on Huawei Cloud, more bandwidth can be protected. For example, if you use a platinum instance, it can protect up to 300 Mbit/s of bandwidth for origin servers on Huawei Cloud, or protect up to 100 Mbit/s of bandwidth for origin servers outside Huawei Cloud, such as in on-premises data centers.
What Happens If Website Traffic Exceeds the Service Bandwidth or Request Limit?
If your website normal traffic exceeds the service bandwidth or request limit offered by the edition you select, forwarding website traffic may be affected.
For example, traffic limiting and random packet loss may occur. Your website services may be unavailable, frozen, or respond very slowly.
In this case, upgrade your edition or buy additional QPS expansion packages.
How Many QPS Expansion Packages Do I Need?
Before buying WAF, confirm the total inbound and outbound peak traffic of the websites to be protected by WAF. Ensure that the bandwidth of the WAF edition you select is greater than the total inbound peak traffic or the total outbound peak traffic, whichever is larger.
Generally, the outbound traffic is larger than the inbound traffic.
You can estimate the traffic by referring to the traffic statistics on the ECS console or using other monitoring tools.
Attack traffic must be removed in your estimations. For example, if your website is being accessed normally, WAF routes the traffic back to the origin ECS, but if your website is under attack, WAF blocks and filters out the illegitimate traffic, and routes only the legitimate traffic back to the origin ECS. The inbound and outbound traffic of the origin ECS you view on the ECS console is the normal traffic. If there are multiple ECSs, collect statistics on the normal traffic of all ECSs. For example, if you have six sites and the peak outbound traffic of each site does not exceed 2,000 QPS, then the total peak traffic volume does not exceed 12,000 QPS. In this case, you can buy the WAF platinum edition.
Rule Expansion Package
If you are using yearly/monthly cloud WAF, you can purchase rule expansion packages under the current WAF edition to get more quota for IP address whitelist and blacklist rules.
A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
Rule expansion packages are available when you purchase or change a cloud WAF instance. A rule expansion package must be renewed or unsubscribed from along with the associated WAF instance.
For details, see Changing the Edition and Specifications of a Cloud WAF Instance.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.