Edition Differences

Updated on 2025-01-17 GMT+08:00

WAF provides cloud and dedicated instances. The access mode varies depending on the instance type you are using. This topic summarizes the differences in access modes, service specifications, and functions between editions, so you can quickly determine which type of instance best fits your service requirements.

Service Edition Overview

When you make a purchase decision, consider the access modes, specifications, and functions supported by the WAF edition you plan to use.

  • Access modes

    You can connect a website to WAF in cloud mode or dedicated mode. In cloud mode, Cloud Mode - CNAME and Cloud Mode - Load balancer access modes are supported. For more details, see Access Mode Description.

  • Service editions

    To support different service scenarios, WAF provides multiple editions. For details about the specifications of different editions, see Specifications Supported by Each Edition. For details about the supported functions and features, see Functions Supported by Each Service Edition.

    • For cloud mode, WAF can be billed on a yearly/monthly or pay-per-use basis. In yearly/monthly billing mode, you can use the standard, professional, or platinum edition. For details about the different access modes and service editions, see Figure 1.

      In cloud mode, you can change the billing mode between yearly/monthly and pay-per-use. For more details, see Changing the Billing Mode.

    • For dedicated mode, WAF can be billed only in pay-per-use mode.
    Figure 1 Service editions and access modes
NOTE:
  • To use the Cloud Mode - Load Balancer access mode, you need to purchase the standard, professional, or platinum edition billed on a yearly/monthly basis first. Then you can submit a service ticket to request the use of this mode. For details about regions supported by Cloud Mode - Load Balancer Access, see Function Overview.
  • Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued. There is no impact on your use or renewal of dedicated WAF instances you already purchased.

Access Mode Description

The service edition you can use is restricted by the access mode you want to use. So, before making a purchase, check which WAF access mode best fits your needs.

WAF provides three access modes: cloud mode - CNAME, cloud mode - load balancer, and dedicated mode. The following figure shows the deployment architecture. For details about the differences, see Table 1.

Table 1 Access Mode Description

Application scenarios

  • Cloud Mode - CNAME Access: Suitable for service scenarios of various scales. For details about service scales and cloud mode editions, see Service Editions.
  • Cloud Mode - Load Balancer Access: This mode is suitable for large enterprise websites having high security requirements on service stability.
  • Dedicated Mode: This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.

Where web services are deployed

  • Cloud Mode - CNAME Access: Service servers are deployed on any cloud or in on-premises data centers.
  • Cloud Mode - Load Balancer Access: Service servers are deployed on Huawei Cloud.
  • Dedicated Mode: Service servers are deployed on Huawei Cloud.

Protected objects

  • Cloud Mode - CNAME Access: Domain names
  • Cloud Mode - Load Balancer Access: Domain names and IP addresses (public or private IP addresses)
  • Dedicated Mode: Domain names and IP addresses (public or private IP addresses)

Billing mode

  • Cloud Mode - CNAME Access: Yearly/Monthly and pay-per-use billing
  • Cloud Mode - Load Balancer Access: Yearly/Monthly and pay-per-use billing
  • Dedicated Mode: Pay-per-use billing

Service editions

  • Cloud Mode - CNAME Access: Standard, professional, and platinum editions
  • Cloud Mode - Load Balancer Access: Standard, professional, and platinum editions
  • Dedicated Mode: -

Advantages

  • Cloud Mode - CNAME Access
    • Protection capability scaling by upgrading specifications
    • Protection for cloud and on-premises web services
    • IPv6 protection
  • Cloud Mode - Load Balancer Access
    • Scaling out of your WAF protection capabilities without changing your service architecture
    • Non-inline deployment and zero impacts on your website services
    • High reliability: If your WAF instance becomes faulty, the load balancer directly distributes your website traffic over the origin servers, so your normal business is not affected.
  • Dedicated Mode
    • Enable cloud and on-premises deployment.
    • Enable exclusive use of WAF instance.
    • Meet requirements for protection against large-scale traffic attacks.
    • Deploy dedicated WAF instances in a VPC to reduce network latency.

Access Guide

  • Cloud Mode - CNAME Access: Connecting Your Website to WAF (Cloud Mode - CNAME Access)
  • Cloud Mode - Load Balancer Access: Connecting Your Website to WAF (Cloud Mode - Load Balancer Access)
  • Dedicated Mode: Connect Your website to WAF (Dedicated Mode)

Specifications Supported by Each Edition

After selecting an access mode, you need to select a proper service edition based on your service scale. Table 2 lists the service specifications supported by different service editions.

NOTE:
  • In cloud mode, the domain name, QPS, and rule expansion package quotas can be shared by the load balancer and CNAME access modes. This is because the same service specifications are provided for the two modes.
  • In cloud mode, to protect more domain names and traffic, you can either purchase domain name, QPS, and rule expansion packages or change the edition of your cloud WAF instance. Service edition rankings are as follows: standard, professional, and platinum, in ascending order.

Table 2 Applicable service scales

Columns: Cloud Mode (Standard, Professional, and Platinum editions), Cloud Mode (Pay-Per-Use Billing), and Dedicated Mode (Pay-per-Use).

Service scale

  • Cloud Mode, Standard: This edition is suitable for small and medium-sized websites that do not have special security requirements.
  • Cloud Mode, Professional: This edition is suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements.
  • Cloud Mode, Platinum: This edition is suitable for large and medium-sized enterprise websites that have a large service scale or have customized security requirements.
  • Cloud Mode (Pay-Per-Use Billing): The mode is recommended if you expect frequent service usage changes.
  • Dedicated Mode (Pay-per-Use): This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.

Peak rate of normal service requests

  • Cloud Mode, Standard
    • Service requests: 2,000 QPS
    • Support for QPS expansion packages
      • Origin servers deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 50 Mbit/s bandwidth.
      • Origin servers not deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 20 Mbit/s bandwidth.
    • WAF-to-Server connections: 6,000 per domain name
  • Cloud Mode, Professional
    • Service requests: 5,000 QPS
    • Support for QPS expansion packages
      • Origin servers deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 50 Mbit/s bandwidth.
      • Origin servers not deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 20 Mbit/s bandwidth.
    • WAF-to-Server connections: 6,000 per domain name
  • Cloud Mode, Platinum
    • Service requests: 10,000 QPS
    • Support for QPS expansion packages
      • Origin servers deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 50 Mbit/s bandwidth.
      • Origin servers not deployed on Huawei Cloud: Each expansion package supports 1,000 QPS and 20 Mbit/s bandwidth.
    • WAF-to-Server connections: 6,000 per domain name
  • Cloud Mode (Pay-Per-Use Billing)
    • WAF-to-Server connections: 6,000 per domain name
  • Dedicated Mode (Pay-per-Use): The following lists the specifications of a single instance.
    • Specifications: WI-500. Estimated performance:
      • HTTP services: 5,000 QPS (recommended)
      • HTTPS services: 4,000 QPS (recommended)
      • WebSocket service - Maximum concurrent connections: 5,000
      • Maximum WAF-to-server persistent connections: 60,000
    • Specifications: WI-100. Estimated performance:
      • HTTP services: 1,000 QPS (recommended)
      • HTTPS services: 800 QPS (recommended)
      • WebSocket service - Maximum concurrent connections: 1,000
      • Maximum WAF-to-server persistent connections: 60,000

NOTICE:

Maximum QPS values are for your reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize.

Service bandwidth threshold (origin servers deployed on Huawei Cloud)

300 Mbit/s

  • Specifications: WI-500. Estimated performance:

    Throughput: 500 Mbit/s

  • Specifications: WI-100. Estimated performance:

    Throughput: 100 Mbit/s

Service bandwidth threshold (origin servers not deployed on Huawei Cloud)

100 Mbit/s

N/A

Number of domain names

200

2,000

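Back-to-source IP address quantity (the number of WAF back-to-source IP addresses that can be allowed by a protected domain name)

  • Cloud Mode, Standard: 20
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 80
  • Cloud Mode (Pay-Per-Use Billing): 20
  • Dedicated Mode (Pay-per-Use): N/A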

Quantity of supported ports

  • Standard ports: two (80 and 443)
  • Non-standard ports: any ports listed in Ports Supported by WAF. The number of ports is not limited.
  • Standard ports: two (80 and 443)
  • Non-standard ports: any ports listed in Ports Supported by WAF. The number of ports is not limited.
  • Standard ports: two (80 and 443)
  • Non-standard ports: any ports listed in Ports Supported by WAF. The number of ports is not limited.

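Peak rate of CC attack protection

  • Cloud Mode, Standard: 100,000 QPS
  • Cloud Mode, Professional: 200,000 QPS
  • Cloud Mode, Platinum: 1,000,000 QPS
  • Cloud Mode (Pay-Per-Use Billing): 1,000,000 QPS
  • Dedicated Mode (Pay-per-Use)
    • Specifications: WI-500. Estimated performance: Maximum QPS: 20,000
    • Specifications: WI-100. Estimated performance: Maximum QPS: 4,000

CC attack protection rules

  • Cloud Mode, Standard: 20
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Precise protection rules

  • Cloud Mode, Standard: 20
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Number of reference table rules

  • Cloud Mode, Standard: -
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

IP address blacklist and whitelist rules

  • Cloud Mode, Standard: 1,000. Support for rule expansion packages. (Each expansion package supports 10 IP blacklist and whitelist protection rules.)
  • Cloud Mode, Professional: 2,000. Support for rule expansion packages. (Each expansion package supports 10 IP blacklist and whitelist protection rules.)
  • Cloud Mode, Platinum: 5,000. Support for rule expansion packages. (Each expansion package supports 10 IP blacklist and whitelist protection rules.)
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 1,000

Number of geolocation access control rules

  • Cloud Mode, Standard: -
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Web tamper protection rules

  • Cloud Mode, Standard: 20
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Website anti-crawler protection

  • Cloud Mode, Standard: -
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Number of information leakage prevention rules

  • Cloud Mode, Standard: -
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Global protection whitelist rules

  • Cloud Mode, Standard: 1,000
  • Cloud Mode, Professional: 1,000
  • Cloud Mode, Platinum: 1,000
  • Cloud Mode (Pay-Per-Use Billing): 2,000
  • Dedicated Mode (Pay-per-Use): 1,000

Data masking rules

  • Cloud Mode, Standard: 20
  • Cloud Mode, Professional: 50
  • Cloud Mode, Platinum: 100
  • Cloud Mode (Pay-Per-Use Billing): 200
  • Dedicated Mode (Pay-per-Use): 100

Security report templates

  • Cloud Mode, Standard: 5
  • Cloud Mode, Professional: 10
  • Cloud Mode, Platinum: 20
  • Cloud Mode (Pay-Per-Use Billing): -
  • Dedicated Mode (Pay-per-Use): 20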

How to count protected domain names:

  • The number of domain names is the total number of top-level domain names (for example, example.com), single domain names/second-level domains (for example, www.example.com), and wildcard domain names (for example, *.example.com).
  • If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
  • You can upload as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if you purchase a standard edition WAF instance, which can protect 10 domain names, a dedicated WAF instance, which can protect 2,000 domain names, and a domain name expansion package (20 domain names), your WAF instances can protect a total of 2,030 domain names (2,000 + 20 + 10). In this case, you can upload 2,030 certificates.

Functions Supported by Each Service Edition

After determining the access mode and service edition, you need to consider whether the security functions supported by the selected access mode and service edition meet your service requirements. For details, see Table 3.

Notes:

  • √: The function is included in the current edition.
  • ×: The function is not included in the current edition.
  • -: This function is not involved because similar functions are available in ELB. For details about ELB load balancers, see Differences Between Dedicated and Shared Load Balancers.
Table 3 Security features

Function

Function Description

Cloud Mode - CNAME Access

Cloud Mode - Load Balancer Access (Standard/Professional/Platinum Edition)

Cloud Mode (Pay-Per-Use Billing)

Dedicated Mode (Pay-per-Use)

Standard

Professional

Platinum

Domain Expansion Package

A domain expansion package can protect a maximum of 10 domain names.

×

×

QPS Expansion Package

A QPS expansion package protects up to:

  • For web applications deployed on Huawei Cloud
    • Service bandwidth: 50 Mbit/s
    • QPS: 1,000
  • For web applications not deployed on Huawei Cloud
    • Service bandwidth: 20 Mbit/s
    • QPS: 1,000

×

×

Rule Expansion Package

A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.

×

×

Wildcard domain name

Wildcard domain names (for example, *.example.com) can be added to WAF.

Protection for ports except 80 and 443

WAF can protect services on specific non-standard ports in addition to standard ports 80 and 443.

-

Protection for ports except ports 80 and 443

You can submit a service ticket to apply for protection for non-standard ports except standard ports 80 and 443.

×

-

×

×

Batch configuring defense policies

You can flexibly configure protection policies for protected domain names in batches.

×

Applying a protection policy to a domain name

When adding a domain name, you can apply a protection policy to it.

  • System-generated policy (default): This option is unavailable if the number of added protection policies reaches the quota.
  • Custom protection policy: A policy you create based on your security requirements. For more details, see Configuring a Protection Policy.

× (only the system-generated policy is supported)

Batch adding domain names to a policy

Batch adding domain names to a policy

×

Common web application attack defense

Protection against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections

Zero-day vulnerability protection

Updating protection rules against zero-day vulnerabilities to the latest on the cloud and delivering virtual patches in a timely manner

×

Webshell Detection

Protects web applications from web shells.

Deep Inspection

WAF can identify and block evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.

Header Inspection

Detects all header fields in the requests.

CC Attack Protection

You can customize a CC attack protection rule to restrict access to your website based on an IP address, cookie, or Referer, mitigating CC attacks.

Precise Protection

You can configure complex conditions by combining common HTTP fields to match requests precisely. You can log only, allow, or block matched requests.

√ (excluding full detection)

√ (excluding full detection)

√ (excluding full detection)

Reference Table Management

You can configure single-type protection metrics, such as paths, user agent, IP, params, cookie, referer, and headers, in batches.

×

IP Address Blacklist and Whitelist

You can allow or block specific IP addresses in one click. IP addresses or IP address segments can be imported in batches.

Geolocation Access Control

You can allow or block web requests based on the countries that the requests originate from.

×

Web Tamper Protection

You can lock website pages (such as sensitive pages) to prevent malicious content tampering.

Anti-crawler Protection

Identification and blocking of crawler behavior such as search engines, scanners, script tools, and other crawlers.

×

JavaScript-based anti-crawler protection

×

×

×

Number of information leakage prevention rules

WAF can prevent leakage of privacy data, such as ID card numbers, phone numbers, and email addresses.

×

Global protection whitelist rules

You can configure global protection whitelist rules to ignore false positives.

Data Masking

You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.

Resource requirement suggestions

When using dedicated instances, you are advised to configure resource monitoring and alarms on Cloud Eye. It is recommended that the CPU usage be no more than 70% and the memory usage be no more than 80%.

NOTE:

When there are a large number of service requests or complex user-defined protection policies, the CPU and memory usage increases. In extreme cases, the performance fluctuates greatly. You are advised to evaluate the performance specifications based on the pressure tests made on your service model.

-

N/A

N/A

N/A

-
