Edition Differences

WAF provides cloud and dedicated deployments. In cloud deployment, you can select the CNAME access or ELB access method. For more details, see Cloud and Dedicated WAF Modes.

To use ELB-access cloud WAF, you need to submit a service ticket to enable it for you first. ELB-access cloud WAF is available in some regions. For details, see Functions.
If you want to use the ELB access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule extension packages are shared between the ELB access and CNAME access modes.

Cloud and Dedicated WAF Modes

You can select CNAME access or ELB access in cloud mode or dedicated mode to deploy WAF instances for your workloads. Figure 1 shows the deployment architectures. Table 1 describes the differences between them.

Figure 1 Deployment architecture
Click to enlarge

**Table 1** Description of how to use different modes of WAF instances
Item	Cloud Mode		Dedicated Mode
Item	CNAME Access	ELB Access	Dedicated Mode
Billing mode	Yearly/Monthly Pay-per-use NOTE: If you buy a cloud WAF instance, you can change its billing mode anytime you want.	If you have purchased cloud WAF (standard, professional, or platinum edition), CNAME and ELB access methods share the domain name, bandwidth, and rule extension packages you have purchased.	Pay-per-use
Edition	The following editions support the yearly/monthly billing mode: Standard Professional Platinum	N/A	N/A
Application scenarios	Service servers are deployed on any cloud or in on-premises data centers. The application scenarios for different editions are as follows: Standard edition Suitable for small- and medium-sized websites that do not have special security requirements Professional edition Suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements Platinum edition Suitable for large- and medium-sized enterprise websites that have a large service scale or have customized security requirements	Service servers are deployed on Huawei Cloud. Large enterprise websites having high security requirements on service stability	Service servers are deployed on Huawei Cloud. This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.
Protection object	Domain names	Domain names IP addresses	Domain names IP addresses
Advantages	Expand protection capability by upgrading specifications. Protect cloud and on-premises web services. Protect IPv6 addresses.	Scaling out of your WAF protection capabilities without changing your service architecture Non-inline deployment and zero impacts on your website services High reliability. If your WAF instance becomes faulty, the load balancer directly distributes your website traffic over the origin servers, eliminating adverse impact incurred such on your normal business.	Enable cloud and on-premises deployment. Enable exclusive use of WAF instance. Meet requirements for protection against large-scale traffic attacks. Deploy dedicated WAF instances in a VPC to reduce network latency.

Specifications Supported by Each Edition

Table 2 describes the service specifications of each WAF mode. In cloud mode, to protect more domain names and traffic, you can either purchase domain name, QPS, and rule expansion packages or change the edition of your cloud WAF instance.

In cloud mode, ELB access is supported in only standard, professional, and platinum editions. ELB-access WAF and cloud WAF have the same service specifications.

The restrictions and specifications of the expansion package are as follows:

A domain package allows you to add 10 domain names to WAF, including one top-level domain and nine subdomains or wildcard domains related to the top-level domain.
The QPS limit and bandwidth limit of a QPS expansion package:
- For web applications deployed on Huawei Cloud
  Service bandwidth: 50 Mbit/s
  
  QPS: 1,000 (Each HTTP GET request is a query.)
- For web applications not deployed on Huawei Cloud
  Service bandwidth: 20 Mbit/s
  
  QPS: 1,000 (Each HTTP GET request is a query.)
- If you want to use the ELB access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule extension packages are shared between the ELB access and CNAME access modes.
- The bandwidth limit applies only to websites accessed in cloud mode. Websites accessed in ELB mode have no bandwidth limit but only QPS limit.
A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.

The number of domains is the total number of top-level domain names (for example, example.com), single domain names/second-level domains (for example, www.example.com), and wildcard domain names (for example, *.example.com). For example, the standard edition WAF can protect up to 10 domain names. You can add one top-level domain name and nine subdomain names or wildcard domain names related to the top-level domain name.
If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
You can upload as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if you purchase a standard edition WAF instance, which can protect 10 domain names, a dedicated WAF instance, which can protect 2,000 domain names, and a domain name expansion package (20 domain names), your WAF instances can protect 2,030 domain names total (2,000 + 20 +10). In this case, you can upload 2,030 certificates.

**Table 2** WAF editions and applicable service scales
Service Scale	Standard	Professional	Platinum	Cloud Mode (Pay-Per-Use Billing)	Dedicated Mode
Peak rate of normal service requests	Service requests: 2,000 QPS WAF-to-Server connections: 6,000 per domain name	Service requests: 5,000 QPS WAF-to-Server connections: 6,000 per domain name	Service requests: 10,000 QPS WAF-to-Server connections: 6,000 per domain name	WAF-to-Server connections: 6,000 per domain name	The following lists the specifications of a single instance. Specifications: WI-500. Referenced performance: HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000. HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000. WebSocket service - Maximum concurrent connections: 5,000 Maximum WAF-to-server persistent connections: 60,000 Specifications: WI-100. Referenced performance: HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000. HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600 WebSocket service - Maximum concurrent connections: 1,000 Maximum WAF-to-server persistent connections: 60,000 NOTICE: Maximum QPS values are for your reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize.
Service bandwidth threshold (The origin server is deployed on the cloud.)	100 Mbit/s	200 Mbit/s	300 Mbit/s	N/A	Specifications: WI-500. Performance: Throughput: 500 Mbit/s Specifications: WI-100. Referenced performance: Throughput: 100 Mbit/s
Service bandwidth threshold (The origin server is not deployed on Huawei Cloud.)	30 Mbit/s	50 Mbit/s	100 Mbit/s	N/A	N/A
Number of domains	10 (Supports one top-level domain name.)	50 (Supports five top-level domain names.)	80 (Supports eight top-level domain names.)	30 (Supports three top-level domain names.)	2,000 (Supports 2,000 top-level domain names)
Back-to-source IP address quantity (the number of WAF back-to-source IP addresses that can be allowed by a protected domain name)	20	50	80	20	N/A
Quantity of supported ports NOTE: If you are using a professional or platinum cloud WAF instance, you can configure any non-standard ports for your protected website. To do so, submit a ticket to enable customized non-standard ports.	Standard ports: two (80 and 443) Non-standard ports: You can use as many ports as you want as long as the port is supported by WAF. For details, see Ports Supported by WAF.	Standard ports: two (80 and 443) Non-standard ports: You can use as many ports as you want as long as the port is supported by WAF. For details, see Ports Supported by WAF.	Standard ports: two (80 and 443) Non-standard ports: You can use as many ports as you want as long as the port is supported by WAF. For details, see Ports Supported by WAF.	N/A	Standard ports: two (80 and 443) Non-standard ports: You can use as many ports as you want as long as the port is supported by WAF. For details, see Ports Supported by WAF.
Peak rate of CC attack defense	100,000 QPS	200,000QPS	1,000,000 QPS	N/A	Specifications: WI-500. Referenced performance: Maximum QPS: 20,000 Specifications: WI-100. Referenced performance: Maximum QPS: 4,000
Number of CC attack defense rules	20	50	100	200	100
Number of precise protection rules	20	50	100	200	100
Number of reference table rules	N/A	50	100	200	100
Number of IP address blacklist or whitelist rules	1,000	2,000	5,000	200	1,000
Number of geolocation access control rules	N/A	50	100	200	100
Number of web tamper protection rules	20	50	100	200	100
JavaScript-based anti-crawler rules	N/A	50	100	200	100
Number of information leakage prevention rules	N/A	50	100	200	100
Global protection whitelist rules	1,000	1,000	1,000	2,000	1,000
Number of data masking rules	20	50	100	200	100
Security report templates	5	10	20	-	20

Functions Supported by Each Edition

For details about cloud and dedicated WAF instances, see Table 3. The standard, professional, and platinum editions provide cloud WAF instances. You can upgrade the WAF edition you are using to a higher one to meet your changing requirements. For details, see Changing Cloud WAF Edition and Specifications.

Notes:

√: The function is included in the current edition.
x: The function is not included in the current edition.
-: This function is not involved because the similar functions are available in ELB. For details about ELB load balancers, see Differences Between Dedicated and Shared Load Balancers.

**Table 3** Security features
Function	Cloud - CNAME Access			Cloud - ELB Access	Cloud Mode (Pay-Per-Use Billing)	Dedicated Mode
Function	Standard	Professional	Platinum	Cloud - ELB Access	Cloud Mode (Pay-Per-Use Billing)	Dedicated Mode
Domain name, QPS, and rule expansion packages	√	√	√	√ (Quota shared with CNAME access)	×	×
Adding wildcard domain names	√	√	√	√	√	√
Protection for ports except 80 and 443	√	√	√	-	√	√
Customization of standard ports other than ports 80 and 443	×	√	√	-	×	×
Batch configuring defense policies	×	√	√	√	√	√
Batch adding domain names to a policy	×	√	√	√	√	√
Protection against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections	√	√	√	√	√	√
Updating protection rules against zero-day vulnerabilities to the latest on the cloud and delivering virtual patches in a timely manner	√	√	√	√	√	×
Web shell detection	√	√	√	√	√	√
Deep anti-evasion inspection to identify and block evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques	√	√	√	√	√	√
Inspection of all header fields in the requests	√	√	√	√	√	√
CC attack prevention	√	√	√	√	√	√
Precise protection	√ (excluding full detection)	√	√	√ (excluding full detection)	√ (excluding full detection)	√
Reference table management	×	√	√	√	√	√
IP address whitelist and blacklist and batch importing of IP addresses/IP address ranges	√	√	√	√	√	√
Allowing or blocking web requests based on the countries that the requests originate from.	×	√	√	√	√	√
Web page tampering protection	√	√	√	√	√	√
Identification and blocking of crawler behavior such as search engines, scanners, script tools, and other crawlers	×	√	√	√	√	√
JavaScript-based anti-crawler protection	×	√	√	×	×	√
Information leakage prevention	×	√	√	√	√	√
Global Protection Whitelist Rule	√	√	√	√	√	√
Data masking	√	√	√	√	√	√
Resource requirement suggestions	N/A	N/A	N/A	N/A	N/A	When using dedicated instances, you are advised to configure resource monitoring and alarms on Cloud Eye. It is recommended that the CPU usage be no more than 70% and the memory usage be no more than 80%. NOTE: When there are a large number of service requests or complex user-defined protection policies, the CPU and memory usage increases. In extreme cases, the performance fluctuates greatly. You are advised to perform pressure testing based on service models and evaluate the performance specifications that best fit your need.

Previous topic: What Is WAF?

Next topic: Basic Concepts

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot