Edition Differences
WAF provides cloud and dedicated instances. The access mode varies depending on the instance type you are using. This topic summaries comparisons on access modes, service specifications, and functions between different editions, so you can quickly know which type of instance best fits your service requirements.
Service Edition Overview
When you make a purchase decision, consider the access mode, specifications, and functions the WAF edition you plan to use supports.
- Access modes
You can connect a website to WAF in cloud mode or dedicated mode. In cloud mode, Cloud Mode - CNAME and Cloud Mode - Load balancer access modes are supported. For more details, see Access Mode Description.
- Service editions
To support different service scenarios, WAF provides multiple editions. For details about the specifications of different editions, see Specifications Supported by Each Edition. For details about the supported functions and features, see Functions Supported by Each Service Edition.
- For cloud mode, WAF can be billed on a yearly/monthly or pay-per-use basis. In yearly/monthly billing mode, you can use the standard, professional, or platinum edition. For details about the different access modes and service editions, see Figure 1.
In cloud mode, you can change the billing mode between yearly/monthly and pay-per-use. For more details, see Changing the Billing Mode.
- For dedicated mode, WAF can be billed only in pay-per-use mode.
- For cloud mode, WAF can be billed on a yearly/monthly or pay-per-use basis. In yearly/monthly billing mode, you can use the standard, professional, or platinum edition. For details about the different access modes and service editions, see Figure 1.
- To use cloud mode - load balancer access mode, you need to purchase the standard, professional, or platinum edition billed on a yearly/monthly basis first. Then you can submit a service ticket to request for the use of this mode. For details about regions supported by Cloud Mode - Load Balancer Access, see Function Overview.
- Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued. There is no impact on your use or renewal of dedicated WAF instances you already purchased.
Access Mode Description
The service edition you can use is restricted by the access mode you want to use. So, before making a purchase, check which WAF access mode best fits your need.
WAF provides three access modes: cloud mode - CNAME, cloud mode - load balancer, and dedicated mode. The following figure shows the deployment architecture. For details about the differences, see Table 1.
Item |
Cloud Mode - CNAME Access |
Cloud Mode - Load Balancer Access |
Dedicated Mode |
---|---|---|---|
Application scenarios |
Suitable for service scenarios of various scales. For details about service scales and cloud mode editions, see Service Editions. |
This mode is suitable for large enterprise websites having high security requirements on service stability. |
This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements. |
Where web services are deployed |
Service servers are deployed on any cloud or in on-premises data centers. |
Service servers are deployed on Huawei Cloud. |
Service servers are deployed on Huawei Cloud. |
Protected objects |
Domain names |
Domain names and IP addresses (public or private IP addresses) |
Domain names and IP addresses (public or private IP addresses) |
Billing mode |
Yearly/Monthly and pay-per-use billing |
Yearly/Monthly and pay-per-use billing |
Pay-per-use billing |
Service editions |
Standard, professional, and platinum editions |
Standard, professional, and platinum editions |
- |
Advantages |
|
|
|
Access Guide |
Connecting Your Website to WAF (Cloud Mode - Load Balancer Access) |
Specifications Supported by Each Edition
After selecting an access mode, you need to select a proper service edition based on your service scale. Table 2 lists the service specifications supported by different service editions.
- In cloud mode, the domain name, QPS, and rule expansion package quotas can be shared by the load balancer and CNAME access modes. This is because the same service specifications are provided for the two modes.
- In cloud mode, to protect more domain names and traffic, you can either purchase domain name, QPS, and rule expansion packages or change the edition of your cloud WAF instance. Service edition rankings are as follows: standard, professional, and platinum, in ascending order.
Service Scale |
Cloud Mode |
Cloud Mode (Pay-Per-Use Billing) |
Dedicated Mode (Pay-per-Use) |
||
---|---|---|---|---|---|
Standard |
Professional |
Platinum |
|||
Service scale |
This edition is suitable for small and medium-sized websites that do not have special security requirements. |
This edition is suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements. |
This edition is suitable for large and medium-sized enterprise websites that have a large service scale or have customized security requirements. |
The mode is recommended if you expect frequent service usage changes. |
This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements. |
Peak rate of normal service requests |
|
|
|
WAF-to-Server connections: 6,000 per domain name |
The following lists the specifications of a single instance.
NOTICE:
Maximum QPS values are for your reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize. |
Service bandwidth threshold (origin servers deployed on Huawei Cloud) |
|
|
|
300Mbit/s |
|
Service bandwidth threshold (origin servers not deployed on Huawei Cloud) |
|
|
|
100Mbit/s |
N/A |
Number of domain names |
|
|
|
200 (Supports 20 top-level domain names.) |
2,000 (Supports 2,000 top-level domain names) |
Back-to-source IP address quantity (the number of WAF back-to-source IP addresses that can be allowed by a protected domain name) |
20 |
50 |
80 |
20 |
N/A |
Quantity of supported ports |
|
|
|
|
|
Peak rate of CC attack protection |
100,000 QPS |
200,000 QPS |
1,000,000 QPS |
1,000,000QPS |
|
CC attack protection rules |
20 |
50 |
100 |
200 |
100 |
Precise protection rules |
20 |
50 |
100 |
200 |
100 |
Number of reference table rules |
- |
50 |
100 |
200 |
100 |
IP address blacklist and whitelist rules |
|
|
|
200 |
1,000 |
Number of geolocation access control rules |
- |
50 |
100 |
200 |
100 |
Web tamper protection rules |
20 |
50 |
100 |
200 |
100 |
Website anti-crawler protection |
- |
50 |
100 |
200 |
100 |
Number of information leakage prevention rules |
- |
50 |
100 |
200 |
100 |
Global protection whitelist rules |
1,000 |
1,000 |
1,000 |
2,000 |
1,000 |
Data masking rules |
20 |
50 |
100 |
200 |
100 |
Security report templates |
5 |
10 |
20 |
- |
20 |
How to count protected domain names:
|
Functions Supported by Each Service Edition
After determining the access mode and service edition, you need to consider whether the security functions supported by the selected access mode and service edition meet your service requirements. For details, see Table 3.
Notes:
- √: The function is included in the current edition.
- x: The function is not included in the current edition.
- -: This function is not involved because the similar functions are available in ELB. For details about ELB load balancers, see Differences Between Dedicated and Shared Load Balancers.
Function |
Function Description |
Cloud Mode - CNAME Access |
Cloud Mode - Load Balancer Access (Standard/Professional/Platinum Edition) |
Cloud Mode (Pay-Per-Use Billing) |
Dedicated Mode (Pay-per-Use) |
||
---|---|---|---|---|---|---|---|
Standard |
Professional |
Platinum |
|||||
Domain Expansion Package |
One domain package can protect 10 domain names, including a maximum of one top-level domain name. |
√ |
√ |
√ |
√ |
× |
× |
QPS Expansion Package |
A QPS expansion package protects up to:
|
√ |
√ |
√ |
√ |
× |
× |
Rule Expansion Package |
A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules. |
√ |
√ |
√ |
√ |
× |
× |
Wildcard domain name |
Wildcard domain names (for example, *.example.com) can be added to WAF. |
√ |
√ |
√ |
√ |
√ |
√ |
Protection for ports except 80 and 443 |
WAF can protect services on specific non-standard ports in addition to standard ports 80 and 443. |
√ |
√ |
√ |
- |
√ |
√ |
Protection for ports except ports 80 and 443 |
You can submit a service ticket to apply for protection for non-standard ports except standard ports 80 and 443. |
× |
√ |
√ |
- |
× |
× |
Batch configuring defense policies |
You can flexibly configure protection policies for protected domain names in batches. |
× |
√ |
√ |
√ |
√ |
√ |
Batch adding domain names to a policy |
Batch adding domain names to a policy |
× |
√ |
√ |
√ |
√ |
√ |
Common web application attack defense |
Protection against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections |
√ |
√ |
√ |
√ |
√ |
√ |
Zero-day vulnerability protection |
Updating protection rules against zero-day vulnerabilities to the latest on the cloud and delivering virtual patches in a timely manner |
√ |
√ |
√ |
√ |
√ |
× |
Webshell Detection |
Protects web applications from web shells. |
√ |
√ |
√ |
√ |
√ |
√ |
Deep Inspection |
WAF can identify and block evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. |
√ |
√ |
√ |
√ |
√ |
√ |
Header Inspection |
Detects all header fields in the requests. |
√ |
√ |
√ |
√ |
√ |
√ |
CC Attack Protection |
You can customize a CC attack protection rule to restrict access to your website based on an IP address, cookie, or Referer, mitigating CC attacks. |
√ |
√ |
√ |
√ |
√ |
√ |
Precise Protection |
You can configure complex conditions by combining common HTTP fields to match requests precisely. You can log only, allow, or block matched requests. |
√ (excluding full detection) |
√ |
√ |
√ (excluding full detection) |
√ (excluding full detection) |
√ |
Reference Table Management |
You can configure single-type protection metrics, such as paths, user agent, IP, params, cookie, referer, and headers, in batches. |
× |
√ |
√ |
√ |
√ |
√ |
IP Address Blacklist and Whitelist |
You can allow or block specific IP addresses in one click. IP addresses or IP address segments can be imported in batches. |
√ |
√ |
√ |
√ |
√ |
√ |
Geolocation Access Control |
You can allow or block web requests based on the countries that the requests originate from. |
× |
√ |
√ |
√ |
√ |
√ |
Web Tamper Protection |
You can lock website pages (such as sensitive pages) to prevent malicious content tampering. |
√ |
√ |
√ |
√ |
√ |
√ |
Anti-crawler Protection |
Identification and blocking of crawler behavior such as search engines, scanners, script tools, and other crawlers. |
× |
√ |
√ |
√ |
√ |
√ |
JavaScript-based anti-crawler protection |
× |
√ |
√ |
× |
× |
√ |
|
Number of information leakage prevention rules |
WAF can prevent leakage of privacy data, such as ID card numbers, phone numbers, and email addresses. |
× |
√ |
√ |
√ |
√ |
√ |
Global protection whitelist rules |
You can configure global protection whitelist to ignore false positives. |
√ |
√ |
√ |
√ |
√ |
√ |
Data Masking |
You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. |
√ |
√ |
√ |
√ |
√ |
√ |
Resource requirement suggestions |
When using dedicated instances, you are advised to configure resource monitoring and alarms on Cloud Eye. It is recommended that the CPU usage be no more than 70% and the memory usage be no more than 80%.
NOTE:
When there are a large number of service requests or complex user-defined protection policies, the CPU and memory usage increases. In extreme cases, the performance fluctuates greatly. You are advised to evaluate the performance specifications based on the pressure tests made on your service model. |
- |
N/A |
N/A |
N/A |
- |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot