Buying a Cloud WAF Instance
Cloud WAF instances are billed either on a yearly/monthly (prepaid) or pay-per-use (postpaid) basis. In the yearly/monthly billing mode, the standard, professional, and platinum editions are available. Each edition offers domain, QPS, and rule expansion packages.
- To buy pay-per-use WAF instances, submit a service ticket to enable the service.
- To use cloud load balancer WAF, you need to submit a service ticket to enable it for you first. Cloud load balancer WAF is available in some regions. For details, see Functions.
- If you want to use the load balancer access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule expansion packages are shared between the cloud load balancer and cloud CNAME access modes.
- WAF APIs are free.
Before You Start
- Only one billing mode can be selected for your WAF instance in an account.
- Switching between yearly/monthly and pay-per-use payments is supported. For details, see Can I Switch Between Yearly/Monthly and Pay-per-Use Payments for WAF?
- For a cloud WAF instance billed on a yearly/monthly basis, after it expires or you unsubscribe from it, you can enable another WAF instance billed on either a yearly/monthly or pay-per-use basis. The WAF service can save the configuration data of the original WAF instance so that you can reuse it instead of configuring the new WAF instance again, but only when the following conditions are met:
- If you choose the pay-per-use billing mode, the new and original WAF instances must be under the same project in the same region.
- If you choose the yearly/monthly billing mode, the new and original WAF instances must be in the same region.
- For a cloud WAF instance billed on a pay-per-use basis, you can disable the yearly/monthly billing mode and then enable the instance in either yearly/monthly or pay-per-use billing mode.
After the pay-per-use billing mode is disabled, WAF billing stops, the WAF configuration data is saved, and WAF Mode changes to Suspended. In this state, WAF forwards your website traffic without inspecting it.
Prerequisites
Your account for logging in to the WAF console must have the WAF Administrator and BSS Administrator permissions.
Constraints
- Only one WAF edition can be selected under an account in the same great region, such as CN East, which includes the CN East-Shanghai1 and CN East-Shanghai2 regions.
For details about supported regions, see In Which Regions Is WAF Available?
Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
- If you are using a professional or platinum WAF instance, you can configure any non-standard ports for your website. To do so, submit a ticket to enable custom non-standard ports.
Specification Limitations
- A domain package allows you to add 10 domain names to WAF, including one top-level domain and nine subdomains or wildcard domains related to the top-level domain.
- The QPS limit and bandwidth limit of a QPS expansion package:
- A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
- If you want to use the load balancer access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule expansion packages are shared between the cloud load balancers and cloud CNAME access modes.
- The bandwidth limit applies only to websites connected to the cloud CNAME access mode. There is no bandwidth limit but only QPS limit for websites connected to WAF in load balancer access mode.
Application Scenarios
Cloud WAF is a good choice if your service servers are deployed on the cloud or on-premises and you plan to protect your website by adding its domain names to WAF.
The application scenarios for different editions are as follows:
- Standard edition
This edition is suitable for small and medium-sized websites that do not have special security requirements.
- Professional
This edition is suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements.
- Platinum
This edition is suitable for large and medium-sized enterprise websites that have large-scale services or have special security requirements.
Buying Cloud WAF Billed on a Yearly/Monthly Basis
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the upper right corner of the page, click Buy WAF.
- On the Buy Web Application Firewall page, select Cloud Mode for WAF Mode.
- Select a region.
Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
To switch regions, select a region from the drop-down list. Only one WAF edition can be purchased in a region.
- Select an edition.
- Specify the number of domain name, QPS, or rule expansion packages.
For details, see Domain Expansion Package, QPS Expansion Package, and Rule Expansion Package.
Figure 1 Selecting expansion packages
- Configure the Required Duration. You can select the required duration from one month to three years.
Select Auto-renew to enable the system to renew your service by the purchased period when the service is about to expire.
- Confirm the product details and click Buy Now.
- Check the order details and read the Huawei Cloud WAF Disclaimer. Then, check the box next to "I have read and agree to the WAF Disclaimer" and click Pay Now.
- On the payment page, select a payment method and pay for your order.
Buying a Cloud WAF Instance Billed on a Pay-per-use Basis
To buy pay-per-use WAF instances, submit a service ticket to enable the service.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the upper right corner of the page, click Buy WAF.
- On the Buy Web Application Firewall page, select Pay-per-use for Billing Mode and select a region.
Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
To switch regions, select a region from the drop-down list. Only one WAF edition can be purchased in a region.
Figure 2 Pay-per-use
- In the lower right corner of the page, click Next.
- Click Back to Website Settings and add domain names of websites to be protected.
If you want to disable WAF, choose Disable Pay-Per-Use Billing next to Cloud Mode.
, and click
Verification
Your WAF instance is purchased when your instance edition and its remaining validity days are shown in the upper right corner of the management console.
Expansion Packages
WAF provides extra domain name, bandwidth, and rule expansion packages. If the domain name, bandwidth, or rule quotas included in the WAF edition you are using cannot meet your service changes, you can buy extra expansion packages.
One domain package can protect 10 domain names, including a maximum of one top-level domain name. If the cloud WAF edition you are using cannot meet your business requirements, you can purchase domain expansion packages to increase the quota. For example, if you are using the standard edition, 10 domain names can be protected, including only one top-level domain name. If you want to protect three top-level domain names, you can purchase two domain name expansion packages to increase the quota.
- Standard edition: A maximum of 10 domain names can be protected, including only one top-level domain name.
- Professional edition: A maximum of 50 domain names can be protected, including five top-level domain names.
- Platinum edition: A maximum of 80 domain names can be protected, including eight top-level domain names.
- If only one top-level domain can be added to a WAF instance, you can add one top-level domain and subdomains or wildcard domain names related to that top-level domain. For example, you can add one top-level domain name example.com and a maximum of nine subdomains or wildcard domains, for example, www.example.com, *.example.com, mail.example.com, user.pay.example.com, and x.y.z.example.com. Each of these domain names (including the top-level domain name example.com) counts toward the domain name quota in the domain name package.
- If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
You can also change specifications of your cloud WAF to increase the domain name quota. For details, see Changing the Edition and Specifications of a Cloud WAF Instance.
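The counting rules above (each host:port pair is a separate entry, and each package adds 10 domain names but only one top-level domain) can be checked against an inventory before buying. The following is an added example, not Huawei Cloud code or a WAF API; the function names and the sample inventory are constructed, and it assumes a top-level domain is the last two labels of a host name.

```python
import math

# Base quotas per edition as stated on this page: (domain names, top-level domains).
EDITION_QUOTA = {"standard": (10, 1), "professional": (50, 5), "platinum": (80, 8)}
PACKAGE_DOMAINS, PACKAGE_TOP_LEVEL = 10, 1  # what one domain expansion package adds

def apex_of(host):
    """Assumption: the top-level domain is the last two labels (example.com).
    Suffixes such as .co.uk would need a public suffix list instead."""
    return ".".join(host.split(".")[-2:])

def quota_entries(protected):
    """Turn 'host' or 'host:port' strings into distinct quota entries.
    The same host on two ports yields two entries, as the page states."""
    entries = set()
    for item in protected:
        host, _, port = item.strip().partition(":")
        # Assumption: an entry without an explicit port is its own entry.
        entries.add((host.lower().rstrip("."), port or "default"))
    return entries

def domain_packages_needed(edition, protected):
    """Return entry count, top-level domain count and packages to buy."""
    base_domains, base_top = EDITION_QUOTA[edition]
    entries = quota_entries(protected)
    apexes = {apex_of(host) for host, _ in entries}
    over_domains = max(0, len(entries) - base_domains)
    over_top = max(0, len(apexes) - base_top)
    # Both limits must be satisfied, so the larger shortfall decides.
    packages = max(math.ceil(over_domains / PACKAGE_DOMAINS),
                   math.ceil(over_top / PACKAGE_TOP_LEVEL))
    return {"entries": len(entries), "top_level": len(apexes), "packages": packages}

# Constructed inventory: three top-level domains, one host on two extra ports,
# and one duplicate that differs only in letter case.
SAMPLE = ["example.com", "www.example.com", "*.example.com",
          "www.example.com:8080", "www.example.com:8081", "WWW.example.com",
          "example.org", "shop.example.net"]

if __name__ == "__main__":
    for edition in EDITION_QUOTA:
        print(edition, domain_packages_needed(edition, SAMPLE))
```

With the constructed inventory, the standard edition needs two packages because of the three top-level domains, even though only seven entries are used.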
A certain amount of bandwidth is provided when you buy a standard, professional, or platinum WAF instance billed on a yearly/monthly basis. For details, see Edition Differences. If you have many more workloads to protect, you can buy additional QPS expansion packages.
For example, if your service traffic is 6,000 QPS and you have purchased the WAF professional edition, with a service request limit of 5,000 QPS, you can buy a QPS expansion package of 1,000 QPS to make up the difference. You can change the edition and specifications of a cloud WAF instance to increase the QPS quota to meet service bandwidth growth requirements.
What Is the Service Bandwidth Limit?
- The service bandwidth limit is the amount of normal traffic a WAF instance can protect. A QPS expansion package protects up to:
- For web applications deployed on Huawei Cloud
QPS: 1,000 (Each HTTP GET request is a query.)
- For web applications not deployed on Huawei Cloud
QPS: 1,000 (Each HTTP GET request is a query.)
The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other Huawei Cloud products (such as CDN, ELB, and ECS).
- By default, a certain amount of bandwidth can be protected by the standard, professional, or platinum WAF instance billed in yearly/monthly mode. If your origin servers (such as ECSs or ELB load balancers) are on Huawei Cloud, more bandwidth can be protected. For example, if you use a platinum instance, it can protect up to 300 Mbit/s of bandwidth for origin servers on Huawei Cloud, or protect up to 100 Mbit/s of bandwidth for origin servers outside Huawei Cloud, such as in on-premises data centers.
What Happens If Website Traffic Exceeds the Service Bandwidth or Request Limit?
If your website's normal traffic exceeds the service bandwidth or request limit offered by the edition you select, the forwarding of website traffic may be affected.
For example, traffic limiting and random packet loss may occur. Your website services may be unavailable, frozen, or respond very slowly. Sometimes, your customers may see "Website is under maintenance (Protected by WAF)" when visiting your website.
In this case, upgrade your edition or buy additional QPS expansion packages.
How Many QPS Expansion Packages Do I Need?
Before buying WAF, confirm the total inbound and outbound peak traffic of the websites to be protected by WAF. Ensure that the bandwidth of the WAF edition you select is greater than the total inbound peak traffic or the total outbound peak traffic, whichever is larger.
Generally, the outbound traffic is larger than the inbound traffic.
You can estimate the traffic by referring to the traffic statistics on the ECS console or using other monitoring tools.
Attack traffic must be removed in your estimations. For example, if your website is being accessed normally, WAF routes the traffic back to the origin ECS, but if your website is under attack, WAF blocks and filters out the illegitimate traffic, and routes only the legitimate traffic back to the origin ECS. The inbound and outbound traffic of the origin ECS you view on the ECS console is the normal traffic. If there are multiple ECSs, collect statistics on the normal traffic of all ECSs. For example, if you have six sites and the peak outbound traffic of each site does not exceed 2,000 QPS, then the total peak traffic volume does not exceed 12,000 QPS. In this case, you can buy the WAF platinum edition.
If you are using yearly/monthly cloud WAF, you can purchase rule expansion packages under the current WAF edition to get more quota for IP address whitelist and blacklist rules.
A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
Rule expansion packages are available when you purchase or change a cloud WAF instance.
For details, see Changing the Edition and Specifications of a Cloud WAF Instance.
Related Operations
- Changing the Edition and Specifications of a Cloud WAF Instance
In cloud mode, to protect more domain names or traffic, upgrade the instance edition or increase the number of expansion packages.
- How Do I Unsubscribe from WAF?
- How Do I Renew My WAF Instance?