tencent cloud

Feedback

Sandbox Isolation Status

Last updated: 2024-09-05 15:20:10
    Within the same natural day, if the instance's business QPS peak exceeds the instance specification value but does not reach the instance's sandbox isolation threshold for a cumulative of 3 times (including) or if the QPS peak exceeds the instance sandbox isolation threshold once (including), the instance business traffic will immediately enter the sandbox isolation status. Instances in the sandbox isolation status will no longer guarantee the compliance of SLA.
    
    This document will introduce what the sandbox isolation status is, the conditions under which an instance enters the sandbox isolation status, and how to lift an instance from the sandbox isolation status.

    1. Overview of the Isolated Cluster

    Isolated clusters are separated isolation spaces set up for abnormal instance traffic where the actual business QPS peak exceeds the QPS traffic specification value.

    Instance QPS Traffic Specification Value

    Instance QPS traffic specification value is the sum of the QPS specification value within the version, the extended QPS specification value, and the elastic postpaid QPS value. The calculation method of the instance QPS traffic specification value is as follows:

    Instances with Elastic Pay-as-you-go Not Enabled

    Instance QPS specification value = purchased QPS specification value = default QPS for the package version + extended QPS for the business extension package
    

    Instances with Elastic Pay-as-you-go Enabled

    Instance QPS specification value = purchased QPS specification value + elastic QPS specification value = default QPS for the package version + extended QPS for the business extension package + elastic postpaid QPS
    

    Sandbox Isolation Threshold

    The sandbox isolation threshold is the maximum protective QPS threshold for short-term service of WAF instances with different QPS specifications. When the QPS of an instance exceeds the threshold, the instance will immediately enter the isolated cluster. The calculation method of the QPS sandbox isolation threshold of an instance is as follows:

    Instances with Elastic Pay-as-you-go Not Enabled and Purchased Business Extension Package Not Customized

    Instance QPS sandbox isolation threshold = purchased QPS specification value x 3
    Example: If an Enterprise Edition SaaS WAF instance in a Chinese mainland region has purchased 3 extension packages, the QPS sandbox isolation threshold of the instance is (5,000 + 3*1,000) x 3.
    

    Instances with Elastic Pay-as-you-Go Enabled and Purchased Business Extension Package Customized

    Instance QPS sandbox isolation threshold = take the maximum value among [instance QPS specification value, maximum QPS sandbox isolation threshold for the instance version]
    Maximum QPS sandbox isolation threshold for the instance version = (default QPS specification value for the package version + maximum extendable QPS specification value for the instance) x 3
    Example 1: For an SaaS Enterprise Edition WAF instance in a Chinese mainland region, you can purchase 40 extension packages after applying for customizing the number of expansion packages available for purchase, the instance QPS specification value = 5,000 + 40 x 1,000 = 45,000. The maximum QPS sandbox isolation threshold for the instance version = (5,000 + 30,000) x 3 = 105,000. Instance QPS sandbox isolation threshold = take the maximum value among [45,000, 105,000] = 105,000 QPS.
    Example 2: For an Enterprise Edition WAF instance in a Chinese mainland region, you can purchase 150 extension packages after applying for customizing the number of extension packages available for purchase, the instance QPS specification value = 5,000 + 150 x 1,000 = 155,000 QPS. The maximum QPS sandbox isolation threshold for the instance version = (5,000 + 30,000) x 3 = 105,000 QPS. The final instance QPS sandbox isolation threshold = take the maximum value among [155,000, 105,000] = 155,000 QPS.
    Example 3: More example data for Instances with Elastic Pay-as-you-go not Enabled and Business Extension Package Available for Purchase Customized is as follows:
    Region
    Version
    Default Purchasable Business Extension Packages
    Actually Purchased Business Extension Packages
    Instance QPS Specification Value
    Maximum QPS Sandbox Isolation Threshold for Instance Version
    Instance QPS Sandbox Isolation Threshold
    Regions in the Chinese Mainland
    Advanced Edition
    20
    30
    2,500+30 x 1,000=42,500
    (2,500+20 x 1,000)*3= 67,500
    67,500
    Enterprise Edition
    30
    80
    5,000+80 x 1,000=85,000
    (5,000+30 x 1,000) x 3= 105,000
    105,000
    120
    5,000+120 x 1,000=125,000
    125,000
    Ultimate Edition
    40
    100
    10,000+100 x 1,000=110,000
    (10,000+40 x 1,000) x 3=150,000
    150,000
    150
    10,000+150 x 1,000=160,000
    160,000
    Non-Chinese Mainland regions
    Advanced Edition
    5
    10
    2,500+10 x 1,000=12,500
    (2,500+5 x 1,000) x 3=22,500
    22,500
    Enterprise Edition
    10
    12
    5,000+12 x 1,000=17,000
    (5,000+10 x 1,000)*3=45,000
    45,000
    50
    5,000+50 x 1,000=55,000
    55,000
    Ultimate Edition
    20
    60
    10,000+60 x 1,000=70,000
    (10,000+20 x 1,000) x 3=90,000
    90,000
    100
    10,000+100 x 1,000=110,000
    110,000
    Note:
    The maximum number of extendable business extension packages (including the maximum extendable QPS specification value) varies by region and WAF instance version. For details, see Plans and Editions.

    Instances with Elastic Pay-as-you-go Enabled and Purchased Business Extension Package Not Customized

    Instance QPS sandbox isolation threshold = purchased QPS specification value x 3 + elastic QPS specification value
    Example: If an Enterprise Edition WAF instance in a Chinese mainland region has purchased 3 extension packages, you can enable Elastic protection, and set the specification value to 50,000. The instance QPS sandbox isolation threshold = (5,000 + 31,000) 3 + 50,000.
    

    Instances with Elastic Pay-as-you-go Enabled and with Purchased Business Extension Package Customized

    Instance QPS sandbox isolation threshold = take the maximum value among [instance QPS specification value, maximum QPS sandbox isolation threshold for the instance version]
    Maximum QPS sandbox isolation threshold for instance version = (default package version QPS specification value + maximum instance extendable QPS specification value) x 3 + elastic QPS specification value
    Example 1: If an Enterprise Edition WAF instance in a Chinese mainland region has purchased 40 extension packages after customization is applied, you can enable elastic billing, and set the specification value to 50,000. The instance QPS specification value = 5,000 + 40 x 1,000 + 50,000 = 95,000, and the maximum QPS sandbox isolation threshold for instance version = (5,000 + 30,000) x 3 + 50,000 = 155,000. The instance QPS sandbox isolation threshold = take the maximum value [95,000, 155,000] = 155,000 QPS.
    Example 2: If an Enterprise Edition WAF instance in a Chinese mainland region has purchased 150 extension packages after customization is applied, you can enable elastic billing, and set the specification value to 50,000. The instance QPS specification value = 5,000 + 150 x 1,000 + 50,000 = 205,000 QPS, and the maximum QPS sandbox isolation threshold for instance version = (5,000 + 30,000) x 3 + 50,000 = 155,000 QPS. The instance QPS sandbox isolation threshold = take the maximum value among [205,000, 155,000] = 205,000 QPS.
    Example 3: More example data for Instances with Elastic Pay-as-you-go enabled and Purchased Business Extension Package Customized is as follows:
    Region
    Version
    Default Purchasable Business Extension Packages
    Default Maximum Elastic QPS that Can Be Enabled
    Actually Purchased Business Extension Packages
    Elastic Postpaid Actually Enabled Specification Value
    Instance QPS Specification Value
    Maximum QPS Sandbox Isolation Threshold for the Instance Version
    Instance QPS Sandbox Isolation Threshold
    Regions in the Chinese Mainland
    Advanced Edition
    40
    200,000
    10
    200,000
    2,500+10 x 1,000+200,000=212,500
    (2,500+40 x 1,000) x 3+200,000=287,500
    287,500
    Enterprise Edition
    60
    300,000
    100
    300,000
    5,000+100 x 1,000+300,000=405,000
    (5,000+60*1,000) x 3+300,000= 435,000
    405,000
    120
    5,000+120 x 1,000+300,000=425,000
    435,000
    Ultimate Edition
    80
    400,000
    100
    400,000
    10,000+100*1,000+400,000=510,000
    (10,000+80 x 1,000) x 3 + 400,000
    =590,000
     
    590,000
    400,000
    150
    400,000
    10,000+150 x 1,000+400,000=560,000
    590,000
    Non-Chinese mainland regions
    Advanced Edition
    10
    Not involved
    10
    Not involved
    2,500+10 x 1,000=12,500
    (2,500+10 x 1,000) x 3=27,500
    27,500
    Enterprise Edition
    20
    12
    5,000+12 x 1,000=17,000
    (5,000+20 x 1,000) x 3=55,000
    55,000
    50
    5,000+50 x 1,000=55,000
    (5,000+20 x 1,000) x 3=55,000
    55,000
    Ultimate Edition
    40
    60
    10,000+60 x 1,000=70,000
    (10,000+40 x 1,000) x 3=110,000
    110,000
    100
    10,000+100 x 1000=110,000
    (10,000+40 x 1,000) x 3=110,000
    110,000

    2. Conditions for an Instance to Enter and Exit Isolation Status

    Within the same natural day, if the instance QPS peak is greater than the instance QPS specification value but less than the instance QPS sandbox isolation threshold for a cumulative of 3 times (including), or exceeds the instance QPS sandbox isolation threshold once (including), the instance will immediately enter the isolated cluster. WAF instances that enter the isolated cluster will no longer guarantee the compliance of SLA.
    Note:
    QPS excess count judgment rules: WAF will obtain the average value (10s) of QPS at each time point in real time to determine the peak value of of each point, which is considered as the instance QPS.
    If the instance QPS peak exceeds the instance QPS specification value but does not exceed the instance QPS sandbox isolation threshold, it is deemed as one excess. The number of excesses within 5 minutes are counted as one excess. If the instance's QPS excess count reach three times, the instance will immediately enter the isolation status.
    If the instance QPS peak exceeds the current instance QPS sandbox isolation threshold once, the excess count for the day will no longer be calculated, and the instance will directly enter the isolation status.
    After an instance enters the isolation status, you can extend the instance QPS specification value. When the extended instance QPS specification value is greater than the maximum business peak value, the isolation will automatically end, and normal protection and product service SLA will be restored. If the instance QPS specification value is not extended, the business QPS peak value need to continuously drop below the instance QPS specification value for 3 consecutive natural days for the instance to be released from the isolation status.

    3. Impact on the Business When an Instance Enters the Isolated Cluster

    Instances that enter the isolated cluster will no longer guarantee the compliance of SLA (i.e., the service availability is not guaranteed by WAF regardless of whether the instance QPS exceeds the specification value). Domain names and instance protection objects connected to this instance may experience abnormal business access at any time, including but not limited to packet loss, speed limit, connection limit, protection failure, abnormal log or report data, access timeout, entering DDoS cleaning or black hole.
    After an instance enters the isolated cluster, the system will notify you via email, SMS, or Message Center. Simultaneously, you can view QPS excess alarms and warning events at the top of the Security Overview and Instances Management pages in the console.
    After an instance enters the isolated cluster, if you enable Elastic Pay-as-you-go or purchase a business extension package to extend the instance QPS specification value, and the extended instance QPS specification value is greater than the maximum business peak at the time of the current day's QPS excess, the instance isolation status can be lifted immediately.

    4. Viewing Instances in the Isolated Status

    After the instance QPS exceeds the limit, at the top of the Instances Management page in the WAF console (as shown in Figure 1), you will receive an alarm for the event; moreover, in the specification section of the instance list, you can view the business QPS peaks and the instance QPS specification values within 30 days. If there is an excess usage event within 30 days, it will be highlighted in red, and you can click to jump to the Security Overview page to view the QPS traffic trend of that instance within 30 days (as shown in Figure 2).
    
    
    After the instance QPS exceeds the limit and enters an isolated status, the security overview page will display an isolation status alarm; by clicking Operations analysis, in the QPS area, you can view the actual QPS usage through the QPS peak chart.
    

    5. How to Lift the Sandbox Isolation Status of an Instance

    The isolation status of annual and monthly subscription instances will not automatically be lifted within the same day, even if the actual QPS usage has dropped back within the current instance QPS specification value. You need to either extend the instance QPS specification value or have the business QPS peak value dropped below the instance QPS specification value for 3 consecutive natural days to lift the isolation status. If your instance QPS exceeds the limit again after an upgrade and enters isolation, you need to extend the instance QPS specification value again.
    You can end the instance isolation status using the following methods:

    Upgrading the Package or Business Extension Package of the Instance to Extend the QPS Specification Value

    On the Instances Management Page, select the excessive instances, and click Upgrade > Extra domain package / Extra capacity package to upgrade the package QPS specification, or click More > Extra capacity package to extend the instance QPS specification value. Once the extended instance QPS specification value is greater than the maximum business peak at the time of excess for that day, the product will automatically lift the instance isolation status, and the instance will restore normal service in compliance of SLA, while the QPS excess count resets to zero.
    

    Enabling Elastic Billing to Extend the QPS Specification Value

    1. For instances without elastic billing enabled, you can go to Instances Management page, and click the target Instance ID.
    
    2. On the instance details page, click
    
    to enable the elastic billing to extend the QPS specification value.
    
    3. After elastic billing is enabled, you can adjust and increase the elastic billing's upper limit to extend the QPS specification value. Once the adjusted instance QPS specification value is greater than the maximum business peak at the time of excess for that day, the product will automatically lift the instance isolation status, restore the normal service in compliance of SLA, and reset the QPS excess count to zero.
    
    
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support