×
Community Blog Deploying Anti-DDoS, CDN, and WAF on Alibaba Cloud

Deploying Anti-DDoS, CDN, and WAF on Alibaba Cloud

In this tutorial, we'll discuss how to deploy Anti-DDoS, CDN, and WAF to accelerate and secure our web applications on Alibaba Cloud.

In this tutorial, we'll discuss how to deploy Anti-DDoS, Content Delivery Network (CDN), and Web Application Firewall (WAF) all together to accelerate and secure our websites or web applications on Alibaba Cloud. For this solution to work correctly, you must have both Alibaba Cloud domestic and international accounts.

By Joon Park, Solutions Architect

Scenario Description

In case of "China service", for those who want to apply Anti-DDoS, CDN, and WAF features together on Alibaba Cloud environment, consider using SCDN(Secure CDN) on a Domestic account and WAF on an International account together. In case of International account, we cannot simultaneously utilize Anti-DDoS and CDN at the time of writing. In this way, this alternative can make it possible, before SCDN product on International account is released. Once again, this scenario works only for Chinese regions.

Architecture Diagram

The diagram describes the traffic flow from Clients to an Elastic Compute Service (ECS) instance. Server Load Balancer (SLB) is optional, you may remove it from your architecture.

1

Step 1: Configure WAF on International Account

  1. Add your service domain on WAF
    • International account -> WAF -> Management -> Website Configuration -> Add Domain

      2

  2. Add other domains manually on WAF console

    3

  3. Input your service domain, Protocol type: HTTP, Server address: IP, input your Web server's Public IP or SLB's Public IP here. Any layer 7 proxy: Yes.

    Note:Please make sure the domain for Chinese service has an ICP filling.

    4

  4. Take note of the "cname" of your service domain on WAF console. In this case "cname" is "abcdefghijklmno.aliyunwaf.com"

    5

Step 2: Configure SCDN on Domestic Account

  1. Add your service domain on SCDN
    • Domestic account -> SCDN -> Domain Management -> Add domain name

      6

  2. Input your service domain on Accelerate domain name, Source station information: Source station domain name, Input cname from WAF on international console as abcdefghiklmno.aliyunwaf.com, Port: 80 port.

    7

  3. On Back to source configuration, Protocol follows the source: "Disable"

    8

  4. Upload or buy your SSL certification on SSL Certification console on Domestic account.

    Note:You can learn about the details here: Upload certificates, Update HTTPS certificates

    9

  5. Choose SSL certification from "Step 4" or Upload custom SSL certification on HTTPS configuration.

    10

  6. Back to main menu of SCDN on Domestic account, and take a note about cname. In this case cname is "www.test.com.scdnpesk.com".

    11

Step 3: Configure CNAME Record of SCDN on DNS

  1. Update service domain "www.test.com" with cname record from SCDN "www.test.com.scdnpesk.com" .
    Note:You can refer to this document for more information: Update the DNS settings
  2. As soon as update your DNS, please make sure your service can successfully lookup cname from SCDN.

    12

  3. Go to your Web browser and input your server domain "www.test.com". You finally made it!

    13

Step 4: Security Hardening on SLB or ECS

Make sure your SLB and ECS have Public IP. This means that anyone can access your service directly without SCDN or WAF service(note, normally "http port" is any opened 0.0.0.0/0). In this way, these two products(SLB, ECS) have to configure access control to allow traffic the only from WAF on Alibaba Cloud, and all deny from any for security purposes.

14

Troubleshooting

If your web browser cannot correctly display, make sure the option or domain has been set up correctly. Here are some troubleshooting tips that can potentially solve the errors.

  1. If you can find "question symbol" on your cname. Go back to step 3.1 and review your DNS setting. As soon as DSN setting correctly set up, the symbol is removed from console.

    15

  2. Make sure "HTTPS" protocol is only on SCDN tier, not SLB and ECS. This means that you need to configure "HTTP" listener on SLB and open "HTTP"port on ECS as well.
0 2 2
Share on

Alibaba Clouder

2,599 posts | 764 followers

You may also like

Comments