You can use Application Load Balancer (ALB) instances that have Web Application Firewall (WAF) enabled to prevent common network attacks, such as DDoS attacks, SQL injection, cross-site scripting, malicious HTTP requests, and SSH brute force attacks. WAF-enabled ALB instances support various HTTP protocols and encoding algorithms to help you build an in-depth and precise security system. If your web applications are vulnerable to intrusions or require higher security, you can use WAF-enabled ALB instances.
For more information about WAF-enabled ALB instances, see Benefits of WAF-enabled ALB instances. For more information about WAF, see What is WAF?
For more information about the billing rules of WAF-enabled ALB instances, see ALB billing rules.
Prerequisites
The ALB Ingress controller is installed in the cluster. For more information, see Manage the ALB Ingress controller.
Note: To use an ALB Ingress to access Services deployed in an ACK dedicated cluster, you need to first grant the cluster the permissions required by the ALB Ingress controller. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Configure a WAF-enabled ALB instance
When you create an ALB instance or modify the configuration of an existing ALB instance, you can add the edition parameter to the AlbConfig and set the value to StandardWithWaf to enable WAF for the ALB instance. You cannot modify the edition parameter of a reused ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressType: Internet
    edition: StandardWithWaf # Enable WAF protection.
    zoneMappings:
    #...
If the ALB instance no longer needs WAF protection, set the value of the edition parameter to Standard.
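To confirm which AlbConfigs in a cluster actually carry the WAF edition, the following check reads the output of `kubectl get albconfig -o json` and lists every AlbConfig whose edition is not StandardWithWaf. It is an added example, not part of the original documentation; the sample data and the names alb-internal and alb-legacy are constructed, and treating a missing edition field as "WAF not enabled" is an assumption.

```python
import json
import sys

WAF_EDITION = "StandardWithWaf"  # edition value from the AlbConfig above

# Constructed sample shaped like `kubectl get albconfig -o json` output.
# The names alb-internal and alb-legacy are made up for illustration.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "AlbConfig", "metadata": {"name": "alb"},
         "spec": {"config": {"addressType": "Internet",
                             "edition": "StandardWithWaf"}}},
        {"kind": "AlbConfig", "metadata": {"name": "alb-internal"},
         "spec": {"config": {"addressType": "Intranet",
                             "edition": "Standard"}}},
        {"kind": "AlbConfig", "metadata": {"name": "alb-legacy"},
         "spec": {"config": {"addressType": "Internet"}}},
    ],
})


def audit_albconfigs(raw_json):
    """Return (name, edition) for every AlbConfig that is not WAF-enabled.

    Accepts a single AlbConfig object or a kubectl List. A missing edition
    is reported as None (assumption: no explicit edition means no WAF).
    """
    doc = json.loads(raw_json)
    items = [doc] if doc.get("kind") == "AlbConfig" else doc.get("items", [])
    findings = []
    for item in items:
        if item.get("kind") != "AlbConfig":
            continue
        name = (item.get("metadata") or {}).get("name", "<unnamed>")
        config = (item.get("spec") or {}).get("config") or {}
        edition = config.get("edition")
        if edition != WAF_EDITION:
            findings.append((name, edition))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get albconfig -o json > albconfigs.json
    #        python audit_albconfig.py albconfigs.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = audit_albconfigs(raw)
    for name, edition in findings:
        print(f"AlbConfig {name}: edition={edition or 'unset'} (WAF not enabled)")
    sys.exit(1 if findings else 0)
```

The non-zero exit status when any AlbConfig lacks the WAF edition lets the script act as a gate in a CI job or a scheduled compliance check.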
References
For more information about how to enforce access control based on source IP addresses, see Use AlbConfigs to add and modify ACL rules.
For more information about how to authenticate client identities, see Use HTTPS mutual authentication to enhance security.