If you configured a Microservices Engine (MSE) instance for your web services, you can enable Web Application Firewall (WAF) protection for the MSE instance to redirect the web traffic of the instance to WAF. This topic describes how to enable WAF protection for an MSE instance.
Background information
MSE is an end-to-end microservices platform that is developed for mainstream open source microservices ecosystems. MSE provides the following modules: Microservices Registry, Cloud-native Gateway, and Microservices Governance. Microservices Registry supports native Nacos, ZooKeeper, and Eureka engines. Cloud-native Gateway supports native Ingress and Envoy. Microservices Governance supports native Spring Cloud, Dubbo, and Sentinel and complies with OpenSergo. WAF 3.0 is integrated with MSE cloud-native gateways. This can help improve the O&M efficiency and security of your web services and ensure a seamless and interactive user experience.
Limits
Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), Elastic Compute Service (ECS), and Network Load Balancer (NLB). If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
The MSE instance for which you want to enable WAF protection must reside in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), and US (Silicon Valley).
You cannot enable the following features for MSE instances for which WAF protection is enabled:
Website tamper-proofing
Data leakage prevention
Automatic integration of the Web SDK in bot management for web application protection and legitimate bot management
Bot threat intelligence
Prerequisites
A cloud-native gateway is created. For more information, see Create a cloud-native gateway.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Enable WAF protection for an MSE instance
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click MSE in the left-side cloud service list.
On the authorization page, click Authorize Now to authorize your WAF instance to access the required cloud service.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If the authorization is complete, the authorization page is not displayed. You can proceed to the next step.
Click Add. You are navigated to the MSE console.
In the top navigation bar, select one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley).
Enable WAF protection.
Enable instance-level protection.
Find the gateway for which you want to enable WAF protection, move the pointer over the icon in the WAF Protection column, and then click Enable Gateway Protection. You can also choose in the Actions column. In the Enable WAF Protection dialog box, click OK.
Enable route-level protection.
Find the gateway for which you want to enable WAF protection, click the name of the gateway, and then choose in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.
Find the route for which you want to enable WAF protection and choose in the Actions column. Then, click OK.
Manage WAF protection in the MSE console
Log on to the MSE console. In the left-side navigation pane, choose .
In the top navigation bar, select one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley).
Manage WAF protection.
View MSE instances for which WAF protection is enabled.
In the instance list, you can view the MSE instances for which WAF protection is enabled. If the icon is displayed on the right side of the name of an MSE instance, WAF protection is enabled for the MSE instance.
Disable WAF protection for an MSE instance.
After you disable WAF protection for an MSE instance, web traffic of the MSE instance is no longer protected by WAF, and you can no longer view protection details of the web traffic in WAF security reports.
Important: After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you disable WAF protection for an MSE instance. For more information, see Billing overview and Protection module overview.
Disable instance-level protection.
Find the gateway for which you want to disable WAF protection, click the icon in the WAF Protection column, and then click Disable Gateway Protection. You can also choose in the Actions column. In the Disable WAF Protection dialog box, click OK.
Disable route-level protection.
Find the gateway for which you want to disable WAF protection, click the name of the gateway, and then choose in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.
Find the route for which you want to disable WAF protection and choose in the Actions column. Then, click OK.
Manage WAF protection in the WAF console
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
Manage WAF protection.
View MSE instances for which WAF protection is enabled.
On the Cloud Native tab, click MSE in the left-side cloud service list.
Configure protected objects and protection rules.
After you enable WAF protection for an MSE instance, the MSE instance automatically becomes a protected object of WAF. The name of the protected object contains the -mse suffix. By default, protection rules of the core protection rule module are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the MSE instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Disable WAF protection for an MSE instance.
After you disable WAF protection for an MSE instance, web traffic of the MSE instance is no longer protected by WAF, and you can no longer view protection details of the web traffic in WAF security reports.
Important: After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you disable WAF protection for an MSE instance. For more information, see Billing overview and Protection module overview.
Find the MSE instance for which you want to disable WAF protection and click Remove in the Actions column.
You are redirected to the Gateways page in the MSE console.
Disable WAF protection in the MSE console. For more information, see Disable WAF protection for an MSE instance.