Cloud-native gateways of Microservices Engine (MSE) are integrated with Web Application Firewall 3.0. You can use WAF 3.0 at the instance level or route level to provide end-to-end security protection for your websites or apps.
Background information
WAF identifies malicious web traffic, scrubs and filters it out, and then forwards the legitimate traffic to your server. This protects your web servers from attacks and ensures the security of your data and business. In traditional WAF scenarios, requests are forwarded to WAF first and then to the gateways. After the integration with cloud-native gateways, requests are forwarded directly to the cloud-native gateways rather than to WAF. This improves performance without affecting security capabilities. The following figures show the request processes before and after the integration.
Billing rules
If you use the WAF 3.0 service in MSE, you are not charged for WAF 3.0 in the MSE console. Instead, you are charged for WAF 3.0 in the WAF console based on the amount of resources that you use.
Enable WAF protection
You can enable Alibaba Cloud WAF 3.0 protection for cloud-native gateways by using one of the following methods:
MSE console: We recommend that you use this method. For more information, see Enable instance-level protection and Enable route-level protection.
WAF 3.0 console: For more information, see Enable WAF protection for an MSE instance.
Enable instance-level WAF protection
Log on to the MSE console. In the top navigation bar, select a region.
Note: The WAF 3.0 integration feature is available in the China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), Malaysia (Kuala Lumpur), and Singapore regions.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways.
On the Gateways page, find the desired gateway and click More in the Actions column. Then, select Enable WAF Protection.
In the Enable WAF Protection message, click OK.
Enable route-level WAF protection
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click Routes, and click the Routes tab.
Click Policies in the Actions column of the route that you want to manage. On the left side of the Policies tab, click WAF, and click Enable Route-level WAF Protection (Recommended) in the right-side section.
In the Tips message, click OK.
What to do next
After you enable WAF protection, traffic to your website is inspected and filtered by WAF. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. You must manually enable other features and configure protection rules. For more information, see Overview.
FAQ
Can cloud-native gateways of MSE be integrated with WAF 2.0?
Yes. To integrate cloud-native gateways of MSE with WAF 2.0, you must add the IP address of the Server Load Balancer (SLB) instance that is associated with your cloud-native gateway to the back-to-origin IP addresses of WAF. For more information, see Tutorial.