Resource Orchestration Service: ALIYUN::WAF3::Instance

Last Updated: Apr 02, 2024

ALIYUN::WAF3::Instance is used to create a Web Application Firewall (WAF) 3.0 instance.

Syntax

{
  "Type": "ALIYUN::WAF3::Instance",
  "Properties": {
    "IgnoreExisting": Boolean,
    "IntelligentLoadBalancing": Boolean,
    "AutoRenew": Boolean,
    "Period": Integer,
    "BotWebProtection": Boolean,
    "ApiSecurity": Boolean,
    "AutoPay": Boolean,
    "TrafficBillingProtectionThreshold": Integer,
    "PayType": String,
    "LogStorage": Integer,
    "ElasticQps": Integer,
    "DomainsExtension": Integer,
    "WafVersion": String,
    "ExclusiveIPAddress": Integer,
    "AdditionalProtectionNodes": Integer,
    "Region": String,
    "QpsExtension": Integer,
    "FraudDetection": Boolean,
    "BotAppProtection": Boolean,
    "LogService": Boolean,
    "PeriodUnit": String
  }
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IgnoreExisting | Boolean | No | No | Specifies whether to ignore an existing WAF 3.0 instance. | Valid values: • false: does not ignore an existing WAF 3.0 instance. Resource Orchestration Service (ROS) checks the uniqueness of WAF 3.0 instances. If a WAF 3.0 instance already exists, ROS reports an error when you create a new WAF 3.0 instance. • true: ignores an existing WAF 3.0 instance. ROS does not check the uniqueness of WAF 3.0 instances. If a WAF 3.0 instance already exists, ROS ignores the instance when you create a new WAF 3.0 instance. If the existing WAF 3.0 instance is not created by ROS, ROS ignores the instance when you update or delete the new WAF 3.0 instance. |
| IntelligentLoadBalancing | Boolean | No | No | Specifies whether to enable intelligent load balancing. | Valid values: true and false. |
| AutoRenew | Boolean | No | No | Specifies whether to enable auto-renewal. | Valid values: true and false. |
| Period | Integer | No | No | The subscription duration. | Valid values when PeriodUnit is set to Month: 1, 3, and 6. Valid values when PeriodUnit is set to Year: 1, 2, and 3. |
| BotWebProtection | Boolean | No | No | Specifies whether to enable bot management for web application protection. | Valid values: true and false. |
| ApiSecurity | Boolean | No | No | Specifies whether to enable API security. | The API security feature detects responses that match specific characteristics to check whether data leak risks exist in APIs. If you enable the feature, WAF is authorized to analyze the relevant data. If you set Region to ChineseMainland, the service is deployed and data is processed in the Chinese mainland. |
| AutoPay | Boolean | No | No | Specifies whether to enable automatic payment. | Valid values: true and false. |
| TrafficBillingProtectionThreshold | Integer | No | No | The threshold value for traffic billing protection. | By default, traffic billing protection is enabled for pay-as-you-go WAF 3.0 instances to resolve the issue of excessive charges caused by unexpected factors, such as HTTP flood attacks. If the actual peak traffic is higher than the threshold value for traffic billing protection, the WAF instance is added to a sandbox. WAF does not charge you fees that are generated within the hour when the WAF instance is added to a sandbox. If the actual peak traffic is lower than the threshold value within the subsequent hour, the WAF instance is automatically removed from the sandbox. For more information, see The sandbox feature. Valid values: 1000 to 100000. |
| PayType | String | Yes | No | The billing method. | Valid values: Subscription and PayAsYouGo. |
| LogStorage | Integer | No | No | The log storage capacity. | Valid values: 3 to 150. Unit: TB. |
| ElasticQps | Integer | No | No | The burstable queries per second (QPS) (pay-as-you-go). | If you experience a short-term or sudden increase in business traffic in scenarios such as promotional events, the actual QPS may exceed the sum of the QPS supported by your WAF edition and the extended QPS that you purchase. If you enable the burstable QPS (pay-as-you-go) feature in the scenarios, you are charged based on the usage of excess QPS. This feature helps prevent your instance from being added to a sandbox and ensure service continuity. Valid values: 0 to 60000. |
| DomainsExtension | Integer | No | No | The extra domain. | If the number of required domains exceeds the number of free domains supported by the WAF edition, you can use this property to increase the number of domains. The count for domains does not depend on the domain type. For example, each second-level domain, subdomain, or wildcard domain is counted as a domain. Valid values: 1 to 5000. |
| WafVersion | String | No | No | The edition of WAF 3.0. | Valid values: Basic, Pro, Enterprise, and Ultimate. |
| ExclusiveIPAddress | Integer | No | No | The number of exclusive IP addresses. | Valid values: 0 to 100. |
| AdditionalProtectionNodes | Integer | No | No | The protection nodes for a multi-cloud or hybrid-cloud environment. | If you cannot use the CNAME record mode to connect services to WAF in the public cloud from specific environments, such as a multi-cloud environment, data center, private network, or private cloud, you can purchase the nodes to protect the services by using WAF in an on-premises environment. In reverse proxy mode, each protection node can handle up to 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests. In SDK-based traffic mirroring mode, each protection node can handle up to 15,000 QPS for HTTP or HTTPS requests. To improve protection capabilities, we recommend that you increase the number of protection nodes. Valid values: 0 to 500. |
| Region | String | Yes | No | The region of the WAF 3.0 instance. | Valid values: OutsideChineseMainland and ChineseMainland. |
| QpsExtension | Integer | No | No | The extended QPS. | Valid values: 0 to 30000. |
| FraudDetection | Boolean | No | No | Specifies whether to enable risk identification. | After you purchase bot management, you can enable risk identification. If phone numbers hit suspicious behavior tags in specific scenarios, such as logon or registration scenarios, WAF blocks the requests or triggers CAPTCHA verification. You are charged based on the number of hits of the tags. Valid values: true and false. |
| BotAppProtection | Boolean | No | No | Specifies whether to enable bot management for app protection. | Valid values: true and false. |
| LogService | Boolean | No | No | Specifies whether the WAF 3.0 instance supports Simple Log Service. | Valid values: true and false. |
| PeriodUnit | String | No | No | The unit of the subscription duration. | Valid values: Month and Year. |

Return values

Fn::GetAtt

InstanceId: the ID of the WAF 3.0 instance.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      AdditionalProtectionNodes:
        Default: 0
        Description:
          en: 'Each protection cluster has at least two protection nodes, and each node
            provides the protection capabilities of up to 5,000 QPS for HTTP requests
            or up to 3,000 QPS for HTTPS requests. You can add protection nodes to increase
            protection capabilities. '
        MaxValue: 500
        MinValue: 0
        Required: false
        Type: Number
      ApiSecurity:
        Description:
          en: The API security feature detects responses with specified characteristics
            to check whether data leaks occur. After you enable the feature, WAF is authorized
            to perform related analysis on your data. If you select Chinese Mainland,
            service deployment and data processing are performed in the Chinese mainland.
        Required: false
        Type: Boolean
      AutoPay:
        Default: false
        Description:
          en: Whether to auto pay the bill.
        Required: false
        Type: Boolean
      AutoRenew:
        Description:
          en: Whether to auto renew the prepay instance.
        Required: false
        Type: Boolean
      BotAppProtection:
        Default: true
        Description:
          en: Bot management module for App protection.
        Required: false
        Type: Boolean
      BotWebProtection:
        Default: true
        Description:
          en: Bot management module for Web application protection.
        Required: false
        Type: Boolean
      DomainsExtension:
        Default: 0
        Description:
          en: If the actual number of required access domain names exceeds the number
            of free domain names in the version, the number of domain names can be expanded
            according to this specification. Domain name counting does not differentiate
            between domain name types. The main domain name, sub-domain name, and pan-domain
            name are each counted as one domain name.
        MaxValue: 5000
        MinValue: 0
        Required: false
        Type: Number
      ElasticQps:
        Default: 0
        Description:
          en: The burstable QPS (pay-as-you-go) feature is suitable for scenarios that
            involve short-term or sudden traffic surges, for example, during promotions.
            In these scenarios, the traffic peak may exceed the sum of the maximum QPS
            that is supported by your WAF edition and the extended QPS. If you enable
            the feature, you are charged based on the amount of excess QPS resources that
            you use. This helps prevent your domain names from being added to a sandbox
            when QPS resources are excessively used and helps ensure service continuity.
        MaxValue: 60000
        MinValue: 0
        Required: false
        Type: Number
      ExclusiveIPAddress:
        Default: 0
        Description:
          en: Exclusive IP address number.
        MaxValue: 100
        MinValue: 0
        Required: false
        Type: Number
      FraudDetection:
        Default: true
        Description:
          en: 'You can enable this feature only after you enable the bot management module.
            If abnormal phone numbers are used in logon or registration scenarios, anomaly
            tags are matched. Requests from the abnormal phone numbers are blocked or
            CAPTCHA verification is required. You are charged based on the number of times
            that anomaly tags are matched. '
        Required: false
        Type: Boolean
      IgnoreExisting:
        Default: false
        Description:
          en: 'Whether to ignore existing WAF3 instance
    
            False: ROS will perform a uniqueness check. If the WAF3 instance exists, an
            error will be reported when creating it.
    
            True: ROS will not check the uniqueness. If the WAF3 instance exists, the creation
            process will be ignored.
    
            If the WAF3 instance is not created by ROS, it will be ignored during update
            and delete stage.'
        Required: false
        Type: Boolean
      IntelligentLoadBalancing:
        Description:
          en: Intelligent load balancer for WAF instance.
        Required: false
        Type: Boolean
      LogService:
        Description:
          en: Log service for WAF instance.
        Required: false
        Type: Boolean
      LogStorage:
        Description:
          en: Log storage capacity.
        MaxValue: 150
        MinValue: 3
        Required: false
        Type: Number
      PayType:
        AllowedValues:
        - PayAsYouGo
        - Subscription
        Description:
          en: 'The billing method of the firewall instance. Valid values:
    
            PayAsYouGo: pay-as-you-go
    
            Subscription: subscription'
        Required: true
        Type: String
      Period:
        AllowedValues:
        - 1
        - 2
        - 3
        - 6
        AssociationProperty: PayPeriod
        Description:
          en: 'The subscription period of the firewall. If PeriodUnit is month, the valid
            range is 1, 3, 6
    
            If periodUnit is year, the valid range is 1, 2, 3'
        Required: false
        Type: Number
      PeriodUnit:
        AllowedValues:
        - Month
        - Year
        AssociationProperty: PayPeriodUnit
        Description:
          en: 'The unit of the subscription duration. Valid values:
    
            Month
    
            Year
    
            Default value: Month.'
        Required: false
        Type: String
      QpsExtension:
        Default: 0
        Description:
          en: Extended QPS.
        MaxValue: 30000
        MinValue: 0
        Required: false
        Type: Number
      Region:
        AllowedValues:
        - OutsideChineseMainland
        - ChineseMainland
        Description:
          en: "Web Application Firewall is available in the following regions: regions\
            \ in the Chinese mainland, China (Hong Kong), Singapore (Singapore), Malaysia\
            \ (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt),\
            \ Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo).\n If\
            \ your origin server is deployed within the Chinese mainland, select Chinese\
            \ Mainland. If your origin server is deployed outside the Chinese mainland,\
            \ select Outside Chinese mainland. Intelligent region selection is supported."
        Required: true
        Type: String
      TrafficBillingProtectionThreshold:
        Description:
          en: In pay-as-you-go WAF 3.0, the traffic billing protection feature is automatically
            enabled to prevent unexpected and unusually high bills that result from unpredictable
            factors such as HTTP flood attacks. A bill is not generated for an hour if
            the peak traffic exceeds the traffic billing protection threshold within the
            hour. Then, your WAF instance is added to a sandbox. If the peak traffic is
            lower than the traffic billing protection threshold the next hour, your WAF
            instance is removed from the sandbox.
        MaxValue: 100000
        MinValue: 1000
        Required: false
        Type: Number
      WafVersion:
        AllowedValues:
        - Basic
        - Pro
        - Enterprise
        - Ultimate
        Description:
          en: 'The version of WAF3.0.
    
            '
        Required: false
        Type: String
    Resources:
      Instance:
        Properties:
          AdditionalProtectionNodes:
            Ref: AdditionalProtectionNodes
          ApiSecurity:
            Ref: ApiSecurity
          AutoPay:
            Ref: AutoPay
          AutoRenew:
            Ref: AutoRenew
          BotAppProtection:
            Ref: BotAppProtection
          BotWebProtection:
            Ref: BotWebProtection
          DomainsExtension:
            Ref: DomainsExtension
          ElasticQps:
            Ref: ElasticQps
          ExclusiveIPAddress:
            Ref: ExclusiveIPAddress
          FraudDetection:
            Ref: FraudDetection
          IgnoreExisting:
            Ref: IgnoreExisting
          IntelligentLoadBalancing:
            Ref: IntelligentLoadBalancing
          LogService:
            Ref: LogService
          LogStorage:
            Ref: LogStorage
          PayType:
            Ref: PayType
          Period:
            Ref: Period
          PeriodUnit:
            Ref: PeriodUnit
          QpsExtension:
            Ref: QpsExtension
          Region:
            Ref: Region
          TrafficBillingProtectionThreshold:
            Ref: TrafficBillingProtectionThreshold
          WafVersion:
            Ref: WafVersion
        Type: ALIYUN::WAF3::Instance
    Outputs:
      InstanceId:
        Description: Instance Id.
        Value:
          Fn::GetAtt:
          - Instance
          - InstanceId
                            
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "IgnoreExisting": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to ignore existing WAF3 instance\nFalse: ROS will perform a uniqueness check. If the WAF3 instance exists, an error will be reported when creating it.\nTrue: ROS will not check the uniqueness. If the WAF3 instance exists, the creation process will be ignored.\nIf the WAF3 instance is not created by ROS, it will be ignored during update and delete stage."
          },
          "Required": false,
          "Default": false
        },
        "AutoRenew": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to auto renew the prepay instance."
          },
          "Required": false
        },
        "IntelligentLoadBalancing": {
          "Type": "Boolean",
          "Description": {
            "en": "Intelligent load balancer for WAF instance."
          },
          "Required": false
        },
        "Period": {
          "AssociationProperty": "PayPeriod",
          "Type": "Number",
          "Description": {
            "en": "The subscription period of the firewall. If PeriodUnit is month, the valid range is 1, 3, 6\nIf periodUnit is year, the valid range is 1, 2, 3"
          },
          "AllowedValues": [
            1,
            2,
            3,
            6
          ],
          "Required": false
        },
        "BotWebProtection": {
          "Type": "Boolean",
          "Description": {
            "en": "Bot management module for Web application protection."
          },
          "Required": false,
          "Default": true
        },
        "TrafficBillingProtectionThreshold": {
          "Type": "Number",
          "Description": {
            "en": "In pay-as-you-go WAF 3.0, the traffic billing protection feature is automatically enabled to prevent unexpected and unusually high bills that result from unpredictable factors such as HTTP flood attacks. A bill is not generated for an hour if the peak traffic exceeds the traffic billing protection threshold within the hour. Then, your WAF instance is added to a sandbox. If the peak traffic is lower than the traffic billing protection threshold the next hour, your WAF instance is removed from the sandbox."
          },
          "Required": false,
          "MinValue": 1000,
          "MaxValue": 100000
        },
        "ApiSecurity": {
          "Type": "Boolean",
          "Description": {
            "en": "The API security feature detects responses with specified characteristics to check whether data leaks occur. After you enable the feature, WAF is authorized to perform related analysis on your data. If you select Chinese Mainland, service deployment and data processing are performed in the Chinese mainland."
          },
          "Required": false
        },
        "PayType": {
          "Type": "String",
          "Description": {
            "en": "The billing method of the firewall instance. Valid values:\nPayAsYouGo: pay-as-you-go\nSubscription: subscription"
          },
          "AllowedValues": [
            "PayAsYouGo",
            "Subscription"
          ],
          "Required": true
        },
        "AutoPay": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to auto pay the bill."
          },
          "Required": false,
          "Default": false
        },
        "LogStorage": {
          "Type": "Number",
          "Description": {
            "en": "Log storage capacity."
          },
          "Required": false,
          "MinValue": 3,
          "MaxValue": 150
        },
        "ElasticQps": {
          "Type": "Number",
          "Description": {
            "en": "The burstable QPS (pay-as-you-go) feature is suitable for scenarios that involve short-term or sudden traffic surges, for example, during promotions. In these scenarios, the traffic peak may exceed the sum of the maximum QPS that is supported by your WAF edition and the extended QPS. If you enable the feature, you are charged based on the amount of excess QPS resources that you use. This helps prevent your domain names from being added to a sandbox when QPS resources are excessively used and helps ensure service continuity."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 60000,
          "Default": 0
        },
        "DomainsExtension": {
          "Type": "Number",
          "Description": {
            "en": "If the actual number of required access domain names exceeds the number of free domain names in the version, the number of domain names can be expanded according to this specification. Domain name counting does not differentiate between domain name types. The main domain name, sub-domain name, and pan-domain name are each counted as one domain name."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 5000,
          "Default": 0
        },
        "WafVersion": {
          "Type": "String",
          "Description": {
            "en": "The version of WAF3.0.\n"
          },
          "AllowedValues": [
            "Basic",
            "Pro",
            "Enterprise",
            "Ultimate"
          ],
          "Required": false
        },
        "AdditionalProtectionNodes": {
          "Type": "Number",
          "Description": {
            "en": "Each protection cluster has at least two protection nodes, and each node provides the protection capabilities of up to 5,000 QPS for HTTP requests or up to 3,000 QPS for HTTPS requests. You can add protection nodes to increase protection capabilities. "
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 500,
          "Default": 0
        },
        "ExclusiveIPAddress": {
          "Type": "Number",
          "Description": {
            "en": "Exclusive IP address number."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 100,
          "Default": 0
        },
        "Region": {
          "Type": "String",
          "Description": {
            "en": "Web Application Firewall is available in the following regions: regions in the Chinese mainland, China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo).\n If your origin server is deployed within the Chinese mainland, select Chinese Mainland. If your origin server is deployed outside the Chinese mainland, select Outside Chinese mainland. Intelligent region selection is supported."
          },
          "AllowedValues": [
            "OutsideChineseMainland",
            "ChineseMainland"
          ],
          "Required": true
        },
        "QpsExtension": {
          "Type": "Number",
          "Description": {
            "en": "Extended QPS."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 30000,
          "Default": 0
        },
        "FraudDetection": {
          "Type": "Boolean",
          "Description": {
            "en": "You can enable this feature only after you enable the bot management module. If abnormal phone numbers are used in logon or registration scenarios, anomaly tags are matched. Requests from the abnormal phone numbers are blocked or CAPTCHA verification is required. You are charged based on the number of times that anomaly tags are matched. "
          },
          "Required": false,
          "Default": true
        },
        "BotAppProtection": {
          "Type": "Boolean",
          "Description": {
            "en": "Bot management module for App protection."
          },
          "Required": false,
          "Default": true
        },
        "LogService": {
          "Type": "Boolean",
          "Description": {
            "en": "Log service for WAF instance."
          },
          "Required": false
        },
        "PeriodUnit": {
          "AssociationProperty": "PayPeriodUnit",
          "Type": "String",
          "Description": {
            "en": "The unit of the subscription duration. Valid values:\nMonth\nYear\nDefault value: Month."
          },
          "AllowedValues": [
            "Month",
            "Year"
          ],
          "Required": false
        }
      },
      "Resources": {
        "Instance": {
          "Type": "ALIYUN::WAF3::Instance",
          "Properties": {
            "IgnoreExisting": {
              "Ref": "IgnoreExisting"
            },
            "AutoRenew": {
              "Ref": "AutoRenew"
            },
            "IntelligentLoadBalancing": {
              "Ref": "IntelligentLoadBalancing"
            },
            "Period": {
              "Ref": "Period"
            },
            "BotWebProtection": {
              "Ref": "BotWebProtection"
            },
            "TrafficBillingProtectionThreshold": {
              "Ref": "TrafficBillingProtectionThreshold"
            },
            "ApiSecurity": {
              "Ref": "ApiSecurity"
            },
            "PayType": {
              "Ref": "PayType"
            },
            "AutoPay": {
              "Ref": "AutoPay"
            },
            "LogStorage": {
              "Ref": "LogStorage"
            },
            "ElasticQps": {
              "Ref": "ElasticQps"
            },
            "DomainsExtension": {
              "Ref": "DomainsExtension"
            },
            "WafVersion": {
              "Ref": "WafVersion"
            },
            "AdditionalProtectionNodes": {
              "Ref": "AdditionalProtectionNodes"
            },
            "ExclusiveIPAddress": {
              "Ref": "ExclusiveIPAddress"
            },
            "Region": {
              "Ref": "Region"
            },
            "QpsExtension": {
              "Ref": "QpsExtension"
            },
            "FraudDetection": {
              "Ref": "FraudDetection"
            },
            "BotAppProtection": {
              "Ref": "BotAppProtection"
            },
            "LogService": {
              "Ref": "LogService"
            },
            "PeriodUnit": {
              "Ref": "PeriodUnit"
            }
          }
        }
      },
      "Outputs": {
        "InstanceId": {
          "Description": "Instance Id.",
          "Value": {
            "Fn::GetAtt": [
              "Instance",
              "InstanceId"
            ]
          }
        }
      }
    }
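The example templates declare Period with AllowedValues 1, 2, 3, 6, so parameter validation alone accepts a combination such as Period 2 with PeriodUnit Month that the property table rules out. The following pre-deployment check is an added example, not code from this page or from Alibaba Cloud: the names `resolve`, `lint` and `SAMPLE` are hypothetical, the sample template is constructed, and an unset bot management property is assumed to mean disabled.

```python
# Added example, not Alibaba Cloud code: lint ALIYUN::WAF3::Instance properties.
INT_RANGES = {  # "Valid values: lo to hi" entries from the property table
    "TrafficBillingProtectionThreshold": (1000, 100000), "LogStorage": (3, 150),
    "ElasticQps": (0, 60000), "ExclusiveIPAddress": (0, 100),
    "AdditionalProtectionNodes": (0, 500), "QpsExtension": (0, 30000),
}  # DomainsExtension left out: the table says 1 to 5000, the templates allow 0
ENUMS = {
    "PayType": {"Subscription", "PayAsYouGo"},
    "Region": {"OutsideChineseMainland", "ChineseMainland"},
    "WafVersion": {"Basic", "Pro", "Enterprise", "Ultimate"},
    "PeriodUnit": {"Month", "Year"},
}
BOOLS = {"IgnoreExisting", "IntelligentLoadBalancing", "AutoRenew", "BotWebProtection",
         "ApiSecurity", "AutoPay", "FraudDetection", "BotAppProtection", "LogService"}
PERIODS = {"Month": {1, 3, 6}, "Year": {1, 2, 3}}
REQUIRED = ("PayType", "Region")


def resolve(template, overrides=None, logical_id="Instance"):
    """Turn {"Ref": name} into the supplied value or the parameter Default."""
    params = template.get("Parameters", {})
    overrides, props = overrides or {}, {}
    for key, val in template["Resources"][logical_id]["Properties"].items():
        if isinstance(val, dict) and set(val) == {"Ref"}:
            name = val["Ref"]
            if name in overrides:
                props[key] = overrides[name]
            elif "Default" in params.get(name, {}):
                props[key] = params[name]["Default"]
            # A parameter with neither is treated as not set on the resource.
        else:
            props[key] = val
    return props


def lint(props):
    """Return a list of findings for one resolved property set (empty = clean)."""
    findings = [f"{n}: required property is missing" for n in REQUIRED if n not in props]
    # Values still holding an intrinsic function cannot be checked statically.
    props = {k: v for k, v in props.items() if not isinstance(v, (dict, list))}
    for name, allowed in ENUMS.items():
        if name in props and props[name] not in allowed:
            findings.append(f"{name}: {props[name]!r} is not one of {sorted(allowed)}")
    for name in sorted(BOOLS & props.keys()):
        if not isinstance(props[name], bool):
            findings.append(f"{name}: expected a Boolean, got {props[name]!r}")
    for name, (lo, hi) in INT_RANGES.items():
        val = props.get(name)
        if name in props and (type(val) is not int or not lo <= val <= hi):
            findings.append(f"{name}: {val!r} is outside {lo} to {hi}")
    # Cross-field rule 1: the valid Period set depends on PeriodUnit (default Month).
    unit = props.get("PeriodUnit", "Month")
    if "Period" in props and unit in PERIODS and props["Period"] not in PERIODS[unit]:
        findings.append(f"Period: {props['Period']!r} is not valid for PeriodUnit {unit}")
    # Cross-field rule 2: risk identification needs bot management.
    # Assumption: an unset bot management property counts as disabled.
    bot = props.get("BotWebProtection") is True or props.get("BotAppProtection") is True
    if props.get("FraudDetection") is True and not bot:
        findings.append("FraudDetection: enabled without BotWebProtection or BotAppProtection")
    return findings


# Constructed sample: a cut-down version of the page's example template.
_PARAMS = {
    "PayType": {"Type": "String"}, "Region": {"Type": "String"},
    "Period": {"Type": "Number", "AllowedValues": [1, 2, 3, 6]},
    "PeriodUnit": {"Type": "String"}, "LogStorage": {"Type": "Number"},
    "BotWebProtection": {"Type": "Boolean", "Default": True},
    "BotAppProtection": {"Type": "Boolean", "Default": True},
    "FraudDetection": {"Type": "Boolean", "Default": True},
}
SAMPLE = {"Parameters": _PARAMS, "Resources": {"Instance": {
    "Type": "ALIYUN::WAF3::Instance", "Properties": {n: {"Ref": n} for n in _PARAMS}}}}

if __name__ == "__main__":
    chosen = {"PayType": "Subscription", "Region": "ChineseMainland", "Period": 2}
    for finding in lint(resolve(SAMPLE, chosen)):
        print(finding)
```

Run it in CI against the parameter values a pipeline is about to pass to the stack, and fail the job when `lint` returns anything.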