Web Application Firewall:Get started with WAF 3.0

Last Updated: Dec 24, 2024

Web Application Firewall (WAF) blocks malicious web traffic and forwards normal traffic to your origin server. This protects your origin server from attacks and ensures data security. This topic describes how to get started with WAF 3.0 to protect your web services.

WAF usage process

After you purchase a WAF instance, you must determine the web services that you want to protect and add protected objects to WAF. Then, WAF provides protection services for the objects. WAF also provides security reports that you can use to understand the overall security status of your business in daily O&M.


Step 1: Purchase a WAF 3.0 instance

  1. Log on to the WAF 3.0 console. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription or Activate Pay-as-you-go Edition.

  2. On the Web Application Firewall 3.0 (Subscription) or Web Application Firewall (Pay as you go) buy page, select the specifications based on your business requirements and complete the payment.

Step 2: Add protected objects

After you purchase a WAF 3.0 instance, you can view a user guide on the Overview page of the WAF 3.0 console. If you want to automatically add Application Load Balancer (ALB) or Classic Load Balancer (CLB) instances to WAF, click Automatic Full Access in the dialog box that automatically appears. After the instances are added, close the dialog box. You are navigated to the Overview page of the console. You can also close the dialog box and manually add web services.

You can select an access method based on the deployment of your business. If your business servers are deployed on Alibaba Cloud, we recommend that you select the cloud native mode. If your business servers are deployed on Alibaba Cloud, on third-party clouds, or in data centers and are associated with domain names, we recommend that you select the CNAME record mode. For more information about the differences between the two access methods, see Overview. Access procedure:

CNAME record mode

  • Step 1: Add a domain name on the Website Configuration page of the WAF 3.0 console. For more information, see Add a domain name.

  • Step 2: Check whether the forwarding configurations take effect on your on-premises machine. For more information, see Verify domain name settings.

  • Step 3: Allow access from back-to-origin CIDR blocks of WAF. If the origin server on which the domain name is hosted uses a third-party firewall, add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  • Step 4: Modify the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME or IP address provided by WAF. For more information, see Modify the DNS record of a domain name.
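Steps 3 and 4 of the CNAME record mode rest on two conditions that are worth checking from the defender's side: the domain's DNS record must now point at the CNAME that WAF provides, and the origin server should only see traffic arriving from WAF back-to-origin CIDR blocks, because any request from another source reached the origin directly and was never inspected by WAF. The Python below is an added example, not code from the original page or from Alibaba Cloud. The CIDR blocks, the WAF-assigned CNAME, and the origin access log lines are constructed placeholders; the real back-to-origin ranges and CNAME come from the WAF console and are not reproduced here.

```python
import ipaddress
import re

# Placeholder CIDR blocks standing in for the WAF back-to-origin ranges
# (hypothetical values; take the real list from the WAF console).
WAF_BACK_TO_ORIGIN_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "2001:db8:10::/48",
]

# Placeholder for the CNAME that WAF assigns to the domain (hypothetical value).
WAF_ASSIGNED_CNAME = "abc123.example-waf.invalid"


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once; strict=True rejects
    malformed entries such as a host address with a network prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


ALLOWLIST = build_allowlist(WAF_BACK_TO_ORIGIN_CIDRS)


def is_from_waf(client_ip, allowlist=ALLOWLIST):
    """True if the client address falls inside one of the WAF back-to-origin ranges.
    Works for both IPv4 and IPv6 addresses."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


# Constructed origin access log lines (common log format), not real traffic.
SAMPLE_ORIGIN_LOG = """\
203.0.113.45 - - [24/Dec/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [24/Dec/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403 0
198.51.100.9 - - [24/Dec/2024:10:00:03 +0000] "POST /api/login HTTP/1.1" 200 88
2001:db8:10::1 - - [24/Dec/2024:10:00:04 +0000] "GET /health HTTP/1.1" 200 2
2001:db8:99::1 - - [24/Dec/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def find_bypass_requests(log_text, allowlist=ALLOWLIST):
    """Return (client_ip, request_line) for every log entry whose client address
    is outside the WAF ranges, i.e. a request that reached the origin without
    passing through WAF. Unparsable addresses are reported as well rather than
    silently skipped."""
    bypass = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, req = m.group("ip"), m.group("req")
        try:
            if not is_from_waf(ip, allowlist):
                bypass.append((ip, req))
        except ValueError:
            bypass.append((ip, req))
    return bypass


def cname_points_to_waf(resolved_cname, waf_cname=WAF_ASSIGNED_CNAME):
    """Compare the CNAME returned by a resolver with the value WAF assigned.
    The trailing dot and letter case differ between DNS tools, so both are
    normalized before comparison."""
    def norm(name):
        return name.rstrip(".").lower()
    return norm(resolved_cname) == norm(waf_cname)


if __name__ == "__main__":
    for ip, req in find_bypass_requests(SAMPLE_ORIGIN_LOG):
        print(f"direct-to-origin request from {ip}: {req}")
```

Run it against a real origin access log after the DNS cutover: once the old DNS record has expired from caches, the bypass list should stay empty, and any later entries are a sign that the origin is still reachable by its own address and that the third-party firewall allowlist from Step 3 should be tightened to the WAF ranges only.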

Cloud native mode

  1. In the left-side navigation pane, click Website Configuration. On the page that appears, click the Cloud Native tab. In the left-side cloud service list that appears, click the service whose instance you want to add.

  2. Click Add. In the Configure Instance panel, find the instance you want to add and click Add Port in the Actions column. In the dialog box that appears, enter the port information and click OK to return to the panel. Then, click OK in the panel. If the information about the instance is displayed on the page that appears, the instance is added to WAF.

Note

The first time you add your web service to WAF, you must authorize WAF to access the required Alibaba Cloud services. You must follow the on-screen instructions and click Authorize Now to complete the authorization. Then, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

Step 3: Enable protection

After you add a domain name or an instance to WAF, WAF automatically adds the domain name or instance as a protected object and enables protection rules of the core protection rule module for the object. By default, medium and loose rules are used and the protection action is set to Block.

  • If you do not have special security requirements, you can use default settings. You can view protection details on the Security Reports page. For more information, see Step 4: Analyze business security.

  • If your website encounters web attacks, we recommend that you configure protection policies based on the attack details that are displayed on the Overview and Security Reports pages. For more information, see Protection configuration overview.

Step 4: Analyze business security

You can view security reports to obtain the protection records of protection rules for different WAF protection modules, such as the core protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports. You can go to the Security Reports page of the WAF 3.0 console to view security reports.

References

For more information about WAF 3.0, refer to the following topics:

  • Editions: This topic describes the supported editions of WAF 3.0 and the supported features of each edition.

  • Billing overview: This topic describes the billing methods of WAF 3.0.

  • Overview: This topic describes the supported access methods of WAF 3.0.

  • Protection configuration overview: This topic describes the supported protection configurations of WAF 3.0.