Web Application Firewall: Overview

Last Updated: Sep 23, 2024

If you want to use Web Application Firewall (WAF) to protect your web services, you must add your web services to WAF. You can add your web services to WAF 3.0 in cloud native mode or CNAME record mode. You can select a mode based on the deployment model of your web services. This topic describes the implementation, recommended scenarios, protected objects, and access methods of the cloud native mode and CNAME record mode.

Comparison

The comparison covers three access modes: cloud native mode in SDK integration mode, cloud native mode in reverse proxy mode, and CNAME record mode.

Implementation

Cloud native mode (SDK integration mode):

  • WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic.

  • To prevent compatibility and stability issues, WAF does not forward traffic.

Cloud native mode (reverse proxy mode):

  • You must add the traffic redirection ports of your cloud services to WAF. This way, the gateways of the cloud services automatically redirect web service traffic to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

CNAME record mode:

  • You must update your CNAME record with your Domain Name System (DNS) provider to map your domain name to the CNAME that is provided by WAF. This ensures that requests destined for your domain name are redirected to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

Recommended scenarios

Cloud native mode (SDK integration mode):

If you use the following Alibaba Cloud services for your web services, we recommend that you add your web services to WAF in this mode: Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute.

Cloud native mode (reverse proxy mode):

If you use Alibaba Cloud Classic Load Balancer (CLB) or Elastic Compute Service (ECS) for your web services, we recommend that you add your web services to WAF in this mode.

CNAME record mode:

If you do not use ALB, MSE, Function Compute, CLB, or ECS for your web services, you can add your web services to WAF in CNAME record mode.

Protected objects

Cloud native mode (SDK integration mode):

  • ALB or MSE instances, including all domain names that are hosted on the instances.

  • Custom domain names in Function Compute.

Cloud native mode (reverse proxy mode):

  • CLB or ECS instances, including all domain names that are hosted on the instances.

CNAME record mode:

  • Domain names.

Access methods

Cloud native mode (reverse proxy mode):

In the WAF console, add the traffic redirection ports of CLB instances or ECS instances to WAF. For more information, see Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF.

CNAME record mode:

  1. Add a domain name to WAF and configure listeners and forwarding rules. For more information, see Add a domain name to WAF.

  2. Modify the DNS record of the domain name. For more information, see Modify the DNS record of a domain name.

  3. Allow access from the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
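
A check that complements step 3 of the CNAME record mode procedure, added here as an example and not taken from the Alibaba Cloud documentation: once the DNS record points at WAF, the origin's access log should show only peers inside the WAF back-to-origin CIDR blocks, and any other source address means a client reached the origin without passing through WAF. The CIDR blocks are placeholder documentation ranges, the log lines are constructed, and the first log field is assumed to be the TCP peer address rather than a forwarded header.

```python
import ipaddress

# Placeholder back-to-origin CIDR blocks (RFC 5737 documentation ranges).
# Replace them with the blocks shown for your WAF instance.
WAF_BACK_TO_ORIGIN = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed origin access-log lines, not real traffic.
# Assumption: the first field is the TCP peer address.
SAMPLE_LOG = """\
192.0.2.17 - - [23/Sep/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.40 - - [23/Sep/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [23/Sep/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 200 2048
198.51.100.200 - - [23/Sep/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [23/Sep/2024:10:00:05 +0000] "GET / HTTP/1.1" 400 0
"""


def audit_origin_log(log_text, cidrs):
    """Return (bypass, malformed).

    bypass:    (line number, address) for peers outside every WAF block.
    malformed: line numbers whose first field is not an IP address.
    """
    # strict=True rejects a block with host bits set, e.g. a typo in the list.
    networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    bypass, malformed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        peer = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            malformed.append(lineno)
            continue
        # An IPv6 peer never matches an IPv4 block, so it is reported too.
        if not any(addr in net for net in networks):
            bypass.append((lineno, str(addr)))
    return bypass, malformed


if __name__ == "__main__":
    bypass, malformed = audit_origin_log(SAMPLE_LOG, WAF_BACK_TO_ORIGIN)
    for lineno, addr in bypass:
        print(f"line {lineno}: {addr} reached the origin without passing through WAF")
    for lineno in malformed:
        print(f"line {lineno}: unparseable peer address")
```

Findings from this audit are the input for tightening the origin's security group or firewall so that only the WAF back-to-origin blocks are accepted on the web ports.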