
Web Application Firewall:Overview

Last Updated:Dec 11, 2024

If you want to use Web Application Firewall (WAF) 3.0 to protect your web services, you must add your web services to WAF 3.0. You can add your web services to WAF 3.0 in cloud native mode, CNAME record mode, or hybrid cloud mode. The modes are also referred to as access methods. You can select an access method based on the deployment of your web services. This topic describes the implementation, recommended scenarios, protected objects, and procedures of the access methods.

Comparison

The following sections compare the access methods by implementation, recommended scenarios, protected objects, and procedure.

Cloud native mode

Implementation:

  • WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic.

  • To prevent compatibility and stability issues, WAF does not forward traffic.

  • You must add the ports of your cloud services to WAF. This way, the gateways of the cloud services automatically redirect the web traffic of the cloud services to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

Recommended scenarios:

  • If you use Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute for your web services, we recommend that you add your web services to WAF in this mode.

  • If you use Network Load Balancer (NLB), Classic Load Balancer (CLB), or Elastic Compute Service (ECS) for your web services, we recommend that you add your web services to WAF in this mode.

Protected objects:

  • ALB or MSE instances, including all domain names that are hosted on the instances.

  • Custom domain names that are bound to web applications in Function Compute.

  • NLB, CLB, or ECS instances, including all domain names that are hosted on the instances.

Procedure:

In the WAF console, add the ports of NLB, CLB, or ECS instances to WAF to redirect traffic. For more information, see Enable WAF protection for an NLB instance, Enable WAF protection for a Layer 7 CLB instance, Enable WAF protection for a Layer 4 CLB instance, and Enable WAF protection for an ECS instance.

CNAME record mode

Implementation:

  • WAF detects and forwards requests as a reverse proxy cluster.

  • You must add a domain name and modify the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME provided by WAF. This way, the web traffic of the domain name is redirected to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

Recommended scenarios:

If you do not use ALB, MSE, Function Compute, NLB, CLB, or ECS for your web services, you can add your web services to WAF in CNAME record mode.

Protected objects:

Domain names.

Procedure:

  • Step 1: Add a domain name on the Website Configuration page of the WAF 3.0 console. For more information, see Add a domain name.

  • Step 2: Check whether the forwarding configurations take effect on your on-premises machine. For more information, see Verify domain name settings.

  • Step 3: Allow access from back-to-origin CIDR blocks of WAF. If the origin server on which the domain name is hosted uses a third-party firewall, add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  • Step 4: Modify the DNS record of the domain name to resolve the domain name to the CNAME or IP address provided by WAF. For more information, see Modify the DNS record of a domain name.

Hybrid cloud mode (SDK integration mode or reverse proxy mode)

Implementation:

  • WAF detects and forwards requests as a reverse proxy cluster.

  • Reverse proxy mode: You must add a domain name or IP address of your website to WAF and modify the DNS record of the domain name to resolve the domain name to the address of the hybrid cloud cluster that is used. The hybrid cloud cluster detects all requests for websites that are added to WAF in reverse proxy mode.

  • SDK integration mode: WAF SDK is deployed on the unified access gateway of your web services to detect traffic by using traffic mirroring. This way, traffic forwarding is separated from traffic detection. The hybrid cloud cluster that is used does not forward traffic.

Recommended scenarios:

  • If your web services cannot be migrated to public clouds, you can add your web services to WAF in this mode.

  • If your web services are deployed on Alibaba Cloud, third-party public clouds, private clouds, data centers, and virtual private clouds (VPCs), you can add your web services to WAF in this mode.

  • If your web services are latency-sensitive and require high reliability, active geo-redundancy, and centralized protection across multiple network environments, you can add your web services to WAF in this mode.

Protected objects:

Domain names or IP addresses.

Procedure:

For more information, see Hybrid cloud mode.
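Step 3 of the CNAME record mode procedure only works if every back-to-origin CIDR block of WAF is fully covered by the third-party firewall's IP address whitelist; a whitelist entry that covers only part of a block lets some forwarded requests through and silently drops the rest. The following Python script is an added example, not code from the Alibaba Cloud documentation or from WAF itself: it computes, for each WAF block, the sub-ranges the whitelist does not allow. The CIDR values are constructed placeholders from the RFC 5737 documentation ranges, not real WAF addresses; replace them with the back-to-origin CIDR blocks published in the WAF console and the rules exported from your firewall.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), NOT real WAF
# back-to-origin CIDR blocks: replace them with the blocks published in the
# WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
]

# Constructed sample of a third-party firewall whitelist (also placeholders).
FIREWALL_WHITELIST = [
    "203.0.113.0/25",   # covers only the lower half of the first WAF block
    "198.51.100.0/24",  # fully covers the second WAF block
    "192.0.2.10/32",    # unrelated host, ignored by the check
]


def uncovered_ranges(waf_cidrs, whitelist):
    """Return a dict mapping each WAF CIDR block to the list of sub-ranges
    that the whitelist does NOT allow (an empty list means fully covered)."""
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in whitelist]
    result = {}
    for cidr in waf_cidrs:
        block = ipaddress.ip_network(cidr, strict=False)
        remaining = [block]
        for rule in allowed:
            if rule.version != block.version:
                continue  # an IPv4 rule cannot cover an IPv6 block and vice versa
            still_open = []
            for part in remaining:
                if part.subnet_of(rule):
                    continue  # this part is fully allowed by the rule
                if rule.subnet_of(part):
                    # the rule allows only a sub-range: keep what is left over
                    still_open.extend(part.address_exclude(rule))
                else:
                    still_open.append(part)  # disjoint, the rule does not help
            remaining = still_open
        result[cidr] = sorted(str(part) for part in remaining)
    return result


def whitelist_covers_waf(waf_cidrs, whitelist):
    """True only when every WAF back-to-origin block is fully whitelisted."""
    return all(not gaps for gaps in uncovered_ranges(waf_cidrs, whitelist).values())


if __name__ == "__main__":
    gaps = uncovered_ranges(WAF_BACK_TO_ORIGIN_CIDRS, FIREWALL_WHITELIST)
    for cidr, missing in gaps.items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{cidr}: {status}")
```

Run the script after updating the whitelist and again whenever the published back-to-origin CIDR blocks change; a non-empty MISSING list names exactly the ranges still to be added, which is more useful than a plain pass/fail when the firewall accepts rules only at a fixed prefix length.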