
Web Application Firewall: Configure protection rules for the traffic spike throttling module to ensure service availability during promotions

Last Updated: Nov 21, 2024

Web Application Firewall (WAF) provides the traffic spike throttling module. You can use the module to prevent servers from being overwhelmed by traffic spikes during promotions. You can configure the module to allow only specific requests to the servers based on the queries per second (QPS) limit or percentage limit that you specify. This topic describes how to configure protection rules for the traffic spike throttling module.

Prerequisites

Create a protection template

You can create a protection template to manage and apply protection rules in a centralized manner. If a new protected object is added and you want to apply protection rules to the protected object, you only need to select the protected object in the Edit panel of the protection template that contains the protection rules.

Step 1: Create a protection template of the traffic spike throttling module

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection. In the Traffic Spike Throttling section of the page that appears, click Create Template.

    Note

    If this is the first time that you create a protection template of the traffic spike throttling module, you can also click Configure Now in the Traffic Spike Throttling card in the upper part of the Basic Web Protection page.

  2. In the Create Template - Traffic Spike Throttling panel, configure the parameters and click OK.

    • Template Name: Specify a name for the template. The name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Save as Default Template: Specify whether to set the template as the default template for the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. A default template is applied to all protected objects and protected object groups to which no custom protection templates are applied.

    • Rule Configuration: Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the traffic spike throttling module.

    • Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

Step 2: Add protection rules to a protection template of the traffic spike throttling module

A protection template takes effect only after you add protection rules to the template.

  1. In the Traffic Spike Throttling section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column. In the Create Rule dialog box, configure the parameters and click OK.

    • Rule Name: Specify a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Match Condition: Specify the characteristics of requests that you want the rule to match. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met.

      Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. Examples:

        • Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.

        • Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1.XX.XX, the request matches the rule.

      For more information about the match fields and logical operators, see Match conditions.

    • Access Source That Belongs to Following Regions: WAF obtains the source IP addresses of requests to identify the traffic sources. If you do not select this check box, WAF does not identify the traffic sources of protected objects on which the rule takes effect. If you select this check box, you can select regions in and outside China. If the traffic sources of requests are regions that are not selected, WAF does not match the requests against the rule.

    • Throttling Mode:

        • QPS: You can specify a maximum QPS to limit traffic that is allowed to reach servers. If you want to strictly limit the number of requests to ensure server stability, we recommend that you select this mode.

        • Percentage: You can specify a request percentage to limit traffic that is allowed to reach servers. If you want to dynamically limit the number of requests to handle traffic spikes, we recommend that you select this mode.

    • Throttling Threshold:

        • QPS limit: Specify a maximum QPS to limit the maximum number of requests that are allowed per second. For example, if you set the maximum QPS to 1,000, up to 1,000 requests can be processed per second.

          Note: In actual scenarios, approximately 10% fluctuation in the maximum QPS is allowed due to the complexity of technical implementation and dynamic changes to system environments. The fluctuation is acceptable to throttling algorithms. This helps balance system performance and throttling precision. We recommend that you regularly monitor the actual QPS and adjust the QPS limit to optimize throttling performance.

        • Percentage limit: Specify a percentage to limit the maximum percentage of requests that are allowed. For example, if you set the percentage to 50%, only half of the requests are allowed. The other half of the requests are blocked.

    • Action: Select the action that you want WAF to perform on the requests that match the rule. Valid values:

        • Block: blocks a request that matches the rule and returns a block page to the client that initiates the request.

          Note: By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages.

        • Monitor: records a request that matches the rule in a log and does not block the request. You can query the logs of requests that match the rule and analyze the protection performance. For example, you can query logs to check whether normal requests are blocked.

          Important: You can query logs only if the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.

    • Effective Mode:

        • Permanently Effective: After the rule is enabled, the rule permanently takes effect until it is manually disabled. This mode is suitable for long-term and stable throttling.

        • Fixed Schedule: The rule takes effect only within the time range that you specify. This mode is suitable for short-term throttling or throttling within a specific time range. You can select the required time zone for the Time Zone parameter and add multiple time ranges for the Effective Mode parameter.

        • Recurring Schedule: The rule periodically takes effect within the specified time range on the specified days of the week. This mode is suitable for throttling on regular activities or during peak hours. You can select a time zone and multiple days of the week.
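
The rule parameters above combine into one decision per request. The following Python model is an added illustration, not Alibaba Cloud code: the request dictionaries, the region labels CN and US, the exact per-second counter (the documented enforcement fluctuates by about 10%) and the even spread used for percentage mode are assumptions.

```python
import ipaddress
from dataclasses import dataclass

OPERATORS = {  # the two logical operators used in the page's examples
    "Contains": lambda value, content: content in value,
    "Belongs To": lambda value, content:
        ipaddress.ip_address(value) in ipaddress.ip_network(content),
}

@dataclass
class Rule:
    conditions: list            # up to five (field, operator, content), ANDed
    mode: str                   # "QPS" or "Percentage"
    threshold: int              # maximum QPS, or percentage of requests allowed
    action: str = "Block"       # "Block" or "Monitor"
    regions: frozenset = None   # None models the region check box left cleared

    def matches(self, req):
        if len(self.conditions) > 5:
            raise ValueError("a rule takes at most five match conditions")
        if self.regions is not None and req["region"] not in self.regions:
            return False        # unselected source regions are never matched
        return all(OPERATORS[op](req[f], c) for f, op, c in self.conditions)

def one_second(rule, requests):
    """Return (reached_servers, over_limit) for the requests of one second."""
    reached = over = matched = 0
    for req in requests:
        if not rule.matches(req):
            reached += 1        # rule does not apply, request passes through
            continue
        matched += 1
        if rule.mode == "QPS":
            within = matched <= rule.threshold
        else:                   # Percentage: even spread, a modelling choice
            p = rule.threshold
            within = matched * p // 100 > (matched - 1) * p // 100
        if within:
            reached += 1
        else:
            over += 1
            reached += rule.action == "Monitor"   # Monitor logs but forwards
    return reached, over

def spike(n, uri="/shopping/cart", region="CN"):
    """Constructed sample traffic: n identical requests within one second."""
    return [{"URI": uri, "IP": "198.51.100.7", "region": region}] * n

PROMO = [("URI", "Contains", "shopping")]
```

For a 5,000-request spike, QPS mode at 1,000 forwards 1,000 requests while 50% mode forwards 2,500, and the percentage figure keeps growing with the spike. A Monitor rule forwards everything, and traffic from an unselected region is never throttled.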

Examples

Example 1

You want to limit the maximum number of requests per second to 1,000 for a long period of time, use a permanently effective protection rule, implement throttling only on requests from the United States, and block requests that match the rule.

  • Rule Name: Long-term QPS Throttling

  • Effective Mode: Permanently Effective

  • Maximum QPS: 1,000

  • Source region: Outside China > North America > United States

  • Action: Block

Example 2

During promotions, you want to limit the maximum number of requests per second to 1,000 from 09:00 on a day of a month of a year to 18:00 on a day of a month of a year, implement throttling on requests whose URI contains shopping and whose traffic source is all regions in China, and block the matched requests.

  • Rule Name: Promotion Throttling

  • Effective Mode: Fixed Schedule

  • Match Field: URI Contains shopping

  • Effective Period: from 09:00 on a day of a month of a year to 18:00 on a day of a month of a year

  • Maximum QPS: 1,000

  • Source region: all regions in China

  • Action: Block

Example 3

You want to limit the maximum number of requests per second to 1,000 from 09:00 to 18:00 on each weekend, implement throttling only on requests from Hong Kong, China, and monitor the matched requests.

  • Rule Name: Weekend Throttling

  • Effective Mode: Recurring Schedule

  • Duration: from 09:00 to 18:00 every Saturday and Sunday

  • Maximum QPS: 1,000

  • Time Zone: the time zone of your business or server

  • Source region: Hong Kong, China

  • Action: Monitor
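
A Fixed Schedule or Recurring Schedule rule protects a promotion only if its Time Zone setting matches the zone in which the promotion was planned. This added Python sketch (not part of the WAF documentation) counts the minutes of a planned window that a schedule leaves unthrottled; the fixed UTC+8 offset, the sample date and the end-exclusive window boundary are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

@dataclass
class Schedule:
    tz: timezone                 # value chosen for the Time Zone parameter
    start: time = time(0, 0)     # daily start, Recurring Schedule only
    end: time = time(23, 59)     # daily end (exclusive here, an assumption)
    weekdays: frozenset = None   # Recurring Schedule: 0=Monday ... 6=Sunday
    ranges: tuple = ()           # Fixed Schedule: (start, end) local datetimes

    def effective(self, instant):
        """True if the rule is in effect at the given aware datetime."""
        local = instant.astimezone(self.tz)
        if self.weekdays is not None:            # Recurring Schedule
            return (local.weekday() in self.weekdays
                    and self.start <= local.time() < self.end)
        naive = local.replace(tzinfo=None)       # Fixed Schedule
        return any(a <= naive < b for a, b in self.ranges)

def uncovered_minutes(schedule, begin, end):
    """Minutes of [begin, end) during which the rule is not in effect."""
    gap, t = 0, begin
    while t < end:
        gap += not schedule.effective(t)
        t += timedelta(minutes=1)
    return gap

# Constructed scenario modelled on Example 3: weekend rule, 09:00 to 18:00.
HKT = timezone(timedelta(hours=8))               # assumed business time zone
WEEKEND = frozenset({5, 6})
PROMO_BEGIN = datetime(2024, 11, 23, 9, 0, tzinfo=HKT)    # a Saturday
PROMO_END = datetime(2024, 11, 23, 18, 0, tzinfo=HKT)

INTENDED = Schedule(HKT, time(9), time(18), WEEKEND)
WRONG_ZONE = Schedule(timezone.utc, time(9), time(18), WEEKEND)
FIXED = Schedule(HKT, ranges=((datetime(2024, 11, 23, 9),
                               datetime(2024, 11, 23, 18)),))

if __name__ == "__main__":
    for name, s in [("intended", INTENDED), ("wrong zone", WRONG_ZONE),
                    ("fixed", FIXED)]:
        print(name, uncovered_minutes(s, PROMO_BEGIN, PROMO_END))
```

Leaving the rule in UTC while the promotion runs on UTC+8 time leaves the first eight hours of the nine-hour window without throttling.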

Modify a protection template

Business or project requirements change over time. You can modify protection templates to meet changing requirements. The modification helps improve system and process efficiency and performance, and reduce resource waste.

Enable and disable a protection template

After you create a protection template, you can turn on or turn off the switch in the Status column to enable or disable the template.

Edit a protection template

Find the protection template that you want to manage and click Edit in the Actions column. After you modify the settings, click OK.

Delete a protection template

You can delete a protection template that you no longer require. Before you delete a protection template, make sure that the template is not associated with protected objects. To delete a protection template, find the template and click Delete in the Actions column. In the message that appears, click OK.

Important
  • After a protection template is deleted, the system automatically applies the default template to the protected objects that were previously associated with the deleted protection template.

  • If you delete a default template and the template is associated with protected objects, the protected objects are no longer protected by the traffic spike throttling module.