
Web Application Firewall: Multi-account management

Last Updated: Jan 13, 2026

For enterprise customers who manage multiple Alibaba Cloud accounts with resources that require Web Application Firewall (WAF) protection, the Trusted Service feature of Resource Management allows centralized administration. By consolidating multiple accounts into a Resource Directory (where each account acts as a member account) and designating a specific member as the WAF delegated administrator, you grant that account access to cloud resources across all member accounts. This enables unified management of WAF onboarding and security configurations. This topic describes how to implement multi-account unified management.

Limits

  • Multi-account management is available only for WAF Enterprise and Ultimate editions.

  • The management account and all member accounts must belong to the same Resource Directory and be registered under the same verified enterprise entity.

  • If the management account has an active WAF instance in the Chinese mainland, member accounts cannot purchase their own WAF instances in the Chinese mainland. However, they can purchase WAF instances outside the Chinese mainland. If a member account already has a running WAF instance, you must release it before setting up multi-account management.

  • After a member account's cloud resources are onboarded to the delegated administrator account's WAF instance, you can view Protection Configurations, Overview, and Security Reports only from the delegated administrator account's WAF console.

  • When a delegated administrator removes a member account in the WAF console, the system automatically removes protection for that member's cloud resources.

Configuration process

Before using the multi-account management feature, you must first enable a Resource Directory and invite accounts to join as members. Then, you designate a member as the WAF delegated administrator. Finally, you can use this feature in the WAF console to add the member accounts and centrally manage their cloud resources.

Step 1: Enable Resource Directory

To use the multi-account management feature, you must first consolidate your enterprise's Alibaba Cloud accounts into a resource directory. For more information about Resource Directory, see What is Resource Directory.

Log on to the Resource Management console with your management account to enable a resource directory. For details, see Enable a resource directory.

Step 2: Invite member accounts

When an account accepts an invitation to join the Resource Directory, it becomes a centrally managed member. You can then select from these accounts when you add a delegated administrator account.

Log on to the Resource Management console with your management account to invite accounts and build your organizational structure. For detailed instructions, see Create a folder and Invite an Alibaba Cloud account to join a resource directory.

Note

If you do not have an existing account to invite, create a new member account directly. For detailed instructions, see Create a member.

Step 3: Assign a delegated administrator

A delegated administrator separates organizational management tasks from service-specific ones. The management account performs organizational tasks for the Resource Directory, while the delegated administrator account manages trusted services. This approach aligns with security best practices. Use this delegated administrator account to access the multi-account management feature in WAF and perform management operations for all members within the Resource Directory. For detailed instructions, see Manage a delegated administrator account.

Step 4: Add member accounts

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the left navigation pane, click Multi-account Management.

  3. On the Multi-account Management page, click Add Member.

  4. In the Add Member dialog box, select the member accounts to import and add them to the Selected Members list on the right.

  5. In the Selected Members list on the right, select the target member accounts and click OK.

Step 5: Onboard cloud resources from member accounts

The onboarding method varies depending on the type of cloud resource.

| Cloud resource | Onboarding method |
| --- | --- |
| Application Load Balancer (ALB) | Onboard via the member account's ALB console. After onboarding, view the instance in the WAF console's ALB list (cloud native mode). |
| Server Load Balancer (CLB) (HTTP/HTTPS) | Resources are automatically synced to the delegated administrator. Complete the onboarding via the delegated administrator's WAF console. |
| CLB (TCP) | Resources are automatically synced to the delegated administrator. Complete the onboarding via the delegated administrator's WAF console. |
| Elastic Compute Service (ECS) | Resources are automatically synced to the delegated administrator. Complete the onboarding via the delegated administrator's WAF console. |
| Microservices Engine (MSE) | Onboard via the member account's MSE console. After onboarding, view the instance in the WAF console's MSE list (cloud native mode). |
| Function Compute (FC) | Onboard via the member account's FC console. After onboarding, view the instance in the WAF console's FC list (cloud native mode). |
| Serverless App Engine (SAE) | Onboard via the member account's SAE console. After onboarding, view the instance in the WAF console's SAE list (cloud native mode). |
| Network Load Balancer (NLB) | Resources are automatically synced to the delegated administrator. Complete the onboarding via the delegated administrator's WAF console. |
| API Gateway | Onboard via the member account's APIG console. After onboarding, view the instance in the WAF console's API Gateway list (cloud native mode). |