Enterprises with multiple Alibaba Cloud accounts can centralize WAF protection through multi-account management. This feature uses Resource Directory to consolidate accounts, designate a WAF delegated administrator, and manage WAF onboarding and protection configurations for all member accounts from a single console.
How it works
Multi-account management builds on the Trusted Service feature of Resource Management. The setup follows this model:
Resource Directory groups your Alibaba Cloud accounts into an organizational hierarchy. One account serves as the management account.
Member accounts join the Resource Directory by invitation or direct creation. Each member account represents a business unit, team, or environment that owns cloud resources.
WAF delegated administrator is a member account designated to manage WAF across the entire directory. This separation keeps organizational tasks on the management account and security tasks on the delegated administrator, following security best practices.
Resource onboarding connects member accounts' cloud resources (ALB, CLB, ECS, NLB, and others) to the delegated administrator's WAF instance for centralized protection.
Limitations
| Item | Description |
|---|---|
| WAF edition | Available only for WAF Enterprise and Ultimate editions |
| Account affiliation | The management account and all member accounts must belong to the same Resource Directory and be registered under the same verified enterprise entity |
| Regional instance conflict | If the management account has an active WAF instance in the Chinese mainland, member accounts cannot purchase their own WAF instances in the Chinese mainland. Member accounts can still purchase WAF instances in the Outside Chinese Mainland region. If a member account already has a running WAF instance, release it before you set up multi-account management |
| Console visibility | After a member account's cloud resources are onboarded to the delegated administrator's WAF instance, Protection Configurations, Overview, and Security Reports are only viewable from the delegated administrator account's WAF console |
| Member removal | When a delegated administrator removes a member account in the WAF console, the system automatically removes protection for that member's cloud resources |
Set up multi-account management
The setup has five steps: enable a Resource Directory, invite member accounts, assign a delegated administrator, add members in WAF, and onboard cloud resources.
Step 1: Enable a Resource Directory
Group your enterprise's Alibaba Cloud accounts by enabling a Resource Directory. For more information, see What is Resource Directory.
Log on to the Resource Management console with the management account.
Enable the Resource Directory. For instructions, see Enable a resource directory.
Step 2: Invite member accounts
Invite existing Alibaba Cloud accounts to join the Resource Directory. After an account accepts the invitation, it becomes a member account that you manage centrally.
Log on to the Resource Management console with the management account.
Build your organizational structure and invite accounts. For instructions, see Create a folder and Invite an Alibaba Cloud account to join a resource directory.
To create a new member account instead of inviting an existing one, see Create a member.
Step 3: Assign a delegated administrator
A delegated administrator separates organizational management from service-specific operations. The management account handles organizational tasks for the Resource Directory, while the delegated administrator account manages WAF across all member accounts. For instructions, see Manage a delegated administrator account.
Step 4: Add member accounts in WAF
Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
In the left-side navigation pane, click Multi-account Management.
On the Multi-account Management page, click Add Member.
In the Add Member dialog box, select the member accounts to import and add them to the Selected Members list on the right.
In the Selected Members list, select the target member accounts and click OK.

Step 5: Onboard cloud resources from member accounts
The onboarding method depends on the resource type. Some resources sync automatically to the delegated administrator, while others require action from the member account's own service console.
Resources that sync automatically
The following resources sync automatically to the delegated administrator. Complete the onboarding through the delegated administrator's WAF console.
| Cloud resource | Onboarding action |
|---|---|
| Classic Load Balancer (CLB) (HTTP/HTTPS) | Onboard through the delegated administrator's WAF console |
| CLB (TCP) | Onboard through the delegated administrator's WAF console |
| Elastic Compute Service (ECS) | Onboard through the delegated administrator's WAF console |
| Network Load Balancer (NLB) | Onboard through the delegated administrator's WAF console |
Resources onboarded from the member account console
The following resources are onboarded from the member account's own service console. After onboarding, the instance appears in the WAF console's corresponding list under cloud native mode.
| Cloud resource | Onboarding action | Where to view after onboarding |
|---|---|---|
| Application Load Balancer (ALB) | Onboard through the member account's ALB console | WAF console ALB list (cloud native mode) |
| Microservices Engine (MSE) | Onboard through the member account's MSE console | WAF console MSE list (cloud native mode) |
| Function Compute (FC) | Onboard through the member account's FC console | WAF console FC list (cloud native mode) |
| Serverless App Engine (SAE) | Onboard through the member account's SAE console | WAF console SAE list (cloud native mode) |
| API Gateway | Onboard through the member account's APIG console | WAF console API Gateway list (cloud native mode) |
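
The Limitations table and the two Step 5 tables can be turned into a pre-flight check that runs before the console steps. The following Python is an added example, not Alibaba Cloud code: the inventory schema, account IDs, and resource names are constructed, and it assumes the edition requirement applies to the delegated administrator's WAF instance.

```python
ADMIN_WAF_CONSOLE = {"CLB", "ECS", "NLB"}               # sync automatically (Step 5, first table)
MEMBER_CONSOLE = {"ALB", "MSE", "FC", "SAE", "APIG"}    # onboarded by the member (second table)

INVENTORY = {  # constructed sample data; this schema is hypothetical, not an API format
    "management": {"id": "mgmt", "directory": "rd-A", "entity": "ExampleCorp"},
    "delegated_admin": {"id": "sec", "directory": "rd-A", "entity": "ExampleCorp",
                        "waf_edition": "Enterprise"},
    "members": [
        {"id": "shop", "directory": "rd-A", "entity": "ExampleCorp", "own_waf": ["Chinese Mainland"],
         "resources": [{"name": "shop-alb", "type": "ALB", "onboarded": False}]},
        {"id": "pay", "directory": "rd-A", "entity": "ExampleCorp", "own_waf": [],
         "resources": [{"name": "pay-clb", "type": "CLB", "onboarded": True},
                       {"name": "pay-fc", "type": "FC", "onboarded": True},
                       {"name": "pay-oss", "type": "OSS", "onboarded": False}]},
    ],
}

def preflight(inv):
    """Blockers from the Limitations table that must be cleared before setup."""
    blockers = []
    admin = inv["delegated_admin"]
    if admin["waf_edition"] not in ("Enterprise", "Ultimate"):
        blockers.append(f"{admin['id']}: WAF edition {admin['waf_edition']} is not supported")
    accounts = [inv["management"], admin, *inv["members"]]
    if len({a["directory"] for a in accounts}) > 1:
        blockers.append("accounts belong to different Resource Directories")
    if len({a["entity"] for a in accounts}) > 1:
        blockers.append("accounts are registered under different enterprise entities")
    for m in inv["members"]:
        blockers += [f"{m['id']}: release own WAF instance ({r})" for r in m["own_waf"]]
    return blockers

def onboarding_plan(inv):
    """Map each member resource to the console where onboarding has to happen."""
    plan = {}
    for m in inv["members"]:
        for res in m["resources"]:
            if res["type"] in ADMIN_WAF_CONSOLE:
                plan[res["name"]] = "delegated administrator WAF console"
            elif res["type"] in MEMBER_CONSOLE:
                plan[res["name"]] = f"{m['id']} {res['type']} console"
            else:
                plan[res["name"]] = "unlisted resource type"
    return plan

def removal_impact(inv, member_id):
    """Resources that lose WAF protection if this member is removed in the WAF console."""
    return [r["name"] for m in inv["members"] if m["id"] == member_id
            for r in m["resources"] if r["onboarded"]]
```

Running `removal_impact` before removing a member shows which resources would be left unprotected by the automatic removal described in the Limitations table.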