All Products
Search
Document Center

Server Load Balancer:Activate and manage WAF-enabled ALB instances

Last Updated:Oct 09, 2024

If the web services on your Application Load Balancer (ALB) instance are vulnerable to attacks, you can migrate the web services to a WAF-enabled ALB instance, which provides higher security. ALB is integrated with Web Application Firewall (WAF) 3.0. WAF 2.0 supports the transparent proxy mode, but WAF 3.0 supports the service integration mode. Listening and forwarding are performed by ALB instead of WAF. Forwarding services and security services are decoupled from each other to ensure compatibility and performance stability. This topic describes the benefits of WAF-enabled ALB instances and how to activate and manage WAF-enabled ALB instances.

image

Benefits of WAF-enabled ALB instances

  • All-in-one protection

    ALB is deeply integrated with WAF 3.0, which provides all-in-one security services that can detect malicious requests. WAF-enabled ALB instances are resistant to intrusions, provide more stable performance, and support high security for services and data.

  • High compatibility

    ALB is integrated with WAF 3.0 at the service level. WAF provides only security services and is decoupled from forwarding services. Listening and forwarding are performed by ALB so that request forwarding services and security services are decoupled from each other. This design improves compatibility and service performance.

  • Various features

    Compared with standard ALB instances, WAF-enabled ALB instances are under enhanced protection. For more information about the differences between ALB editions, see Functions and features.

  • Support for all network types and protocols

    WAF-enabled ALB instances support all network types and protocols. WAF-enabled ALB instances can be Internet-facing or internal-facing. WAF-enabled ALB instances support both IPv4 and dual stack.

  • Sufficient quotas

    WAF-enabled ALB instances provide the same quotas as standard ALB instances, and provide higher quotas than basic ALB instances. For more information about resource quotas supported by different ALB editions, see ALB quotas.

  • On-demand protection

    WAF-enabled ALB instances require only simple configurations. You can enable or disable WAF protection for your ALB instance with one click. You can purchase WAF-enabled ALB instances in the ALB console, or upgrade existing basic and standard ALB instances to WAF-enabled ALB instances.

Limits on WAF-enabled ALB instances

  • Before you can purchase WAF-enabled ALB instances, you must complete real-name verification.

  • The following table describes the regions in which WAF-enabled ALB instances are available for purchase.

    Area

    Region

    China

    China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)

    Asia Pacific

    Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Singapore, and Thailand (Bangkok)

    Europe and Americas

    Germany (Frankfurt), US (Silicon Valley), and US (Virginia)

    Middle East

    SAU (Riyadh - Partner Region)

  • You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.

  • Make sure that WAF is not activated in your Alibaba Cloud account, or WAF 3.0 is activated in your Alibaba Cloud account.

    • If WAF is not activated in your Alibaba Cloud account, a pay-as-you-go WAF 3.0 instance is created after you create a WAF-enabled ALB instance.

    • If a subscription WAF 3.0 instance exists in your Alibaba Cloud account, you are not charged additional fees for WAF after you purchase a WAF-enabled ALB instance.

    • If a WAF 2.0 instance already exists in your Alibaba Cloud account, release the WAF 2.0 instance or migrate data from the WAF 2.0 instance to a WAF 3.0 instance.

Billing

After you create a WAF-enabled ALB instance or upgrade an existing ALB instance to the WAF-enabled edition, you are charged for using WAF 3.0. The following table describes the billable items of WAF-enabled ALB instances.

image

Billable item

Calculation formula

References

Instance fee

Instance fee = Instance unit price (USD per hour) × Usage duration (hours)

Instance fee

LCU fee

LCU fee per hour = max{Number of LCUs for new connections, Number of LCUs for concurrent connections, Number of LCUs for data transfer, Number of LCUs for rule evaluations} × LCU unit price

LCU fee

Internet data transfer fee

You are not charged Internet data transfer fees if you use internal-facing ALB instances. You are charged Internet data transfer fees only if you use Internet-facing ALB instances. Internet-facing ALB instances use elastic IP addresses (EIPs) or Anycast EIPs to provide services over the Internet.

  • After you create an Internet-facing ALB instance, it is associated with an EIP by default. The EIP associated with the ALB instance generates configuration fees and data transfer fees. For more information, see Pay-as-you-go.

  • After an ALB instance is associated with an Anycast EIP, the Anycast EIP generates configuration fees, Internet data transfer fees, and internal data transfer fees. For more information, see Billing rules.

WAF 3.0 fee

WAF 3.0 supports the subscription and pay-as-you-go billing methods. For more information, see Subscription WAF 3.0 instances and Pay-as-you-go WAF 3.0 instances.

  • If no WAF instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, a pay-as-you-go WAF 3.0 instance is created.

  • If a subscription WAF 3.0 instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, you are not charged additional fees for WAF.

Enable WAF protection for an ALB instance

Purchase a WAF-enabled ALB instance

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. On the Instances page, click Create ALB.

  4. On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.

    This example describes only some of the parameters. For more information, see Create an ALB instance.

    Edition: Select WAF Enabled.

Enable WAF protection for an existing ALB instance

You can enable WAF protection for an existing basic or standard ALB instance.

Enable WAF protection on the ALB console

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:

    • Method 1:

      1. Click the ID of the ALB instance and then click the Integrated Services tab. In the Web Application Firewall section, click Enable Protection.

      2. In the Enable Protection dialog box, click OK and complete the payment.

    • Method 2:

      1. Move the pointer over the 未开启 icon next to the instance name and click Enable Protection in the WAF Protection section.

      2. In the Enable Protection dialog box, click OK and complete the payment.

    • Method 3:

      1. Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.

      2. In the Enable Protection dialog box, click OK and complete the payment.

    • Method 4:

      1. Choose 选择 > Change Specification in the Actions column.

      2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.

Enable WAF protection on the SLB Overview page

  1. Log on to the SLB console.

  2. In the Security Overview section, click Enable Protection.

  3. In the Enable WAF Protection dialog box, set Instance Type to ALB, select the region in which the ALB instance is deployed from the Region drop-down list, find the ALB instance, and then click Enable Protection in the Actions column.

  4. In the Enable Protection dialog box, click OK and complete the payment.

Manage WAF protection

Manage WAF protection in the ALB console

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. Manage WAF protection.

    Operation

    Procedure

    Check whether WAF protection is enabled for an ALB instance

    Use one of the following methods to check whether WAF protection is enabled for an instance: Protection Enabled indicates that WAF protection is enabled for the ALB instance.

    Method 1:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. Click the Integrated Services tab and view the status of WAF protection in the Web Application Firewall section.

    Method 2:

    1. On the Instances page, find the ALB instance that you want to manage and move the pointer over the 未开启 icon to the right of the instance name.

    2. In the hoverbox that appears, view the protection status in the WAF Protection section.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, check whether WAF protection is enabled in the Basic Information section.

    View WAF security reports

    To view WAF security reports, make sure that WAF protection is enabled for your ALB instance.

    Method 1:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. Click the Integrated Services tab. In the Web Application Firewall section, click View WAF Security Report to go to the Security Reports page in the WAF 3.0 console.

    Method 2:

    1. On the Instances page, find the ALB instance that you want to manage and move the pointer over the 未开启 icon.

    2. In the hoverbox that appears, click View WAF Security Report in the WAF Protection section to go to the Security Reports page in the WAF 3.0 console.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click View WAF Security Report on the right side of Security Protection in the Basic Information section to go to the Security Reports page in the WAF 3.0 console.

    For more information, see Security reports.

    Disable WAF protection

    After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details about the ALB instance.

    Important

    After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic.

    Method 1:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. Click the Integrated Service tab. In the Web Application Firewall section, click Disable WAF.

    3. In the Disable Protection dialog box, click OK.

    Method 2:

    1. On the Instances page, find the ALB instance that you want to manage and move the pointer over the 未开启 icon to the right of the instance ID. In the hoverbox that appears, click Disable WAF in the WAF Protection section.

    2. In the Disable Protection dialog box, click OK.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click Disable WAF next to WAF Protection in the Basic Information section.

    3. In the Disable Protection dialog box, click OK.

    Method 4:

    1. On the Instances page, find the ALB instance that you want to manage, and choose 选择 > Change Specification in the Actions column.

    2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

Manage WAF protection in the WAF console.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection.

    • View ALB instances that are protected by WAF

      On the Cloud Native tab, click ALB in the left-side product list.

    • Add protected objects and protection rules

      Click the ID of the ALB instance to go to the Protected Objects page. On this page, you can view the protected objects and the protection rules of the ALB instance. For more information, see Overview.

      Note

      The value of Asset Type of a cloud service instance that is added to WAF in cloud native mode is the abbreviation of the cloud service name. For example, the value of Asset Type for an ALB instance is alb, and the value of Domain Name is empty.

    • Disable WAF protection for an ALB instance

      After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and WAF security reports no longer include the protection details about the ALB instance.

      Important

      After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic.

      1. On the Cloud Native tab, find the instance that you want to manage, and click Remove in the Actions column.

      2. In the message that appears, view the information and click Remove.

      3. In the Remove panel, set Edition to Standard, click Buy Now, and then complete the payment.

FAQ

  1. What are the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0?

    The following section describes the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0:

    • Transparent proxy mode of WAF 2.0: Requests are filtered by WAF before the requests are forwarded to ALB or CLB. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and Server Load Balancer (SLB).

    • Service integration mode of WAF 3.0: WAF is deployed in bypass mode and requests are directly forwarded to ALB. Before the requests are forwarded to backend servers, ALB extracts and sends the request content to WAF for filtering. In service integration mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.

    For more information, see Compare WAF 3.0 and WAF 2.0.

  2. How do I enable WAF for ALB?

    ALB is integrated with WAF 3.0. If you want your ALB instances to be protected by WAF, purchase a WAF-enabled ALB instance. When you purchase WAF-enabled ALB instances, take note of the following information:

    • If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can enable WAF 3.0 for Internet-facing and internal-facing ALB instances by purchasing WAF-enabled ALB instances. This way, ALB is integrated with WAF on the service level. For more information about the regions that support WAF-enabled ALB instances, see Limits on WAF-enabled ALB instances.

    • If your Alibaba Cloud account already has a WAF 2.0 instance: You can enable WAF 2.0 for basic Internet-facing ALB instance and standard Internet-facing ALB instances in transparent proxy mode. Internal-facing ALB instances do not support WAF 2.0.

      Only ALB instances in the following regions can be interfaced with WAF 2.0 in transparent proxy mode: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou).

      Note

      If you want to enable WAF 3.0 for your ALB instance, release the WAF 2.0 instance first or migrate to WAF 3.0.

      • After you release the WAF 2.0 instance, service errors may arise because the X-Forwarded-Proto header is disabled for ALB by default. You must enable the X-Forwarded-Proto header for the listeners of the ALB instance to prevent errors. For more information, see Manage listeners.

      • For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.

      • For more information about how to migrate to WAF 3.0, see Migrate a WAF 2.0 instance to WAF 3.0.

  3. Do CLB and ALB support the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0?

    Service

    WAF 2.0 (transparent proxy mode)

    WAF 3.0 (service integration mode)

    CLB

    Supported.

    For more information about how to connect WAF 2.0 to CLB in transparent proxy mode, see the following topics:

    Not supported.

    ALB

    • If your Alibaba Cloud account has a WAF 2.0 instance, you can connect the WAF 2.0 instance to ALB in transparent proxy mode. For more information, see the Configure a traffic redirection pot for an ALB instance section of the "Configure traffic redirection ports".

    • If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can connect only WAF 3.0 to ALB. In this case, you must purchase a WAF-enabled ALB instance.

    Supported.

    For more information about the supported regions and related operations, see Activate and manage WAF-enabled ALB instances.

  4. After I enable WAF 2.0 for CLB or ALB in transparent proxy mode, why are the timeout period and certificates not synchronized?

    After you integrate WAF 2.0 with ALB or CLB, client requests are filtered by WAF before they are forwarded to ALB or CLB. The requests pass through two gateways, and you must synchronize the settings between WAF and ALB or CLB. If you change the timeout period or certificates, synchronization issues may occur due to latency.

    If certificates are not updated or the changes of the timeout period do not take effect, join the DingTalk group 21715946 for consultation.

References

ALB documentation

  • For more information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.

  • For more information about the features of basic, standard, and WAF-enabled ALB instances, see Functions and features.

  • For more information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.

  • For more information about how to change the edition of an ALB instance in the ALB console, see Change the edition of an ALB instance.

  • For more information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.

WAF documentation