All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::WAF3::Instance

更新時間:Apr 02, 2024

ALIYUN::WAF3::Instance is used to create a Web Application Firewall (WAF) 3.0 instance.

Syntax

{
  "Type": "ALIYUN::WAF3::Instance",
  "Properties": {
    "IgnoreExisting": Boolean,
    "IntelligentLoadBalancing": Boolean,
    "AutoRenew": Boolean,
    "Period": Integer,
    "BotWebProtection": Boolean,
    "ApiSecurity": Boolean,
    "AutoPay": Boolean,
    "TrafficBillingProtectionThreshold": Integer,
    "PayType": String,
    "LogStorage": Integer,
    "ElasticQps": Integer,
    "DomainsExtension": Integer,
    "WafVersion": String,
    "ExclusiveIPAddress": Integer,
    "AdditionalProtectionNodes": Integer,
    "Region": String,
    "QpsExtension": Integer,
    "FraudDetection": Boolean,
    "BotAppProtection": Boolean,
    "LogService": Boolean,
    "PeriodUnit": String
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

IgnoreExisting

Boolean

No

No

Specifies whether to ignore an existing WAF 3.0 instance.

Valid values:

  • false: does not ignore an existing WAF 3.0 instance. Resource Orchestration Service (ROS) checks the uniqueness of WAF 3.0 instances. If a WAF 3.0 instance already exists, ROS reports an error when you create a new WAF 3.0 instance.  

  • true: ignores an existing WAF 3.0 instance. ROS does not check the uniqueness of WAF 3.0 instances. If a WAF 3.0 instance already exists, ROS ignores the instance when you create a new WAF 3.0 instance.  

If the existing WAF 3.0 instance is not created by ROS, ROS ignores the instance when you update or delete the new WAF 3.0 instance.

IntelligentLoadBalancing

Boolean

No

No

Specifies whether to enable intelligent load balancing.

Valid values:

  • true

  • false

AutoRenew

Boolean

No

No

Specifies whether to enable auto-renewal.

Valid values:

  • true

  • false

Period

Integer

No

No

The subscription duration.

Valid values when PeriodUnit is set to Month: 1, 3, and 6.

Valid values when PeriodUnit is set to Year: 1, 2, and 3.

BotWebProtection

Boolean

No

No

Specifies whether to enable bot management for web application protection.

Valid values:

  • true

  • false

ApiSecurity

Boolean

No

No

Specifies whether to enable API security.

The API security feature detects responses that match specific characteristics to check whether data leak risks exist in APIs. If you enable the feature, WAF is authorized to analyze the relevant data. If you set Region to ChineseMainland, the service is deployed and data is processed in the Chinese mainland.

AutoPay

Boolean

No

No

Specifies whether to enable automatic payment.

Valid values:

  • true

  • false

TrafficBillingProtectionThreshold

Integer

No

No

The threshold value for traffic billing protection.

By default, traffic billing protection is enabled for pay-as-you-go WAF 3.0 instances to resolve the issue of excessive charges caused by unexpected factors, such as HTTP flood attacks. If the actual peak traffic is higher than the threshold value for traffic billing protection, the WAF instance is added to a sandbox. WAF does not charge you fees that are generated within the hour when the WAF instance is added to a sandbox. If the actual peak traffic is lower than the threshold value within the subsequent hour, the WAF instance is automatically removed from the sandbox. For more information, see The sandbox feature. Valid values: 1000 to 100000.

PayType

String

Yes

No

The billing method.

Valid values:

  • Subscription

  • PayAsYouGo

LogStorage

Integer

No

No

The log storage capacity.

Valid values: 3 to 150. Unit: TB.

ElasticQps

Integer

No

No

The burstable queries per second (QPS) (pay-as-you-go).

If you experience a short-term or sudden increase in business traffic in scenarios such as promotional events, the actual QPS may exceed the sum of the QPS supported by your WAF edition and the extended QPS that you purchase. If you enable the burstable QPS (pay-as-you-go) feature in the scenarios, you are charged based on the usage of excess QPS. This feature helps prevent your instance from being added to a sandbox and ensure service continuity. Valid values: 0 to 60000.

DomainsExtension

Integer

No

No

The extra domain.

If the number of required domains exceeds the number of free domains supported by the WAF edition, you can use this property to increase the number of domains.

The count for domains does not depend on the domain type. For example, each second-level domain, subdomain, or wildcard domain is counted as a domain. Valid values: 1 to 5000.

WafVersion

String

No

No

The edition of WAF 3.0.

Valid values:

  • Basic

  • Pro

  • Enterprise

  • Ultimate

ExclusiveIPAddress

Integer

No

No

The number of exclusive IP addresses.

Valid values: 0 to 100.

AdditionalProtectionNodes

Integer

No

No

The protection nodes for a multi-cloud or hybrid-cloud environment.

If you cannot use the CNAME record mode to connect services to WAF in the public cloud from specific environments, such as a multi-cloud environment, data center, private network, or private cloud, you can purchase the nodes to protect the services by using WAF in an on-premises environment.

In reverse proxy mode, each protection node can handle up to 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.

In SDK-based traffic mirroring mode, each protection node can handle up to 15,000 QPS for HTTP or HTTPS requests. To improve protection capabilities, we recommend that you increase the number of protection nodes. Valid values: 0 to 500.

Region

String

Yes

No

The region of the WAF 3.0 instance.

Valid values:

  • OutsideChineseMainland

  • ChineseMainland

QpsExtension

Integer

No

No

The extended QPS.

Valid values: 0 to 30000.

FraudDetection

Boolean

No

No

Specifies whether to enable risk identification.

After you purchase bot management, you can enable risk identification. If phone numbers hit suspicious behavior tags in specific scenarios, such as logon or registration scenarios, WAF blocks the requests or triggers CAPTCHA verification. You are charged based on the number of hits of the tags. Valid values:

  • true

  • false

BotAppProtection

Boolean

No

No

Specifies whether to enable bot management for app protection.

Valid values:

  • true

  • false

LogService

Boolean

No

No

Specifies whether the WAF 3.0 instance supports Simple Log Service.

Valid values:

  • true

  • false

PeriodUnit

String

No

No

The unit of the subscription duration.

Valid values:

  • Month

  • Year

Return values

Fn::GetAtt

InstanceId: the ID of the WAF 3.0 instance.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      AdditionalProtectionNodes:
        Default: 0
        Description:
          en: 'Each protection cluster has at least two protection nodes, and each node
            provides the protection capabilities of up to 5,000 QPS for HTTP requests
            or up to 3,000 QPS for HTTPS requests. You can add protection nodes to increase
            protection capabilities. '
        MaxValue: 500
        MinValue: 0
        Required: false
        Type: Number
      ApiSecurity:
        Description:
          en: The API security feature detects responses with specified characteristics
            to check whether data leaks occur. After you enable the feature, WAF is authorized
            to perform related analysis on your data. If you select Chinese Mainland,
            service deployment and data processing are performed in the Chinese mainland.
        Required: false
        Type: Boolean
      AutoPay:
        Default: false
        Description:
          en: Whether to auto pay the bill.
        Required: false
        Type: Boolean
      AutoRenew:
        Description:
          en: Whether to auto renew the prepay instance.
        Required: false
        Type: Boolean
      BotAppProtection:
        Default: true
        Description:
          en: Bot management module for App protection.
        Required: false
        Type: Boolean
      BotWebProtection:
        Default: true
        Description:
          en: Bot management module for Web application protection.
        Required: false
        Type: Boolean
      DomainsExtension:
        Default: 0
        Description:
          en: If the actual number of required access domain names exceeds the number
            of free domain names in the version, the number of domain names can be expanded
            according to this specification. Domain name counting does not differentiate
            between domain name types. The main domain name, sub-domain name, and pan-domain
            name are each counted as one domain name.
        MaxValue: 5000
        MinValue: 0
        Required: false
        Type: Number
      ElasticQps:
        Default: 0
        Description:
          en: The burstable QPS (pay-as-you-go) feature is suitable for scenarios that
            involve short-term or sudden traffic surges, for example, during promotions.
            In these scenarios, the traffic peak may exceed the sum of the maximum QPS
            that is supported by your WAF edition and the extended QPS. If you enable
            the feature, you are charged based on the amount of excess QPS resources that
            you use. This helps prevent your domain names from being added to a sandbox
            when QPS resources are excessively used and helps ensure service continuity.
        MaxValue: 60000
        MinValue: 0
        Required: false
        Type: Number
      ExclusiveIPAddress:
        Default: 0
        Description:
          en: Excluesive IP address number.
        MaxValue: 100
        MinValue: 0
        Required: false
        Type: Number
      FraudDetection:
        Default: true
        Description:
          en: 'You can enable this feature only after you enable the bot management module.
            If abnormal phone numbers are used in logon or registration scenarios, anomaly
            tags are matched. Requests from the abnormal phone numbers are blocked or
            CAPTCHA verification is required. You are charged based on the number of times
            that anomaly tags are matched. '
        Required: false
        Type: Boolean
      IgnoreExisting:
        Default: false
        Description:
          en: 'Whether to ignore existing WAF3 instance
    
            False: ROS will perform a uniqueness check.If the WAF3 instance exists, an
            error will be reported when creating it.
    
            True: ROS will not check the uniqueness.If the WAF3 instance exists, the creation
            process will be ignored.
    
            If the WAF3 instance is not created by ROS, it will be ignored during update
            and delete stage.'
        Required: false
        Type: Boolean
      IntelligentLoadBalancing:
        Description:
          en: Intelligent load balancer for WAF instance.
        Required: false
        Type: Boolean
      LogService:
        Description:
          en: Log service for WAF instance.
        Required: false
        Type: Boolean
      LogStorage:
        Description:
          en: Log storage capacity.
        MaxValue: 150
        MinValue: 3
        Required: false
        Type: Number
      PayType:
        AllowedValues:
        - PayAsYouGo
        - Subscription
        Description:
          en: 'The billing method of the firewall instance. Valid values:
    
            PayAsYouGo: pay-as-you-go
    
            Subscription: subscription'
        Required: true
        Type: String
      Period:
        AllowedValues:
        - 1
        - 2
        - 3
        - 6
        AssociationProperty: PayPeriod
        Description:
          en: 'The subscription period of the firewallIf PeriodUnit is month, the valid
            range is 1, 3, 6
    
            If periodUnit is year, the valid range is 1, 2, 3'
        Required: false
        Type: Number
      PeriodUnit:
        AllowedValues:
        - Month
        - Year
        AssociationProperty: PayPeriodUnit
        Description:
          en: 'The unit of the subscription duration. Valid values:
    
            Month
    
            Year
    
            Default value: Month.'
        Required: false
        Type: String
      QpsExtension:
        Default: 0
        Description:
          en: Extended QPS.
        MaxValue: 30000
        MinValue: 0
        Required: false
        Type: Number
      Region:
        AllowedValues:
        - OutsideChineseMainland
        - ChineseMainland
        Description:
          en: "Web Application Firewall is available in the following regions: regions\
            \ in the Chinese mainland, China (Hong Kong), Singapore (Singapore), Malaysia\
            \ (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt),\
            \ Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo).\n If\
            \ your origin server is deployed within the Chinese mainland, select Chinese\
            \ Mainland. If your origin server is deployed outside the Chinese mainland,\
            \ select Outside Chinese mainland. Intelligent region selection is supported."
        Required: true
        Type: String
      TrafficBillingProtectionThreshold:
        Description:
          en: In pay-as-you-go WAF 3.0, the traffic billing protection feature is automatically
            enabled to prevent unexpected and unusually high bills that result from unpredictable
            factors such as HTTP flood attacks. A bill is not generated for an hour if
            the peak traffic exceeds the traffic billing protection threshold within the
            hour. Then, your WAF instance is added to a sandbox. If the peak traffic is
            lower than the traffic billing protection threshold the next hour, your WAF
            instance is removed from the sandbox.
        MaxValue: 100000
        MinValue: 1000
        Required: false
        Type: Number
      WafVersion:
        AllowedValues:
        - Basic
        - Pro
        - Enterprise
        - Ultimate
        Description:
          en: 'The version of WAF3.0.
    
            '
        Required: false
        Type: String
    Resources:
      Instance:
        Properties:
          AdditionalProtectionNodes:
            Ref: AdditionalProtectionNodes
          ApiSecurity:
            Ref: ApiSecurity
          AutoPay:
            Ref: AutoPay
          AutoRenew:
            Ref: AutoRenew
          BotAppProtection:
            Ref: BotAppProtection
          BotWebProtection:
            Ref: BotWebProtection
          DomainsExtension:
            Ref: DomainsExtension
          ElasticQps:
            Ref: ElasticQps
          ExclusiveIPAddress:
            Ref: ExclusiveIPAddress
          FraudDetection:
            Ref: FraudDetection
          IgnoreExisting:
            Ref: IgnoreExisting
          IntelligentLoadBalancing:
            Ref: IntelligentLoadBalancing
          LogService:
            Ref: LogService
          LogStorage:
            Ref: LogStorage
          PayType:
            Ref: PayType
          Period:
            Ref: Period
          PeriodUnit:
            Ref: PeriodUnit
          QpsExtension:
            Ref: QpsExtension
          Region:
            Ref: Region
          TrafficBillingProtectionThreshold:
            Ref: TrafficBillingProtectionThreshold
          WafVersion:
            Ref: WafVersion
        Type: ALIYUN::WAF3::Instance
    Outputs:
      InstanceId:
        Description: Instance Id.
        Value:
          Fn::GetAtt:
          - Instance
          - InstanceId
                            
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "IgnoreExisting": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to ignore existing WAF3 instance\nFalse: ROS will perform a uniqueness check.If the WAF3 instance exists, an error will be reported when creating it.\nTrue: ROS will not check the uniqueness.If the WAF3 instance exists, the creation process will be ignored.\nIf the WAF3 instance is not created by ROS, it will be ignored during update and delete stage."
          },
          "Required": false,
          "Default": false
        },
        "AutoRenew": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to auto renew the prepay instance."
          },
          "Required": false
        },
        "IntelligentLoadBalancing": {
          "Type": "Boolean",
          "Description": {
            "en": "Intelligent load balancer for WAF instance."
          },
          "Required": false
        },
        "Period": {
          "AssociationProperty": "PayPeriod",
          "Type": "Number",
          "Description": {
            "en": "The subscription period of the firewallIf PeriodUnit is month, the valid range is 1, 3, 6\nIf periodUnit is year, the valid range is 1, 2, 3"
          },
          "AllowedValues": [
            1,
            2,
            3,
            6
          ],
          "Required": false
        },
        "BotWebProtection": {
          "Type": "Boolean",
          "Description": {
            "en": "Bot management module for Web application protection."
          },
          "Required": false,
          "Default": true
        },
        "TrafficBillingProtectionThreshold": {
          "Type": "Number",
          "Description": {
            "en": "In pay-as-you-go WAF 3.0, the traffic billing protection feature is automatically enabled to prevent unexpected and unusually high bills that result from unpredictable factors such as HTTP flood attacks. A bill is not generated for an hour if the peak traffic exceeds the traffic billing protection threshold within the hour. Then, your WAF instance is added to a sandbox. If the peak traffic is lower than the traffic billing protection threshold the next hour, your WAF instance is removed from the sandbox."
          },
          "Required": false,
          "MinValue": 1000,
          "MaxValue": 100000
        },
        "ApiSecurity": {
          "Type": "Boolean",
          "Description": {
            "en": "The API security feature detects responses with specified characteristics to check whether data leaks occur. After you enable the feature, WAF is authorized to perform related analysis on your data. If you select Chinese Mainland, service deployment and data processing are performed in the Chinese mainland."
          },
          "Required": false
        },
        "PayType": {
          "Type": "String",
          "Description": {
            "en": "The billing method of the firewall instance. Valid values:\nPayAsYouGo: pay-as-you-go\nSubscription: subscription"
          },
          "AllowedValues": [
            "PayAsYouGo",
            "Subscription"
          ],
          "Required": true
        },
        "AutoPay": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to auto pay the bill."
          },
          "Required": false,
          "Default": false
        },
        "LogStorage": {
          "Type": "Number",
          "Description": {
            "en": "Log storage capacity."
          },
          "Required": false,
          "MinValue": 3,
          "MaxValue": 150
        },
        "ElasticQps": {
          "Type": "Number",
          "Description": {
            "en": "The burstable QPS (pay-as-you-go) feature is suitable for scenarios that involve short-term or sudden traffic surges, for example, during promotions. In these scenarios, the traffic peak may exceed the sum of the maximum QPS that is supported by your WAF edition and the extended QPS. If you enable the feature, you are charged based on the amount of excess QPS resources that you use. This helps prevent your domain names from being added to a sandbox when QPS resources are excessively used and helps ensure service continuity."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 60000,
          "Default": 0
        },
        "DomainsExtension": {
          "Type": "Number",
          "Description": {
            "en": "If the actual number of required access domain names exceeds the number of free domain names in the version, the number of domain names can be expanded according to this specification. Domain name counting does not differentiate between domain name types. The main domain name, sub-domain name, and pan-domain name are each counted as one domain name."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 5000,
          "Default": 0
        },
        "WafVersion": {
          "Type": "String",
          "Description": {
            "en": "The version of WAF3.0.\n"
          },
          "AllowedValues": [
            "Basic",
            "Pro",
            "Enterprise",
            "Ultimate"
          ],
          "Required": false
        },
        "AdditionalProtectionNodes": {
          "Type": "Number",
          "Description": {
            "en": "Each protection cluster has at least two protection nodes, and each node provides the protection capabilities of up to 5,000 QPS for HTTP requests or up to 3,000 QPS for HTTPS requests. You can add protection nodes to increase protection capabilities. "
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 500,
          "Default": 0
        },
        "ExclusiveIPAddress": {
          "Type": "Number",
          "Description": {
            "en": "Excluesive IP address number."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 100,
          "Default": 0
        },
        "Region": {
          "Type": "String",
          "Description": {
            "en": "Web Application Firewall is available in the following regions: regions in the Chinese mainland, China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo).\n If your origin server is deployed within the Chinese mainland, select Chinese Mainland. If your origin server is deployed outside the Chinese mainland, select Outside Chinese mainland. Intelligent region selection is supported."
          },
          "AllowedValues": [
            "OutsideChineseMainland",
            "ChineseMainland"
          ],
          "Required": true
        },
        "QpsExtension": {
          "Type": "Number",
          "Description": {
            "en": "Extended QPS."
          },
          "Required": false,
          "MinValue": 0,
          "MaxValue": 30000,
          "Default": 0
        },
        "FraudDetection": {
          "Type": "Boolean",
          "Description": {
            "en": "You can enable this feature only after you enable the bot management module. If abnormal phone numbers are used in logon or registration scenarios, anomaly tags are matched. Requests from the abnormal phone numbers are blocked or CAPTCHA verification is required. You are charged based on the number of times that anomaly tags are matched. "
          },
          "Required": false,
          "Default": true
        },
        "BotAppProtection": {
          "Type": "Boolean",
          "Description": {
            "en": "Bot management module for App protection."
          },
          "Required": false,
          "Default": true
        },
        "LogService": {
          "Type": "Boolean",
          "Description": {
            "en": "Log service for WAF instance."
          },
          "Required": false
        },
        "PeriodUnit": {
          "AssociationProperty": "PayPeriodUnit",
          "Type": "String",
          "Description": {
            "en": "The unit of the subscription duration. Valid values:\nMonth\nYear\nDefault value: Month."
          },
          "AllowedValues": [
            "Month",
            "Year"
          ],
          "Required": false
        }
      },
      "Resources": {
        "Instance": {
          "Type": "ALIYUN::WAF3::Instance",
          "Properties": {
            "IgnoreExisting": {
              "Ref": "IgnoreExisting"
            },
            "AutoRenew": {
              "Ref": "AutoRenew"
            },
            "IntelligentLoadBalancing": {
              "Ref": "IntelligentLoadBalancing"
            },
            "Period": {
              "Ref": "Period"
            },
            "BotWebProtection": {
              "Ref": "BotWebProtection"
            },
            "TrafficBillingProtectionThreshold": {
              "Ref": "TrafficBillingProtectionThreshold"
            },
            "ApiSecurity": {
              "Ref": "ApiSecurity"
            },
            "PayType": {
              "Ref": "PayType"
            },
            "AutoPay": {
              "Ref": "AutoPay"
            },
            "LogStorage": {
              "Ref": "LogStorage"
            },
            "ElasticQps": {
              "Ref": "ElasticQps"
            },
            "DomainsExtension": {
              "Ref": "DomainsExtension"
            },
            "WafVersion": {
              "Ref": "WafVersion"
            },
            "AdditionalProtectionNodes": {
              "Ref": "AdditionalProtectionNodes"
            },
            "ExclusiveIPAddress": {
              "Ref": "ExclusiveIPAddress"
            },
            "Region": {
              "Ref": "Region"
            },
            "QpsExtension": {
              "Ref": "QpsExtension"
            },
            "FraudDetection": {
              "Ref": "FraudDetection"
            },
            "BotAppProtection": {
              "Ref": "BotAppProtection"
            },
            "LogService": {
              "Ref": "LogService"
            },
            "PeriodUnit": {
              "Ref": "PeriodUnit"
            }
          }
        }
      },
      "Outputs": {
        "InstanceId": {
          "Description": "Instance Id.",
          "Value": {
            "Fn::GetAtt": [
              "Instance",
              "InstanceId"
            ]
          }
        }
      }
    }