If a website service encounters volumetric attacks and sophisticated web application attacks, a single network security service is insufficient to protect the website service. We recommend that you add the website service to Anti-DDoS Pro or Anti-DDoS Premium and Web Application Firewall (WAF) to protect the website. This topic describes how to add a website service to Anti-DDoS Pro or Anti-DDoS Premium and WAF.
Prerequisites
An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
A WAF instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance or Purchase a pay-as-you-go WAF 3.0 instance.
Background information
To configure Anti-DDoS Pro or Anti-DDoS Premium and WAF for a website service, you can apply the following network architecture: Use Anti-DDoS Pro or Anti-DDoS Premium at the ingress to defend against DDoS attacks. Use WAF at the intermediate layer to defend against web application attacks. Configure an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, virtual private cloud (VPC), or server in a data center as the origin server. This way, traffic is scrubbed by Anti-DDoS Pro or Anti-DDoS Premium, and then filtered by WAF. Only normal service traffic is forwarded to the origin server to ensure service and data security. The following figure shows how traffic is forwarded.
After you apply the preceding architecture, requests are sent to multiple intermediate proxy servers before the requests reach the origin server. The origin server cannot directly obtain the originating IP addresses of the requests. For information about how to obtain the originating IP addresses, see Obtain the originating IP addresses of requests.
Step 1: Add your website service to WAF
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, click Website Access.
Add a domain name.
Access mode: CNAME record mode
NoteBy default, the Access Mode parameter is set to CNAME Record on the Add Domain Name page. In CNAME record mode, you do not need to modify the value of the Access Mode parameter.
In the Enter Your Website Information step, configure the following parameters based on your business requirements:
Domain Name: Enter the domain name of the website that you want to protect.
Protection Resource: Select the type of protection resource that you want to use.
Protocol Type: Select the protocol that is supported by the website that you want to protect.
Destination Server (IP Address): Select IP and enter the public IP address of the SLB instance or ECS instance on which the origin server is deployed or the IP address of an origin server that is not deployed on Alibaba Cloud.
Destination Server Port: Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services.
Load Balancing Algorithm: Select a load balancing algorithm based on your business requirements. If you specify multiple IP addresses for the Destination Server (IP Address) parameter, the selected algorithm is used to distribute traffic.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.
Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature based on your business requirements.
Resource Group: If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.
Click Next.
On the Domain Names tab, find the domain name that you added, and copy the CNAME that is assigned by WAF to the domain name in the Domain Name/CNAME column.
Access mode: transparent proxy mode
On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.
In the Add Domain Name step, configure the following parameters based on your business requirements:
Domain Name: Enter the domain name of the website that you want to protect.
SLB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, or ECS-based Domains: Find the instance that you want to protect on the required tab and select the ports that correspond to the instance.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.
Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature based on your business requirements.
Resource Group: If you want to manage cloud resources by department or project, select the resource group to which you want to add the domain name from the resource group drop-down list.
Click Next.
Check and confirm the information in the Check and Confirm Added Information step and click Next.
Click Completed. Return to the website list.
Step 2: Add your website service to Anti-DDoS Pro or Anti-DDoS Premium
Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region of your asset.
Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
In the left-side navigation pane, choose .
On the Website Config page, click Add Domain.
Complete the steps in the Add Domain wizard.
In the Enter Site Information step, configure the following parameters based on your business requirements:
Function Plan: Select the function plan of the instance that you want to use.
Instance: Select the instance that you want to use.
Domain: Enter the domain name of the website that you want to protect.
Protocol: Select the protocol that is supported by the website that you want to protect.
Enable OCSP: Specify whether to enable the Online Certificate Status Protocol (OCSP) feature.
Server IP:
If you add the domain name to WAF in CNAME record mode, select Origin Server Domain and enter the CNAME that is obtained in Step 1.
If you add the domain name to WAF in transparent proxy mode, select Origin Server IP and enter the public IP address of the origin server.
Server Port: Specify the port based on the value of the Protocol parameter. The port is used by the origin server to provide services.
Cname Reuse: Specify whether to enable CNAME reuse based on your business requirements. If multiple website services are deployed on the same origin server, you can turn on Cname Reuse to map the domain names of the website services to the CNAME that is assigned by Anti-DDoS Pro or Anti-DDoS Premium.
Click Add.
On the Website Config page, find the domain name that you added and copy the CNAME that is assigned by Anti-DDoS Pro or Anti-DDoS Premium to the domain name in the Domain column.
Step 3: Change the DNS record of the domain name
If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record to map the domain name to the CNAME that is obtained in Step 2. If you use a third-party DNS service, log on to the system of the DNS provider to change the DNS record. The following example is only for reference.
Log on to the Alibaba Cloud DNS console.
On the Manage DNS page, find the domain name for which you want to change the DNS record and click Configure in the Actions column to go to the DNS Settings page.
On the DNS Settings page, find the DNS record that you want to change and click Edit in the Actions column.
NoteIf you cannot find the DNS record that you want to change in the list, you can click Add Record to add a record.
In the Edit Record (or Add Record) panel, select CNAME- Canonical name for the Type parameter and set the Value parameter to the CNAME that is obtained in Step 2.
Click OK and wait for the settings to take effect.
Check whether the website can be accessed from a browser.
If an exception occurs during website access, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?.
References
Add a domain name to WAF: This topic describes how to add a domain name to WAF in CNAME record mode.
Transparent proxy mode: This topic describes how to add a domain name to WAF in transparent proxy mode.
Add one or more websites: This topic describes how to add a domain name to Anti-DDoS Pro or Anti-DDoS Premium and how to import the configurations of multiple domain names to Anti-DDoS Pro or Anti-DDoS Premium at the same time.
Change DNS records to protect website services: This topic describes how to manually change the DNS record of a domain name in Anti-DDoS Pro or Anti-DDoS Premium to protect the website services of the domain name.