If you created a Classic Load Balancer (CLB) instance and added an HTTP or HTTPS listener to the instance, you can add the listener ports to Web Application Firewall (WAF) to redirect the web traffic of the instance to WAF for protection. This topic describes how to enable WAF protection for a Layer 7 CLB instance.
Background information
After you add Elastic Compute Service (ECS) instances that are deployed in the same region to a CLB instance, CLB uses virtual IP addresses (VIPs) to combine the ECS instances into a high-performance, high-availability server pool. Then, CLB forwards inbound requests to the ECS instances based on forwarding rules. For more information, see What is CLB?
You can add a Layer 7 CLB instance to WAF. After you add a Layer 7 CLB instance to WAF, all traffic of the CLB instance is redirected to WAF by using a specified gateway. WAF filters out malicious traffic and forwards normal traffic to the CLB instance. The following figure shows the network architecture.
Limits
Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), Elastic Compute Service (ECS), and Network Load Balancer (NLB).. If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
Item | Description |
Supported instances | You can add only an instance that meets the following requirements to WAF:
|
Supported regions |
|
Number of traffic redirection ports | The maximum number of traffic redirection ports is the same as the maximum number of protected objects.
|
TLS security policies | If HTTPS listener ports are configured, only built-in Transport Layer Security (TLS) security policies are supported. If custom TLS security policies are configured for the ports, you cannot add the ports to WAF. For more information, see Supported TLS security policies. |
Services that are protected by Anti-DDoS Proxy and WAF | If you want to protect your web services by using Anti-DDoS Proxy and WAF, you can add the services to WAF in transparent proxy mode only if you add the services to Anti-DDoS Proxy by adding a domain name. |
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
A CLB instance is created, and an HTTP or HTTPS listener is added to the CLB instance. The instance also meets the preceding requirements. For more information about the requirements, see the "Limits" section of this topic. For more information about how to add an HTTP or HTTPS listener, see Add an HTTP listener or Add an HTTPS listener.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Add traffic redirection ports
When you add an instance to WAF, your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you add a Layer 7 CLB instance to WAF, traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not filtered by WAF.
Change the public IP address associated with the instance.
Replace the certificate associated with a traffic redirection port with a certificate that is issued not by using Certificate Management Service (Original SSL Certificate).
Enable mutual authentication.
Remove the listener ports from the instance.
Delete the instance.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side cloud service list.
Click Add.
Click Authorize Now to authorize your WAF instance to access CLB.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
NoteIf your WAF instance is already authorized to access CLB, skip this step.
In the Configure Instance - Layer 7 CLB Instance panel, configure the parameters. The following table describes the parameters.
Parameter
Operation
Select the instance and port to be added.
Synchronize Instances
If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list.
Add Port
Find the instance that you want to add to WAF and click Add Port in the Actions column.
Select the HTTP or HTTPS ports that you want to add and click OK.
ImportantIf you want to add an HTTPS port, make sure that the certificate that is configured for the port is purchased by using Alibaba Cloud Certificate Management Service or uploaded to Certificate Management Service. Otherwise, the instance may fail to be added to WAF. For more information, see What do I do if an error message indicating that the certificate is incomplete is displayed when I add an HTTPS port for traffic redirection?
If a certificate that is configured for a port of the instance has expired or was manually uploaded in the CLB console, certificates cannot be synchronized to WAF. You must replace the certificate with a new certificate that is purchased by using Certificate Management Service or uploaded to Certificate Management Service.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy and Alibaba Cloud CDN, is deployed in front of WAF.
By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies.
NoteWhen a request is sent from a client to WAF, WAF uses the IP address that is used to establish the connection to WAF as the IP address of the client. The IP address is specified by the
REMOTE_ADDR
field of the request.If a Layer 7 proxy is deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, you must configure the Obtain Actual IP Address of Client parameter.
Resource Group
Select the resource group to which you want to add the CLB instance. If you do not select a resource group, the instance is added to the default resource group.
NoteYou can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
Advanced Settings
Select the instance that you want to add to WAF and click OK.
After you add a CLB instance to WAF, the CLB instance automatically becomes a protected object of WAF. The name of the protected object is in the following format: Instance ID-Port-Asset type. Basic protection rules are automatically enabled for the protected object. You can configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the ID of the CLB instance that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Manage WAF protection
Manage WAF protection in the WAF console
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
Manage WAF protection.
On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side cloud service list. Then, you can view CLB instances that are added to WAF.
View protected objects and configure protection rules.
After you add a CLB instance to WAF, the instance automatically becomes a protected object of WAF. The name of the protected object contains the -clb7 suffix and basic protection rules are automatically enabled for the protected object. You can view and configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the instance ID on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
View origin servers and remove a CLB instance from WAF.
After you add a CLB instance to WAF, you can view the protection details of the origin servers and disable traffic redirection or remove traffic redirection ports in emergency disaster recovery scenarios.
Click the icon to the left of the instance name and view the ports that are added to WAF.
View port details: Click Port Details to view information about the port, protocol, and certificate, and then configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark (Advanced Settings), and Back-to-origin Keep-alive Requests (Advanced Settings) parameters.
Remove a traffic redirection port: Find the port that you want to remove from WAF and click Remove in the Actions column. In the Remove message, click OK.
ImportantWhen you remove a traffic redirection port from WAF, traffic on the port is no longer protected by WAF. To re-add the traffic redirection port to WAF, click Add. For more information, see Add traffic redirection ports.
After you remove a traffic redirection port from WAF, your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
Update a certificate associated with a traffic redirection port
If a certificate that is associated with a traffic redirection port is about to expire or the certificate is changed, such as when the certificate is revoked, you must update the certificate.
If the remaining validity period of the certificate is less than 30 days, the icon is displayed in the domain name list. This indicates that your certificate is about to expire. In this case, you must update the certificate at the earliest opportunity.
If you want to receive notifications by using methods such as email or text message when the certificate is about to expire, you can configure notifications for the certificate. For more information, see Configure notifications for SSL certificates.
To prevent service interruptions due to certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate when the hosted certificate is about to expire. For more information, see Introduction to the certificate hosting feature.
Perform the following steps:
Renew the certificate or upload a certificate to Certificate Management Service. For more information, see Certificate renewal or Upload an SSL certificate.
Synchronize the certificate to your Layer 7 CLB instance. You can use one of the following methods:
In the Server Load Balancer console, update the certificate. For more information, see Replace a certificate.
If you update the certificate in the CLB console, the certificate is automatically synchronized to WAF.
In the Certificate Management Service console, deploy the certificate to your Layer 7 CLB instance. For more information, see Deploy certificates to Alibaba Cloud services.
If you update the certificate in the Certificate Management Service console, you must also perform the following steps in the WAF console:
On the Cloud Native tab of the Website Configuration page, click CLB(HTTP/HTTPS) in the left-side cloud service list. Then, click Add.
In the Configure Instance - Layer 7 CLB Instance panel, click Synchronize Instances to synchronize the updated certificate.
If the new certificate is not purchased by using Certificate Management Service (Original SSL Certificate), the traffic redirection port is automatically removed from WAF. After you update the certificate, re-add the port to WAF. For more information, see Add traffic redirection ports.
If a Layer 7 CLB instance is associated with an expired certificate, WAF cannot synchronize the new certificate. You must delete the expired certificate before WAF can synchronize the new certificate.
Manage WAF protection in the CLB console
FAQ
How do I check whether WAF protection is enabled for a Layer 7 CLB instance?
Enter the domain name that you added to WAF in the address bar of a browser. If the domain name can be accessed, the domain name is protected by WAF.
Insert malicious SQL code, such as
xxx.xxxx.com?id=1 and 1=1
, into requests and check whether the requests are blocked. If the 405 Method Not Allowed error is returned, the requests are blocked.
CLB supports Layer 4 and Layer 7 listeners. Layer 4 listeners use the TCP or UDP protocol, and Layer 7 listeners use the HTTP or HTTPS protocol.
Layer 4 listeners directly forward requests to backend servers. When a CLB instance receives a request, the CLB instance modifies the destination IP address and destination port of the data packet based on the listener port. Then, the CLB instance forwards the request to a backend server. A TCP connection is established between the client and the backend server.
A Layer 7 listener functions as a reverse proxy. After a client request reaches a Layer 7 listener of CLB, CLB establishes a new TCP connection to a backend server over HTTP, instead of directly forwarding the request to the backend server. Compared with Layer 4 listeners, Layer 7 listeners require an additional step of Tengine processing. Factors such as client port exhaustion or excessive workloads on backend servers may affect the throughput capacity of Layer 7 listeners. If your business requires higher performance, we recommend that you use Layer 4 listeners.
For more information, see CLB listener overview.
Can I add an HTTP port and an HTTPS port to WAF when I enable WAF protection for a layer 7 CLB instance?
Yes, you can add an HTTP port and an HTTPS port.
What do I do if the "The CLB certificate whose port number is 443 is incomplete. Go to the SLB console and select a certificate that is from Certificate Management Service." error message appears when I enable WAF protection for a layer 7 CLB instance?
You must log on to the Certificate Management Service console to renew or upload the certificate and then select the certificate in the CLB console. For more information, see Certificate renewal or Upload an SSL certificate.
References
For information about how to obtain the originating IP addresses of clients, see Enable Layer 7 listeners to preserve client IP addresses.
For information about how to troubleshoot the issue that CLB or ECS instances are not displayed on the Website Configuration page, see Why am I unable to find the CLB or ECS instance that I want to add to WAF on the Website Configuration page?