Enable WAF protection for an ALB instance - Web Application Firewall

If you configured an Application Load Balancer (ALB) instance for your web services, you can enable Web Application Firewall (WAF) protection for the ALB instance to redirect web service traffic to WAF. This topic describes how to enable WAF protection for an ALB instance.

Background information

ALB is a load balancing service that operates at the application layer and supports protocols such as HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB provides high elasticity and can be scaled on demand to process large volumes of traffic at the application layer. For more information, see What is ALB?

WAF is integrated into the gateways of ALB as an SDK module. In this scenario, WAF listens to but does not forward service traffic. This helps improve the security and facilitate O&M for your web services and ensures better user experience.

The following figure shows the network architecture.

Limits

Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE) 2.0, Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Before you can purchase WAF-enabled ALB instances, you must complete real-name verification.

The following table describes the regions in which WAF-enabled ALB instances are supported.

Area	Region
China	China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific	Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and Thailand (Bangkok)
Europe and Americas	Germany (Frankfurt), US (Silicon Valley), and US (Virginia)
Middle East	SAU (Riyadh - Partner Region)

You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.
The following features are not supported for ALB instances that are added to WAF:
- Data leakage prevention
- Automatic integration of the Web SDK in bot management for website protection

Prerequisites

Your Alibaba Cloud account does not have a WAF instance or has a WAF 3.0 instance.
Note
- If your Alibaba Cloud account does not have a WAF instance, a pay-as-you-go WAF 3.0 instance is automatically purchased when you purchase a WAF-enabled ALB instance.
- If your Alibaba Cloud account has a WAF 2.0 instance, migrate your WAF 2.0 instance to WAF 3.0. For more information, see Upgrade a WAF 2.0 instance to WAF 3.0.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Enable WAF protection

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click ALB in the left-side product list.
Click Add.
Click Authorize Now to authorize your WAF instance to access ALB.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.
Note
If your WAF instance is already authorized to access ALB, skip this step.
In the ALB console, enable WAF protection for an ALB instance.
- Purchase a WAF-enabled ALB instance
  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.
  3. On the Instances page, click Create ALB.
  4. On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.
    This example describes only some of the parameters. For more information, see Create an ALB instance.
    Edition: Select WAF Enabled.
- Enable WAF protection for an existing ALB instance
  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.
  3. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:
    - Method 1: Move the pointer over the icon next to the instance name and click Enable Protection in the WAF Protection section.
    - Method 2: Choose > Change Specification in the Actions column.
    - Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.
    - Method 4: Click the ID of the ALB instance and then click the Integrated Services tab. In the Web Application Firewall section, click Enable Protection.
  4. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.

Manage WAF protection

Manage WAF protection in the WAF console

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
Manage WAF protection.
- On the Cloud Native tab, click ALB in the left-side product list.
- View protected objects and protection rules
  After you add an ALB instance to WAF, the instance becomes a protected object of WAF. The protected object name contains the -alb suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the ALB instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
- Remove an ALB instance from WAF
  After you remove an ALB instance from WAF, service traffic that is generated on the instance is no longer protected by WAF. In addition, the protection details of service traffic are no longer included in WAF security reports.
  Important
  After WAF protection is disabled for an ALB instance, you are no longer charged request processing fees. You are charged feature fees for the protection rules that you configure. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.
  1. Find the ALB instance that you want to remove from WAF and click Remove in the Actions column. In the Tips message, click Remove.
  2. In the Remove panel, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

Manage WAF protection in the ALB console

Log on to the ALB console.
In the top navigation bar, select the region where you want to create the ALB instance.

Manage WAF protection.

Operation	Procedure
Check whether WAF protection is enabled for an ALB instance	To check whether WAF protection is enabled for an ALB instance, use one of the following methods: Protection Enabled indicates that WAF protection is enabled for the ALB instance. Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon to view the protection status in the WAF Protection section. Method 2: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, check whether WAF protection is enabled in the Basic Information section. Method 3: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, click the Integrated Services tab, and view the protection status in the Web Application Firewall section.
View WAF Security Report	To view WAF security reports, make sure that WAF protection is enabled for your ALB instance. Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console to view security reports. Method 2: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, click View WAF Security Report to the right of the WAF Protection parameter in the Basic Information section. You are redirected to the WAF 3.0 console that displays security reports. Method 3: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click View WAF Security Report to go to the Security Reports page of the WAF 3.0 console. For more information, see Security reports.
Disable WAF protection	After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF and the WAF security reports no longer include the protection details of the ALB instance. Important After you disable WAF protection for an ALB instance, you are no longer charged request processing fees. You are charged feature fees for the protection rules that you configure. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic. Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon to the right of the instance ID. In the hoverbox that appears, click Disable WAF in the WAF Protection section. On the ALB (Pay-As-You-Go) \| Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment. Method 2: On the Instances page, find the ALB instance that you want to manage, and choose > Change Specification in the Actions column. On the ALB (Pay-As-You-Go) \| Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment. Method 3: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, click Disable WAF to the right of WAF Protection in the Basic Information section. On the ALB (Pay-As-You-Go) \| Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment. Method 4: On the Instances page, find the ALB instance that you want to manage and click the instance ID. On the Instance Details tab, click the Integrated Services tab. In the Web Application Firewall section, click Disable WAF. On the ALB (Pay-As-You-Go) \| Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

FAQ

How do I check whether a domain name is protected by WAF?

Enter the domain name that you added to WAF in the address bar of a browser. If the domain name can be accessed, the domain name is protected by WAF.
Insert malicious SQL code, such as xxx.xxxx.com?id=1 and 1=1, into requests and check whether the requests are blocked. If the 405 Method Not Allowed error is returned, the requests are blocked.

What are the differences between the WAF 2.0 transparent proxy mode and WAF 3.0 cloud native mode?

Differences:

WAF 2.0 transparent proxy mode: Ports are added to WAF, and the gateways of cloud services automatically change routes to redirect traffic on the ports to WAF. WAF blocks malicious requests and forwards normal requests to the origin server. WAF detects and forwards requests as a reverse proxy cluster. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and ALB or CLB.
WAF 3.0 is integrated as an SDK module into the gateways of cloud services to detect and protect traffic. To prevent compatibility and stability issues, WAF does not forward traffic. In service integration mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.

For more information, see Compare WAF 3.0 with WAF 2.0.

References

ALB documentation

For information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.
For information about the features of basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.
For information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.
For information about how to modify the configurations of an ALB instance, see Modify the configurations of ALB instances.
For information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.
For information about the billing rules of WAF-enabled ALB instances, see Instance fees.

WAF documentation

For information about how to purchase a subscription WAF 3.0 instance, see Purchase a subscription WAF 3.0 instance.
For information about how to purchase a pay-as-you-go WAF 3.0 instance, see Purchase a pay-as-you-go WAF 3.0 instance.
For information about the differences between WAF 3.0 and WAF 2.0 and the improvements introduced in WAF 3.0, see Compare WAF 3.0 with WAF 2.0.