If you configured an Application Load Balancer (ALB) instance for your web services, you can enable Web Application Firewall (WAF) protection for the ALB instance to redirect web service traffic to WAF. This topic describes how to enable WAF protection for an ALB instance.
Background information
ALB is a load balancing service that operates at the application layer and supports protocols such as HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB provides high elasticity and can be scaled on demand to process large volumes of traffic at the application layer. For more information, see What is ALB?
WAF is integrated into the gateways of ALB as an SDK module. In this scenario, WAF listens to but does not forward service traffic. This helps improve the security and facilitate O&M for your web services and ensures better user experience.
The following figure shows the network architecture.
Limits
Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE) 2.0, Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
Before you can purchase WAF-enabled ALB instances, you must complete real-name verification.
The following table describes the regions, grouped by area, in which WAF-enabled ALB instances are supported.
China: China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific: Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Singapore, and Thailand (Bangkok)
Europe and Americas: Germany (Frankfurt), US (Silicon Valley), and US (Virginia)
Middle East: SAU (Riyadh - Partner Region)
You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.
The following features are not supported for ALB instances that are added to WAF:
Data leakage prevention
Automatic integration of the Web SDK in bot management for website protection
Prerequisites
Your Alibaba Cloud account does not have a WAF instance or has a WAF 3.0 instance.
Note: If your Alibaba Cloud account does not have a WAF instance, a pay-as-you-go WAF 3.0 instance is automatically purchased when you purchase a WAF-enabled ALB instance.
If your Alibaba Cloud account has a WAF 2.0 instance, migrate your WAF 2.0 instance to WAF 3.0. For more information, see Upgrade a WAF 2.0 instance to WAF 3.0.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Enable WAF protection
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click ALB in the left-side product list.
Click Add.
Click Authorize Now to authorize your WAF instance to access ALB.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If your WAF instance is already authorized to access ALB, skip this step.
In the ALB console, enable WAF protection for an ALB instance.
Purchase a WAF-enabled ALB instance
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
On the Instances page, click Create ALB.
On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.
This example describes only some of the parameters. For more information, see Create an ALB instance.
Edition: Select WAF Enabled.
Enable WAF protection for an existing ALB instance
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:
Method 1:
Click the ID of the ALB instance and then click the Integrated Services tab. In the Web Application Firewall section, click Enable Protection.
In the Enable Protection dialog box, click OK and complete the payment.
Method 2:
Move the pointer over the icon next to the instance name and click Enable Protection in the WAF Protection section.
In the Enable Protection dialog box, click OK and complete the payment.
Method 3:
Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.
In the Enable Protection dialog box, click OK and complete the payment.
Method 4:
Choose in the Actions column. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.
Manage WAF protection
Manage WAF protection in the WAF console
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click ALB in the left-side product list.
Manage WAF protection by performing one of the following operations.
View protected objects and protection rules
After you add an ALB instance to WAF, the instance becomes a protected object of WAF. The protected object name contains the -alb suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the ALB instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Remove an ALB instance from WAF
After you remove an ALB instance from WAF, service traffic that is generated on the instance is no longer protected by WAF. In addition, the protection details of service traffic are no longer included in WAF security reports.
Important: After WAF protection is disabled for an ALB instance, you are no longer charged request processing fees. You are charged feature fees for the protection rules that you configure. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.
Find the ALB instance that you want to remove from WAF and click Remove in the Actions column. In the Tips message, click Remove.
In the Remove panel, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.
Manage WAF protection in the ALB console
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
Manage WAF protection by performing one of the following operations. The procedure for each operation is described below.
Check whether WAF protection is enabled for an ALB instance
To check whether WAF protection is enabled for an ALB instance, use one of the following methods. In each case, the status Protection Enabled indicates that WAF protection is enabled for the ALB instance.
Method 1:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
On the Instance Details tab, check whether WAF protection is enabled in the Basic Information section.
Method 2:
On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon.
In the hoverbox that appears, view the protection status.
Method 3:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
On the Instance Details tab, click the Integrated Services tab, and view the protection status in the Web Application Firewall section.
View WAF Security Report
To view WAF security reports, make sure that WAF protection is enabled for your ALB instance.
Method 1:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
Select the Integrated Services tab. In the Web Application Firewall area, click View WAF Security Report to go to the WAF 3.0 console to view security reports.
Method 2:
On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon.
In the hoverbox that appears, click View WAF Security Report to go to the WAF 3.0 console to view security reports.
Method 3:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
On the Instance Details tab, in the Basic Information section, click View WAF Security Report to the right of WAF Protection to go to the WAF 3.0 console and view security reports.
For more information, see Security reports.
Disable WAF protection
After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF and the WAF security reports no longer include the protection details of the ALB instance.
Important: After you disable WAF protection for an ALB instance, you are no longer charged request processing fees. You are charged feature fees for the protection rules that you configure. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.
Method 1:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
Click the Integrated Services tab. In the Web Application Firewall section, click Disable WAF.
In the Disable Protection dialog box, click OK to disable WAF protection.
Method 2:
On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon to the right of the instance ID. In the hoverbox that appears, click Disable WAF in the WAF Protection section.
In the Disable Protection dialog box, click OK to disable WAF protection.
Method 3:
On the Instances page, find the ALB instance that you want to manage and click the instance ID.
On the Instance Details tab, click Disable WAF to the right of WAF Protection in the Basic Information section.
In the Disable Protection dialog box, click OK to disable WAF protection.
Method 4:
On the Instances page, find the ALB instance that you want to manage, and choose in the Actions column. On the Application Load Balancer | Upgrade/Downgrade page, set the Edition parameter to Standard, select the Terms of Service, click Buy Now, and then complete the payment.
FAQ
How do I check whether a domain name is protected by WAF?
Enter the domain name that you added to WAF in the address bar of a browser. If the domain name can be accessed, the domain name is protected by WAF.
Insert malicious SQL code, such as xxx.xxxx.com?id=1 and 1=1, into requests and check whether the requests are blocked. If the 405 Method Not Allowed error is returned, the requests are blocked.
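The two FAQ checks above can be run together and interpreted consistently. The script below is an added example, not part of the original topic or Alibaba Cloud tooling: it sends a normal request and the FAQ's `id=1 and 1=1` probe to a domain you choose, and reports whether WAF answered the probe with the 405 status the FAQ describes. The domain, path and User-Agent value are assumptions you supply.

```python
"""Verify that a domain added to WAF in cloud native mode is actually protected.

Added example (not from the original topic). It automates the FAQ checks:
1. A normal request must succeed (the domain is reachable through ALB).
2. The FAQ's harmless probe query must be blocked with HTTP 405.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

PROBE_QUERY = "id=1 and 1=1"   # probe taken from the FAQ above
BLOCKED_STATUS = 405           # status the FAQ says WAF returns for a blocked request


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return its HTTP status; 0 means the host was unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-check/1.0"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return err.code
    except urllib.error.URLError:           # DNS failure, refused connection, timeout
        return 0


def assess(baseline_status: int, probe_status: int) -> str:
    """Interpret the (normal request, probe request) status pair as the FAQ does."""
    if baseline_status == 0 or baseline_status >= 500:
        return "unreachable"      # fix the listener/backend before judging WAF
    if probe_status == BLOCKED_STATUS:
        return "protected"        # WAF blocked the probe with 405
    if probe_status == baseline_status:
        return "not-protected"    # probe was served exactly like a normal request
    return "inconclusive"         # some other status: check the WAF security reports


def check_domain(domain: str, path: str = "/") -> str:
    """Run both FAQ checks against https://<domain><path> and return the verdict."""
    base = f"https://{domain}{path}"
    baseline = fetch_status(base)
    probe = fetch_status(f"{base}?{urllib.parse.quote(PROBE_QUERY, safe='=')}")
    return assess(baseline, probe)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder domain
    print(target, "->", check_domain(target))
```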
What are the differences between the WAF 2.0 transparent proxy mode and WAF 3.0 cloud native mode?
Differences:
WAF 2.0 transparent proxy mode: Ports are added to WAF, and the gateways of cloud services automatically change routes to redirect traffic on the ports to WAF. WAF blocks malicious requests and forwards normal requests to the origin server. WAF detects and forwards requests as a reverse proxy cluster. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and ALB or CLB.
WAF 3.0 cloud native mode: WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic. To prevent compatibility and stability issues, WAF does not forward traffic. In service integration mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.
For more information, see Compare WAF 3.0 with WAF 2.0.
References
ALB documentation
For information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.
For information about the features of basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.
For information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.
For information about how to modify the configurations of an ALB instance, see Modify the configurations of ALB instances.
For information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.
For information about the billing rules of WAF-enabled ALB instances, see Instance fees.
WAF documentation
For information about how to purchase a subscription WAF 3.0 instance, see Purchase a subscription WAF 3.0 instance.
For information about how to purchase a pay-as-you-go WAF 3.0 instance, see Purchase a pay-as-you-go WAF 3.0 instance.
For information about the differences between WAF 3.0 and WAF 2.0 and the improvements introduced in WAF 3.0, see Compare WAF 3.0 with WAF 2.0.