If your web services are deployed on an Elastic Compute Service (ECS) instance, you can add the ECS instance to Web Application Firewall (WAF). WAF monitors and filters inbound and outbound traffic on the ports of the ECS instance to enhance the security of your web services. This topic describes how to enable WAF protection for an ECS instance.
Background information
ECS is a high-performance, stable, reliable, and scalable IaaS-level service provided by Alibaba Cloud. ECS eliminates the need for upfront investment in IT hardware. This way, you can deploy applications in an efficient manner. ECS allows you to scale resources based on changes in requirements and traffic spikes. For more information, see What is ECS?.
You can enable WAF protection for an ECS instance. After you enable WAF protection for an ECS instance, all web traffic of the instance is routed to WAF by using a specific gateway for inspection. WAF filters out malicious traffic and forwards normal traffic to the ECS instance. The following figure shows the network architecture.
Limits
Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), Elastic Compute Service (ECS), and Network Load Balancer (NLB).. If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
Item | Description |
Supported instances | You can add only an instance that meets the following requirements to WAF:
|
Supported regions |
|
Number of traffic redirection ports | The maximum number of traffic redirection ports is the same as the maximum number of protected objects.
|
Supported ports | Standard and non-standard ports from 0 to 65535 are supported. For more information, see View supported ports. |
Services protected by Anti-DDoS Proxy and WAF | If you want to protect your web services by using Anti-DDoS Proxy and WAF, you can add the services to WAF in transparent proxy mode only if you add the services to Anti-DDoS Proxy by adding a domain name. |
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
An ECS instance that complies with the preceding usage limits is created. For more information, see the "Limits" section in this topic. For information about how to create an ECS instance, see Create an instance.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Add traffic redirection ports
The first time you add an instance to WAF, your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you enable WAF protection for an ECS instance, the traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not filtered by WAF.
Change the public IP address associated with the instance
Create a migration task and change the zone
The instance is released.
If you enable WAF protection for an ECS instance, traffic that is destined for the elastic IP address (EIP) or public IP address associated with the ECS instance is redirected to WAF.
If you disassociate an EIP from the ECS instance, traffic redirection is automatically disabled.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab of the Website Configuration page, select ECS in the left-side cloud service list. Click Add.
Click Authorize Now to authorize your WAF instance to access ECS.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
NoteIf you already authorized your WAF instance to access ECS, skip this step.
In the Configure Instance - ECS Instance panel, configure the parameters. The following table describes the parameters.
Parameter
Operation
Select the instance and port to be added.
Synchronize Instances
If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list.
Add Port
Find the instance that you want to add to WAF and click Add Port in the Actions column.
Enter the number of the port that you want to add to WAF and press the Enter key.
The port number must be supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports supported by WAF. For more information, see View supported ports.
Select the protocol type for the port that you want to add to WAF. Valid values: HTTP and HTTPS.
If you select HTTPS, you must upload a certificate.
NoteThe total number of default and additional certificates that you upload cannot exceed 10.
Default Certificate
If you select HTTPS, you can click Advanced Settings to configure the following advanced parameters:
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
Specify whether a Layer 7 proxy is deployed in front of WAF, such as Anti-DDoS Proxy and Alibaba Cloud CDN. Valid values: Yes and No.
By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies.
NoteWhen a request is sent from a client to WAF, WAF uses the IP address that is used to establish the connection to WAF as the IP address of the client. The IP address is specified by the
REMOTE_ADDR
field of the request.If a Layer 7 proxy is deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, you must configure the Obtain Actual IP Address of Client parameter.
Resource Group
Select the resource group to which you want to add the ECS instance from the Resource Group drop-down list. If you do not select a resource group, the ECS instance is added to the default resource group.
NoteYou can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
Advanced Settings
Select the ECS instance that you want to enable WAF protection and click OK.
After you enable WAF protection for an ECS instance, the instance automatically becomes a protected object of WAF. The name of the protected object is in the following format: Instance ID-Port number-Asset type. By default, basic protection rules are enabled for the protected object. You can configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the ID of the ECS instance that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Manage WAF protection
View origin servers and manage traffic redirection ports
After you enable WAF protection for an ECS instance, you can view the protection details of the origin servers and forcibly disable traffic redirection or remove traffic redirection ports in emergency disaster recovery scenarios.
On the Website Configuration page, click the Cloud Native tab.
In the left-side cloud service list, click ECS. Find the ECS instance whose traffic redirection ports you want to view and click the icon to the left of the instance name to view the ports that are added to WAF.
View port details: Click Port Details in the Actions column to view information about the port, protocol, and certificate. Then, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark (Advanced Settings), and Back-to-origin Keep-alive Requests (Advanced Settings) parameters.
Remove ports: Click Remove in the Actions column. In the Remove message, click OK.
ImportantAfter you remove a traffic redirection port from WAF, the following occurs:
Traffic on the port is no longer protected by WAF. To re-add the traffic redirection port to WAF, click Add. For more information , see Add traffic redirection ports.
Your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
Update the SSL certificate bound to a traffic redirection port
If the SSL certificate that is bound to a traffic redirection port is about to expire or the certificate is changed, you must update the certificate.
If the remaining validity period of the certificate is less than 30 days, the icon is displayed in the domain name list. This indicates that your certificate is about to expire. In this case, you must update the certificate at the earliest opportunity.
If you want to receive notifications by using methods such as email or text message when the certificate is about to expire, you can configure notifications for the certificate. For more information, see Configure notifications for SSL certificates.
To prevent service interruptions due to certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate when the hosted certificate is about to expire. For more information, see Introduction to the certificate hosting feature.
To update the SSL certificate that is bound to a traffic redirection port, perform the following steps:
Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload and share an SSL certificate.
Synchronize the certificate to WAF.
In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.
Update the certificate in the WAF console.
On the Cloud Native tab, click ECS in the left-side cloud service list. Find the instance that you want to manage and click the icon. Find the traffic redirection port whose certificate you want to update and click Modify in the Actions column.
In the Default Certificate dialog box, select Select Existing Certificate, and then select the new certificate from the drop-down list.