If a Microservices Engine (MSE) instance is configured for your web services, you can enable Web Application Firewall (WAF) 3.0 protection for the MSE instance. This topic describes how to enable WAF protection for an MSE instance.
Background information
MSE is an end-to-end microservices platform that is developed for mainstream open source microservices ecosystems. MSE provides the following modules: Microservices Registry, Cloud-native Gateway, and Microservices Governance. Microservices Registry supports the native Nacos, ZooKeeper, and Eureka engines. Cloud-native Gateway supports native Ingress and Envoy. Microservices Governance supports native Spring Cloud, Dubbo, and Sentinel and complies with OpenSergo. WAF 3.0 is integrated with MSE cloud-native gateways. This can help improve the O&M efficiency and security of your web services and ensure a seamless and interactive user experience.
Limits
Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
The MSE instance for which you want to enable WAF protection must reside in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), and US (Silicon Valley).
You cannot enable the following features for MSE instances for which WAF protection is enabled:
Website tamper-proofing
Data leakage prevention
Automatic integration of the Web SDK in bot management for website protection
API security
Prerequisites
A cloud-native gateway is created. For more information, see Create a cloud-native gateway.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Enable WAF protection for an MSE instance
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click MSE in the left-side cloud service list.
Click Add.
Click Authorize Now to authorize your WAF instance to access MSE.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If your WAF instance is already authorized to access MSE, skip this step.
You are redirected to the MSE console.
In the top navigation bar, select China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley) for the region.
Enable WAF protection.
Enable instance-level protection.
Find the gateway for which you want to enable WAF protection, move the pointer over the icon in the WAF Protection column, and then click Enable Gateway Protection. You can also choose in the Actions column. In the Enable WAF Protection dialog box, click OK.
Enable route-level protection.
Find the gateway for which you want to enable WAF protection, click the name of the gateway, and then choose in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.
Find the route for which you want to enable WAF protection and choose in the Actions column. Then, click OK.
Manage WAF protection in the MSE console.
Log on to the MSE console. In the left-side navigation pane, choose .
In the top navigation bar, select China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley) for the region.
Manage WAF protection.
View MSE instances for which WAF protection is enabled.
In the instance list, you can view the MSE instances for which WAF protection is enabled. If the icon is displayed on the right side of the name of an MSE instance, WAF protection is enabled for the MSE instance.
Disable WAF protection for an MSE instance.
After you disable WAF protection for an MSE instance, web service traffic that is generated on the MSE instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.
Important: After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see Billable items and Protection module overview.
Disable instance-level protection.
Find the gateway for which you want to disable WAF protection, click the icon in the WAF Protection column, and then click Disable Gateway Protection. You can also choose in the Actions column. In the Disable WAF Protection dialog box, click OK.
Disable route-level protection.
Find the gateway for which you want to disable WAF protection, click the name of the gateway, and then choose in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.
Find the route for which you want to disable WAF protection and choose in the Actions column. Then, click OK.
Manage WAF protection in the WAF console.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, click Website Configuration.
Manage WAF protection.
View MSE instances for which WAF protection is enabled.
On the Cloud Native tab, click MSE in the left-side cloud service list.
Configure protected objects and protection rules.
After you enable WAF protection for an MSE instance, the MSE instance automatically becomes a protected object of WAF. The name of the protected object contains the -mse suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the MSE instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Remove an MSE instance from WAF.
After you remove an MSE instance from WAF, web service traffic that is generated on the instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.
Important: After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see Billable items and Protection module overview.
Find the instance that you want to remove and click Remove in the Actions column.
You are redirected to the Gateways page in the MSE console.
Disable WAF protection in the MSE console. For more information, see Disable WAF protection for an MSE instance.