Enable WAF protection for an NLB instance - Web Application Firewall

If you created a Network Load Balancer (NLB) instance and added a TCP listener to the instance, you can add the listener ports to Web Application Firewall (WAF) to redirect the web traffic of the instance to WAF for protection. This topic describes how to enable WAF protection for an NLB instance.

Background information

NLB is a Layer 4 load balancing service intended for the Internet of Everything (IoE) era. NLB offers ultra-high performance and can automatically scale on demand. An NLB instance supports up to 100 million concurrent connections and is suitable for services that require high concurrency. For more information about NLB, see What is NLB?

You can add an NLB instance to WAF for protection. After you add an NLB instance to WAF, all web traffic of the instance is redirected to WAF for inspection by using a specific gateway. WAF filters out malicious traffic and forwards normal traffic to the NLB instance. The following figure shows the network architecture.

Limits

Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), Elastic Compute Service (ECS), and Network Load Balancer (NLB).. If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Item	Description
Supported instances	You can add only an instance that meets the following requirements to WAF: The instance is an Internet-facing instance. The instance does not use IPv6. Mutual authentication is disabled for the instance.
Supported regions	Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao). Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
Number of traffic redirection ports	The maximum number of traffic redirection ports is the same as the maximum number of protected objects. Subscription WAF instances: 300 in the Basic edition, 600 in the Pro edition, 2,500 in the Enterprise edition, and 10,000 in the Ultimate edition. Pay-as-you-go WAF instances: 10,000.
Port settings	WAF automatically synchronizes the listener ports configured for NLB instances. You can select a listener port in the WAF console to enable WAF protection for the related NLB instance. Important WAF cannot synchronize the listener ports of NLB instances for which the multi-port listening feature is enabled or the listener protocol is set to UDP or TCPSSL. If you configured more than 50 listener ports for an NLB instance and the changes to the zones or subnets of the instance cause the elastic IP addresses (EIPs) that are associated with the instance to change, WAF automatically routes back-to-origin traffic to the new IP addresses of the instance. The new setting takes effect after a minute-level latency because the number of configured listener ports is large.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
An NLB instance is created, and a TCP listener is added to the NLB instance. The instance also meets the preceding requirements. For more information about the requirements, see Limits. For more information about how to add a TCP listener to an NLB instance, see Add a TCP listener.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Add traffic redirection ports

Important

When you add an instance to WAF, your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you add a Layer 4 CLB, ECS, or NLB instance to WAF, traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not filtered by WAF.
- Change the public IP address associated with the instance.
  Note
  If the public IP address of the NLB instance changes, traffic redirection is not disabled.
- Enable mutual authentication.
- Remove the listener ports from the instance.
- Delete the instance.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click NLB in the left-side cloud service list. Then, click Add.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.
Note
If your WAF instance is already authorized to access NLB, skip this step.

In the Configure Instance - NLB panel, configure the parameters. The following table describes the parameters.

Parameter	Operation
Select the instance and port to be added.	Optional: Synchronize Instances If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list. Add Port Find the instance that you want to add to WAF and click Add Port in the Actions column. Select the port that you want to add to WAF. Configure the Protocol Type parameter for the port that you want to add to WAF. Valid values: HTTP and HTTPS. If you select HTTPS, you must upload a certificate. Note The total number of default and additional certificates that you upload cannot exceed 10. Default Certificate Upload Click Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter must be in the `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----` format. The value of the Private Key parameter must be in the `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console and use the provided tool to convert the file format. For more information, see Convert the format of a certificate. If a domain name is associated with multiple SSL certificates or has a certificate chain, you can combine the text content of the certificate files and upload the combined text content. Select Existing Certificate If your certificate meets one of the following conditions, click Select Existing Certificate and select the certificate from the certificate list: The certificate is issued by using Certificate Management Service. The certificate is a third-party certificate that is uploaded to Certificate Management Service. Important If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Alibaba Cloud Security - Certificate Management Service and re-upload the certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate. Additional Certificate If you configured the instance to allow traffic from multiple domain names over HTTPS, click Additional Certificate to import the certificates of the domain names. The parameters that are used to upload an additional certificate and a default certificate are the same. For more information, see Default Certificate. If you select HTTPS, you can click Advanced Settings to configure the following advanced parameters: TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses an unsupported TLS version, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you specify the TLS versions based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access your website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for requests that are sent by using TLS 1.3. Cipher Suite Specify the cipher suites that are supported for HTTPS communication. If a client uses unsupported cipher suites, WAF blocks the requests that are sent from the client. The default value is All Cipher Suites (High Compatibility and Low Security). We recommend that you set this parameter to a different value only if your website supports specific cipher suites. Valid values: All Cipher Suites (High Compatibility and Low Security). Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website. For more information, see View supported cipher suites. Clients that use other cipher suites cannot access your website.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy or Alibaba Cloud CDN, is deployed in front of WAF. By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies. Note When a request is sent from a client to WAF, WAF uses the IP address that is used to establish the connection to WAF as the IP address of the client. The IP address is specified by the `REMOTE_ADDR` field of the request. If a Layer 7 proxy is deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, you must configure the Obtain Actual IP Address of Client parameter. Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the `X-Forwarded-For` field as the IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF reads the header fields in sequence until it obtains the IP address of a client. If WAF cannot obtain the IP address of a client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
Resource Group	Select the resource group to which you want to add the instance. If you do not select a resource group, the instance is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
Advanced Settings	Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field WAF automatically adds the `X-Forwarded-Proto` header field to HTTP requests to identify the original protocol used by the clients that send the requests. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur and your business may be affected. To prevent such issues, clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field. Enable Traffic Mark If you select Enable Traffic Mark, requests that pass through WAF are marked. This helps origin servers obtain the originating IP addresses or ports of clients. If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark to intercept malicious traffic. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked. You can configure the following types of header fields: Custom Header If you want to add a custom header field, you must configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the origin server to check whether requests passed through WAF, collect statistics, and analyze data. For example, you can add the `ALIWAF-TAG: Yes` custom header field to mark the requests that pass through WAF. In this example, the name of the header field is `ALIWAF-TAG` and the value of the header field is `Yes`. Originating IP Address You can specify a header field that records the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For more information about how WAF obtains the originating IP addresses of clients, see Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF. Source Port You can specify a header field that records the originating ports of clients. This way, your origin server can obtain the ports of clients. Important We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field. You can click Add Mark to add a header field. You can specify up to five header fields. Back-to-origin Keep-alive Requests If the persistent connections between WAF and your origin server time out, you can reconfigure the timeout period of persistent connections, the number of reused persistent connections, and the timeout period of idle persistent connections. Read Connection Timeout Period: the amount of time during which WAF waits for a response from the origin server. After the timeout period ends, WAF closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds. Write Connection Timeout Period: the amount of time during which WAF waits for a request to be forwarded to the origin server. After the timeout period ends, the origin server closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds. Back-to-origin Keep-alive Requests: If you want to configure the number of reused persistent connections or the timeout period of idle persistent connections, turn on Back-to-origin Keep-alive Requests and configure the following parameters: Reused Keep-alive Requests: the number of requests that WAF can forward to the origin server or the number of responses that WAF can receive from the origin server at the same time. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period of idle persistent connections. Valid values: 10 to 3600. Default value: 3600. Unit: seconds.

Select the instance that you want to add to WAF and click OK.
After you add an instance to WAF, the instance becomes a protected object of WAF. The name of the protected object is in the Instance ID-Port-Asset type format. Basic protection rules are automatically enabled for the protected object. You can view the protected object and configure protection rules for the protected object on the Protected Objects page. To go to the page, click the ID of the instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.

Other operations

View origin servers and manage traffic redirection ports

After you add an instance to WAF, you can view the protection details of the origin servers and forcefully disable traffic redirection or remove traffic redirection ports in emergency disaster recovery scenarios.

On the Website Configuration page, click the Cloud Native tab.
Click NLB in the left-side cloud service list. Find the NLB instance that you want to manage and click the icon to the left of the instance name to view the traffic redirection ports that are added to WAF.
- View port details: Click Port Details in the Actions column to view port details, including the port, protocol, and certificate. You can reconfigure the following parameters: Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark, and Back-to-origin Keep-alive Requests. You can click Advanced Settings to find the Enable Traffic Mark and Back-to-origin Keep-alive Requests parameters.
- Remove a port: Find the port and click Remove. In the Remove message, click OK.
  Important
  When you remove a traffic redirection port from WAF, your web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
  After you remove a traffic redirection port from WAF, traffic on the port is no longer protected by WAF. To re-add the port to WAF, click Add. For more information, see Add traffic redirection ports.

Update a certificate associated with a traffic redirection port

If a certificate that is associated with a traffic redirection port is about to expire or the certificate is changed, such as when the certificate is revoked, you must update the certificate.

Note

If the remaining validity period of the certificate is less than 30 days, the icon is displayed in the domain name list. This indicates that your certificate is about to expire. In this case, you must update the certificate at the earliest opportunity.
If you want to receive notifications by using methods such as email or text message when the certificate is about to expire, you can configure notifications for the certificate. For more information, see Configure notifications for SSL certificates.
To prevent service interruptions due to certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate when the hosted certificate is about to expire. For more information, see Introduction to the certificate hosting feature.

Perform the following steps:

Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload and share an SSL certificate.
Synchronize the certificate to WAF.
- Update the certificate in the WAF console.
  1. On the Cloud Native tab, click NLB in the left-side cloud service list. Find the instance that you want to manage and click the icon. Find the traffic redirection port whose certificate you want to update and click Modify in the Actions column.
  2. In the Default Certificate section, click Select Existing Certificate and select the new certificate from the drop-down list.