Web Application Firewall (WAF) can be integrated with the Resource Directory service of Resource Management as a trusted service. Multiple Alibaba Cloud accounts can be invited to join a resource directory as members. You can specify a member as a delegated administrator account to access the cloud resources of all members in the resource directory. This way, you can manage resources in a centralized manner. This topic describes how to use the multi-account management feature.
Limits
You must use a WAF instance that runs the Enterprise or Ultimate edition. Other WAF editions do not support the multi-account management feature.
Your administrator account and members must belong to the same resource directory and enterprise entity. The enterprise entity must pass the enterprise real-name verification.
If you use a delegated administrator account to purchase a WAF instance in the Chinese mainland, members cannot separately purchase a WAF instance in the Chinese mainland, but members can purchase a WAF instance outside the Chinese mainland. If a member has purchased a WAF instance, the instance must be released before the member uses the multi-account management feature.
After you add a member's cloud resources to the WAF instance purchased by a delegated administrator account, the protection configurations, overview data, and security reports for those resources can be viewed in the WAF console only by using the delegated administrator account. The member cannot view them from its own account.
If you use a delegated administrator account to delete a member in the WAF console, the system automatically removes the cloud resources of the member from WAF, and those resources are no longer protected by WAF.
Configuration process
Before you can use the multi-account management feature to add multiple members for centralized management, you must enable a resource directory, invite members to join the resource directory, and specify a delegated administrator account for WAF. Then, add the members on the Multi-account Management page in the WAF console and add their cloud resources to WAF.
Step 1: Enable a resource directory
Before you can use the multi-account management feature, you must add multiple Alibaba Cloud accounts to a resource directory. For more information about Resource Directory, see What is Resource Directory?.
Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. The Alibaba Cloud account is used as the administrator account of the resource directory. For more information, see Enable a resource directory.
Step 2: Invite members
After you invite an Alibaba Cloud account to join a resource directory, the account becomes a member of the resource directory. You can specify the invited member as a delegated administrator account.
Log on to the Resource Management console and use the administrator account to invite members. For more information, see Create a folder and Invite an Alibaba Cloud account to join a resource directory.
If no accounts are available to invite, you can create a member. For more information, see Create a member.
Step 3: Specify a delegated administrator account
Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The administrator account of a resource directory performs the organization management tasks of the resource directory, such as managing folders and members. A delegated administrator account of a trusted service performs only the business management tasks of that trusted service. This separation of duties means that the account that manages WAF across members does not need the broader privileges of the resource directory administrator account. You can use a delegated administrator account to access the multi-account management feature and perform management operations within the resource directory. For more information, see Manage a delegated administrator account.
Step 4: Add members
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Multi-account Management.
On the Multi-account Management page, click Add Member.
In the Add Member dialog box, select the members that you want to add and move the members from the Available Members section to the Selected Members section.
In the Selected Members section, select the members and click OK.
Step 5: Add the cloud resources of members to WAF
The method that you can use to add cloud resources to WAF varies based on the cloud service.
| Cloud service | Method |
| --- | --- |
| Application Load Balancer (ALB) | You can enable WAF protection for a member's cloud resources in the member's ALB console. Then, you can view the added cloud resources in the WAF console. |
| Layer 7 Classic Load Balancer (CLB) | A member's cloud resources are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the delegated administrator account's WAF console. |
| Layer 4 CLB | A member's cloud resources are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the delegated administrator account's WAF console. |
| Elastic Compute Service (ECS) | A member's cloud resources are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the delegated administrator account's WAF console. |
| Microservices Engine (MSE) | You can enable WAF protection for a member's cloud resources in the member's MSE console. Then, you can view the added cloud resources in the WAF console. |
| Function Compute | You can enable WAF protection for a member's cloud resources in the member's Function Compute console. Then, you can view the added cloud resources in the WAF console. |
| Serverless App Engine (SAE) | You can enable WAF protection for a member's cloud resources in the member's SAE console. Then, you can view the added cloud resources in the WAF console. |
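The following script is an added example and is not Alibaba Cloud code. It turns the limits and the five-step procedure above into a pre-flight check: given an inventory of the resource directory (built here from constructed data rather than live API responses), it verifies that the delegated administrator account owns an Enterprise or Ultimate WAF instance in the target region, that every candidate member belongs to the same resource directory and enterprise entity, and that no member still owns its own WAF instance in that region, and then emits the ordered API calls an operator would issue. The service principal name `waf.aliyuncs.com`, the region IDs, the API names `RegisterDelegatedAdministrator` and `CreateMemberAccounts`, and their parameter names are assumptions that should be verified against the Resource Management and WAF API references before use.

```python
"""Pre-flight check and call plan for WAF multi-account onboarding.

Added example; not Alibaba Cloud's own code. The inventory field names,
the service principal, the region IDs and the API/parameter names are
assumptions and must be checked against the official API references.
"""
from dataclasses import dataclass, field

WAF_SERVICE_PRINCIPAL = "waf.aliyuncs.com"          # assumed trusted-service principal
SUPPORTED_EDITIONS = {"Enterprise", "Ultimate"}      # editions that support the feature
REGION_ID = {"cn": "cn-hangzhou", "intl": "ap-southeast-1"}  # assumed WAF region IDs


@dataclass
class Account:
    account_id: str
    in_resource_directory: bool
    enterprise_entity: str                 # hypothetical field: verified enterprise entity
    # region ("cn" = Chinese mainland, "intl" = outside) -> (instance_id, edition)
    waf_instances: dict = field(default_factory=dict)


@dataclass
class Plan:
    errors: list = field(default_factory=list)
    calls: list = field(default_factory=list)   # ordered (api_name, params) tuples

    @property
    def ok(self):
        return not self.errors


def plan_onboarding(delegated_admin, members, delegated_admins_for_waf, region):
    """Check the documented limits and return the API calls to issue.

    delegated_admins_for_waf: account IDs already registered as delegated
    administrators for WAF (what ListDelegatedAdministrators would return).
    """
    plan = Plan()

    # Limit: the delegated administrator needs an Enterprise/Ultimate instance here.
    inst = delegated_admin.waf_instances.get(region)
    if inst is None:
        plan.errors.append(f"{delegated_admin.account_id}: no WAF instance in region {region}")
        return plan
    instance_id, edition = inst
    if edition not in SUPPORTED_EDITIONS:
        plan.errors.append(f"{instance_id}: edition {edition} does not support multi-account management")
    if not delegated_admin.in_resource_directory:
        plan.errors.append(f"{delegated_admin.account_id}: not a member of the resource directory")
    admin_errors = list(plan.errors)

    # Step 3: register the delegated administrator for WAF if not done yet.
    if delegated_admin.account_id not in delegated_admins_for_waf:
        plan.calls.append(("RegisterDelegatedAdministrator",
                           {"AccountId": delegated_admin.account_id,
                            "ServicePrincipal": WAF_SERVICE_PRINCIPAL}))

    # Steps 2 and 4: each member must be in the directory, in the same enterprise
    # entity, and must not still own its own WAF instance in this region.
    eligible = []
    for m in members:
        if not m.in_resource_directory:
            plan.errors.append(f"{m.account_id}: not in the resource directory (invite it first)")
        elif m.enterprise_entity != delegated_admin.enterprise_entity:
            plan.errors.append(f"{m.account_id}: belongs to a different enterprise entity")
        elif region in m.waf_instances:
            own = m.waf_instances[region][0]
            plan.errors.append(f"{m.account_id}: release its own WAF instance {own} first")
        else:
            eligible.append(m.account_id)

    # Only add members when the delegated administrator side is sound.
    if eligible and not admin_errors:
        plan.calls.append(("CreateMemberAccounts",
                           {"InstanceId": instance_id,
                            "RegionId": REGION_ID[region],
                            "Members": [{"MemberAccountId": a} for a in eligible]}))
    return plan


if __name__ == "__main__":
    # Constructed inventory, not real accounts.
    admin = Account("100", True, "Acme Ltd", {"cn": ("waf-cn-1", "Enterprise")})
    members = [
        Account("201", True, "Acme Ltd"),
        Account("202", True, "Acme Ltd", {"intl": ("waf-intl-9", "Pro")}),  # allowed
        Account("203", True, "Acme Ltd", {"cn": ("waf-cn-7", "Pro")}),      # must release
        Account("204", False, "Acme Ltd"),                                   # not invited
    ]
    plan = plan_onboarding(admin, members, delegated_admins_for_waf=set(), region="cn")
    for err in plan.errors:
        print("BLOCKED:", err)
    for api, params in plan.calls:
        print("CALL:", api, params)
```

The plan deliberately refuses to emit `CreateMemberAccounts` when the delegated administrator account itself fails a check, because adding members to an instance that cannot host the feature only produces a confusing failure later; per-member problems, by contrast, exclude just that member so the rest of the onboarding can proceed.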