Alibaba Cloud Content Delivery Network (CDN) integrates with Web Application Firewall (WAF) to filter out malicious requests and redirect secure requests to origin servers. WAF can protect web servers against intrusions, secure core data, and prevent server anomalies caused by attacks. This topic describes the features, scenarios, and billing methods of WAF and how to configure WAF.
Prerequisites
- WAF is activated in the Alibaba Cloud CDN console. To activate WAF in the Alibaba Cloud CDN console, choose in the left-side navigation pane and click Activate.
- WAF can be used to protect only CDN nodes in mainland China. Before you activate WAF, confirm the accelerated region of your domain name. For more information about how to change the accelerated region, see Modify basic information.
Background information
Alibaba Cloud CDN is integrated with WAF. After WAF is activated, it can protect CDN nodes. For more information about features of WAF, see What is WAF?
WAF is applicable to industries such as finance, e-commerce, O2O, Internet Plus, gaming, government, and insurance. WAF protects websites against unexpected losses caused by attacks while Alibaba Cloud CDN accelerates the websites.
- Prevents website data leaks caused by SQL injections.
- Protects your website against Trojans that may compromise public trust of your website.
- Provides virtual patches that enable quick fixes of newly discovered vulnerabilities.
After you activate WAF for a domain name, WAF detects all requests sent to the domain name, counts the number of requests by account, and then charges fees accordingly. For more information about the pricing of WAF, see Pricing of value-added services - WAF.
Procedure
Assign a service linked role
After WAF is activated, the service linked role AliyunServiceRoleForCDNAccessingWAF is automatically created and assigned to Alibaba Cloud CDN. Alibaba Cloud CDN can assume this role to access resources in WAF.
AliyunServiceRoleForCDNAccessingWAF has the following permissions:
- DescribePayInfo
- CreatePostpaidInstance
- CreateOutputDomainConfig
- DeleteOutputDomainConfig
- DescribeDomainWebAttackTypePv
- ModifyLogServiceStatus
- DescribeProtectionModuleMode
- DescribeDomainRuleGroup
- DescribeRegions
- ModifyProtectionRuleStatus
- ModifyProtectionRuleCacheStatus
- DescribePeakValueStatisticsInfo
- DescribeDomainAccessStatus
- DescribeFlowStatisticsInfo
- DescribeDomainTotalCount
- DescribeResponseCodeStatisticsInfo
- DescribeDDosCreditThreshold
- ModifyDomainClusterType
- DescribeInstanceInfo
- DescribeOutputDomains
- CreateOutputDomain
- DeleteOutputDomain
- DeleteInstance
- DescribeInstanceSpecInfo
- DescribeDomainBasicConfigs
If you need to delete the AliyunServiceRoleForCDNAccessingWAF role, submit ticket to delete the WAF instance and disable WAF features for all accelerated domain names. Then, delete this role in the Resource Access Management (RAM) console.