This topic describes how to configure Web Application Firewall (WAF) to enhance security of the APIs published in API Gateway.
1. Overview
API Gateway provides a range of security features to protect APIs, such as authentication, tamper-proofing, anti-replay, parameter validation, full-link signature verification, and throttling. To protect APIs against attack requests crafted by attackers at the application layer, such as the OWASP Top 10 web attacks defined by the Open Web Application Security Project and brute-force attacks, you can use WAF for enhanced security protection. This helps prevent data breaches and enhances the security of your business.
API Gateway is fully compatible with WAF. You can follow the instructions described in section 3 "Procedure" to configure WAF.
2. Prerequisites
WAF is activated. For more information, see Purchase a subscription WAF instance.
APIs are published in API Gateway.
3. Procedure
Step 1: Bind your domain name to your API group. For more information, see Bind a domain name to an API group. The following figure shows that a domain name is bound to an API group.
You need to configure WAF in the next step. Therefore, we recommend that you bind the domain name by adding a TXT record in this step.
Step 2: Add the domain name to WAF. Log on to the WAF console. Choose Asset Center > Website Access in the left-side navigation pane. On the Website Access page, click Website Access. On the Add Domain Name page, configure parameters.
The following items describe the parameters:
Domain Name: Enter the domain name that was bound to the API group in Step 1.
Protocol Type: Select the protocol for publishing APIs in the API Gateway console.
Destination Server (IP Address): Select Domain Name (Such as CNAME) and enter the second-level domain name that is allocated to the API group.
Click Next and perform subsequent configurations by following the on-screen instructions. Then, add a CNAME record for the domain name to resolve the domain name to the CNAME generated by WAF. This way, your business traffic is switched to WAF.
Step 3: Disable the second-level domain name in the API Gateway console. This prevents callers from bypassing WAF by using the system-assigned public second-level domain name to access API Gateway directly. After you disable the second-level domain name, requests sent directly to that domain name fail, while requests that pass through WAF are not affected.
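The three steps above leave two things a defender should verify before trusting the setup: that the custom domain's CNAME points at WAF rather than straight at the API group, and that the API group's second-level domain name can no longer be reached directly. The following Python script is an added example (not part of the original topic and not an Alibaba Cloud tool) that performs those checks. DNS lookups and the HTTP probe are injected as callables so the script runs offline against constructed answers; all domain names, record values and status codes in it are placeholders, and a real run would supply a resolver (for example one backed by dnspython) and an HTTP client in their place.

```python
"""Audit a WAF-fronted API Gateway domain: CNAME chain and direct-access bypass.

Example code added alongside the topic; names, records and status codes below
are constructed placeholders, not values from any real account.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, record type) -> record values
Prober = Callable[[str], int]               # host -> HTTP status, 0 if unreachable


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def dict_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver from a {(name, rtype): [values]} table."""
    return lambda name, rtype: table.get((name.lower().rstrip("."), rtype), [])


def follow_cname(resolve: Resolver, name: str, max_hops: int = 5) -> List[str]:
    """Return the CNAME chain starting at name (name itself excluded), loop-safe."""
    chain: List[str] = []
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        targets = resolve(current, "CNAME")
        if not targets:
            break
        current = targets[0].lower().rstrip(".")
        if current in chain:
            break  # CNAME loop; stop rather than spin
        chain.append(current)
    return chain


def audit_waf_fronting(custom_domain: str, waf_cname: str, api_group_domain: str,
                       resolve: Resolver, probe: Prober) -> List[Finding]:
    """Check Step 1 (TXT binding), Step 2 (CNAME to WAF) and Step 3 (direct access)."""
    findings: List[Finding] = []

    # Step 1: the domain was bound to the API group via a TXT record.
    txt = resolve(custom_domain, "TXT")
    findings.append(Finding("txt-binding", bool(txt),
                            f"TXT records on {custom_domain}: {txt or 'none'}"))

    # Step 2: the first CNAME hop must be the WAF-generated CNAME. If the chain
    # reaches the API group domain without WAF, traffic bypasses the firewall.
    chain = follow_cname(resolve, custom_domain)
    first = chain[0] if chain else None
    if first == waf_cname.lower().rstrip("."):
        findings.append(Finding("cname-to-waf", True, f"{custom_domain} -> {first}"))
    elif api_group_domain.lower().rstrip(".") in chain:
        findings.append(Finding("cname-to-waf", False,
                                "custom domain resolves to the API group domain without WAF"))
    else:
        findings.append(Finding("cname-to-waf", False,
                                f"first CNAME hop is {first!r}, expected {waf_cname}"))

    # Step 3: a direct request to the second-level domain should fail. Any
    # 2xx/3xx answer means callers can still skip WAF.
    status = probe(api_group_domain)
    reachable = 200 <= status < 400
    findings.append(Finding("second-level-domain-disabled", not reachable,
                            f"direct request returned HTTP {status}" if status
                            else "direct request failed (expected once disabled)"))
    return findings


def all_ok(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


# --- constructed sample data (placeholders, not real infrastructure) ---------
CUSTOM_DOMAIN = "api.example.com"
WAF_CNAME = "waf-placeholder.example.invalid"
API_GROUP_DOMAIN = "group-placeholder.apigateway.example.invalid"

GOOD_DNS = {
    ("api.example.com", "TXT"): ["apigateway-binding-placeholder"],
    ("api.example.com", "CNAME"): ["waf-placeholder.example.invalid."],
}
BAD_DNS = {  # CNAME points straight at the API group: WAF is bypassed
    ("api.example.com", "TXT"): ["apigateway-binding-placeholder"],
    ("api.example.com", "CNAME"): ["group-placeholder.apigateway.example.invalid."],
}
good_probe: Prober = lambda host: 403   # second-level domain disabled: request refused
bad_probe: Prober = lambda host: 200    # second-level domain still serving traffic


if __name__ == "__main__":
    for label, dns, probe in (("good", GOOD_DNS, good_probe), ("bad", BAD_DNS, bad_probe)):
        result = audit_waf_fronting(CUSTOM_DOMAIN, WAF_CNAME, API_GROUP_DOMAIN,
                                    dict_resolver(dns), probe)
        print(f"[{label}] overall={'PASS' if all_ok(result) else 'FAIL'}")
        for f in result:
            print(f"  {'ok ' if f.ok else 'BAD'} {f.check}: {f.detail}")
```

Run it periodically (or from CI after DNS changes): a regression where someone repoints the CNAME at the API group domain, or re-enables the second-level domain name, shows up as a failed `cname-to-waf` or `second-level-domain-disabled` finding.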