Configure WAF

Last Updated: Sep 28, 2020

This topic describes how to configure Web Application Firewall (WAF) to enhance the security protection of the APIs published on API Gateway.

1. Overview

API Gateway provides a range of mechanisms that enhance security and reduce the risks arising from APIs. These mechanisms include authentication, tamper resistance, replay prevention, parameter validation, full-link signature verification, and request throttling. You can use WAF to provide protection against a variety of attacks, such as the attacks in the OWASP Top 10 and brute-force attacks. This helps prevent data breaches and better ensures the security of your business.

API Gateway is fully compatible with WAF. Follow the operations described in section 3 "Procedure" to configure WAF.

2. Prerequisites

3. Procedure

Step 1: Bind your domain name to an API group on the Group Details page in the API Gateway console. For more information, see Access a domain name by using HTTPS.

You also need to configure WAF in the next step. We recommend that you do not configure a CNAME record in this step.

Step 2: Add a website to WAF for protection.

Log on to the WAF console. Click Asset Center and then click Website Access in the left-side navigation pane. On the Website Access page, click Add Domain Name in the upper-left corner.

On the Add Domain Name page, specify the following parameters:

  • Domain Name: Set this parameter to the domain name that is bound in Step 1.

  • Protocol Type: Set this parameter to the protocol selected for publishing APIs in the API Gateway console.

  • Destination Server (IP Address): Select Destination Server (Domain Name) and enter your second-level domain name on the Internet.

Click Next and perform subsequent configurations as prompted. In addition, add a CNAME record for your domain name to switch traffic. For more information, see Best practices for WAF configurations.
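After the CNAME record is added, it is worth confirming that the domain enters WAF first instead of pointing straight at API Gateway. The following check is an added example, not part of the original documentation: it parses `dig +noall +answer` output and classifies the CNAME chain. It assumes the CNAME target is the address that WAF assigns to the added domain; every domain name and IP address in it is a constructed placeholder.

```python
# Added example: classify a custom domain's CNAME chain after the WAF cutover.
# All names below are constructed placeholders, not real Alibaba Cloud values.

def norm(name):
    return name.rstrip(".").lower()

def parse_cnames(dig_text):
    """Map owner -> target for CNAME lines of `dig +noall +answer` output."""
    cnames = {}
    for line in dig_text.splitlines():
        fields = line.split()
        # Answer line layout: owner TTL class type rdata
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            cnames[norm(fields[0])] = norm(fields[4])
    return cnames

def cname_chain(cnames, domain):
    """Follow CNAMEs from domain; stop at the end of the chain or on a loop."""
    chain, cur, seen = [], norm(domain), {norm(domain)}
    while cur in cnames and cnames[cur] not in seen:
        cur = cnames[cur]
        seen.add(cur)
        chain.append(cur)
    return chain

def check_cutover(dig_text, domain, waf_cname, gateway_domain):
    chain = cname_chain(parse_cnames(dig_text), domain)
    if not chain:
        return "no-cname"        # record not added yet (or an A record is used)
    if chain[0] == norm(waf_cname):
        return "via-waf"         # traffic enters WAF first
    if norm(gateway_domain) in chain:
        return "bypasses-waf"    # domain points straight at API Gateway
    return "unexpected-target"

WAF_CNAME = "assigned-by-waf.waf.example.net"   # placeholder for the WAF-assigned CNAME
GATEWAY_DOMAIN = "group-id.apigw.example.net"   # placeholder for the second-level domain

SAMPLE_OK = """\
api.example.com.  600 IN CNAME assigned-by-waf.waf.example.net.
assigned-by-waf.waf.example.net. 60 IN A 203.0.113.10
"""
SAMPLE_BYPASS = """\
api.example.com.  600 IN CNAME group-id.apigw.example.net.
group-id.apigw.example.net. 60 IN A 198.51.100.7
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bypass", SAMPLE_BYPASS)):
        print(name, check_cutover(text, "api.example.com", WAF_CNAME, GATEWAY_DOMAIN))
```

A `bypasses-waf` result means the record created for the domain targets the API group's second-level domain, so requests reach API Gateway without WAF inspection.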