This topic describes how to configure Web Application Firewall (WAF) to enhance the security protection of the APIs published on API Gateway.
API Gateway provides a range of mechanisms that enhance security and reduce the risks arising from APIs. These mechanisms include authentication, tamper resistance, replay prevention, parameter validation, full-link signature verification, and request throttling. You can use WAF to provide protection against a variety of attacks, such as the top 10 OWASP attacks and brute-force attacks. This prevents data breach and better ensures the security of your business.
API Gateway is fully compatible with WAF. Follow the operations described in section 3 "Procedure" to configure WAF.
APIs are published on API Gateway.
Step 1: Bind your domain name to an API group on the Group Details page in the API Gateway console. For more information, seeAccess a domain name by using HTTPS
You also need to configure WAF in the next step. We recommend that you do not configure a CNAME record in this step.
Step 2: Add a website to WAF for protection.
Log on to theWAF console.Click Asset Center and then click Website Access in the left-side navigation pane. On the Website Access page, click Add Domain Name in the upper-left corner.
On the Add Domain Name page, Specify the following parameters:
Domain Name: Set this parameter to the domain name that is bound in Step 1.
Protocol Type: Set this parameter to the protocol selected for publishing APIs in the API Gateway console.
Destination Server (IP Address): Select Destination Server (Domain Name) and enter your second-level domain name on the Internet.
Click Next and perform subsequent configurations as prompted. In addition, add a CNAME record for your domain name to switch traffic. For more information, seeBest practices for WAF configurations