Web Application Firewall (WAF) protects websites that are deployed in hybrid clouds. This topic describes how to add a website that is deployed in a hybrid cloud to WAF for protection.


  • A WAF instance is purchased. The number of domain names that you add to the WAF instance does not reach the upper limit.
    Note The total number of domain names that you can add to a WAF instance is based on the specifications of the instance and the number of extra domain packages that you purchase. For more information, see Extra domain quota.
  • If your domain name is protected by a WAF instance in mainland China, you must complete ICP filing for your domain name. If you add your domain name to WAF before you complete ICP filing, an error may occur, and the system prompts you to complete ICP filing.
  • A protection cluster for Hybrid Cloud WAF that uses on-premises servers as WAF protection nodes is deployed. The WAF protection nodes can communicate with the Internet. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.

Background information

Hybrid Cloud WAF is a hybrid cloud solution that enables you to protect and manage web applications in various environments in a centralized manner. Hybrid Cloud WAF is available across public clouds and data centers. Both Alibaba Cloud and third-party clouds are supported. Hybrid Cloud WAF combines the shared and exclusive resources both in and outside the cloud to deliver an elastic effective system. This allows you to protect web applications in a centralized manner. After you add your website to WAF, the traffic destined for the protected website can be forwarded to your origin server over the Internet or a private network. WAF forwards the requests based on the network type of the origin server.

Add a website deployed in a hybrid cloud

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab, click Website Access.
  5. On the Add Domain Name page, click Manually Add Other Websites.
  6. On the Add Domain Name page, enter the Domain Name that you want to protect and set Access Mode to CNAME Record.
    The value of the Domain Name parameter must meet the following requirements:
    • The domain name can be an exact match domain, such as www.aliyun.com, or a wildcard domain, such as *.aliyun.com.
      • If you use a wildcard domain, WAF automatically matches all subdomains of the wildcard domain.
      • If you configure both a wildcard domain and an exact match domain, WAF uses the forwarding rules and protection policies of the exact match domain.
    • The domain name cannot be .edu domain names. To add .edu domain names, submit a ticket to contact after-sales technical support.
  7. Specify the information about the website that you want to use WAF to protect.
    Configure the website parameters and click Next. The following table describes the parameters. Enter your website information
    Parameter Description
    Protection Resource Select the type of resource that you want to use WAF to protect. For this example, select Hybrid Cloud Cluster.
    Protocol Type Select a protocol type. Valid values:
    • HTTP
    • HTTPS: If your website uses HTTPS, select HTTPS and upload the certificate and private key files after you add the website configurations. For more information, see Upload HTTPS certificates.
      After you select HTTPS, click Advanced Settings to show more options. HTTPS
      Advanced Settings supports the following features:
      • Enforce HTTPS Routing: If this feature is enabled, HTTP requests are automatically redirected to HTTPS requests on port 443. You must clear HTTP before you turn on Enforce HTTPS Routing.

        If you want a client to access your website by using HTTPS, enable this feature. This enhances access security.

        Notice Before you enable this feature, make sure that your website supports HTTPS. After this feature is enabled, requests are delivered over HTTPS.
      • Enable HTTP: If this feature is enabled, WAF forwards requests over HTTP. The default port is 80.

        This feature implements HTTPS access to your website without the need to modify the origin server. This reduces the workload of the origin server. If your website does not support HTTPS, turn on Enable HTTP.

    • HTTP2: This option is available only when you use the WAF Business or Enterprise edition and select HTTPS.
    Node Settings Select Name of Protected Node Group.

    If your website is deployed in multiple protection nodes, you can click Add Node for Protection to the right of Node Settings to add the protection nodes to WAF.

    Destination Server (IP Address) Specify the address of the origin server on which the domain name is deployed. You can use the IP address or domain name of the origin server. After your website is added, WAF filters and forwards requests to this address.
    • If you set Destination Server (IP Address) to IP, enter the public or private IP address of the origin server. The origin server can be an Elastic Compute Service (ECS) instance in Alibaba Cloud, a cloud server of a third-party cloud service provider, or a server in a data center.

      Separate multiple IP addresses with commas (,). You can enter a maximum of 20 IP addresses. Do not use line breaks.

      • If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on these IP addresses before it forwards requests.
      • If you want to achieve disaster recovery in Hybrid Cloud WAF, you must specify the back-to-origin Classless Inter-Domain Routing (CIDR) blocks of Hybrid Cloud WAF for the load balancer that is deployed in front of WAF.
    • If you set Destination Server (IP Address) to Destination Server (Domain Name), enter the back-to-origin domain name of the origin server. For example, enter the CNAME address of an Object Storage Service (OSS) bucket. The domain name of the origin server must be different from the domain name that you want to protect.
      Note If you enter a domain name of an OSS bucket, you must bind this domain name to the bucket in the OSS console. For more information, see Bind custom domain names.
    Destination Server Port Specify the port that you use to forward website requests.
    Note Only Alibaba Cloud technical support can configure this parameter.

    The port must be within the range of the ports that are enabled for the hybrid cloud cluster. By default, ports 80, 8080, 443, and 8443 are enabled for hybrid cloud clusters. When you create a hybrid cloud cluster, you can specify the custom ports that you want to enable. For more information, see Configure basic information for a hybrid cloud cluster.

    WAF forwards filtered requests only by using the ports that you specify. If you enable ports that are not specified here, no security threats are posed to the origin server.

    Notice Protocol Type and Destination Server Port must be the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP port 80, HTTP and port 80 must be configured for your domain name.
    Default ports:
    • If you set Protocol Type to HTTP, Destination Server Port is automatically set HTTP 80.
    • If you set Protocol Type to HTTPS, Destination Server Port is automatically set HTTPS 443.
      Note HTTP/2 uses the same port as HTTPS.
    Custom Port: Click Customize and specify port numbers based on the protocol type (HTTP or HTTPS). Separate multiple port numbers with commas (,). Custom port

    Click View Allowed Port Range to query all supported ports.

    Load Balancing Algorithm If multiple origin IP addresses are configured, specify this parameter. Valid values:
    • IP hash: The requests from a specific IP address are redirected to the same origin server. This is the default value.
      Note If you select IP hash but the IP addresses of origin servers are not scattered on different network segments, unbalanced loads may occur.
    • Round Robin: All requests are distributed to origin servers in turn.
    • Least time: You can use the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to minimize the latency when requests are forwarded to origin servers.
      Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.

    After the settings take effect, WAF distributes back-to-origin requests to the IP addresses of multiple origin servers to achieve load balancing.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF If you need to configure a Layer 7 proxy in front of WAF, select Yes. If you do not select Yes, WAF cannot obtain the actual IP addresses of clients in this situation. For more information, see the following topics:

    If you do not need to configure a Layer 7 proxy in front of WAF, select No.

    Request Tag Enter a Header Field Name that is not occupied and a custom Header Field Value to mark website requests that are forwarded by WAF.

    WAF adds the specified header field and value to the filtered requests. This allows your origin server to identify and collect the requests that are forwarded by WAF, which in turn implements precise protection and effect analysis.

    Notice If a request already contains the specified header field, WAF overwrites the original field value with the newly specified value.
    Resource Group Select the resource group to which the domain name belongs from the resource group list.
    Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
  8. Modify the hosts file of your computer to map the domain name to the load balancer that is deployed in front of the on-premises WAF node. Then, test whether WAF can filter and forward requests as expected.
    Note Only Alibaba Cloud technical support can perform this step.
  9. Modify the DNS record of the domain name that you want to protect to map the domain name to the on-premises load balancer.
  10. Click Completed. Return to the website list..
    After you complete these steps, the domain name is protected by Hybrid Cloud WAF.