The endpoint of the Web Application Firewall (WAF) console randomly changes. To log on to the WAF console, you can use Elastic Compute Service (ECS) instances to configure network address translation (NAT) rules in iptables. This way, on-premises WAF servers in data centers and self-managed data centers can connect to the WAF console without the need to add routes between the on-premises network and the CIDR block of your Hybrid Cloud WAF instance.

Prerequisites

  • An ECS instance that runs CentOS is created. The ECS instance resides in the same region as your Hybrid Cloud WAF instance.
  • The NAT service is available on the ECS instance.
  • A CIDR block, such as 101.0.0.0/8, is available only for the ECS instance.

Background information

Hybrid Cloud WAF centrally manages protection results in various scenarios by using a RESTful API. You can access a Hybrid Cloud WAF instance by using the WAF console. However, in some scenarios, Cloud Enterprise Network (CEN) is required to keep access traffic confidential and secure. In this case, you can configure NAT rules on the ECS instances in CEN to implement connectivity.

Procedure

  1. Log on to the ECS instance as the root user.
  2. View the iptables rules.
    iptables -L
  3. Check whether the IP forwarding feature is enabled.
    sysctl -a | grep 'net.ipv4.ip_forward'
    Command output description:
    • If the command returns 1, the IP forwarding feature is enabled. In this case, go to Step 5.
    • If the command returns other values, the IP forwarding feature is disabled. In this case, go to Step 4.
  4. Modify the /etc/sysctl.conf configuration file.
    1. Add net.ipv4.ip_forward=1.
    2. Run the sysctl -p command.
  5. Deploy an on-premises WAF server.
    Configure a route to the 101.0.0.0/8 CIDR block of the ECS instance.
    Note The 101.xxx.xxx.xxx CIDR block must map to the 100.xxx.xxx.xxx CIDR block of the domain name that is added to WAF, based on the domain name information.
  6. Configure NAT rules in iptables on the ECS instance. The rules are used to forward requests to Hybrid Cloud WAF.
    1. Configure source network address translation (SNAT) rules that are used to send all requests from the on-premises WAF server over the 101.xxx.xxx.xxx CIDR block of the ECS instance.
      iptables -t nat -A POSTROUTING -s <CIDR block of the on-premises WAF server> -j SNAT --to-source <IP address of the ECS instance in the 101.xxx.xxx.xxx CIDR block>
    2. Configure destination network address translation (DNAT) rules that are used to replace the 101.xxx.xxx.xxx destination address in all requests with the 100.xxx.xxx.xxx IP address of the domain name that is added to WAF.
      iptables -t nat -A PREROUTING -d <101.xxx.xxx.xxx IP address> -j DNAT --to-destination <100.xxx.xxx.xxx IP address of the domain name that is added to WAF>
      Note You must configure a DNAT rule in iptables for each of the IP addresses of the domain names that are added to WAF. If the IP address of a domain name that is added to WAF changes, the IP address in the iptables rules must be modified.
  7. Optional: If you have a self-managed DNS server in the internal network, configure the DNS records of your domain names on the server.
  8. Check whether requests are forwarded.
    Run the curl -v <Domain name that is added to WAF> command. Then, capture packets on the ECS instance to confirm that the request leaves with the translated addresses.
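The following shell script is an added example that is not part of this document or of the WAF product. It carries Steps 3 to 6 through in one place: it checks the net.ipv4.ip_forward value from a sysctl -a dump, and it generates the SNAT rule plus one DNAT rule per WAF IP address, mapping each 101.a.b.c destination to the 100.a.b.c address as the Note in Step 5 describes. The CIDR blocks and IP addresses in the script (192.168.10.0/24, 101.0.0.1, 100.64.1.2, 100.64.1.3) are constructed sample values and must be replaced with your own. Note that the --to-source option of the iptables SNAT target takes a single IP address or an address range, not a CIDR prefix, so the script expects the address that the ECS instance uses in the 101.xxx.xxx.xxx block.

```shell
#!/bin/sh
# Added example: helper functions for the Hybrid Cloud WAF NAT setup on an ECS
# instance. The functions only print the iptables commands; review the output
# and then run it as root on the ECS instance (or pipe it into sh).

# ip_forward_enabled reads a "sysctl -a" style dump on stdin and succeeds only
# if net.ipv4.ip_forward is exactly 1 (Step 3). On the ECS instance run:
#   sysctl -a 2>/dev/null | ip_forward_enabled && echo "forwarding on"
# The anchored pattern avoids matching net.ipv4.ip_forward_use_pmtu and similar keys.
ip_forward_enabled() {
  grep -E '^net\.ipv4\.ip_forward *= *1$' >/dev/null
}

# map_101 converts a 100.a.b.c WAF address into the 101.a.b.c address that the
# on-premises WAF server is told to use (Step 5 Note). Fails for other prefixes.
map_101() {
  case "$1" in
    100.*) printf '101.%s\n' "${1#100.}" ;;
    *)     echo "map_101: $1 is not in 100.0.0.0/8" >&2; return 1 ;;
  esac
}

# build_nat_rules <on-premises WAF CIDR> <ECS address in 101.x> <WAF IP>...
# Prints one POSTROUTING SNAT rule (Step 6.1) and one PREROUTING DNAT rule
# per WAF IP address (Step 6.2). Re-run it whenever a WAF IP address changes,
# because the DNAT rules carry the addresses literally.
build_nat_rules() {
  onprem="$1"; ecs_addr="$2"; shift 2
  printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$onprem" "$ecs_addr"
  for waf_ip in "$@"; do
    mapped=$(map_101 "$waf_ip") || return 1
    printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s\n' "$mapped" "$waf_ip"
  done
}

# Sample run with constructed values (not real WAF addresses):
build_nat_rules 192.168.10.0/24 101.0.0.1 100.64.1.2 100.64.1.3
```

Before applying the printed rules, make sure Step 4 has been completed (net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then sysctl -p); without forwarding the DNAT rule matches but the kernel drops the forwarded packets. The script appends rules with -A, so running it twice duplicates them; list the nat table with iptables -t nat -L -n --line-numbers and delete stale entries when a WAF IP address changes.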