Protection clusters for Hybrid Cloud WAF use your on-premises servers as WAF protection nodes. To deploy a protection cluster for Hybrid Cloud WAF, you must install the WAF agent (vagent) on each on-premises server that you want to use as a protection node. This topic describes how to install and start vagent on your on-premises servers.

Background information

vagent is a client application of WAF. You must install vagent on your on-premises servers that serve as protection nodes in protection clusters for Hybrid Cloud WAF.

vagent delivers the following capabilities:
  • Communicates with Alibaba Cloud WAF, reports the running status of WAF protection nodes, and downloads the latest WAF protection rules. These capabilities ensure service stability.
  • Adds or removes protection node configuration on your on-premises servers based on your cluster configuration, and monitors the running status of the service. These capabilities ensure stable and effective protection.

After you install and start vagent on your on-premises servers, the AliYunDunWaf process appears in the system processes of the servers. This indicates that vagent is working and can communicate with Alibaba Cloud WAF. Then, you can configure a cluster to add the servers to the cluster as on-premises protection nodes. For more information, see .

Installation environment requirements

vagent can be installed only on Linux servers by running the rpm command. The following table describes the operating system versions supported by vagent.
Note: If vagent does not support your operating system version, contact WAF technical support.

Operating system: Linux
Version:
  • 64-bit CentOS 7 and 8
  • Spark 3.10 to 4.10

Procedure

  1. Log on to your on-premises server.
  2. Contact WAF technical support in the DingTalk group to obtain the latest version of vagent and download vagent to your on-premises server.
  3. Install vagent.
    1. Run the following command to install vagent on your on-premises server:
      Before you run the command, replace xxxxxxx.xxxxx with the version number of vagent you downloaded.
      sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
    2. After the installation is complete, run the following command to view the version number of vagent. Make sure that you use the latest version of vagent.
      rpm -qa|grep vagent
  4. Modify the access configuration of vagent.
    After vagent is installed, you must modify the vagent configuration file to allow the communication between vagent and Alibaba Cloud WAF. Make sure that the configuration suits the access mode of Hybrid Cloud WAF. To modify the configuration, perform the following steps:
    1. Run the following command to open the vagent configuration file:
      sudo vi /home/admin/vagent/conf/vagent.toml
    2. Press i to enter the insert mode, and modify or add the following information:
      domain="wafopenapi.cn-hangzhou.aliyuncs.com" # The endpoint of Hybrid Cloud WAF. For more information about the values, see the "Values of the domain parameter" section that follows the code example.
      access_key_id="yourAccessKeyId" # The AccessKey ID of your Alibaba Cloud account
      access_key_secret="yourAccessKeySecret" # The AccessKey secret of your Alibaba Cloud account
      Values of the domain parameter
      • Region of WAF: Mainland China
        • Access mode: Internet access (If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet)
          Value of the domain parameter: wafopenapi.cn-hangzhou.aliyuncs.com
        • Access mode: Internal network access by using Express Connect circuits (If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you have deployed Express Connect)
          Note: This mode is available only for virtual private clouds (VPCs) that reside in the China (Hangzhou), China (Shanghai), and China (Beijing) regions. If your VPC resides in other regions in China, you must submit a ticket to apply for this mode. The approval of your application requires seven days. You can use this mode after your application is approved.
          Value of the domain parameter: wafopenapi.vpc-proxy.aliyuncs.com
      • Region of WAF: Outside mainland China
        • Access mode: Internet access (If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet)
          Value of the domain parameter: wafopenapi.ap-southeast-1.aliyuncs.com
        • Access mode: Internal network access by using Express Connect circuits (If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you have deployed Express Connect)
          Note: If your VPC resides in a region outside mainland China, you must submit a ticket to apply for this mode. The approval of your application requires a maximum of 10 business days. You can use this mode after your application is approved.
          Value of the domain parameter: wafopenapi-intl.vpc-proxy.aliyuncs.com
    3. Press Esc to exit the insert mode.
    4. Enter :wq and press Enter to save and exit.
  5. Start vagent.
    1. Run the following command to start vagent:
      sudo systemctl start vagent
    2. Run the following command to configure automatic startup of vagent:
      sudo systemctl enable vagent
      If the configuration succeeds, the system displays the following output:
      Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service 
      to /usr/lib/systemd/system/vagent.service.
    Other related commands:
    • Stop vagent.
      sudo systemctl stop vagent
    • View the status of vagent.
      sudo systemctl status vagent
    If the startup of vagent fails, you can use the following methods to query the logs of vagent for troubleshooting:
    • Use the systemd tool. Run the following query command:
      sudo journalctl -u vagent
    • Use the vagent log file. Run the following query command:
      tail /home/admin/vagent/logs/vagent.log
  6. Verify that vagent is installed.
    On a Linux operating system, run the following command to verify that vagent is installed:
    ps aux | grep AliYunDunWaf

    If the AliYunDunWaf process appears in the command output, vagent is installed on the on-premises server and is running.

    If the AliYunDunWaf process does not appear in the command output, check whether you correctly performed the installation steps and try to install and start vagent again. If vagent fails to be installed, contact WAF technical support.
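
The script below is an added example, not an Alibaba Cloud tool: it checks a vagent.toml edited as in step 4 for a domain value outside the four documented endpoints, AccessKey fields still set to the placeholders, and file permissions that expose the AccessKey secret. The function names check_vagent_conf and toml_value are hypothetical, GNU stat is assumed, and the permission check is a hardening assumption rather than a documented vagent requirement.

```shell
#!/bin/sh
# Added example: sanity checks for vagent.toml (function names are hypothetical).
# Usage: sudo sh check_vagent_conf.sh /home/admin/vagent/conf/vagent.toml

# Endpoints listed under "Values of the domain parameter" in step 4.
VAGENT_DOMAINS="wafopenapi.cn-hangzhou.aliyuncs.com
wafopenapi.vpc-proxy.aliyuncs.com
wafopenapi.ap-southeast-1.aliyuncs.com
wafopenapi-intl.vpc-proxy.aliyuncs.com"

# Print the value of a key="value" line, ignoring anything after the closing quote.
toml_value() {  # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Return 0 if the file passes every check; otherwise print each problem and return 1.
check_vagent_conf() {  # $1 = path to vagent.toml
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    domain=$(toml_value domain "$conf")
    if [ -z "$domain" ] || ! printf '%s\n' "$VAGENT_DOMAINS" | grep -qxF -- "$domain"; then
        echo "domain '$domain' is not one of the documented endpoints"; rc=1
    fi

    for key in access_key_id access_key_secret; do
        val=$(toml_value "$key" "$conf")
        case $val in
            ""|yourAccessKey*) echo "$key is empty or still the placeholder"; rc=1 ;;
        esac
    done

    # Assumption: the file holds a long-lived secret, so group/other bits are flagged.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00|0) ;;
        *) echo "mode $mode lets group/other access the AccessKey secret"; rc=1 ;;
    esac
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_vagent_conf "$1"; fi
```

Run it after step 4 and before starting the service; a non-zero exit status means at least one check failed.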

What to do next

After you install vagent on your on-premises servers, you can add your on-premises servers to the protection clusters for Hybrid Cloud WAF as protection nodes. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.