The hybrid cloud mode is a web application protection and management solution provided by Alibaba Cloud to protect web services that are deployed outside Alibaba Cloud. If your web services are deployed on third-party clouds and data centers, you can add your web services to Web Application Firewall (WAF) in hybrid cloud mode. This way, you can manage and protect the web services in a centralized manner. This topic describes the hybrid cloud mode and how to add web services to WAF in this mode.
Introduction
The hybrid cloud mode uses the protection components of Alibaba Cloud to protect web applications that are deployed on third-party clouds and data centers.
Scenarios
The web services that you want to protect have special security requirements and cannot be migrated to a public cloud.
The web services that you want to protect in a centralized manner are deployed across Alibaba Cloud, third-party clouds, data centers, and virtual private clouds (VPCs).
The web services that you want to protect are latency-sensitive and require high reliability, active geo-redundancy, and centralized protection across multiple network environments.
Benefits
Assets that are deployed on clouds and data centers and protection policies can be managed in a centralized manner.
Web services can be protected by using the nearest protection nodes.
Protection rules and threat intelligence in clouds can be synchronized in real time.
Internet-facing services and internal services can be protected.
Service traffic can be redirected at the unified access layer and detected in bypass mode. Manual bypass and automatic bypass are supported. This way, service traffic can be detected and the detection results can be returned even if the hybrid cloud cluster fails.
Access modes
Access mode | Description | Scenario |
Reverse proxy mode | If you want to add a website to WAF in reverse proxy mode, you must add the domain name or the IP address of the website to WAF and modify the Domain Name System (DNS) record to point the domain name or IP address of the website to the IP address of the hybrid cloud cluster. A hybrid cloud cluster detects all requests on websites that are added to WAF in reverse proxy mode. | The reverse proxy mode is designed to protect websites whose network architecture can be modified and websites that do not have large traffic. For example, the reverse proxy mode is suitable for the Internet, retail, government, finance, and media industries. |
SDK-based traffic mirroring mode | In SDK-based traffic mirroring mode, SDKs are deployed on a unified access gateway to allow WAF to detect service traffic by using traffic mirroring. This way, the hybrid cloud cluster does not forward traffic and traffic forwarding is separated from traffic detection. | The SDK-based traffic mirroring mode is designed to protect websites that use an NGINX gateway, have large service traffic and strict requirements for low latency and high stability, and are managed by specialized O&M personnel. For example, the SDK-based traffic mirroring mode is suitable for large Internet enterprises and users who have special requirements for traffic forwarding. |
Limits
You cannot enable the following features to protect web services that are added to WAF in hybrid cloud mode:
Website tamper-proofing
Custom response
API security
Prerequisites
Before you add web services to WAF in hybrid cloud mode, join the DingTalk group (group ID: 34657699) for technical support.
A subscription WAF instance of the Enterprise or Ultimate edition is purchased. For more information, see Purchase a subscription WAF 3.0 instance.
Note: Only subscription WAF instances of the Enterprise and Ultimate editions support the hybrid cloud mode.
All resources are prepared. For information about the numbers of servers and load balancers that you must prepare, see Prepare hybrid cloud cluster resources.
Note: A hybrid cloud cluster consists of management, storage, and protection components. To ensure cluster stability, we recommend that you deploy each type of component on different nodes. If a component is deployed on multiple nodes, we recommend that you deploy a load balancer for the nodes.
Step 1: Install the WAF client
WAF client introduction
If you want to deploy hybrid cloud clusters, you must prepare on-premises servers. Before you deploy hybrid cloud clusters, you must install the WAF agent (vagent) on the on-premises servers that you want to use as protection nodes.
vagent provides the following capabilities:
Communicates with Alibaba Cloud WAF and pulls the installation and update images of Hybrid Cloud WAF.
Monitors and reports the status of hybrid cloud protection components to ensure the availability of WAF.
Synchronizes the configurations of WAF instances in real time, including forwarding configurations, protection rules, and threat intelligence.
vagent can be installed on Linux servers only by running the rpm command. Only the following Linux distributions are supported:
64-bit CentOS 7 and 8
Spark 3.10 to 4.10
If your server version is not supported, join the DingTalk group (group ID: 34657699) for technical support.
Procedure
Log on to your on-premises server.
Obtain the latest version of vagent and download vagent to your on-premises server.
You can obtain the latest version of vagent by using the following method: join the DingTalk group (group ID: 34657699) for technical support.
Install vagent.
Run the following command to install vagent on your on-premises server:
sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
Note: Before you run the command, replace xxxxxxx.xxxxx with the version number of vagent.
After the installation is complete, run the following command to view the version number of vagent. Make sure that you use the latest version of vagent.
rpm -qa | grep vagent
Modify the vagent configuration file.
After you install vagent, you must modify the vagent configuration file based on the access mode of Hybrid Cloud WAF to enable communication between vagent and Alibaba Cloud WAF. To modify the vagent configuration file, perform the following steps:
Run the following command to open the vagent configuration file:
sudo vi /home/admin/vagent/conf/vagent.toml
Press the i key to enter the edit mode. Then, modify the configuration file or add the following content to the file:
domain="wafopenapi.cn-hangzhou.aliyuncs.com"   # The endpoint of Hybrid Cloud WAF. For more information, see Table 1.
access_key_id="yourAccessKeyId"                # The AccessKey ID of your Alibaba Cloud account.
access_key_secret="yourAccessKeySecret"        # The AccessKey secret of your Alibaba Cloud account.
Table 1. Valid values of the domain parameter
Region of WAF | Access mode | Value of the domain parameter |
Chinese mainland | Internet access (If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet.) | wafopenapi.cn-hangzhou.aliyuncs.com |
Chinese mainland | Internal network access by using Express Connect circuits (If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you have deployed Express Connect.) Note: This mode is available only for VPCs that reside in the following regions: China (Hangzhou), China (Shanghai), and China (Beijing). If your VPC resides in other regions in the Chinese mainland, join the DingTalk group (group ID: 34657699) for technical support. | wafopenapi.vpc-proxy.aliyuncs.com |
Outside the Chinese mainland | Internet access (If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet.) | wafopenapi.ap-southeast-1.aliyuncs.com |
Outside the Chinese mainland | Internal network access by using Express Connect circuits (If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you have deployed Express Connect.) Note: If your VPC resides outside the Chinese mainland, join the DingTalk group (group ID: 34657699) for technical support. | wafopenapi-intl.vpc-proxy.aliyuncs.com |
Press the Esc key to exit the edit mode.
Enter :wq and press the Enter key to save the configuration file and exit.
Start vagent.
Run the following command to start vagent:
sudo systemctl start vagent
Run the following command to configure automatic startup of vagent:
sudo systemctl enable vagent
If the configuration is successful, the system displays the following information:
Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service to /usr/lib/systemd/system/vagent.service.
If the startup of vagent fails, you can use one of the following methods to query the logs of vagent for troubleshooting:
Run the following command to use the systemd tool to query the logs of vagent:
sudo journalctl -u vagent
Run the following command to use the vagent log file to query the logs of vagent:
tail /home/admin/vagent/logs/vagent.log
You can also use systemctl, the tool used to start vagent above, to view the status of vagent or stop vagent.
Check whether vagent is installed.
On a Linux server, you can run the following command to check whether vagent is installed:
ps aux | grep AliYunDunWaf
If the AliYunDunWaf process appears in the command output, vagent is installed and running on the on-premises server and can communicate with Alibaba Cloud WAF. Then, you can configure a cluster to add the servers to the cluster as on-premises protection nodes.
If the AliYunDunWaf process does not appear in the command output, check whether you correctly performed the installation steps. Then, reinstall and restart vagent. If the reinstallation fails, join the DingTalk group (group ID: 34657699) for technical support.
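A pre-start check for the configuration file edited in this step, added here as an example and not part of the Alibaba Cloud documentation: it verifies that the domain value is the endpoint Table 1 prescribes for the WAF region and cluster access mode and that the AccessKey placeholders were replaced. The region names (cn, intl), mode names (internet, express-connect) and function names are this script's own assumptions; the endpoints, keys and placeholders come from the procedure above.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation: sanity-check a
# vagent.toml before running "sudo systemctl start vagent". It verifies that
# the domain value is the endpoint Table 1 prescribes for the WAF region and
# cluster access mode, and that the AccessKey placeholders were replaced.
# Region names ("cn"/"intl") and mode names ("internet"/"express-connect")
# are assumptions of this script; the endpoints and keys come from Table 1.

# Print the endpoint for REGION and MODE (from Table 1); status 1 if unknown.
vagent_expected_domain() {
  case "$1/$2" in
    cn/internet)          echo "wafopenapi.cn-hangzhou.aliyuncs.com" ;;
    cn/express-connect)   echo "wafopenapi.vpc-proxy.aliyuncs.com" ;;
    intl/internet)        echo "wafopenapi.ap-southeast-1.aliyuncs.com" ;;
    intl/express-connect) echo "wafopenapi-intl.vpc-proxy.aliyuncs.com" ;;
    *) return 1 ;;
  esac
}

# Print the value of a quoted TOML string (key="value") from FILE; anything
# after the closing quote (for example a comment) is ignored.
vagent_toml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# vagent_check_config FILE REGION MODE: status 0 when the file is usable,
# 1 otherwise; every problem found is printed on its own line.
vagent_check_config() {
  file=$1; region=$2; mode=$3; rc=0
  expected=$(vagent_expected_domain "$region" "$mode") ||
    { echo "unknown region/access mode: $region/$mode"; return 1; }
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  domain=$(vagent_toml_value "$file" domain)
  if [ "$domain" != "$expected" ]; then
    echo "domain is '$domain' but $region/$mode requires '$expected'"; rc=1
  fi
  for key in access_key_id access_key_secret; do
    val=$(vagent_toml_value "$file" "$key")
    case "$val" in
      ""|yourAccessKeyId|yourAccessKeySecret)
        echo "$key is missing or still the placeholder from the procedure"; rc=1 ;;
    esac
  done
  return $rc
}

# Stand-alone demo on a constructed file (the real path from the procedure is
# /home/admin/vagent/conf/vagent.toml). The AccessKey values are made up.
demo=$(mktemp)
cat >"$demo" <<'EOF'
domain="wafopenapi.cn-hangzhou.aliyuncs.com"   # Chinese mainland, Internet access
access_key_id="yourAccessKeyId"                # placeholder left in on purpose
access_key_secret="constructed-secret-value"
EOF
if vagent_check_config "$demo" cn internet; then
  echo "vagent.toml looks usable"
else
  echo "fix vagent.toml before starting vagent"   # printed for this demo file
fi
rm -f "$demo"
```

Run it against the real file with `vagent_check_config /home/admin/vagent/conf/vagent.toml cn internet` (or intl / express-connect as appropriate) before `sudo systemctl start vagent`.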
Step 2: Deploy a hybrid cloud cluster
On the Web Application Firewall buy page, select Enable for the Hybrid Cloud Protection parameter and configure the Additional Protection Nodes parameter.
Note: Only subscription WAF instances of the Enterprise and Ultimate editions support the hybrid cloud mode.
Each protection cluster has at least two protection nodes. Each node provides protection for up to 5,000 queries per second (QPS) for HTTP requests or up to 3,000 QPS for HTTPS requests. To improve protection capabilities, we recommend that you specify the number of protection nodes based on the QPS of your web services that are protected by the hybrid cloud cluster.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Hybrid Cloud Cluster Management page, click Add Cluster.
In the Basic Information step, configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Cluster Name
Specify a name for the hybrid cloud cluster.
Cluster Type
Select the type of hybrid cloud cluster that you want to create. Valid values:
Reverse Proxy Mode: If you select this type, WAF is used as a reverse proxy cluster to forward and protect traffic.
SDK-based Traffic Mirroring Mode: If you select this type, you must deploy SDKs on your unified access gateway to allow WAF to detect your service traffic by using traffic mirroring. In this case, the hybrid cloud cluster does not forward traffic.
If the hybrid cloud cluster is in an abnormal state, turn on Bypass State. After you turn on Bypass State, WAF enters the Bypass state and no longer protects traffic.
Important: After you create the hybrid cloud cluster, you cannot change the type of the cluster. Before you configure this parameter, we recommend that you confirm the type of the hybrid cloud cluster.
Protection Nodes
Specify the number of protection nodes for the hybrid cloud cluster.
Note: The value of this parameter cannot be greater than the number of additional protection nodes that you purchase on the Web Application Firewall (Subscription) buy page.
Server Port
Specify the server ports for the hybrid cloud cluster. Make sure that the server ports include all ports that are used by the web services that you want to protect. When you associate the web services with the hybrid cloud cluster, you can select the ports for the web services only from the ports that are specified for the cluster.
By default, the following ports are enabled: 80, 8080, 443, and 8443. If you do not have special requirements, you do not need to modify the port settings.
If you want to add other ports, specify the ports. Press the Enter key each time you enter a port number.
Important: You cannot enter the following ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. To view the ports that are not supported, click View the range of ports that are not supported.
To ensure security, we recommend that you specify only the ports that are required for your web services.
Cluster Access Mode
Select the network access mode for the hybrid cloud cluster. Valid values:
Internet: The WAF console allows access from the hybrid cloud cluster only over the Internet.
Internal Network: The WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit.
Important: You can select Internal Network only if you deployed Express Connect circuits. For more information, see What is Express Connect?
Remarks
Specify a description for the hybrid cloud cluster.
In the Node Group Configuration step, click Add Node Group. In the Add Node Group dialog box, click Next.
Note: You must create multiple node groups in the hybrid cloud cluster before you add nodes to the node groups. You must configure a load balancer for each node group to prevent unbalanced services and single points of failure. If you do not configure a load balancer, join the DingTalk group (group ID: 34657699) for technical support.
Parameter
Description
Node Group Name
Specify a name for the node group.
Server IP Address for Load Balancing
Specify the public IP address of the load balancer that is associated with the node group.
Node Group Type
Select the type of the node group. Valid values:
Protection: a node group that consists of protection components. You can add multiple Protection node groups to a hybrid cloud cluster for disaster recovery.
Management: a node group that consists of management components. You can add multiple Management node groups to a hybrid cloud cluster for disaster recovery.
Storage: a node group that consists of storage components. You can add only one Storage node group to a hybrid cloud cluster.
Management and Storage: a node group that consists of management components and storage components. You can add only one Management and Storage node group to a hybrid cloud cluster.
You must add the node groups in sequence based on the method that you want to use.
Method 1: Add at least three node groups
Add one Storage node group, at least one Management node group, and one Protection node group.
Method 2: Add at least two node groups
Add one Management and Storage node group and at least one Protection node group.
Region
If you set the Node Group Type parameter to Protection, you must select the region where the node group resides. If you specify a different value for the Node Group Type parameter, you do not need to configure this parameter.
Remarks
Specify a description for the node group.
In the Initial Node Configuration step, click Add Node, configure the parameters, and then click Save. The following table describes the parameters.
Parameter
Description
Server IP Address
Specify the public IP address of the on-premises server.
Node Name
Specify a name for the node.
Region
Select the region of the node.
Server Configuration
The system automatically displays the configuration of the on-premises server.
Protection Node Group
Select the node group to which you want to add the node.
The number of nodes that can be added to the hybrid cloud cluster cannot exceed the number of nodes that you specified for the cluster.
We recommend that you add at least two nodes to the Protection node group to allow WAF to perform online active-active disaster recovery.
After you create a hybrid cloud cluster, you can click Switch Cluster, select a cluster that you want to query, and perform the following operations:
In the Basic Information section, view the basic information about the cluster. Click Edit to change the cluster name, number of protection nodes, service ports, or remarks.
Click Node Group Configuration to add or modify a node group. For more information, see Step 6.
Click Add Node to add a node. For more information, see Step 7.
View the node status of the hybrid cloud cluster.
Node Status indicates whether the server runs as expected. The value Normal indicates that the server is running as expected. The value Stopped indicates that the server is shut down.
If the server is shut down, the node cannot provide protection services. We recommend that you check the cause of the server shutdown and fix the issue at the earliest opportunity.
Application Status indicates whether vagent runs as expected on a node. The value Normal indicates that vagent is running as expected. The value Stopped indicates that vagent stopped running.
If vagent stops running, the node may be unable to provide protection services. We recommend that you log on to your on-premises machine, check the installation status and running status of vagent, and fix the issue at the earliest opportunity. For more information, see Step 1: Install the WAF client.
Important: We recommend that you do not delete the RAM user and the permissions of the RAM user that you used to deploy the hybrid cloud cluster. Otherwise, the node status check may fail. If you delete the RAM user, join the DingTalk group (group ID: 34657699) for technical support.
Prepare cluster resources
You can select a deployment method based on your business requirements. The numbers of servers and load balancers that you must prepare vary based on the deployment method.
Protection scenario | Deployment method | Required resource | Description |
Services that require high stability and powerful protection capabilities | Disaster recovery deployment for protection and management components | | |
Services that require high stability | Disaster recovery deployment for protection components | | |
Proof of concept (POC) tests for basic protection capabilities | Minimum cluster deployment | | |
Step 3: Add a website to WAF
Reverse proxy mode
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Hybrid Cloud tab, click Reverse Proxy and then click Add.
In the Configure Listener step of the Add Domain Name wizard, configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Domain Name/IP
Specify the domain name or IP address that you want to protect. Configure the parameters based on the following requirements:
You can enter an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com.
Note: If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com.
WAF does not match the wildcard domain name with domain names at different levels. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com.
WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com.
If you enter an exact match domain name and a wildcard domain name, the protection rules of the exact match domain name take precedence.
You can enter an IP address. Example: 192.168.XX.XX.
Protocol Type
Specify the protocol type and ports that are used by the website.
Select HTTP or HTTPS and enter the ports that you want to use to forward traffic. Press the Enter key each time you enter a port number.
Note: The ports that you specify must be within the port range supported by the hybrid cloud cluster. If the ports that you want to specify are outside the supported port range, change the port range for the hybrid cloud cluster. For more information, see Step 2: Deploy a hybrid cloud cluster.
If you select HTTP, you do not need to configure the Upload Type parameter.
If you select HTTPS, you must upload the associated SSL certificate to allow WAF to monitor and protect HTTPS traffic.
Purchase Certificate
Click Apply to go to the Purchase Certificate page of the Certificate Management Service console to apply for a certificate.
You can apply for only a paid domain validated (DV) certificate. After you apply for a certificate, the certificate is automatically uploaded to WAF.
Note: If you want to apply for other types of certificates, you must purchase a certificate by using Certificate Management Service. For more information, see Purchase an SSL Certificate.
After you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements:
HTTP2
If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests.
Note: HTTP/2 uses the same port as HTTPS.
Advanced Settings
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Default value: No. Valid values: Yes and No.
Resource Group
Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.
Note: You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
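The matching rules stated for the Domain Name/IP parameter, as an added shell example that is not part of the Alibaba Cloud documentation: it tells which configured entry covers a given request host, so a planned set of entries can be checked before it is submitted. The function names are assumptions; the sample domain names are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation: the matching
# rules stated for the Domain Name/IP parameter, as POSIX shell functions.
#   *.aliyundoc.com covers www.aliyundoc.com and example.aliyundoc.com,
#   but not aliyundoc.com (the primary domain) and not
#   www.example.aliyundoc.com (a different level); an exact match domain
#   name takes precedence over a wildcard. Function names are assumptions.

# waf_domain_matches PATTERN HOST: status 0 when HOST is covered by PATTERN.
waf_domain_matches() {
  pattern=$1; host=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}            # "*.aliyundoc.com" -> "aliyundoc.com"
      case "$host" in
        *."$suffix")
          label=${host%."$suffix"}     # the part the "*" has to stand for
          # exactly one label: not empty (primary domain) and no further dots
          case "$label" in
            ""|*.*) return 1 ;;
            *)      return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *) [ "$host" = "$pattern" ] ;;
  esac
}

# waf_select_config HOST ENTRY...: print the configured entry whose rules
# apply to HOST. An exact match wins over a wildcard; nothing is printed
# when no entry covers HOST.
waf_select_config() {
  host=$1; shift
  wildcard=""
  for entry in "$@"; do
    if [ "$entry" = "$host" ]; then
      echo "$entry"; return 0
    fi
    if [ -z "$wildcard" ] && waf_domain_matches "$entry" "$host"; then
      wildcard=$entry
    fi
  done
  if [ -n "$wildcard" ]; then echo "$wildcard"; fi
  return 0
}

# Stand-alone demo with a constructed configuration of two entries.
for h in www.aliyundoc.com api.aliyundoc.com aliyundoc.com www.example.aliyundoc.com; do
  printf '%-28s -> %s\n' "$h" "$(waf_select_config "$h" '*.aliyundoc.com' www.aliyundoc.com)"
done
```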
In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.
Parameter
Description
Node Settings
Select a node group from the Protected Node Group drop-down list and add the origin server address to the protection node group. The origin server address is the IP address of the origin server of the website. The origin server address is used to receive the back-to-origin requests that are forwarded by WAF. Valid values:
IP
You can enter multiple origin IP addresses. Press the Enter key each time you enter an origin IP address. You can enter up to 20 origin IP addresses.
Note: If you enter multiple origin IP addresses, WAF distributes workloads across the origin IP addresses.
You can enter IPv4, IPv6, or IPv4 addresses together with IPv6 addresses.
If you enter IPv4 and IPv6 addresses, WAF forwards requests that are sent from IPv6 addresses to origin servers that use IPv6 addresses and requests that are sent from IPv4 addresses to origin servers that use IPv4 addresses.
If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4.
If you enter only IPv6 addresses, WAF forwards all requests to the origin server over IPv6.
Domain Name (Such as CNAME)
If you select Domain Name (Such as CNAME), the domain name can be resolved to only an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address.
If your website is deployed on multiple protection nodes, you can click + Add Protection Node to add the protection nodes to WAF.
Public Cloud Disaster Recovery
After you enable this feature, service traffic can be redirected to a public cloud cluster for disaster recovery. When the hybrid cloud cluster fails, the domain name is resolved to the CNAME provided by the public cloud cluster for disaster recovery. This way, traffic is redirected to the public cloud cluster and then forwarded to the origin server. If you enable Public Cloud Disaster Recovery, you must configure the Origin Server Address parameter. The configuration requirements of the origin server address are the same as the requirements in the description of the Node Settings parameter. For more information, see Origin server address.
Load Balancing Algorithm
If you specify multiple origin server addresses, select the load balancing algorithm for WAF to forward back-to-origin requests to the origin servers. Valid values:
Advanced HTTPS Settings
Other Advanced Settings
Modify the DNS record of a domain name
Important: Before you modify the DNS record, make sure that the forwarding configurations for your website take effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.
If you add a domain name to WAF in reverse proxy mode, you must modify the DNS record. If you add an IP address to WAF in reverse proxy mode, skip this step.
Modify the DNS A record of the domain name to point the domain name to the IP address of the node group.
If you enabled public cloud disaster recovery in Step 5, you must modify the DNS CNAME record to point the domain name to the CNAME of the public cloud cluster.
Note: If you use Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and modify the DNS A record and DNS CNAME record of the domain name. For more information, see Change the DNS record of a domain name.
After you add a domain name or IP address to WAF in hybrid cloud mode, the domain name or IP address is added as a protected object. By default, basic protection rules are enabled for the protected objects. In the left-side navigation pane, go to the Protected Objects page. On the Protected Objects page, you can view the automatically added protected objects and configure protection rules for the protected objects. For more information, see Protection configuration overview.
SDK-based traffic mirroring mode
In SDK-based traffic mirroring mode, SDKs are deployed on a unified access gateway to allow WAF to detect service traffic by using traffic mirroring. This way, traffic forwarding is separated from traffic detection. If you want to add a website to WAF in SDK-based traffic mirroring mode, join the DingTalk group (group ID: 34657699) for technical support.
After you deploy SDKs and hybrid cloud clusters, you can perform the following operations:
You can view the IP addresses of the forwarding nodes on which the SDKs are deployed and the corresponding hybrid cloud clusters and protection node groups. You can also view the status of the forwarding nodes.
Log on to the WAF 3.0 console.
In the left-side navigation pane, click Website Configuration.
On the Hybrid Cloud tab, click SDK-based Traffic Mirroring.
Add a protected object
After you add a website to WAF in SDK-based traffic mirroring mode, the domain name of the website is not automatically added as a protected object. You must manually add the domain name or URL of the website as a protected object on the Protected Objects page in the WAF console. For more information, see Protected objects and protected object groups.
Configure protection rules for a protected object
After you add a protected object, you must configure protection rules for the protected object. For more information, see Protection configuration overview.