Web Application Firewall: Overview

Last Updated: Apr 02, 2024

If you want to use Web Application Firewall (WAF) to protect your web services, you must add your web services to WAF. You can add your web services to WAF 3.0 in cloud native mode or CNAME record mode. You can select a mode based on the deployment of your web services. This topic describes the implementation, recommended scenarios, added objects, and access methods of the cloud native mode and CNAME record mode.

Comparison

Cloud native mode has two types: SDK module and reverse proxy cluster. The comparison below covers both types of cloud native mode and CNAME record mode.

How it works

Cloud native mode (SDK module):

  • WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic.

  • WAF does not forward traffic, which prevents compatibility and reliability issues.

Cloud native mode (reverse proxy cluster):

  • To use this mode, you must add the traffic redirection ports of your cloud service instances to WAF. This way, the gateways of the instances automatically redirect web service traffic to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

CNAME record mode:

  • To use this mode, you must update your CNAME record with your Domain Name System (DNS) provider to map your domain name to the CNAME that is provided by WAF. This routes requests that are bound for your domain name to WAF. Then, WAF filters out malicious requests and forwards legitimate requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

Recommended scenarios

Cloud native mode (SDK module): If you use the following Alibaba Cloud services for your web services, we recommend that you add your web services to WAF in this mode: Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute.

Cloud native mode (reverse proxy cluster): If you use Alibaba Cloud Classic Load Balancer (CLB) or Elastic Compute Service (ECS) for your web services, we recommend that you add your web services to WAF in this mode.

CNAME record mode: If you do not use ALB, MSE, Function Compute, CLB, or ECS for your web services, you can add your web services to WAF in CNAME record mode.

Added objects

Cloud native mode (SDK module):

  • ALB or MSE instances, including all domain names that are hosted on the ALB or MSE instances.

  • Custom domain names in Function Compute.

Cloud native mode (reverse proxy cluster): CLB or ECS instances, including all domain names that are hosted on the CLB or ECS instances.

CNAME record mode: Domain names.

Access methods

Cloud native mode (reverse proxy cluster): In the WAF console, add the traffic redirection ports of CLB instances or ECS instances to WAF. For more information, see Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF.

CNAME record mode:

  1. Add a domain name to WAF and configure listeners and forwarding rules. For more information, see Add a domain name to WAF.

  2. Modify the DNS record of the domain name. For more information, see Modify the DNS record of a domain name.

  3. Allow access from the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
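
Step 3 of the CNAME record mode procedure can be checked against the inbound rules of the origin server. The following is an added example, not code from Alibaba Cloud or this documentation: it reports WAF back-to-origin blocks that the origin does not yet allow, and allowed sources that are not WAF. The CIDR blocks, rule list, and function names are constructed for illustration; take the real blocks from the topic referenced in step 3.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not real WAF CIDR blocks.
WAF_BACK_TO_ORIGIN = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:10::/48"]

# Constructed inbound allow rules on the origin: (source CIDR, destination port).
ORIGIN_RULES = [
    ("198.51.100.0/24", 443),   # matches a WAF block exactly
    ("203.0.113.0/26", 443),    # only half of the second WAF block
    ("192.0.2.0/24", 443),      # a source that is not WAF
    ("0.0.0.0/0", 80),          # open to every IPv4 source
]


def _collapse(nets):
    """Merge adjacent or overlapping networks, one address family at a time."""
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def _inside(net, others):
    """True if net lies entirely within one of the networks in others."""
    return any(net.version == o.version and net.subnet_of(o) for o in others)


def audit_origin_rules(waf_cidrs, rules, port):
    """Audit the allow rules for one origin port.

    Returns (uncovered, direct):
      uncovered - WAF back-to-origin blocks that are not fully allowed, so
                  WAF cannot forward legitimate requests from them
      direct    - allowed sources outside the WAF blocks, which reach the
                  origin without being filtered by WAF
    """
    waf = [ipaddress.ip_network(c) for c in waf_cidrs]
    allowed = _collapse([ipaddress.ip_network(src) for src, p in rules if p == port])
    uncovered = [str(w) for w in waf if not _inside(w, allowed)]
    direct = [str(a) for a in allowed if not _inside(a, _collapse(waf))]
    return uncovered, direct


if __name__ == "__main__":
    for port in (443, 80):
        uncovered, direct = audit_origin_rules(WAF_BACK_TO_ORIGIN, ORIGIN_RULES, port)
        print(f"port {port}: uncovered WAF blocks={uncovered} non-WAF sources={direct}")
```

An empty `uncovered` list means every back-to-origin block is allowed on that port; entries in `direct` are sources whose requests to the origin are not filtered by WAF.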