You can deploy Alibaba Cloud WAF and CDN (Content Delivery Network) together to speed up your website and protect against web attacks at the same time. We recommend that you use the following architecture: CDN (entry layer, website speed up) > WAF (intermediate layer, web attacks protection) > Origin.

Note Most CDN providers do not defend against HTTP Flood attacks, which result to accesses to HTTP Flood-attacked domain names are intercepted at the CDN layer. We recommend that you do not deploy WAF and CDN together for domain names that are frequently targeted by HTTP Flood attacks.

Procedure

Suppose you use Alibaba Cloud CDN. Follow these steps to deploy WAF and CDN together:
  1. See Get started with Alibaba Cloud CDN to implement a CDN for your domain name.
  2. Create a website configuration in Alibaba Cloud WAF.
    • Domain name: Enter the CDN-enabled domain name. Wildcard is supported.
    • Server address: Enter the public IP address of the ECS/Server Load Balancer instance, or the external server IP address of the origin server.
    • Any layer 7 proxy (e.g. Anti-DDoS/CDN) enabled?: Check yes.
    For more information, see Website configuration.

  3. When the website configuration is successfully created, WAF generates a dedicated CNAME address for it.
    Note For more information about how to view the WAF CNAME address, see WAF deployment guide.
  4. Modify the CDN configuration to change the origin site address to the WAF CNAME address.
    1. Log on to the Alibaba Cloud CDN console.
    2. Go to the Domain Names page, select the domain to be configured, and click Configure.
    3. Under Origin site settings, click Modify.
    4. Modify origin site information.
      • Type: Select Origin Site.
      • Origin site address IP: Enter the WAF CNAME address.
      • Use the same protocol as the back-to-source protocol: Select Enable.


    5. Under Back-to-Source Settings, make sure that Back-to-Source host is disabled.

After the operation is complete, the traffic goes through CDN, and the dynamic content continues to be checked and protected by WAF.