WAF provides a basic protection capability of 5 Gbit/s against DDoS attacks. If you want to improve the DDoS mitigation capability of WAF, we recommend that you use WAF in combination with Anti-DDoS Pro or Anti-DDoS Premium. This topic describes how to deploy WAF and Anti-DDoS Pro or Anti-DDoS Premium.

Background information

The core capability of WAF is to mitigate attacks at the application layer. WAF can block the requests that are constructed by attackers. However, WAF cannot mitigate DDoS attacks over 5 Gbit/s. The core capability of Anti-DDoS Pro or Anti-DDoS Premium is to mitigate DDoS attacks, especially volumetric attacks. For more information, see Anti-DDoS Pro.

Attackers rarely rely on a single attack method. Instead, they use a variety of methods. For example, attackers may combine volumetric attacks and sophisticated web attacks. Therefore, a single security protection method cannot achieve the desired protective effect. We recommend that you analyze the attacks and select appropriate protection methods.

WAF is fully compatible with Anti-DDoS Pro or Anti-DDoS Premium. You can deploy WAF and Anti-DDoS Pro or Anti-DDoS Premium in the following sequence: Anti-DDoS Pro or Anti-DDoS Premium, WAF, and origin servers. Anti-DDoS Pro or Anti-DDoS Premium is deployed at the ingress layer to protect against DDoS attacks. WAF is deployed at the intermediate layer to protect applications.

Procedure

  1. Add the domain name that you want to protect to WAF.
    1. Log on to the WAF console.
    2. In the left-side navigation pane, choose Asset Center > Website Access. On the page that appears, click Website Access.
    3. Add the domain name and configure the following parameters:
      • Domain Name: Enter the domain name that you want to protect.
      • Destination Server (IP Address): Select IP. Then, enter the public IP address of the SLB instance, the public IP address of the ECS instance, or the IP address of the server that is not deployed on Alibaba Cloud.
      • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.
      Note: For more information, see Add websites.
      The domain name is added to WAF.
    4. On the Website Access page, copy the canonical name (CNAME) that is generated by WAF.
  2. Add the domain name to Anti-DDoS Pro or Anti-DDoS Premium.
    1. Log on to the Anti-DDoS Pro console.
    2. In the left-side navigation pane, choose Provisioning > Website Config and click Add Domain.
    3. In the Enter Site Information step, configure the following parameters and click Add.
      • Function Plan and Instance: Select the function plan and the Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use.
      • Domain: Enter the domain name of the website that you want to protect.
      • Protocol: Select the protocol supported by origin servers.
      • Server IP: Select Origin Server Domain and enter the CNAME that you copied in Step 1.
      Note: For more information, see Add forwarding rules.
      After you add the domain name, Anti-DDoS Pro or Anti-DDoS Premium generates a CNAME.
  3. Change the DNS record of the domain name. Visit the website of your DNS provider and add a CNAME record that points to the CNAME that you obtained in Step 2.
    Note: For more information, see Configure service traffic forwarding.

Result

After the configuration is complete, the traffic passes through Anti-DDoS Pro or Anti-DDoS Premium and then is forwarded to WAF.
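
To confirm the result, you can check that the public DNS record from Step 3 points at the Anti-DDoS CNAME and not at the WAF CNAME or the origin IP address. The following script is an added example, not vendor code: it parses `dig +noall +answer` output, and every domain name, CNAME, and IP address in it is a constructed placeholder.

```python
# Added example, not vendor code. All names, CNAMEs and IPs below are constructed.

def parse_dig_answer(text):
    """Parse `dig +noall +answer` output into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        name, rtype, value = fields[0], fields[3], fields[4]
        records.append((name.rstrip(".").lower(), rtype.upper(), value.rstrip(".").lower()))
    return records

def check_chain(domain, records, ddos_cname, waf_cname, origin_ips):
    """Return findings; an empty list means the domain's DNS record
    points at the Anti-DDoS CNAME from Step 2 and no origin IP is published."""
    domain, ddos_cname, waf_cname = (
        s.rstrip(".").lower() for s in (domain, ddos_cname, waf_cname))
    cnames = {n: v for n, t, v in records if t == "CNAME"}
    addrs = {v for _, t, v in records if t in ("A", "AAAA")}
    findings = []
    target = cnames.get(domain)
    if target is None:
        findings.append("no CNAME record for domain (Step 3 not applied)")
    elif target == waf_cname:
        findings.append("domain points at the WAF CNAME; Anti-DDoS is bypassed")
    elif target != ddos_cname:
        findings.append("domain points at unexpected CNAME " + target)
    exposed = addrs & {ip.lower() for ip in origin_ips}
    if exposed:
        findings.append("origin IP published in DNS: " + ", ".join(sorted(exposed)))
    return findings

# Constructed sample answers (placeholder CNAMEs, documentation IP ranges).
DDOS, WAF, ORIGIN = "ddos-cname.example", "waf-cname.example", ["203.0.113.10"]
GOOD = """www.example.com. 600 IN CNAME ddos-cname.example.
ddos-cname.example. 60 IN A 198.51.100.7"""
TO_WAF = """www.example.com. 600 IN CNAME waf-cname.example.
waf-cname.example. 60 IN A 198.51.100.99"""
TO_ORIGIN = "www.example.com. 600 IN A 203.0.113.10"

def run(sample):
    return check_chain("www.example.com", parse_dig_answer(sample), DDOS, WAF, ORIGIN)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("to_waf", TO_WAF), ("to_origin", TO_ORIGIN)):
        print(label, run(sample) or "OK")
```

Replace the placeholders with your domain name, the CNAMEs copied in Step 1 and Step 2, and your origin IP addresses, then pass in the answer section returned by `dig` for the domain.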