Cloud-native API Gateway integrates with Alibaba Cloud Web Application Firewall 3.0 (WAF 3.0), supporting both instance-level and route-level protection for your websites and applications.
How it works
WAF scrubs malicious traffic and forwards only safe requests to your servers, protecting your services and data. Unlike traditional WAF deployments, this integration routes requests directly through the API gateway without a separate WAF hop, improving performance without sacrificing security. The following figure compares the architecture before and after the integration.

Billing
The WAF integration is free on Cloud-native API Gateway. You are billed separately for WAF 3.0 based on usage.
Methods
-
(Recommended) Enable WAF from the Cloud-native API Gateway console: Enable instance-level protection and Enable route-level protection.
Enable instance-level protection
This operation might restart the gateway instance.
-
Log on to the Cloud-native API Gateway console. In the left-side navigation pane, choose Instance. In the top menu bar, select a region.
NoteWAF 3.0 is currently unavailable in the China (Shanghai) Finance region.
-
On the Instance page, click the ID of the target gateway instance.
-
On the Overview page, select the Basic Information tab. Find WAF and click Enable on the right.
-
In the Enable instance-level WAF protection dialog box, click Continue to enable instance-level WAF protection (Recommended).
Enable route-level protection
This operation might restart the gateway instance.
Log on to the API Gateway console.
In the left-side navigation pane, click . In the top navigation bar, select a region.
-
Click an existing HTTP or WebSocket API. On the API details page, click the target route name. Select the Configure Policy tab, click WAF, and then click Enable route-level WAF protection (Recommended).
-
In the Enable Route-level WAF Protection dialog box, click OK.
Next steps
After you enable WAF, rule-based protection and HTTP flood protection activate by default. Rule-based protection defends against SQL injection, Cross-Site Scripting (XSS), and webshell uploads. HTTP flood protection mitigates HTTP flood attacks. For enhanced security, configure additional modules and custom rules in the Gateway protection configuration guide.
FAQ
Does the gateway support WAF 2.0?
Yes. Add the IP address of the Server Load Balancer (SLB) instance associated with your Cloud-native API Gateway instance to the WAF back-to-origin address list as described in the WAF tutorial.