All Products
Search
Document Center

API Gateway:Enable Web Application Firewall

Last Updated:Jun 03, 2026

Cloud-native API Gateway integrates with Alibaba Cloud Web Application Firewall 3.0 (WAF 3.0), supporting both instance-level and route-level protection for your websites and applications.

How it works

WAF scrubs malicious traffic and forwards only safe requests to your servers, protecting your services and data. Unlike traditional WAF deployments, this integration routes requests directly through the API gateway without a separate WAF hop, improving performance without sacrificing security. The following figure compares the architecture before and after the integration.

image.png

Billing

The WAF integration is free on Cloud-native API Gateway. You are billed separately for WAF 3.0 based on usage.

Methods

Enable instance-level protection

Important

This operation might restart the gateway instance.

  1. Log on to the Cloud-native API Gateway console. In the left-side navigation pane, choose Instance. In the top menu bar, select a region.

    Note

    WAF 3.0 is currently unavailable in the China (Shanghai) Finance region.

  2. On the Instance page, click the ID of the target gateway instance.

  3. On the Overview page, select the Basic Information tab. Find WAF and click Enable on the right.

  4. In the Enable instance-level WAF protection dialog box, click Continue to enable instance-level WAF protection (Recommended).

Enable route-level protection

Important

This operation might restart the gateway instance.

  1. Log on to the API Gateway console.

  2. In the left-side navigation pane, click Cloud-native API Gateway > API. In the top navigation bar, select a region.

  3. Click an existing HTTP or WebSocket API. On the API details page, click the target route name. Select the Configure Policy tab, click WAF, and then click Enable route-level WAF protection (Recommended).

  4. In the Enable Route-level WAF Protection dialog box, click OK.

Next steps

After you enable WAF, rule-based protection and HTTP flood protection activate by default. Rule-based protection defends against SQL injection, Cross-Site Scripting (XSS), and webshell uploads. HTTP flood protection mitigates HTTP flood attacks. For enhanced security, configure additional modules and custom rules in the Gateway protection configuration guide.

FAQ

Does the gateway support WAF 2.0?

Yes. Add the IP address of the Server Load Balancer (SLB) instance associated with your Cloud-native API Gateway instance to the WAF back-to-origin address list as described in the WAF tutorial.

Related documents