All Products
Search
Document Center

Configure WAF

Last Updated: Mar 22, 2022

This topic describes how to configure Web Application Firewall (WAF) to enhance security of the APIs published on API Gateway.

1. Overview

API Gateway provides a range of security features to protect APIs, such as authentication, tamper-proofing, anti-replay, parameter validation, full-link signature verification, and throttling. To protect APIs against attack requests crafted by attackers, such as the top 10 web attacks defined by Open Web Application Security Project (OWASP) at the application layer and brute-force attacks, you can use WAF for enhanced security protection. This prevents data breach and better ensures the security of your business.

API Gateway is fully compatible with WAF. Follow the operations described in section 3 "Procedure" to configure WAF.

2. Prerequisites

3. Procedure

Step 1: Bind your domain name to an API group. For more information, see Bind a domain name to an API group. The following page shows that a domain name is bound to an API group.

Notice

You need to configure WAF in the next step. We recommend that you bind the domain name by adding a TXT record in this step.

Step 2: Add the domain name to WAF. Log on to the WAF console. Choose Asset Center > Website Access in the left-side navigation pane. On the Website Access page, click Website Access. On the Add Domain Name page, click the Manually Add tab and add the domain name.

Set the following parameters:

  • Domain Name: Enter the domain name that is bound to the API group in Step 1.

  • Protocol Type: Select the protocol for publishing APIs in the API Gateway console.

  • Destination Server (IP Address): Select Domain Name (Such as CNAME) and enter the second-level domain name that is allocated to the API group.

Click Next and perform subsequent configurations by following the on-screen instructions. Then, add a CNAME record for the domain name to resolve the domain name to the CNAME generated by WAF. This way, your business traffic is switched to WAF.

CNAME