
API Gateway:Configure WAF

Last Updated:Dec 25, 2025

This topic describes how to configure Web Application Firewall (WAF) to enhance the security of APIs published in API Gateway.

Overview

API Gateway provides core security features for your APIs, including authentication, tamper-proofing, anti-replay, parameter validation, full-link signatures, and throttling. These features do not cover application-layer attacks such as the OWASP Top 10 and brute-force attacks; to protect against those, place Web Application Firewall (WAF) in front of API Gateway. WAF helps prevent data breaches and improves the security of your services.

API Gateway is fully compatible with WAF. Follow these steps to add WAF protection to your APIs.

Prerequisites

Procedure

  1. Bind a custom domain name to your API group. For more information, see Call an API using a custom domain name. The following figure shows a successful binding:

    [Figure: custom domain name bound to the API group]

    Important

    When you bind the domain name, use a TXT record for resolution. This record is required for the WAF configuration.

  2. Add a domain name in WAF. Go to the WAF console.

    Web Application Firewall 2.0

    1. In the navigation pane on the left, choose Management > Website Configuration, and then click Add Site. Configure the following parameters:

      • Domain Name: Enter the same domain name that you bound to the API group in Step 1.

      • Protocol Type: Select the same protocol type that you used to publish the API in API Gateway.

      • Server Address: Select Other Address and enter the public second-level domain name assigned to the API group.

    2. Click Next and follow the prompts to add the site. Then, add a CNAME record for the domain name to resolve it to the CNAME address of WAF. This routes your service traffic to WAF.

      [Figure: CNAME address of WAF]

    Web Application Firewall 3.0

    1. In the navigation pane on the left, choose Provisioning. On the CNAME Provisioning tab, click Add and complete the provisioning process. For more information, see Enable WAF protection for a website using a CNAME record.

      • In the Listener Configuration section, configure the following parameters:

        • Domain Name: Enter the same domain name that you bound to the API group in Step 1.

        • Protocol Type: Select the same protocol type that you used to publish the API in API Gateway.

      • In the Forwarding Configuration section, configure the following parameters:

        • Origin Domain Name: Enter the public second-level domain name assigned to the API group.

      [Figure: CNAME provisioning configuration in WAF 3.0]

  3. In the API Gateway console, disable access through the group's second-level domain name. This prevents users from bypassing WAF to access API Gateway directly. After you disable access, direct calls that use the second-level domain name fail. Calls made through the WAF domain name are not affected.

    [Figure: second-level domain name access disabled for the API group]
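The procedure above leaves two things to verify once it is complete: the custom domain name must resolve to the WAF CNAME address rather than straight to the API group's second-level domain name (steps 1 and 2), and a direct call through the second-level domain name must fail while a call through the custom domain name still succeeds (step 3). The following audit script is an added example and is not part of this topic or of the API Gateway or WAF products. The domain names, the WAF CNAME value, the `resolve_cname` and `http_status` callables, and the rule that a "failed" direct call is any non-2xx response are all assumptions made for the example; the DNS answers and HTTP statuses in `main` are constructed, not captured from a real deployment.

```python
"""Audit that a custom API Gateway domain is fronted by WAF and cannot be bypassed.

Added example; the checks mirror the three steps of the WAF procedure:
  1/2. custom domain -> CNAME -> WAF CNAME address (not directly to the API group)
  3.   direct calls via the group's second-level domain name fail,
       calls via the custom domain name succeed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import subprocess
import urllib.error
import urllib.request


@dataclass
class AuditResult:
    passed: bool
    findings: List[str] = field(default_factory=list)


def audit_waf_front(custom_domain: str, waf_cname: str, group_domain: str,
                    resolve_cname: Callable[[str], Optional[str]],
                    http_status: Callable[[str], int]) -> AuditResult:
    """Return an AuditResult; every finding describes a gap in the WAF setup."""
    findings: List[str] = []
    normalize = lambda name: name.rstrip(".").lower()

    # Check 1/2: the custom domain must be routed to WAF by its CNAME record.
    target = resolve_cname(custom_domain)
    if target is None:
        findings.append(f"{custom_domain} has no CNAME record; traffic is not routed to WAF")
    elif normalize(target) == normalize(group_domain):
        findings.append(f"{custom_domain} points straight at {group_domain}; WAF is bypassed")
    elif normalize(target) != normalize(waf_cname):
        findings.append(f"{custom_domain} points at {target}, not the WAF CNAME {waf_cname}")

    # Check 3: direct access through the second-level domain must be disabled
    # (assumption: 'fails' means any non-2xx response), while the WAF path works.
    direct = http_status(group_domain)
    if 200 <= direct < 300:
        findings.append(f"direct call to {group_domain} returned {direct}; second-level "
                        "domain access is still enabled, so WAF can be bypassed")
    via_waf = http_status(custom_domain)
    if not 200 <= via_waf < 300:
        findings.append(f"call through {custom_domain} returned {via_waf}; WAF forwarding "
                        "to the API group is not working")

    return AuditResult(passed=not findings, findings=findings)


# Live helpers (not used by the self-test): shell out to dig, probe with urllib.
def live_resolve_cname(name: str) -> Optional[str]:
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


def live_http_status(host: str) -> int:
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main() -> None:
    # Constructed sample: a correct setup and a misconfigured one.
    good_dns = {"api.example.com": "abc123.waf.example.net."}
    good_http = {"api.example.com": 200, "abc123-cn-hangzhou.alicloudapi.example": 403}
    bad_dns = {"api.example.com": "abc123-cn-hangzhou.alicloudapi.example."}
    bad_http = {"api.example.com": 200, "abc123-cn-hangzhou.alicloudapi.example": 200}
    for dns, http in ((good_dns, good_http), (bad_dns, bad_http)):
        result = audit_waf_front("api.example.com", "abc123.waf.example.net",
                                 "abc123-cn-hangzhou.alicloudapi.example",
                                 dns.get, lambda h, t=http: t.get(h, 502))
        print("PASS" if result.passed else "FAIL", *result.findings, sep="\n  ")


if __name__ == "__main__":
    main()
```

Run it with the live helpers (`audit_waf_front(custom, waf_cname, group, live_resolve_cname, live_http_status)`) after finishing step 3; any finding means WAF can still be bypassed or is not forwarding, and the setup should be rechecked before publishing the domain to callers.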