
API Gateway: WAF integration

Last Updated: Jun 30, 2026

This topic explains how to configure Web Application Firewall (WAF) to enhance the security of APIs published on API Gateway.

Overview

API Gateway provides core security features, such as authentication, anti-tampering, anti-replay, parameter validation, end-to-end signing, and throttling. It does not, however, inspect request content for application-layer attacks such as the OWASP Top 10 or brute-force attempts. To defend against those, place WAF in front of API Gateway so that client traffic flows through WAF, is inspected, and is only then forwarded to your APIs. This helps prevent intrusions and data breaches and better protects your business.

Prerequisites

  • You have activated WAF.

  • You have published APIs on API Gateway.

Procedure

  1. Bind a custom domain name to an API group. For more information, see Call an API by using a custom domain name.

    On the Custom Domain Names management page in the API Gateway console, click Bind Domain Name in the upper-right corner to add a custom domain name. The table of bound domain names includes these columns:

    • Custom domain name: The domain name that you bound to the API group.

    • Network type: For example, Internal Network.

    • WebSocket channel status: If the channel is not enabled, click the Enable link to enable it.

    • Validity status: For example, Normal.

    • Environment: For example, Default.

    • SSL certificate: Displays the certificate expiration date. You can click Update Certificate to update it.

    • Automatic HTTP to HTTPS redirect: If not enabled, click the Enable link to enable it.

    • Actions: Includes Delete Domain Name, Change Environment, and Delete Certificate.

    Important

    Verify ownership of the domain name with a TXT record, not a CNAME record. In Step 2 the domain's CNAME record will be pointed at the WAF CNAME address, and a DNS name can carry only one CNAME record, so a CNAME-based verification record would conflict with the WAF record.

  2. Go to the WAF console and add the domain name.

    WAF 2.0

    1. In the left-side navigation pane, choose Management > Website Configuration, and then click Add Site. On the Add Website page, configure the following parameters:

      • Domain name: The domain name to protect. It must be the same custom domain name that you bound to the API group in Step 1.

      • Protocol type: Must match the protocol type of the API published in API Gateway (for example, HTTP).

      • Origin server address: Select Other addresses, and then enter the public subdomain assigned to the API Gateway group. WAF forwards inspected requests to this address.

      • Server port: The default port for HTTP is 80 (443 for HTTPS).

      • Is there a Layer 7 proxy (such as Anti-DDoS or CDN) in front of WAF?: Select No.

      • Load balancing algorithm: Select IP hash.

      • Resource group: Select the default resource group.

    2. Click Next and follow the prompts to add the website. After the website is added, add a CNAME record that points your domain name to the WAF CNAME address. This will route your traffic through WAF.

      To find the CNAME address, log on to the WAF console. In the left-side navigation pane, choose Website Access. On the Domain List tab, find and expand your domain name to view its CNAME address.

    WAF 3.0

    1. In the left-side navigation pane, choose Access Management. On the CNAME Access tab, click Add, and follow Use CNAME access to enable WAF protection for a website to complete the process.

      • In the Configure Listener step, configure the following parameters:

        • Domain Name: The domain name to protect. It must be the same custom domain name that you bound to the API group in Step 1.

        • Protocol Type: Select HTTP or HTTPS (at least one). It must match the protocol type of the API published in API Gateway. For HTTPS, you can enable SM-based HTTPS.

        • Is a Layer 7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF?: Select Yes or No.

        • More Settings: Lets you enable IPv6 and a Dedicated IP.

        • Protection Resource: Select Shared Cluster or Shared Cluster with Intelligent Load Balancing.

        • Resource Group: Select a resource group from the drop-down list.

      • In the Configure Forwarding Rule step, configure the following parameter:

        • Origin domain name: Enter the public subdomain of the API group. WAF forwards inspected requests to this address.

      As with WAF 2.0, finish by adding a CNAME record that points your domain name to the WAF CNAME address shown in the console, so that traffic is routed through WAF.

  3. After completing these steps, disable access through the public subdomain in the API Gateway console. WAF only inspects traffic that passes through it: as long as the public subdomain still answers, anyone who learns it can send requests straight to API Gateway and bypass WAF. After you disable access, direct requests to the public subdomain fail, but requests that WAF forwards to the origin are not affected, because they still carry your custom domain name in the Host header and continue to match the API group.

    On the basic information page of the API group in the API Gateway console, find the Subdomain section. It lists the public subdomain (for testing only, limited to 1,000 requests per day; we recommend binding a custom domain name), the self-invoking subdomain, and the internal VPC subdomain. Next to the subdomain list, click Disable Public Subdomain Access.
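The following script is an added example, not part of this page and not an API Gateway or WAF tool. It performs the checks a practitioner would run after Steps 1 to 3: that the custom domain's CNAME chain ends at the WAF CNAME address (Step 2), that the TXT ownership record from Step 1 is still published, and that the public subdomain no longer serves requests directly (Step 3). It also probes the origin with the custom domain as the Host header, which this page does not discuss, so that you know whether the origin honours that name from any client. Every hostname, the WAF CNAME suffix, the TXT token and the /ping path are placeholders to replace with your own values; the DNS answers in the main block are constructed, and the HTTP probes need network access.

```python
"""Post-integration checks for an API Gateway group fronted by WAF.

Added example, not part of the original page and not an API Gateway or WAF
tool. Every hostname, the WAF CNAME suffix and the TXT token below are
placeholders (assumptions); replace them with your own values.
"""
import socket
import urllib.error
import urllib.request

CUSTOM_DOMAIN = "api.example.com"                 # custom domain bound to the API group (placeholder)
PUBLIC_SUBDOMAIN = "group-id.apigw.example.test"  # public subdomain of the API group, i.e. the WAF origin (placeholder)
WAF_CNAME_SUFFIXES = (".waf.example.net",)        # suffix of the WAF CNAME address shown in the WAF console (placeholder)
TXT_TOKEN = "apigateway-ownership-token"          # TXT value API Gateway asked you to publish in Step 1 (placeholder)


def _norm(name):
    return name.rstrip(".").lower()


def follow_cname(domain, cname_records, max_hops=8):
    """Follow a CNAME chain using a {name: target} map and return the terminal name.

    Raises ValueError on a loop or an over-long chain."""
    seen = set()
    name = _norm(domain)
    while name in cname_records:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % name)
        seen.add(name)
        name = _norm(cname_records[name])
    return name


def routed_through_waf(domain, cname_records, waf_suffixes=WAF_CNAME_SUFFIXES):
    """True if the custom domain's CNAME chain ends at the WAF CNAME address (Step 2)."""
    return follow_cname(domain, cname_records).endswith(waf_suffixes)


def txt_verified(domain, txt_records, token=TXT_TOKEN):
    """True if the ownership TXT record requested in Step 1 is still published."""
    return token in txt_records.get(_norm(domain), [])


def probe(url, host_header=None, timeout=5):
    """GET `url` and return the HTTP status, or None if no HTTP response came back.

    A TLS name mismatch (origin address with a foreign Host header) also yields None."""
    headers = {"Host": host_header} if host_header else {}
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def classify(status_via_waf, status_direct, status_origin_custom_host=None):
    """Turn the probe results into a verdict.

    status_via_waf:            status from the custom domain (traffic through WAF)
    status_direct:             status from the public subdomain with its own Host header
    status_origin_custom_host: status from the public subdomain with the custom domain as Host
    A 2xx means the API answered; any non-2xx status or None counts as blocked."""
    def served(status):
        return status is not None and 200 <= status < 300

    if status_via_waf is None:
        return "waf_path_broken"             # Step 2 incomplete or DNS not yet propagated
    if served(status_direct):
        return "public_subdomain_open"       # Step 3 not applied: WAF can be bypassed
    if served(status_origin_custom_host):
        return "origin_accepts_custom_host"  # origin honours your Host header from any client
    return "ok"


if __name__ == "__main__":
    # Constructed DNS answers standing in for `dig +short CNAME api.example.com`.
    cnames = {CUSTOM_DOMAIN: "abc123" + WAF_CNAME_SUFFIXES[0]}
    txts = {CUSTOM_DOMAIN: [TXT_TOKEN]}
    print("CNAME -> WAF:", routed_through_waf(CUSTOM_DOMAIN, cnames))
    print("TXT present: ", txt_verified(CUSTOM_DOMAIN, txts))
    # Live HTTP probes (need network and real values; /ping is a placeholder path).
    via = probe("https://%s/ping" % CUSTOM_DOMAIN)
    direct = probe("https://%s/ping" % PUBLIC_SUBDOMAIN)
    origin_host = probe("https://%s/ping" % PUBLIC_SUBDOMAIN, host_header=CUSTOM_DOMAIN)
    print("verdict:", classify(via, direct, origin_host))
```

Run it after DNS has propagated. A `waf_path_broken` verdict means the custom domain is not answering at all (check the CNAME and the WAF listener); `public_subdomain_open` means Step 3 has not taken effect and the API is reachable without passing through WAF. An `origin_accepts_custom_host` verdict is outside what this page covers: it shows that the origin serves your custom domain to any client that sets the Host header, so consider restricting origin access to WAF's back-to-origin addresses in addition to disabling the public subdomain.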