If your services are frequently attacked, you can use Application Load Balancer (ALB) instances that have Web Application Firewall (WAF) enabled to protect your services.
Background information
A WAF-enabled ALB instance is a specific type of ALB instance. You can use WAF-enabled ALB instances to prevent common network attacks, such as DDoS attacks, SQL injection, cross-site scripting, malicious HTTP requests, and SSH brute force attacks. WAF-enabled ALB instances support various HTTP protocols and encoding algorithms to help you build an in-depth and precise security system. For more information about the features of WAF-enabled ALB instances, see Benefits of WAF-enabled ALB instances. For more information about WAF, see What is WAF?
For more information about the billing rules of WAF-enabled ALB instances, see ALB billing rules.
Prerequisites
The ALB Ingress controller is installed in the cluster.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Configure a WAF-enabled ALB instance
When you create an ALB instance or modify the configuration of an existing ALB instance, you can configure the edition parameter in the AlbConfig.
Add the edition parameter to the AlbConfig and set the value to StandardWithWaf to enable WAF for the ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressType: Internet
    edition: StandardWithWaf # Enable WAF protection.
    zoneMappings:
    #...

If the ALB instance no longer needs WAF protection, set the value of the edition parameter to Standard.
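Because one edit of the edition value turns WAF off, it helps to check AlbConfig manifests before they are applied. The script below is an added example, not part of the original documentation: the function names, the second sample AlbConfig (alb-nowaf) and the minimal indentation-based parsing of block-style YAML are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every AlbConfig in a YAML stream with its edition and
# exit non-zero if any is not StandardWithWaf. Handles block-style YAML only.
audit_albconfig_waf() {
  awk '
    function emit(   ok) {
      if (kind == "AlbConfig") {
        if (edition == "") edition = "unset"
        ok = (edition == "StandardWithWaf")
        printf "%s %s %s\n", name, edition, (ok ? "OK" : "NO_WAF")
        if (!ok) bad = 1
      }
      kind = ""; name = "unknown"; edition = ""; top = ""; l1 = -1; l2 = -1
    }
    BEGIN { name = "unknown"; l1 = -1; l2 = -1 }
    /^---/ { emit(); next }               # document separator
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)         # drop trailing comment
      if (line ~ /^[ \t]*(#.*)?$/) next   # blank or comment-only line
      indent = match(line, /[^ ]/) - 1
      key = substr(line, indent + 1); val = key
      sub(/[ \t]*:.*$/, "", key)
      sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
      if (indent == 0) { top = key; l1 = -1; l2 = -1; if (key == "kind") kind = val; next }
      if (l1 < 0 || indent <= l1) {       # direct child of a top-level key
        l1 = indent; second = key; l2 = -1
        if (top == "metadata" && key == "name") name = val
        next
      }
      if (l2 < 0) l2 = indent             # depth of the grandchildren
      if (indent == l2 && top == "spec" && second == "config" &&
          key == "edition") edition = val
    }
    END { emit(); exit bad + 0 }
  '
}

# Constructed sample input: one WAF-enabled AlbConfig and one without WAF.
sample_manifests() {
  printf '%s\n' 'kind: AlbConfig' 'metadata:' '  name: alb' 'spec:' '  config:' \
    '    addressType: Internet' '    edition: StandardWithWaf # Enable WAF protection.' \
    '---' 'kind: AlbConfig' 'metadata:' '  name: alb-nowaf' 'spec:' '  config:' \
    '    addressType: Internet' '    edition: Standard'
}

sample_manifests | audit_albconfig_waf || echo "at least one AlbConfig has WAF disabled"
```

Run it against a manifest file with `audit_albconfig_waf < albconfig.yaml` (file name is a placeholder); an AlbConfig with no edition key is reported as `unset` and treated as a failure.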
References
For more information about how to enforce access control based on source IP addresses, see Configure an ACL to enable access control.
For more information about how to authenticate client identities, see Use HTTPS mutual authentication to enhance service security.