If your services are frequently attacked, enable Web Application Firewall (WAF) on Application Load Balancer (ALB) instances to protect them. WAF-enabled ALB instances defend against DDoS attacks, SQL injection, cross-site scripting (XSS), malicious HTTP requests, and SSH brute force attacks. WAF-enabled ALB instances support various HTTP protocols and encoding algorithms to help you build an in-depth and precise security system.
For more information, see Benefits of WAF-enabled ALB instances and What is WAF?
For more information about the billing rules of WAF-enabled ALB instances, see ALB billing rules.
Prerequisites
Before you begin, ensure that you have:
The ALB Ingress controller installed in the cluster
A kubectl client connected to the ACK cluster — for setup instructions, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster
Enable WAF protection
Set the edition parameter in AlbConfig to StandardWithWaf to enable WAF, or Standard to disable it. Apply this change when creating a new ALB instance or modifying an existing one.
| Parameter | Allowed values | Description |
|---|---|---|
| edition | Standard, StandardWithWaf | The edition of the ALB instance. Set to StandardWithWaf to enable WAF protection. Set to Standard to disable it. |
To enable WAF, set edition to StandardWithWaf in your AlbConfig:
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressType: Internet
    # StandardWithWaf enables WAF protection; Standard disables it.
    edition: StandardWithWaf
    zoneMappings:
    #...
```

To disable WAF, set edition to Standard and reapply.
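As an added example (not from the original page and not Alibaba Cloud's own tooling), the following Python script audits AlbConfig objects for the edition setting described above and flags Internet-facing instances that are not set to StandardWithWaf. It assumes input shaped like the output of `kubectl get albconfig -o json`; the sample objects, the names alb-public-legacy and alb-internal, and the ok/warn/fail verdicts are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get albconfig -o json` output (assumption).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "AlbConfig", "metadata": {"name": "alb"},
   "spec": {"config": {"addressType": "Internet", "edition": "StandardWithWaf"}}},
  {"kind": "AlbConfig", "metadata": {"name": "alb-public-legacy"},
   "spec": {"config": {"addressType": "Internet", "edition": "Standard"}}},
  {"kind": "AlbConfig", "metadata": {"name": "alb-internal"},
   "spec": {"config": {"addressType": "Intranet"}}}
]}
""")


def audit_albconfigs(doc):
    """Return (name, addressType, edition, verdict) for every AlbConfig in doc."""
    # Accept either a single AlbConfig object or a List wrapper around several.
    items = [doc] if doc.get("kind") == "AlbConfig" else doc.get("items", [])
    findings = []
    for item in items:
        if item.get("kind") != "AlbConfig":
            continue
        config = (item.get("spec") or {}).get("config") or {}
        name = (item.get("metadata") or {}).get("name", "<unnamed>")
        address_type = config.get("addressType", "<unset>")
        edition = config.get("edition", "<unset>")
        if edition == "StandardWithWaf":
            verdict = "ok"      # WAF explicitly enabled
        elif address_type == "Internet":
            verdict = "fail"    # Internet-facing without WAF enabled
        else:
            verdict = "warn"    # not declared Internet-facing; review manually
        findings.append((name, address_type, edition, verdict))
    return findings


def unprotected(doc):
    """Names of Internet-facing AlbConfigs not set to StandardWithWaf."""
    return [name for name, _, _, verdict in audit_albconfigs(doc) if verdict == "fail"]


if __name__ == "__main__":
    # Optional argument: path to a JSON file saved from kubectl; else the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, addr, edition, verdict in audit_albconfigs(doc):
        print(f"{verdict.upper():4} {name:20} addressType={addr:9} edition={edition}")
    sys.exit(1 if unprotected(doc) else 0)
```

The non-zero exit status when any Internet-facing AlbConfig lacks WAF lets the script act as a gate in a deployment pipeline.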
Next steps
Configure an ACL to enable access control — enforce access control based on source IP addresses
Use HTTPS mutual authentication to enhance service security — authenticate client identities