If your website service encounters volumetric attacks and sophisticated web application
attacks, a single network security service is insufficient to protect the website
service. We recommend that you add the website service to both Anti-DDoS Pro or Anti-DDoS
Premium and Web Application Firewall (WAF) for protection. This topic describes how
to add a website service to both Anti-DDoS Pro or Anti-DDoS Premium and WAF.
Background information
To configure Anti-DDoS Pro or Anti-DDoS Premium and WAF for your website service,
you can apply the following network architecture: Use Anti-DDoS Pro or Anti-DDoS Premium
at the ingress to defend against DDoS attacks. Use WAF at the intermediate layer to
defend against web application attacks. Configure an Elastic Compute Service (ECS)
instance, Server Load Balancer (SLB) instance, virtual private cloud (VPC), or server
in a data center as the origin server. This way, traffic is scrubbed by Anti-DDoS
Pro or Anti-DDoS Premium and then filtered by WAF. Only service traffic is forwarded
to the origin server. This ensures service and data security.
Note: After you apply the preceding architecture, requests are sent to multiple intermediate
proxy servers before they reach the origin server. The origin server cannot directly
obtain the originating IP addresses of the requests. For more information about how
to obtain the originating IP addresses, see Obtain the actual source IP addresses of requests.
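The following is an added example, not part of the original documentation: one way for the origin server to recover the originating IP address behind both proxy layers. It assumes the proxies pass the address chain in an X-Forwarded-For header, and the CIDR ranges are constructed placeholders for the back-to-origin ranges of your own Anti-DDoS and WAF instances.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737). Assumption: replace them with the
# back-to-origin ranges of your own Anti-DDoS and WAF instances.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for Anti-DDoS Pro/Premium
    ipaddress.ip_network("203.0.113.0/24"),   # stands in for WAF
]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, x_forwarded_for):
    """Return the originating IP of a request received from TCP peer `peer`."""
    peer_addr = ipaddress.ip_address(peer)
    # Honour the header only when the connection comes from a known proxy;
    # a client that reaches the origin directly can put anything in it.
    if not is_trusted(peer_addr) or not x_forwarded_for:
        return str(peer_addr)
    # Each proxy appends the address it received the request from, so walk the
    # list from the right and stop at the first hop that is not a known proxy.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: nothing to its left can be verified
        if not is_trusted(addr):
            return str(addr)
    return str(peer_addr)  # header held only proxy addresses or was malformed


# Constructed request: client 192.0.2.55 -> Anti-DDoS 198.51.100.7 -> WAF 203.0.113.10
SAMPLE_PEER = "203.0.113.10"
SAMPLE_XFF = "192.0.2.55, 198.51.100.7"

if __name__ == "__main__":
    print(client_ip(SAMPLE_PEER, SAMPLE_XFF))
    # A forged left-most entry is ignored because the walk starts from the right.
    print(client_ip(SAMPLE_PEER, "10.1.1.1, " + SAMPLE_XFF))
```

If the origin also accepts connections from addresses outside the proxy ranges, the header is ignored for those requests and the TCP peer address is used instead.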
Step 1: Add your website service to WAF
- Log on to the WAF console.
- In the top navigation bar, select the resource group and the region to which the WAF
instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Domain Names tab, click Website Access.
- Add a domain name to WAF.
- Access mode: CNAME record mode
Note: On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default. In CNAME record mode, you do not need to modify the value of Access Mode.
- In the Enter Your Website Information step, configure the following parameters based on your business requirements:
Note: The CNAME record mode supports the Automatically Add and Manually Add methods. If
you want to add your website service to both Anti-DDoS Pro or Anti-DDoS Premium and
WAF, we recommend that you use the Manually Add method.
- Domain Name: Enter the domain name of your website that you want to protect.
- Protection Resource: Select the type of protection resource that you want to use.
- Protocol Type: Select the protocol that is supported by your website.
- Destination Server (IP Address): Select IP and enter the public IP address of the SLB or ECS instance on which the origin server
is deployed, or the IP address of the origin server that is not deployed on Alibaba
Cloud.
- Destination Server Port: Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services.
- Load Balancing Algorithm: Select a scheduling algorithm based on your business requirements. If you specify
multiple addresses for the Destination Server (IP Address) parameter, the selected
algorithm is used to schedule requests.
- Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.
- Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature based on your business
requirements.
- Resource Group: If you want to manage cloud resources by department or project, select the resource
group to which the domain name belongs from the resource group drop-down list.
- Click Next.
- On the Domain Names tab, find the domain name that you added, and copy the CNAME that is assigned by WAF to the domain name in the Domain Name/CNAME column.
- Access mode: transparent proxy mode
- On the Add Domain Name page, set Access Mode to Transparent Proxy Mode.
- In the Add Domain Name step, configure the following parameters based on your business requirements:
- Domain Name: Enter the domain name of your website that you want to protect.
- SLB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, or ECS-based Domains: Find the instance that you want to protect on the required tab and select the ports
that correspond to the instance.
- Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.
- Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature based on your business
requirements.
- Resource Group: If you want to manage cloud resources by department or project, select the resource
group to which the domain name belongs from the resource group drop-down list.
- Click Next.
- Check and confirm the information in the Check and Confirm Added Information step
and click Next.
- Click Completed. Return to the website list.
Step 2: Add your website service to Anti-DDoS Pro or Anti-DDoS Premium
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
- Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
- Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium
instances. Make sure that you select the required region when you use Anti-DDoS Pro
or Anti-DDoS Premium.
- In the left-side navigation pane, choose .
- On the Website Config page, click Add Domain.
- Complete the Add Domain wizard.
- In the Enter Site Information step, configure the following parameters based on your business requirements:
- Function Plan: Select the function plan of the instance that you want to use.
- Instance: Select the instance that you want to use.
- Domain: Enter the domain name of your website that you want to protect.
- Protocol: Select the protocol that is supported by your website.
- Enable OCSP: Specify whether to enable the Online Certificate Status Protocol (OCSP) feature.
- Server IP:
- If you add the domain name to WAF in CNAME record mode, select Origin Server Domain and enter the CNAME that is obtained in Step 1.
- If you add the domain name to WAF in transparent proxy mode, select Origin Server IP and enter the public IP address of the origin server.
- Server Port: Specify the port based on the value of the Protocol parameter. The port is used by the origin server to provide services.
- Cname Reuse: Specify whether to enable CNAME reuse based on your business requirements. If multiple
website services are deployed on the same origin server, you can turn on Cname Reuse
to map the domain names of the website services to the CNAME that is assigned by Anti-DDoS
Pro or Anti-DDoS Premium.
- Click Add.
- On the Website Config page, find the domain name that you added, and copy the CNAME that is assigned by Anti-DDoS Pro or Anti-DDoS Premium to the domain name in the
Domain column.

Step 3: Change the DNS record of the domain name
If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record to map the domain name to the
CNAME that is obtained in Step 2. If you use a third-party DNS service, log on to the system of the DNS provider to
change the DNS record. The following example is for reference only.
- Log on to the Alibaba Cloud DNS console.
- On the Manage DNS page, find the domain name for which you want to change the DNS record, and click
Configure in the Actions column to go to the DNS Settings page.
- On the DNS Settings page, find the DNS record that you want to change and click Edit in the Actions column.
Note: If you cannot find the DNS record that you want to change in the list, you can click
Add Record to add a record.
- In the Edit Record (or Add Record) panel, select CNAME - Canonical name for Type and set Value to the CNAME that is obtained in Step 2.
- Click Confirm and wait for the settings to take effect.
- Check whether your website is accessible from a browser.
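A check for the DNS change in Step 3, as an added example that is not part of the original documentation: it parses `dig +noall +answer` output and reports when the domain is not mapped to the CNAME from Step 2 or when an origin address is published in DNS. The CNAME values, addresses and sample outputs are constructed placeholders.

```python
def norm(name):
    return name.rstrip(".").lower()


def parse_dig_answer(text):
    """Parse `dig +noall +answer NAME` output into (owner, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Answer lines look like: owner TTL IN TYPE value
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((norm(parts[0]), parts[3], norm(parts[4])))
    return records


def check_cutover(records, domain, ddos_cname, waf_cname=None, origin_ips=()):
    """Return a list of findings; an empty list means the record looks right."""
    findings = []
    domain, ddos_cname = norm(domain), norm(ddos_cname)
    first_hop = [v for owner, rtype, v in records
                 if owner == domain and rtype == "CNAME"]
    if waf_cname and first_hop == [norm(waf_cname)]:
        findings.append("domain points at the WAF CNAME from Step 1; "
                        "traffic does not pass through Anti-DDoS")
    elif first_hop != [ddos_cname]:
        findings.append("domain is not mapped to the Anti-DDoS CNAME from Step 2")
    exposed = sorted(v for _, rtype, v in records
                     if rtype in ("A", "AAAA") and v in set(origin_ips))
    if exposed:
        findings.append("origin address published in DNS: " + ", ".join(exposed))
    return findings


# Constructed placeholders, not real CNAMEs assigned by either service.
DDOS_CNAME = "ddos-placeholder.example.net"
WAF_CNAME = "waf-placeholder.example.net"
ORIGIN_IPS = {"192.0.2.10"}

# Constructed `dig +noall +answer www.example.com` outputs.
SAMPLE_GOOD = """www.example.com. 600 IN CNAME ddos-placeholder.example.net.
ddos-placeholder.example.net. 60 IN A 198.51.100.20"""
SAMPLE_WAF_ONLY = """www.example.com. 600 IN CNAME waf-placeholder.example.net.
waf-placeholder.example.net. 60 IN A 203.0.113.5"""
SAMPLE_DIRECT = "www.example.com. 600 IN A 192.0.2.10"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_WAF_ONLY, SAMPLE_DIRECT):
        print(check_cutover(parse_dig_answer(sample), "www.example.com",
                            DDOS_CNAME, WAF_CNAME, ORIGIN_IPS))
```

For a domain added to WAF in transparent proxy mode, leave `waf_cname` unset, because Step 1 assigns no CNAME in that mode.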
References
- Add a domain name: This topic describes how to add a domain name to WAF in CNAME record mode.
- Add a domain name in transparent proxy mode: This topic describes how to add a domain name to WAF in transparent proxy mode.
- Add a website: This topic describes how to add a domain name to Anti-DDoS Pro or Anti-DDoS Premium.
This topic also describes how to import the configurations of more than one domain
name to Anti-DDoS Pro or Anti-DDoS Premium at a time.
- Change DNS records to protect website services: This topic describes how to manually change the DNS record of a domain name to protect
the website services corresponding to the domain name in Anti-DDoS Pro or Anti-DDoS
Premium.