All Products
Search
Document Center

Function Compute:Enable WAF protection

Last Updated:Apr 01, 2026

Protect your Function Compute applications from web attacks by integrating Alibaba Cloud Web Application Firewall (WAF) 3.0 with a custom domain name. WAF 3.0 inspects incoming traffic, filters malicious requests, and forwards clean traffic to your backend functions — providing end-to-end security protection for your websites and applications.

Supported regions

WAF integration for Function Compute custom domain names is available only in the following regions:

  • China (Hangzhou)

  • China (Shanghai)

  • China (Beijing)

  • China (Shenzhen)

  • China (Zhangjiakou)

Billing

After you enable WAF for a custom domain name, charges apply based on WAF 3.0 usage. For details, see Billing overview.

Prerequisites

Before you begin, ensure that you have:

Enable WAF when creating a custom domain name

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.

  2. In the top navigation bar, select the target region. On the Custom Domains page, click Add Custom Domain Name.

  3. On the Add Custom Domain Name page, configure the Domain Name parameter. In the WAF Settings section, set Web Application Firewall (WAF) to Enable, then click Create.

For all other domain name parameters, see the "Step 3: Add the custom domain name" section of Configure a custom domain name.

Enable WAF for an existing custom domain name

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.

  2. On the Custom Domains page, find the target domain name and click Modify in the Actions column.

  3. On the Modify Custom Domain Name page, set Web Application Firewall (WAF) to Enable, then click Save.

What's next

After WAF is enabled, all traffic to the custom domain name passes through WAF before reaching your functions.

Two protection features are enabled by default:

FeatureProtects against
Protection rules engineSQL injections, cross-site scripting (XSS) attacks, and webshell uploads
HTTP flood protectionHTTP flood attacks

To configure additional protection features and custom protection rules, see Protection configuration overview.