Global Accelerator:Enable WAF protection for Global Accelerator

How it works

GA integrates WAF in bypass mode. After you enable this feature, a service-based WAF is deployed in the GA acceleration region. Rather than acting as a separate network node for traffic forwarding, WAF only extracts, inspects, and protects traffic to enhance application security.

1. Request reception: A client request arrives at a GA acceleration node.

2. Bypass inspection: GA sends the traffic to a WAF 3.0 instance over an internal channel for a security check.

3. Security analysis: WAF analyzes the request in real time based on your configured protection rules and returns the inspection result (allow or block) to GA.

4. Decision enforcement: GA enforces the decision based on the inspection result.

   • Allow: The request is forwarded to the origin server.

   • Block: The request is blocked, and a block page is returned to the client. The request does not reach the origin server.

Usage notes

• The service-based WAF integration for GA is in phased release. To use this feature, contact your account manager.

• Only pay-as-you-go GA instances support WAF protection.

• If you have WAF 2.0 instances in your account, you must first release them or migrate to WAF 3.0.

Enable WAF protection

• After enabling this feature, your GA instance is automatically connected to the WAF 3.0 service. If WAF is not activated for your account, a pay-as-you-go WAF 3.0 instance is automatically created.

• Supported acceleration regions:

  • If the Accelerated IP Address Type of your instance is EIP, you can enable WAF protection for acceleration regions in the Chinese mainland and regions outside the Chinese mainland separately.

  • If the Accelerated IP Address Type is Anycast EIP, you can enable WAF protection only for acceleration regions outside the Chinese mainland. WAF protection is not currently supported in the UK (London) region.

• After you enable WAF protection, it takes effect only if the instance meets the following conditions:

  • An HTTP or HTTPS listener is configured.

  • An acceleration region that supports WAF protection is configured.

View protection logs

After you enable WAF protection, WAF automatically creates a protected object and enables the core web protection rules by default. You can configure more protection rules as needed.

1. On the , find the target instance.Global Accelerator console

2. Hover over the icon next to the target instance ID. In the Web Application Firewall area, click View WAF Report for the corresponding protection region.

Disable WAF protection

After you disable WAF protection, traffic to your GA instance is no longer inspected by WAF. Security reports no longer include data for this traffic, and WAF stops charging request processing fees.

You are still charged for the WAF instance itself and any configured protection rules. To stop all WAF billing, you must disable WAF.

1. On the , find the target instance.Global Accelerator console

2. Hover over the icon next to the instance ID, and in the Web Application Firewall area, click Configure.

3. In the Configure Web Application Firewall dialog box, select Close for the corresponding protection region and click OK.

Billing

• GA fees: Enabling WAF protection does not affect the billing for your GA instance. GA continues to be billed according to its original billing rules.

• WAF 3.0 fees:

  • If you have not activated WAF, enabling WAF protection for GA automatically creates a WAF 3.0 pay-as-you-go instance.

  • If you already have a WAF 3.0 subscription instance, enabling WAF protection for GA does not incur additional WAF fees.

FAQ