Global Accelerator:Enable WAF Protection for Global Accelerator

How it works

GA integrates WAF using one-arm mode. After you enable WAF, GA deploys a managed WAF service in your acceleration areas. WAF does not act as an independent network node for traffic forwarding. Instead, WAF extracts, inspects, and protects traffic to improve your application’s security protection capabilities.

1. Receive request: The client request reaches a GA edge node.

2. Bypass inspection: GA sends traffic to a WAF 3.0 instance over an internal channel for security inspection.

3. Security analysis: WAF analyzes the request content in real time based on configured protection rules and returns the inspection result—allow or block—to GA.

4. Execute decision: GA performs the final action based on the inspection result.

   • Allow: Forward the request normally to the origin server.

   • Block: Block the request and return a block page to the client. The request never reaches the origin server.

Applicability

• The managed WAF feature for GA is rolling out in a phased release. Contact your account manager to request access.

• Only pay-as-you-go GA instances support WAF protection.

• GA integrates managed WAF using the WAF 3.0 service architecture. If your account already has a WAF 2.0 instance, first release the WAF 2.0 instance or migrate to WAF 3.0.

Enable WAF protection

• After you enable WAF, your GA instance automatically connects to the WAF 3.0 service. If you do not have an active WAF instance, GA automatically creates a new pay-as-you-go WAF instance.

• Supported acceleration areas:

  • If your instance Accelerated IP Address Type is Elastic IP Address, you can enable WAF protection separately for acceleration areas in the Chinese mainland and outside the Chinese mainland.

  • If your instance Accelerated IP Address Type is anycast Elastic IP Address, you can enable WAF protection only for acceleration areas outside the Chinese mainland. The UK (London) region does not support WAF protection.

• After you enable WAF protection, your GA instance must meet the following conditions for WAF protection to take effect:

  • You have configured an HTTP or HTTPS listener.

  • You have configured an acceleration area that supports WAF protection.

View protection records

After you enable WAF protection, WAF automatically creates protected objects and enables the default web core protection rules. You can configure additional security protection rules as needed.

1. Log on to the Standard Instance Console. Find your target instance.

2. Hover your mouse over the icon next to the target instance ID. In the Web Application Firewall section, click View WAF Report for the relevant protection area.

Disable WAF protection

After you disable WAF protection, your GA instance’s service traffic no longer receives WAF protection. Security reports no longer include protection data for that traffic. WAF no longer charges for request processing.

WAF instances and protection rules still incur feature fees. To stop all WAF billing, disable WAF.

1. Log on to the Standard Instance Console. Find your target instance.

2. Hover your mouse over the icon next to the target instance ID. In the Web Application Firewall section, click Configure.

3. In the Configure Web Application Firewall dialog box, for each supported protection area, set Close. Click OK.

Billing information

• GA fees: Enabling WAF protection does not change how GA instances are billed. GA continues to bill according to the original billing rules.

• WAF 3.0 fees:

  • If you do not have an active WAF instance, enabling WAF protection for GA automatically creates a WAF 3.0 pay-as-you-go instance.

  • If you already have a WAF 3.0 subscription instance, enabling WAF protection for GA incurs no additional WAF fees.

FAQ