Application Load Balancer (ALB) is integrated with Web Application Firewall (WAF) 3.0, which supports more transparent integration than WAF 2.0. Listening and forwarding are performed by ALB instead of WAF. Forwarding services and security services are decoupled from each other to ensure compatibility and performance stability. This topic describes the benefits of WAF-enabled ALB instances and how to activate and manage WAF-enabled ALB instances.

Benefits of WAF-enabled ALB instances

  • One-stop protection

    ALB is deeply integrated with WAF 3.0, which provides one-stop security services that can detect malicious requests. WAF-enabled ALB instances are resistant to intrusions, provide more stable performance, and support higher security for services and data.

  • High compatibility

    ALB is integrated with WAF 3.0 at the service level. WAF provides only security services, while ALB performs listening and forwarding, so request forwarding services and security services are decoupled from each other. This design improves compatibility and service performance.

  • Various features

    Compared with standard ALB instances, WAF-enabled ALB instances are under enhanced protection. For more information about the difference between ALB editions, see Functions and features.

  • No limits on network types and protocols

    WAF-enabled ALB instances support all network types and protocols. WAF-enabled ALB instances can be Internet-facing or internal-facing. WAF-enabled ALB instances support both IPv4 and dual stack.

    Note: By default, the dual-stack feature of ALB is unavailable. To use this feature, log on to the Quota Center console. On the Whitelist Quotas page, enter the quota ID slb_user_visible_gray_label/support_ipv6, and then apply for the privilege to use the feature. For more information, see Manage ALB quotas.

  • Sufficient quotas

    WAF-enabled ALB instances provide the same quotas as standard ALB instances, and provide higher quotas than basic ALB instances. For more information about resource quotas supported by different ALB editions, see ALB quotas.

  • On-demand protection

    WAF-enabled ALB instances require only simple configurations. You can enable or disable WAF protection for your ALB instance with one click. You can purchase WAF-enabled ALB instances in the ALB console, or upgrade existing basic and standard ALB instances to WAF-enabled ALB instances.

Limits on WAF-enabled ALB instances

  • Before you purchase WAF-enabled ALB instances, you must complete real-name verification.
  • The following table describes the regions in which WAF-enabled ALB instances are available for purchase.
    Area | Region
    China | China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
    Asia Pacific | Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)
    Europe and Americas | Germany (Frankfurt), US (Silicon Valley), and US (Virginia)
  • You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.
  • Make sure that either WAF is not activated in your Alibaba Cloud account or WAF 3.0 is activated in your Alibaba Cloud account.
    • If WAF is not activated in your Alibaba Cloud account, a pay-as-you-go WAF 3.0 instance is created after you create a WAF-enabled ALB instance.
    • If a WAF 2.0 instance already exists in your Alibaba Cloud account, release the WAF 2.0 instance or migrate data from the WAF 2.0 instance to a WAF 3.0 instance. (Automatic migration is not supported. If you want to migrate data, join the DingTalk group 34657699 for consultation.) For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.

Billing

After you create a WAF-enabled ALB instance or upgrade an existing ALB instance to a WAF-enabled ALB instance, you are charged fees for using WAF 3.0. The following table describes the billable items of WAF-enabled ALB instances.

Billable item | Calculation formula | References
Instance fee | Instance fee = Instance unit price (USD/hour) × Duration of usage (hours) | Instance fees
LCU fee | LCU fee per hour = max{Number of LCUs for new connections, Number of LCUs for concurrent connections, Number of LCUs for data transfer, Number of LCUs for rule evaluations} × LCU unit price | LCU fees
Internet data transfer fee | You are not charged for data transfer over the Internet if you use internal-facing ALB instances. You are charged for data transfer over the Internet only if you use Internet-facing ALB instances. Internet-facing ALB instances use elastic IP addresses (EIPs) or Anycast EIPs to provide services over the Internet.
  • By default, a newly created Internet-facing ALB instance is associated with an EIP. ALB charges an instance fee and a bandwidth fee or a data transfer fee for the EIP. For more information, see Pay-as-you-go.
  • After an ALB instance is associated with an Anycast EIP, ALB charges a configuration fee, an Internet data transfer fee, and an internal data transfer fee for the Anycast EIP. For more information, see Billing.
WAF 3.0 fee | WAF 3.0 supports the subscription and pay-as-you-go billing methods. For more information, see Subscription WAF 3.0 instances and Pay-as-you-go WAF 3.0 instances. If no WAF instance is created within your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, the version of the WAF instance is 3.0 and the billing method is pay-as-you-go.

Enable WAF protection for an ALB instance

Purchase a WAF-enabled ALB instance

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.
  3. On the Instances page, click Create ALB.
  4. On the Application Load Balancer page, set the parameters, click Buy Now, and then complete the payment.
    This example lists only some of the parameters. For more information, see Create an ALB instance.

    Edition: Select WAF Enabled.

Enable WAF protection for an existing ALB instance

You can upgrade an existing basic or standard ALB instance to a WAF-enabled ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance is deployed.
  3. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:
    • Method 1: Move your pointer over the WAF protection disabled icon next to the instance name and click Enable Protection in the WAF Protection message.
    • Method 2: Choose Choose > Upgrade Edition in the Actions column.
    • Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section, and click Enable Protection.
    • Method 4: Click the ID of the ALB instance. On the Instance Details tab, click the Security Protection tab. Then, click Enable Protection.
  4. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, click Buy Now, and then complete the payment.

Manage WAF protection

Manage WAF protection in the ALB console

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which the ALB instance is deployed.
  3. Manage WAF protection.
    Operation | Procedure
    Check whether an instance has WAF protection enabled | Use one of the following methods to check whether an instance has WAF protection enabled:

    Method 1: On the Instances page, find the ALB instance that you want to manage and move your pointer over the Protection Disabled icon. In the WAF Protection section, you can view the protection status.

    Method 2:
    1. On the Instances page, find the ALB instance that you want to manage and click its ID.
    2. On the Instance Details tab, view the value of the WAF Protection parameter in the Basic Information section.
    Method 3:
    1. On the Instances page, find the ALB instance that you want to manage and click its ID.
    2. On the Instance Details tab, click the Security Protection tab, and view the protection status in the WAF Protection section.
    View security reports | You can view the security reports of WAF to check the protection status of your ALB instance.

    Method 1: On the Instances page, find the ALB instance that you want to manage and move your pointer over the Protection Disabled icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console, where you can view security reports.

    Method 2:
    1. On the Instances page, find the ALB instance that you want to manage and click its ID.
    2. On the Instance Details tab, find the Basic Information section, and click View WAF Security Report on the right side of WAF Protection. You are redirected to the WAF 3.0 console, where you can view security reports.
    Method 3:
    1. On the Instances page, find the ALB instance that you want to manage and click its ID.
    2. On the Instance Details tab, click the Security Protection tab and view the protection status in the WAF Protection section.

    For more information, see Security reports.

    Disable WAF protection | After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details about the ALB instance.
    Important: After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see Billable items and Protection module overview.
    Method 1:
    1. On the Instances page, find the ALB instance that you want to manage, move the pointer over the Protection Disabled icon, and click Disable WAF in the WAF Protection section.
    2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.
    Method 2:
    1. On the Instances page, find the ALB instance that you want to manage, and choose Choose > Upgrade Edition in the Actions column.
    2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.
    Method 3:
    1. On the Instances page, find the ALB instance that you want to manage and click its ID.
    2. On the Instance Details tab, find the Basic Information section, and click Disable WAF on the right side of WAF Protection.
    3. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.
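
To check WAF coverage across many instances instead of one at a time in the console, the following added example (not from the original page or from Alibaba Cloud) audits a saved instance listing. It assumes the JSON shape and field names of the ALB ListLoadBalancers API response, with LoadBalancerEdition set to StandardWithWaf for WAF-enabled instances and LoadBalancerStatus set to Active for the Running state; the sample data and the severity labels are constructed for illustration.

```python
import json

# Constructed sample shaped like an ALB ListLoadBalancers response.
# Field names and enum values are assumptions; verify against your API version.
SAMPLE_RESPONSE = json.dumps({
    "LoadBalancers": [
        {"LoadBalancerId": "alb-example-0001", "LoadBalancerEdition": "StandardWithWaf",
         "AddressType": "Internet", "LoadBalancerStatus": "Active"},
        {"LoadBalancerId": "alb-example-0002", "LoadBalancerEdition": "Standard",
         "AddressType": "Internet", "LoadBalancerStatus": "Active"},
        {"LoadBalancerId": "alb-example-0003", "LoadBalancerEdition": "Basic",
         "AddressType": "Intranet", "LoadBalancerStatus": "Active"},
        {"LoadBalancerId": "alb-example-0004", "LoadBalancerEdition": "Basic",
         "AddressType": "Internet", "LoadBalancerStatus": "Provisioning"},
    ]
})

WAF_EDITION = "StandardWithWaf"      # assumed API value for "WAF Enabled"
UPGRADABLE = {"Basic", "Standard"}   # editions the page says can be upgraded
RUNNING = "Active"                   # assumed API value for the Running state


def audit_waf_coverage(response_text):
    """Return one finding per ALB instance that is not WAF-enabled."""
    findings = []
    for lb in json.loads(response_text).get("LoadBalancers", []):
        edition = lb.get("LoadBalancerEdition", "")
        if edition == WAF_EDITION:
            continue
        # Internet-facing instances without WAF are triaged first.
        internet = lb.get("AddressType") == "Internet"
        # Only basic/standard instances in the Running state can be upgraded.
        can_upgrade = edition in UPGRADABLE and lb.get("LoadBalancerStatus") == RUNNING
        findings.append({
            "id": lb.get("LoadBalancerId", "<unknown>"),
            "edition": edition or "<missing>",
            "severity": "high" if internet else "medium",
            "upgradable_now": can_upgrade,
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit_waf_coverage(SAMPLE_RESPONSE):
        print(finding)
```
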

Manage WAF protection in the WAF console

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. Manage WAF protection.
    • View ALB instances that are protected by WAF

      On the Cloud Native tab, click ALB in the left-side product list.

    • Add protected objects and protection rules
      Click the ID of the ALB instance to go to the Protected Objects page. On this page, you can view the protected objects and the protection rules of the ALB instance. For more information, see Configure protection rules.
      Note: The value of Asset Type of a cloud service instance that is added to WAF in cloud native mode is the abbreviation of the cloud service name. For example, the value of Asset Type for an ALB instance is alb, and the value of Domain Name is empty.
    • Disable WAF protection for an ALB instance
      After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and WAF security reports no longer include the protection details about the ALB instance.
      Important: After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see Billable items and Protection module overview.
      1. On the Cloud Native tab, find the instance that you want to manage, and click Remove in the Actions column.
      2. In the message that appears, view the information and click Remove.
      3. In the Remove panel, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.
