Enable Web Application Firewall (WAF) protection for your Application Load Balancer (ALB) instance to defend it against common web exploits. A WAF-enabled ALB instance uses the WAF 3.0 SDK integration model, which decouples security inspection from traffic forwarding. This design avoids issues common in legacy inline WAF deployments, such as high network latency, complex configurations, and potential single points of failure (SPOFs).
How it works
A WAF-enabled ALB instance uses the WAF 3.0 SDK integration model. In this model, WAF does not act as an inline network node (gateway) in the forwarding path. Instead, WAF is responsible only for traffic extraction, inspection, and protection. This approach avoids the high network latency, complex configurations (such as certificate synchronization settings), and potential SPOFs introduced by the transparent proxy mode of legacy WAF deployments.
For more information, see Compare WAF 3.0 with WAF 2.0.
Request reception: The ALB instance receives a client request.
Out-of-band (bypass) inspection: Before forwarding the request to a backend server, ALB uses an embedded Software Development Kit (SDK) to synchronously extract the request data and send it to a WAF 3.0 security inspection cluster. WAF never sits in the forwarding path itself.
Security analysis: WAF 3.0 analyzes the request content in real time based on your configured protection rules, such as those for core web protection and malicious IP blocking. It then returns an inspection result (allow or block) to ALB.
Decision enforcement: ALB acts on the inspection result from WAF:
Allow: ALB forwards the original request to the backend server.
Block: ALB immediately blocks the request and returns an interception page to the client (typically with a 405 status code). The request does not reach the backend server.
Usage notes
For WAF-enabled ALB instances:
Supported regions (by area):
China: China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific: Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Singapore, Thailand (Bangkok), and South Korea (Seoul)
Europe and Americas: Germany (Frankfurt), US (Virginia), US (Silicon Valley), and Mexico
Middle East: SAU (Riyadh - Partner Region)
WAF version: You must use WAF 3.0. If you have a WAF 2.0 instance in your account, you must first release the WAF 2.0 instance or migrate it to WAF 3.0.
By default, ALB does not add the X-Forwarded-Proto header to requests forwarded to the backend server group. After you release a WAF 2.0 instance, accessing the ALB directly may cause service exceptions, such as an infinite redirect loop, because the backend service can no longer tell which protocol (HTTP or HTTPS) the client used. To prevent this issue, manually enable the X-Forwarded-Proto request header in the ALB listener configuration.
Feature availability: WAF for ALB instances does not support the data leakage prevention module or the automatic Web SDK integration feature for anti-crawler rules for websites in the bot management module.
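The redirect loop described in the note above, as an added example that is not part of the original page. It simulates a backend that enforces HTTPS behind an ALB: the ALB terminates TLS and forwards plaintext HTTP, so a backend that only looks at the wire scheme redirects to https:// forever, while a backend that reads X-Forwarded-Proto answers 200. The host name, client IP and redirect limit are constructed for the example; the check that only a trusted ALB peer may set the header is this example's own hardening, not something the page prescribes.

```python
"""Simulate the HTTP/HTTPS redirect loop behind an ALB without X-Forwarded-Proto."""
from http import HTTPStatus
from typing import Callable, Dict, Optional, Tuple

MAX_REDIRECTS = 5          # constructed: roughly what a browser or curl -L tolerates
WIRE_SCHEME = "http"       # the ALB -> backend hop is plaintext HTTP after TLS termination

Backend = Callable[[Dict[str, str], str, str], Tuple[HTTPStatus, Dict[str, str]]]


def effective_scheme(headers: Dict[str, str], peer_is_alb: bool = True) -> str:
    """Scheme the client really used.

    X-Forwarded-Proto is trusted only when the TCP peer is the ALB (enforce that
    with a security group / ACL on the backend). From any other peer the header
    could be spoofed to skip the HTTPS redirect, so the wire scheme is used.
    """
    if peer_is_alb:
        return headers.get("X-Forwarded-Proto", WIRE_SCHEME).lower()
    return WIRE_SCHEME


def enforce_https(scheme: str, host: str, path: str) -> Tuple[HTTPStatus, Dict[str, str]]:
    """Typical 'force HTTPS' middleware: redirect anything that is not https."""
    if scheme != "https":
        return HTTPStatus.MOVED_PERMANENTLY, {"Location": f"https://{host}{path}"}
    return HTTPStatus.OK, {}


def naive_backend(headers: Dict[str, str], host: str, path: str):
    """Looks only at the connection scheme, which behind ALB is always http."""
    return enforce_https(WIRE_SCHEME, host, path)


def proto_aware_backend(headers: Dict[str, str], host: str, path: str):
    """Honours X-Forwarded-Proto set by the ALB listener."""
    return enforce_https(effective_scheme(headers), host, path)


def alb_forward(client_scheme: str, add_xfp: bool) -> Dict[str, str]:
    """Headers the backend receives; add_xfp mirrors the listener setting."""
    headers = {"X-Forwarded-For": "198.51.100.7"}   # constructed sample client IP
    if add_xfp:
        headers["X-Forwarded-Proto"] = client_scheme
    return headers


def simulate(backend: Backend, add_xfp: bool,
             host: str = "www.example.com", path: str = "/login") -> Tuple[Optional[int], int]:
    """Follow redirects like a client; return (final status or None on loop, hops)."""
    scheme = "https"                     # the client starts on the HTTPS listener
    for hop in range(MAX_REDIRECTS + 1):
        status, resp_headers = backend(alb_forward(scheme, add_xfp), host, path)
        if status != HTTPStatus.MOVED_PERMANENTLY:
            return int(status), hop
        scheme = resp_headers["Location"].split("://", 1)[0]
    return None, MAX_REDIRECTS + 1       # client gives up: redirect loop


if __name__ == "__main__":
    print("naive backend, header on :", simulate(naive_backend, add_xfp=True))
    print("aware backend, header off:", simulate(proto_aware_backend, add_xfp=False))
    print("aware backend, header on :", simulate(proto_aware_backend, add_xfp=True))
```

Only the combination of a listener that adds X-Forwarded-Proto and a backend that reads it terminates; fixing either side alone still loops, which is why the header must be enabled on the listener before the WAF 2.0 transparent proxy is removed.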
Enable WAF protection for an ALB instance
When you enable WAF protection, your ALB instance automatically integrates with an existing WAF instance. If you do not have a WAF instance, a pay-as-you-go WAF instance is automatically created.
WAF instances belong to one of two areas: Chinese mainland and outside the Chinese mainland. Your ALB instance connects to the WAF instance in the area that matches its region.
Create a WAF-enabled ALB instance
Console
Go to the ALB purchase page. Set Edition to WAF Enabled and configure other parameters by referring to Create and manage an ALB instance.
API
To create a WAF-enabled ALB instance, call the CreateLoadBalancer operation and set the LoadBalancerEdition parameter to StandardWithWaf.
Enable WAF protection for an existing ALB instance
You can enable WAF protection for Basic and Standard ALB instances, that is, upgrade them to the WAF-enabled edition.
Before you start, make sure the target instance is in the Running state.
The unit price for ALB instances varies based on the instance edition. Refer to the price displayed on the buy page.
Console
Go to the ALB Instances page.
Hover over the icon next to the ID of the target instance. In the WAF Protection section, click Enable WAF.
API
To upgrade your ALB instance to the WAF-enabled edition, call the UpdateLoadBalancerEdition operation and set the LoadBalancerEdition parameter to StandardWithWaf.
View protection logs
When you enable WAF protection for an ALB instance, WAF automatically creates a protected object whose name ends with -alb and enables the core web protection rule for it by default. Security reports are also enabled for the protected object by default; these reports display the protection logs.
To meet other security requirements, configure protection rules.
If multiple domain names resolve to the same ALB instance and you need to configure different protection rules for each domain, you must add the domain names as protected objects.
Console
Go to the ALB Instances page.
Hover over the icon next to the ID of the target instance. In the WAF Protection section, click View WAF Security Report.
Disable WAF protection
After you disable WAF protection, traffic to your ALB instance is no longer protected by WAF. The security reports will no longer include protection data for this traffic, and you will not be charged for request processing by WAF.
However, because the WAF instance and its protection rules still exist, you will still be charged for the WAF service. To completely stop all billing, you must terminate the WAF service.
Console
Temporarily disable protection
If your protection rules produce a high number of false positives and legitimate traffic is largely blocked, temporarily disable WAF protection to quickly restore your service. In this case, the ALB instance remains a WAF-enabled edition. Traffic still passes through the WAF SDK embedded in ALB but is no longer sent to the WAF cluster for inspection; it is forwarded directly to the backend server group.
Go to the WAF console - Protected Objects page.
In the upper-right corner of the page, turn off WAF Protection Status.
Permanently disable WAF protection
When you disable WAF protection, your ALB instance is downgraded from the WAF-enabled edition to Standard edition. This change does not disrupt your services.
Go to the ALB Instances page.
Hover over the icon next to the ID of the target instance. In the WAF Protection section, click Disable WAF.
API
To downgrade a WAF-enabled ALB instance to the Standard edition, call the UpdateLoadBalancerEdition operation and set the LoadBalancerEdition parameter to Standard.
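The API path for enabling and disabling WAF protection (UpdateLoadBalancerEdition with StandardWithWaf or Standard, described above), as an added example that is not Alibaba Cloud's own tooling. It drives the ALB API through the aliyun CLI (aliyun alb <Action> --<Param> <value>, assumed to be installed and configured with credentials) and applies the page's preconditions before making the change: the instance must be Running, only Basic and Standard instances are upgraded, only StandardWithWaf instances are downgraded, and nothing is called when the instance already has the target edition. The API status value "Active" as the counterpart of the console's "Running" is an assumption, as is the instance ID used in the usage call.

```python
"""Idempotently enable or disable WAF protection on an existing ALB instance."""
import json
import subprocess
from typing import Callable, Dict, Optional

WAF_EDITION = "StandardWithWaf"
STANDARD_EDITION = "Standard"
UPGRADABLE_EDITIONS = {"Basic", "Standard"}
RUNNING_STATUS = "Active"   # assumption: API value behind the console's "Running" state

# A runner executes one ALB API action with its parameters and returns the parsed response.
Runner = Callable[[str, Dict[str, str]], dict]


def aliyun_cli(action: str, params: Dict[str, str]) -> dict:
    """Default runner: shell out to the aliyun CLI (JSON output) for the ALB product."""
    cmd = ["aliyun", "alb", action]
    for key, value in params.items():
        cmd += [f"--{key}", str(value)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def plan_edition_change(attr: dict, target: str) -> Optional[Dict[str, str]]:
    """Decide what to send to UpdateLoadBalancerEdition.

    attr is a GetLoadBalancerAttribute response. Returns the request parameters,
    None when the instance already has the target edition, or raises when the
    page's preconditions are not met.
    """
    current = attr["LoadBalancerEdition"]
    if current == target:
        return None
    status = attr.get("LoadBalancerStatus")
    if status != RUNNING_STATUS:
        raise RuntimeError(f"instance status is {status!r}, expected {RUNNING_STATUS!r}")
    if target == WAF_EDITION and current not in UPGRADABLE_EDITIONS:
        raise ValueError(f"cannot upgrade edition {current!r} to {target}")
    if target == STANDARD_EDITION and current != WAF_EDITION:
        raise ValueError(f"only {WAF_EDITION} instances are downgraded here, got {current!r}")
    return {"LoadBalancerId": attr["LoadBalancerId"], "LoadBalancerEdition": target}


def set_waf_protection(lb_id: str, enabled: bool, run: Runner = aliyun_cli) -> str:
    """Upgrade to StandardWithWaf (enabled=True) or downgrade to Standard (enabled=False)."""
    target = WAF_EDITION if enabled else STANDARD_EDITION
    attr = run("GetLoadBalancerAttribute", {"LoadBalancerId": lb_id})
    params = plan_edition_change(attr, target)
    if params is None:
        return f"{lb_id}: already {target}, nothing to do"
    run("UpdateLoadBalancerEdition", params)
    return f"{lb_id}: {attr['LoadBalancerEdition']} -> {target}"


if __name__ == "__main__":
    # assumed instance ID; the real call needs a configured aliyun CLI
    print(set_waf_protection("alb-xxxxxxxxxxxxxxxx", enabled=True))
```

The runner is injectable so the decision logic can be exercised against recorded responses before touching a live instance; swapping in an SDK-based runner only requires returning the same dict shape.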
Apply in production
Canary testing: Start by enabling WAF protection for an ALB instance in an environment that mirrors your production environment, preferably during off-peak hours. After you confirm that your services run as expected, enable protection for your production ALB instance.
Continuous monitoring: To receive alerts about attacks and other security events, regularly check security reports and configure CloudMonitor notifications.
Rule tuning: To analyze false positives and fine-tune your protection rules to improve their accuracy, regularly review WAF interception logs.
Billing
Instance fees:
Instance fee = Instance unit price (USD/hour) × Billing duration (hours)
Load Balancer Capacity Unit (LCU) fees:
Hourly LCU fee = max{LCUs for new connections, LCUs for concurrent connections, LCUs for processed data, LCUs for rule evaluations} × LCU unit price
Internet data transfer fees:
Only internet-facing ALB instances are charged for internet data transfer.
Internet-facing ALB instances use an Elastic IP Address (EIP) or Anycast EIP to provide services over the internet. You are charged for the EIP or Anycast EIP associated with your ALB instance.
WAF 3.0 billing: WAF 3.0 supports both subscription and pay-as-you-go.
If you do not have a WAF instance, a pay-as-you-go WAF instance is automatically created, and you are billed for its usage when you create a WAF-enabled ALB instance.
If you already have a subscription WAF 3.0 instance, you are not charged additional WAF fees when you create a WAF-enabled ALB instance.
FAQ
Can I enable WAF 2.0 protection for ALB instances?
If you have an existing WAF 2.0 instance, you can integrate your Basic and Standard internet-facing ALB instances with the WAF 2.0 instance. This feature is supported in the following regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou). Internal-facing ALB instances cannot be integrated with WAF 2.0 instances.
If you have no WAF 2.0 instance or have not activated WAF, your ALB instances can be protected only by WAF 3.0, that is, by upgrading them to the WAF-enabled edition.