Enable WAF for ALB - Server Load Balancer - Alibaba Cloud Documentation Center

If the web services on your Application Load Balancer (ALB) instance are vulnerable to attacks, you can migrate the web services to a WAF-enabled ALB instance, which provides higher security. ALB is integrated with Web Application Firewall (WAF) 3.0. WAF 2.0 supports the transparent proxy mode, but WAF 3.0 supports the service integration mode. Listening and forwarding are performed by ALB instead of WAF. Forwarding services and security services are decoupled from each other to ensure compatibility and performance stability. This topic describes the benefits of WAF-enabled ALB instances and how to activate and manage WAF-enabled ALB instances.

Benefits of WAF-enabled ALB instances

One-stop protection
ALB is deeply integrated with WAF 3.0, which provides one-stop security services that can detect malicious requests. WAF-enabled ALB instances are resistant to intrusions, provide more stable performance, and support high security for services and data.
High compatibility
ALB is integrated with WAF 3.0 at the service level. WAF provides only security services and is decoupled from forwarding services. Listening and forwarding are performed by ALB so that request forwarding services and security services are decoupled from each other. This design improves compatibility and service performance.
Various features
Compared with standard ALB instances, WAF-enabled ALB instances are under enhanced protection. For more information about the differences between ALB editions, see Functions and features.
Support for all network types and protocols
WAF-enabled ALB instances support all network types and protocols. WAF-enabled ALB instances can be Internet-facing or internal-facing. WAF-enabled ALB instances support both IPv4 and dual stack.
Sufficient quotas
WAF-enabled ALB instances provide the same quotas as standard ALB instances, and provide higher quotas than basic ALB instances. For more information about resource quotas supported by different ALB editions, see ALB quotas.
On-demand protection
WAF-enabled ALB instances require only simple configurations. You can enable or disable WAF protection for your ALB instance with one click. You can purchase WAF-enabled ALB instances in the ALB console, or upgrade existing basic and standard ALB instances to WAF-enabled ALB instances.

Limits on WAF-enabled ALB instances

Before you can purchase WAF-enabled ALB instances, you must complete real-name verification.

The following table describes the regions in which WAF-enabled ALB instances are available for purchase.

Area	Region
China	China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific	Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)
Europe & Americas	Germany (Frankfurt), US (Silicon Valley), and US (Virginia)
Middle East	SAU (Riyadh - Partner Region)

You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.
Make sure that WAF is not activated in your Alibaba Cloud account, or WAF 3.0 is activated in your Alibaba Cloud account.
- If WAF is not activated in your Alibaba Cloud account, a pay-as-you-go WAF 3.0 instance is created after you create a WAF-enabled ALB instance.
- If a subscription WAF 3.0 instance exists in your Alibaba Cloud account, you are not charged additional fees for WAF after you purchase a WAF-enabled ALB instance.
- If a WAF 2.0 instance already exists in your Alibaba Cloud account, release the WAF 2.0 instance or migrate data from the WAF 2.0 instance to a WAF 3.0 instance.
  - For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.
  - For more information about how to migrate data to WAF 3.0, see Migrate a WAF 2.0 instance to WAF 3.0.

Billing

After you create a WAF-enabled ALB instance or upgrade an existing ALB instance to the WAF-enabled edition, you are charged for using WAF 3.0. The following table describes the billable items of WAF-enabled ALB instances.

Billable item	Fee calculation	References
Instance fee	`Instance fee = Instance unit price (USD per hour) × Usage duration (hours)`	Instance fee
Load Balancer Capacity Unit (LCU) fee	`LCU fee per hour = max{Number of LCUs for new connections, Number of LCUs for concurrent connections, Number of LCUs for data transfer, Number of LCUs for rule evaluations} × LCU unit price`	LCU fee
Internet data transfer fee	You are not charged Internet data transfer fees if you use internal-facing ALB instances. You are charged Internet data transfer fees only if you use Internet-facing ALB instances. Internet-facing ALB instances use elastic IP addresses (EIPs) or Anycast EIPs to provide services over the Internet. After you create an Internet-facing ALB instance, it is associated with an EIP by default. The EIP associated with the ALB instance generates instance fees and data transfer fees. For more information, see Pay-as-you-go. After an ALB instance is associated with an Anycast EIP, the Anycast EIP generates configuration fees, Internet data transfer fees, and internal data transfer fees. For more information, see Billing rules.
WAF 3.0 fee	WAF 3.0 supports the subscription and pay-as-you-go billing methods. For more information, see Subscription WAF 3.0 instances and Pay-as-you-go WAF 3.0 instances. If no WAF instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, a pay-as-you-go WAF 3.0 instance is created. If a subscription WAF 3.0 instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, you are not charged additional fees for WAF.

Enable WAF protection for an ALB instance

Purchase a WAF-enabled ALB instance

Log on to the ALB console.
In the top navigation bar, select the region where you want to create the ALB instance.
On the Instances page, click Create ALB.
On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.
This example describes only some of the parameters. For more information, see Create an ALB instance.
Edition: Select WAF Enabled.

Enable WAF protection for an existing ALB instance

You can upgrade an existing basic or standard ALB instance to a WAF-enabled ALB instance.

Log on to the ALB console.
In the top navigation bar, select the region where you want to create the ALB instance.
On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:
- Method 1: Move the pointer over the icon next to the instance name and click Enable Protection in the WAF Protection section.
- Method 2: Choose > Change Specification in the Actions column.
- Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.
- Method 4: Click the ID of the ALB instance. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Enable Protection.
On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.

Manage WAF protection

Manage WAF protection in the ALB console

Log on to the ALB console.
In the top navigation bar, select the region where you want to create the ALB instance.

Manage WAF protection.

Operation	Procedure
Check whether WAF protection is enabled for an ALB instance	Use one of the following methods to check whether WAF protection is enabled for an instance: Protection Enabled indicates that WAF protection is enabled for the ALB instance. Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon. In the WAF Protection section, you can view the protection status. Method 2: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, view the value of the WAF Protection parameter in the Basic Information section. Method 3: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Protection tab and view the protection status in the WAF Protection section.
View WAF security reports	To view WAF security reports, make sure that WAF protection is enabled for your ALB instance. Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console where you can view security reports. Method 2: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click View WAF Security Report on the right side of Security Protection in the Basic Information section to go to the Security Reports page in the WAF 3.0 console. Method 3: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click View WAF Security Report to go to the Security Reports page in the WAF console. For more information, see Security reports.
Disable WAF protection	After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details about the ALB instance. Important After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic. Method 1: On the Instances page, find the instance that you want to manage, move the pointer over the icon next to the instance name, and then click Disable WAF in the WAF Protection section. On the Application Load Balancer \| Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment. Method 2: On the Instances page, find the ALB instance that you want to manage, and choose > Change Specification in the Actions column. On the Application Load Balancer \| Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment. Method 3: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click Disable WAF next to WAF Protection in the Basic Information section. On the Application Load Balancer \| Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment. Method 4: On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Disable WAF. On the Application Load Balancer \| Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

Manage WAF protection in the WAF console

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, click Website Configuration.
Manage WAF protection.
- View ALB instances that are protected by WAF
  On the Cloud Native tab, click ALB in the left-side product list.
- Add protected objects and protection rules
  Click the ID of the ALB instance to go to the Protected Objects page. On this page, you can view the protected objects and the protection rules of the ALB instance. For more information, see Overview.
  Note
  The value of Asset Type of a cloud service instance that is added to WAF in cloud native mode is the abbreviation of the cloud service name. For example, the value of Asset Type for an ALB instance is alb, and the value of Domain Name is empty.
- Disable WAF protection for an ALB instance
  After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and WAF security reports no longer include the protection details about the ALB instance.
  Important
  After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic.
  1. On the Cloud Native tab, find the instance that you want to manage, and click Remove in the Actions column.
  2. In the message that appears, view the information and click Remove.
  3. In the Remove panel, set Edition to Standard, click Buy Now, and then complete the payment.

FAQ

What are the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0?
The following section describes the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0:
- Transparent proxy mode of WAF 2.0: Requests are filtered by WAF before the requests are forwarded to ALB or CLB. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and Server Load Balancer (SLB).
- Service integration mode of WAF 3.0: WAF is deployed in bypass mode and requests are directly forwarded to ALB. Before the requests are forwarded to backend servers, ALB extracts and sends the request content to WAF for filtering. In service integration mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.
For more information, see Compare WAF 3.0 and WAF 2.0.
How do I enable WAF for ALB?
ALB is interfaced with WAF 3.0. If you want your ALB instances to be protected by WAF, purchase a WAF-enabled ALB instance. When you purchase WAF-enabled ALB instances, take note of the following information:
- If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can enable WAF 3.0 for Internet-facing and internal-facing ALB instances by purchasing WAF-enabled ALB instances. This way, ALB is integrated with WAF on the service level. For more information about the regions that support WAF-enabled ALB instances, see Limits on WAF-enabled ALB instances.
- If your Alibaba Cloud account already has a WAF 2.0 instance: You can enable WAF 2.0 for Basic Edition Internet-facing ALB instance and Standard Edition Internet-facing ALB instances in transparent proxy mode. Internal-facing ALB instances do not support WAF 2.0.
  Only ALB instances in the following regions can be interfaced with WAF 2.0 in transparent proxy mode: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou).
  Note
  If you want to enable WAF 3.0 for your ALB instance, release the WAF 2.0 instance first or migrate to WAF 3.0.
  - After you release the WAF 2.0 instance, service errors may arise because the X-Forwarded-Proto header is disabled for ALB by default. You must enable the X-Forwarded-Proto header for the listeners of the ALB instance to prevent errors. For more information, see Manage listeners.
  - For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.
  - For more information about how to migrate to WAF 3.0, see Migrate a WAF 2.0 instance to WAF 3.0.

Do CLB and ALB support WAF 2.0 and WAF 3.0?

Service

WAF 2.0 (transparent proxy mode)

WAF 3.0 (service integration mode)

CLB

Supported.

For more information about how to connect WAF 2.0 to CLB in transparent proxy mode, see the following topics:

Not supported.

ALB

If your Alibaba Cloud account has a WAF 2.0 instance, you can connect the WAF 2.0 instance to ALB in transparent proxy mode. For more information, see the Configure a traffic redirection pot for an ALB instance section of the "Configure traffic redirection ports".
If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can connect only WAF 3.0 to ALB. In this case, you must purchase a WAF-enabled ALB instance.

Supported.

For more information about the supported regions and related operations, see Activate and manage WAF-enabled ALB instances.

After I connect WAF 2.0 to CLB or ALB, why are the timeout period and certificates not synchronized?
After you connect WAF 2.0 to ALB or CLB, client requests are filtered by WAF before they are forwarded to ALB or CLB. The requests pass through two gateways, and you must synchronize the settings between WAF and ALB or CLB. If you change the timeout period or certificates, synchronization issues may occur due to latency.
If certificates are not updated or if the changes of the timeout period do not take effect, join DingTalk group 21715946 for consultation.

References

ALB documentation

For more information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.
For more information about the features of basic, standard, and WAF-enabled ALB instances, see Functions and features.
For more information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.
For more information about how to change the edition of an ALB instance in the ALB console, see Change the edition of an ALB instance.
For more information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.

WAF documentation

For more information about how to purchase a subscription WAF 3.0 instance, see Purchase a subscription WAF 3.0 instance.
For more information about how to purchase a pay-as-you-go WAF 3.0 instance, see Purchase a pay-as-you-go WAF 3.0 instance.
For more information about the differences between WAF 3.0 and WAF 2.0 and the improvements of WAF 3.0, see Compare WAF 3.0 with WAF 2.0.