All Products
Search
Document Center

Server Load Balancer:Activate and manage WAF-enabled ALB instances

Last Updated:Jan 11, 2024

If the web services on your Application Load Balancer (ALB) instance are vulnerable to attacks, you can migrate the web services to a WAF-enabled ALB instance, which provides higher security. ALB is integrated with Web Application Firewall (WAF) 3.0. Compared with WAF 2.0, which supports the transparent proxy mode, WAF 3.0 supports the service integration mode. Listening and forwarding are performed by ALB instead of WAF. Forwarding services and security services are decoupled from each other to ensure compatibility and performance stability. This topic describes the benefits of WAF-enabled ALB instances and how to activate and manage WAF-enabled ALB instances.WAF 3.0服务化接入

Benefits of WAF-enabled ALB instances

  • One-stop protection

    ALB is deeply integrated with WAF 3.0, which provides one-stop security services that can detect malicious requests. WAF-enabled ALB instances are resistant to intrusions, provide more stable performance, and support high security for services and data.

  • High compatibility

    ALB is integrated with WAF 3.0 at the service level. WAF provides only security services and is decoupled from forwarding services. Listening and forwarding are performed by ALB so that request forwarding services and security services are decoupled from each other. This design improves compatibility and service performance.

  • Various features

    Compared with standard ALB instances, WAF-enabled ALB instances are under enhanced protection. For more information about the differences among ALB editions, see Functions and features.

  • Support for all network types and protocols

    WAF-enabled ALB instances support all network types and protocols. WAF-enabled ALB instances can be Internet-facing or internal-facing. WAF-enabled ALB instances support both IPv4 and dual stack.

  • Sufficient quotas

    WAF-enabled ALB instances provide the same quotas as standard ALB instances, and provide higher quotas than basic ALB instances. For more information about resource quotas supported by different ALB editions, see ALB quotas.

  • On-demand protection

    WAF-enabled ALB instances require only simple configurations. You can enable or disable WAF protection for your ALB instance with one click. You can purchase WAF-enabled ALB instances in the ALB console, or upgrade existing basic and standard ALB instances to WAF-enabled ALB instances.

Limits on WAF-enabled ALB instances

  • Before you purchase WAF-enabled ALB instances, you must complete real-name verification.

  • The following table describes the regions in which WAF-enabled ALB instances are available for purchase.

    Area

    Region

    China

    China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)

    Asia Pacific

    Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)

    Europe & Americas

    Germany (Frankfurt), US (Silicon Valley), and US (Virginia)

    Middle East

    SAU (Riyadh - Partner Region)

  • You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.

  • Make sure that WAF is not activated in your Alibaba Cloud account, or WAF 3.0 is activated in your Alibaba Cloud account.

    • If WAF is not activated in your Alibaba Cloud account, a pay-as-you-go WAF 3.0 instance is created after you create a WAF-enabled ALB instance.

    • If a subscription WAF 3.0 instance exists in your Alibaba Cloud account, you are not charged additional fees for WAF after you purchase a WAF-enabled ALB instance.

    • If a WAF 2.0 instance already exists in your Alibaba Cloud account, release the WAF 2.0 instance or migrate data from the WAF 2.0 instance to a WAF 3.0 instance.

Billing

After you create a WAF-enabled ALB instance or upgrade an existing ALB instance to the WAF-enabled edition, you are charged fees for using WAF 3.0. The following table describes the billable items of WAF-enabled ALB instances.

ALB WAF增强版计费组成

Billable item

Fee calculation

References

Instance fee

Instance fee = Instance unit price (USD per hour) × Duration of usage (hours)

Instance fee

Load Balancer Capacity Unit (LCU) fee

LCU fee per hour = max{Number of LCUs for new connections, Number of LCUs for concurrent connections, Number of LCUs for data transfer, Number of LCUs for rule evaluations} × LCU unit price

LCU fee

Internet data transfer fee

You are not charged Internet data transfer fees if you use internal-facing ALB instances. You are charged Internet data transfer fees only if you use Internet-facing ALB instances. Internet-facing ALB instances use elastic IP addresses (EIPs) or Anycast EIPs to provide services over the Internet.

  • After you create an Internet-facing ALB instance, it is associated with an EIP by default. The EIP associated with the ALB instance generates instance fees and data transfer fees. For more information, see Pay-as-you-go.

  • After an ALB instance is associated with an Anycast EIP, the Anycast EIP generates configuration fees, Internet data transfer fees, and internal data transfer fees. For more information, see Billing rules.

WAF 3.0 fee

WAF 3.0 supports the subscription and pay-as-you-go billing methods. For more information, see Subscription WAF 3.0 instances and Pay-as-you-go WAF 3.0 instances.

  • If no WAF instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, a pay-as-you-go WAF 3.0 instance is created.

  • If a subscription WAF 3.0 instance is created in your Alibaba Cloud account and you purchase a WAF-enabled ALB instance, you are not charged additional fees for WAF.

Enable WAF protection for an ALB instance

Purchase a WAF-enabled ALB instance

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.

  3. On the Instances page, click Create ALB.

  4. On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.

    This example lists only some of the parameters. For more information, see Create an ALB instance.

    Edition: Select WAF Enabled.

Enable WAF protection for an existing ALB instance

You can upgrade an existing basic or standard ALB instance to a WAF-enabled ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.

  3. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:

    • Method 1: Move the pointer over the 未开启 icon next to the instance name and click Enable Protection in the WAF Protection section.

    • Method 2: Choose 选择 > Change Specification in the Actions column.

    • Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.

    • Method 4: Click the ID of the ALB instance. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Enable Protection.

  4. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.

Manage WAF protection

Manage WAF protection in the ALB console

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.

  3. Manage WAF protection.

    Operation

    Procedure

    Check whether WAF protection is enabled for an ALB instance

    Use one of the following methods to check whether an instance has WAF protection enabled: Protection Enabled indicates that WAF protection is enabled for the ALB instance.

    Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the 未开启 icon. In the WAF Protection section, you can view the protection status.

    Method 2:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, view the value of the WAF Protection parameter in the Basic Information section.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab, and view the protection status in the WAF Protection section.

    View WAF security reports

    To view WAF security reports, make sure that WAF protection is enabled for your ALB instance.

    Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the 未开启 icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console, where you can view security reports.

    Method 2:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click View WAF Security Report on the right side of Security Protection in the Basic Information section to go to the Security Reports page of the WAF 3.0 console.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click View WAF Security Report to go to the Security Report page in the WAF console.

    For more information, see Security reports.

    Disable WAF protection

    After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details about the ALB instance.

    Important

    After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic.

    Method 1:

    1. On the Instances page, find the instance that you want to manage, move the pointer over the 未开启 icon next to the instance name, and then click Disable WAF in the WAF Protection section.

    2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

    Method 2:

    1. On the Instances page, find the ALB instance that you want to manage, and choose 选择 > Change Specification in the Actions column.

    2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click Disable WAF on the right side of WAF Protection in the Basic Information section.

    3. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

    Method 4:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Disable WAF.

    3. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to Standard, click Buy Now, and then complete the payment.

Manage WAF protection in the WAF console

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection.

    • View ALB instances that are protected by WAF

      On the Cloud Native tab, click ALB in the left-side product list.

    • Add protected objects and protection rules

      Click the ID of the ALB instance to go to the Protected Objects page. On this page, you can view the protected objects and the protection rules of the ALB instance. For more information, see Configure protection rules.

      Note

      The value of Asset Type of a cloud service instance that is added to WAF in cloud native mode is the abbreviation of the cloud service name. For example, the value of Asset Type for an ALB instance is alb, and the value of Domain Name is empty.

    • Disable WAF protection for an ALB instance

      After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and WAF security reports no longer include the protection details about the ALB instance.

      Important

      After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see the "Billable items" section in the Billing overview topic and the "Protection module overview" section in the Protection configuration overview topic.

      1. On the Cloud Native tab, find the instance that you want to manage, and click Remove in the Actions column.

      2. In the message that appears, view the information and click Remove.

      3. In the Remove panel, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.

FAQ

  1. What are the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0?区别

    The following section describes the differences between the transparent proxy mode of WAF 2.0 and the service integration mode of WAF 3.0:

    • Transparent proxy mode of WAF 2.0: Requests are filtered by WAF before the requests are forwarded to ALB or CLB. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and ALB or CLB.

    • Service integration mode of WAF 3.0: WAF is deployed in bypass mode and requests are directly forwarded to ALB. Before the requests are forwarded to backend servers, ALB extracts and sends the request content to WAF for filtering. In service integration mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.

    For more information, see Compare WAF 3.0 with WAF 2.0.

  2. How do I enable WAF for ALB?

    ALB is interfaced with WAF 3.0. If you want your ALB instances to be protected by WAF, purchase ALB instances of WAF-enabled Edition. When you purchased WAF-enabled ALB instances, take note of the following information:

    • If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can enable WAF 3.0 for Internet-facing and internal-facing ALB instances by purchasing WAF-enabled ALB instances. This way, ALB is interfaced with WAF on the service level. For more information about the regions that support WAF-enabled ALB instances, see Limits on WAF-enabled ALB instances.

    • If your Alibaba Cloud account already has a WAF 2.0 instance: You can enable WAF 2.0 for Basic Edition Internet-facing ALB instance and Standard Edition Internet-facing ALB instances in transparent proxy mode. Internal-facing ALB instances do not support WAF 2.0.

      Only ALB instances in the following regions can be interfaced with WAF 2.0 in transparent proxy mode: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou).

      Note

      If you want to enable WAF 3.0 for your ALB instance, release the WAF 2.0 instance first or migrate to WAF 3.0.

  3. Do CLB and ALB support WAF 2.0 and WAF 3.0?

    Service

    WAF 2.0 (transparent proxy mode)

    WAF 3.0 (service integration mode)

    CLB

    Supported

    For more information about how to connect WAF 2.0 to CLB in transparent proxy mode, see the following topics:

    Not supported

    ALB

    • If your Alibaba Cloud account has a WAF 2.0 instance, you can connect the WAF 2.0 instance to ALB in transparent proxy mode. For more information, see the Configure a traffic redirection pot for an ALB instance section of the "Configure traffic redirection ports".

    • If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF, you can connect only WAF 3.0 to ALB. In this case, you must purchase a WAF-enabled ALB instance.

    Supported

    For more information about the supported regions and related operations, see Activate and manage WAF-enabled ALB instances.

  4. After I connect WAF 2.0 to CLB or ALB, why are the timeout period and certificates not synchronized?

    After you connect WAF 2.0 to ALB or CLB, client requests are filtered by WAF before they are forwarded to ALB or CLB. The requests pass through two gateways, and you must synchronize the settings between WAF and ALB or CLB. If you change the timeout period or certificates, synchronization issues may occur due to latency.

    If certificates are not updated or if the changes of the timeout period do not take effect, join DingTalk group 21715946 for consultation.

References

ALB documentation

  • For more information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.

  • For more information about the features of basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.

  • For more information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.

  • For more information about how to change the edition of an ALB instance in the ALB console, see Change the edition of an ALB instance.

  • For more information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.

WAF documentation