Web Application Firewall: Deploy a hybrid cloud WAF cluster

Last Updated: Mar 31, 2026

After purchasing a Hybrid Cloud WAF instance, deploy a hybrid cloud cluster before adding any websites to the instance. This topic describes how to plan resources, create the cluster, and verify it is healthy.

Prerequisites

Before you begin, ensure that you have:

Choose a deployment plan

Each cluster node handles 5,000 QPS for HTTP or 2,000 QPS for HTTPS. The default protection setup covers 10,000 QPS (HTTP) or 4,000 QPS (HTTPS). Add nodes if your traffic exceeds these limits.

Select a plan based on your stability and protection requirements:

| Scenario | Plan | Servers | Load balancers | Components |
| --- | --- | --- | --- | --- |
| High stability + high protection | Disaster recovery for protection and management | 5 (recommended) | 2 | Storage: 1 server; Management: 2+ servers + 1 LB; Protection: 2+ servers + 1 LB |
| High stability | Disaster recovery for protection only | 3 (recommended) | 1 | Management and storage: 1 server; Protection: 2+ servers + 1 LB |
| Proof of concept (POC) | Minimum deployment | 2+ | None | Management and storage: 1 server; Protection: 1+ servers |

To scale beyond the default capacity, add nodes. Each additional node adds 5,000 QPS (HTTP) or 2,000 QPS (HTTPS).

Create a hybrid cloud cluster

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region of your WAF instance. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Systems > Hybrid Cloud Settings.

  3. Click Create Cluster.

  4. Complete the Basic information configuration step, then click Next.

    Warning

    For security purposes, specify only the ports required for your web services.

    | Parameter | Description |
    | --- | --- |
    | Cluster Name | Enter a name for the cluster. |
    | Protection Nodes | Specify the number of nodes. The total across all hybrid cloud clusters cannot exceed the limit set at purchase. Each node corresponds to one server. |
    | Server Port | Ports 80, 8080, 443, and 8443 are enabled by default. Add extra ports only if your web services require them. Press Enter after each port to save it. The following ports are reserved and cannot be used: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. |
    | Cluster Access Mode | Internet: the WAF console connects to the cluster over the Internet. Internal Network: the WAF console connects over an Express Connect circuit. Select Internal Network only if Express Connect is deployed. |
    | Remarks | (Optional) Enter a description. |

  5. Complete the Node group configuration step. Node groups organize servers by role. Add groups in one of the following sequences: Node group type constraints: To add a node group:

  6. Complete the Initial node configuration step. Add your on-premises servers as cluster nodes. Install vagent on each server before adding it. See Install the WAF agent. The number of nodes cannot exceed the Protection Nodes value set for the cluster. Add at least 2 nodes to the Protection node group to enable online active-active disaster recovery. To add a node:

    1. Click Create Node.

    2. In the Create Node dialog box, configure the following parameters:

      | Parameter | Description |
      | --- | --- |
      | Server IP Address | Enter the public IP address of the on-premises server. |
      | Node Name | Enter a name for the node. |
      | Region | Select the region of the node. |
      | Server Configuration | Automatically populated by the system. |
      | Protection Node Group | Select the node group to add this node to. |

    3. Click Save.

  7. Wait several minutes for the cluster to finish deploying.
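
A pre-flight check for the Server Port and Protection Nodes values entered in the procedure above, added here as an example and not vendor code. The port lists and per-node QPS figures are the ones on this page; the function names and the linear mixing of HTTP and HTTPS load are assumptions.

```python
# Values below come from this page; function names are hypothetical.
DEFAULT_PORTS = {80, 8080, 443, 8443}
RESERVED_PORTS = {22, 53, 9100, 4431, 4646, 8301, 6060, 8600,
                  56688, 15001, 4985, 4986, 4987}
HTTP_QPS_PER_NODE, HTTPS_QPS_PER_NODE = 5000, 2000


def check_ports(requested):
    """Classify candidate Server Port values before entering them in the console."""
    result = {"invalid": [], "reserved": [], "default": [], "extra": []}
    for port in sorted(set(requested)):
        if not 1 <= port <= 65535:
            result["invalid"].append(port)
        elif port in RESERVED_PORTS:
            result["reserved"].append(port)
        elif port in DEFAULT_PORTS:
            result["default"].append(port)
        else:
            # Extra exposure: keep only if a web service really listens here.
            result["extra"].append(port)
    return result


def protection_nodes_needed(http_qps, https_qps, active_active=True):
    """Estimate the Protection Nodes value for a peak load."""
    # Assumption (not from the page): HTTP and HTTPS load add linearly on a node.
    used = http_qps * HTTPS_QPS_PER_NODE + https_qps * HTTP_QPS_PER_NODE
    per_node = HTTP_QPS_PER_NODE * HTTPS_QPS_PER_NODE
    nodes = max(1, -(-used // per_node))  # integer ceiling, no float rounding
    # The page asks for at least 2 protection nodes for active-active DR.
    return max(nodes, 2) if active_active else nodes


def preflight(ports, http_qps, https_qps, purchased_nodes):
    """Return a list of problems; an empty list means the plan is consistent."""
    found = check_ports(ports)
    problems = [f"port {p} is out of range" for p in found["invalid"]]
    problems += [f"port {p} is reserved" for p in found["reserved"]]
    problems += [f"port {p} is non-default, confirm it is required" for p in found["extra"]]
    needed = protection_nodes_needed(http_qps, https_qps)
    if needed > purchased_nodes:
        problems.append(f"need {needed} nodes, purchased limit is {purchased_nodes}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: 9100 is reserved, 8081 is an extra port.
    for problem in preflight([80, 443, 8081, 9100], 12000, 3000, 4):
        print(problem)
```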

Verify the cluster

After the cluster deploys, go to Systems > Hybrid Cloud Settings to confirm the cluster is healthy.

In the General Information section at the top of the page, confirm the cluster details are displayed. If you have multiple clusters, click Switch Cluster to select a specific one.

In the Cluster Nodes section, check the status of each node:

| Field | Expected value | Action if not as expected |
| --- | --- | --- |
| Node Status | Normal | The server is shut down. A stopped node cannot provide protection. Investigate and restart the server. |
| Application Status | Normal | vagent has stopped. The node may be unable to provide protection. Log on to the server, check the installation and running status of vagent, and fix the issue. See Install the WAF agent. |

What's next

Go to the Website Access page and associate your web services with the cluster:

  1. In the Enter Your Website Information step, set Protection Resource to Hybrid Cloud Cluster.

  2. Set Name of Protected Node Group to the node group you want to use.

  3. Configure the remaining parameters the same way as for a shared cluster.

For details, see Add a website.
