Web Application Firewall:Enable WAF protection for ALB instances

Last Updated:Sep 23, 2025

To protect your public-facing Application Load Balancer (ALB) instances from web attacks, enable Web Application Firewall (WAF) 3.0 protection. It provides your applications with low-latency, high availability (HA) web security without changing your existing network architecture or DNS configuration.

How it works

After you enable WAF 3.0 protection for an ALB instance, WAF 3.0 integrates its security detection capabilities directly into the ALB data plane using an embedded SDK. When service traffic reaches the ALB instance, the SDK performs real-time traffic analysis and threat detection in the forwarding path. The SDK automatically blocks malicious requests and forwards valid ones to the backend server.

Prerequisites

  • Account requirements: The ALB instance and the WAF instance must belong to the same Alibaba Cloud account, unless you have configured multi-account management.

  • Region requirements: The ALB instance must be in one of the following regions, listed by area.

    • China: China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), China (Hong Kong)

    • Asia-Pacific: Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Singapore, Thailand (Bangkok), South Korea (Seoul)

    • Europe and Americas: Germany (Frankfurt), US (Silicon Valley), US (Virginia), Mexico

    • Middle East: SAU (Riyadh - Partner Region)

If your ALB instance does not meet these requirements, use the CNAME record mode instead.

Procedure

  1. Go to the WAF console.

    Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance. In the navigation pane on the left, click Onboarding. Click the Cloud Native tab, then click Application Load Balancer (ALB) from the list of cloud services on the left.

  2. Authorize the cloud service (for first-time users only).

    Follow the on-screen prompts and click Authorize Now to complete the cloud service authorization. You can view the AliyunServiceRoleForWAF service-linked role on the Identities > Roles page of the RAM console.

  3. Add the ALB instance.

    In the list on the right, find the ALB instance to add to WAF and click Add Now in the Actions column. If you cannot find the target instance, click Synchronize Assets in the upper-right corner.

    When the status shows Full Protection, the instance is successfully added.

    Important

    When an ALB instance is added to WAF, it is automatically upgraded to the WAF-enabled edition. This incurs additional fees on the ALB side.

    Note

    You can also add multiple ALB instances in a batch or click One-Click Onboarding to add all instances at once.

  4. Verify the protection.

    To verify the protection, enter your website domain followed by a web attack string in your browser (for example, <your-website-domain>/alert(xss), where alert(xss) is a sample cross-site scripting attack). If WAF returns a 405 error page, it has successfully intercepted the attack and protection is active.
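As an added example (not part of the original documentation), the following script automates the verification in step 4: it sends an ordinary baseline request and then the sample /alert(xss) probe to a domain you supply and reports whether WAF answered the probe with 405. The https scheme, the domain argument and the fetch hook used for offline testing are assumptions.

```python
import urllib.error
import urllib.request

# Sample attack string from the verification step; scheme and domain are
# assumptions supplied by the caller.
PROBE_PATH = "/alert(xss)"


def http_status(url, fetch=None):
    """Return the HTTP status for url, or None if no HTTP response came back.

    `fetch` is an optional callable(url) -> status that lets the check run
    offline (for example in tests) without touching the network.
    """
    if fetch is not None:
        return fetch(url)
    req = urllib.request.Request(url, headers={"User-Agent": "waf-alb-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 4xx/5xx responses still carry a status code
    except urllib.error.URLError:
        return None              # DNS failure, refused connection, timeout


def check_waf(domain, fetch=None, scheme="https"):
    """Classify the protection state of a domain that resolves to the ALB.

    'protected'       baseline succeeds and the probe is blocked with 405
    'unprotected'     baseline succeeds but the probe is not blocked
    'inconclusive'    the baseline itself returns 405, so the probe proves nothing
    'baseline-failed' the site returns a 5xx; fix availability first
    'unreachable'     no HTTP response at all
    """
    base = f"{scheme}://{domain}/"
    baseline = http_status(base, fetch)
    if baseline is None:
        return "unreachable"
    if baseline >= 500:
        return "baseline-failed"
    if baseline == 405:
        return "inconclusive"
    probe = http_status(base.rstrip("/") + PROBE_PATH, fetch)
    return "protected" if probe == 405 else "unprotected"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "your-website-domain.example"
    print(target, check_waf(target))
```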

What to do next

View and configure protection rules

After you enable WAF protection for your ALB instance, WAF automatically creates a protected object with a -alb suffix and enables default protection rules for it, such as those in the core protection module. You can view this on the Protection Configuration > Protected Objects page. If the default protection rules do not meet your requirements, create or edit protection rules. For more information, see Protection configuration overview.

Note

If you have multiple domains resolving to the same ALB instance and want different protection rules for each, manually add the domains as protected objects.

More operations

Disable/Remove WAF protection for ALB instances

  • Temporarily disable WAF protection: If you encounter issues after integration, such as a high number of false positives, you may need to temporarily disable WAF protection. To do this, go to the Protected Objects page in the WAF console and turn off the WAF Protection Status switch. For more information, see Disable WAF protection with one click.

  • Remove protection: If you no longer want to use WAF to protect an ALB instance, go to the Cloud Native tab, click Application Load Balancer (ALB) from the cloud service list on the left, find the target instance, and click Remove in the Actions column. In the dialog box that appears, click OK.

    Important

    • After you remove the protection, traffic to the ALB instance is no longer WAF-protected, and security reports will not include data for that traffic.

    • If your WAF instance uses the pay-as-you-go billing method, you will not be charged for request processing after removing the ALB instance. However, you are still charged for feature usage fees because the WAF instance and its protection rules remain. If you want to stop using WAF and stop all WAF billing, see Terminate the WAF service.

Enable and manage WAF protection in the ALB console

In addition to the methods described in this topic, you can also enable WAF protection for an ALB instance in the ALB console. For more information, see the following topics:

Apply in production

Enabling or removing WAF protection for an ALB instance does not affect your services. However, after you enable WAF protection, monitor logs and service health to ensure service availability.

  • Phased rollout: As a best practice, first add a non-production ALB instance during off-peak hours. After running the instance for a period and confirming your services are stable, integrate your production ALB instances.

  • Service monitoring: After the integration is complete, use the following methods to confirm that your services are working correctly.

    • Check logs: Check logs for significant fluctuations in the proportion of 200 status codes or sudden spikes or drops in QPS. If you have enabled Simple Log Service for ALB or WAF, refer to ALB logs or WAF logs.

    • Business monitoring: Check if your services, such as user access and transactions, are working correctly.

  • Maintenance: Perform ongoing operations and maintenance, paying close attention to attacks and false positives.

    • Review events: Monitor security reports and configure Cloud Monitor notifications to stay informed about attacks and security events.

    • Adjust rules: Review attack logs to analyze whether WAF is mistakenly blocking any valid business requests and optimize protection rules accordingly.
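As an added example (not part of the original documentation), the following script applies the "Check logs" and "Adjust rules" points above: it compares a log window captured before onboarding with one captured afterwards and flags a drop in the share of 200 responses or a large QPS swing. The log records are constructed for the example and do not follow the real ALB or WAF log schema; the thresholds are assumptions.

```python
"""Compare request volume and 200 share before and after WAF onboarding, over
constructed log records (not the real ALB/WAF log schema; adapt the parsing)."""
from collections import Counter
from datetime import datetime

# Constructed records: "<ISO timestamp> <status> <path>".
BEFORE = """2025-09-23T10:00:01Z 200 /
2025-09-23T10:00:02Z 200 /api/orders
2025-09-23T10:00:03Z 404 /favicon.ico
2025-09-23T10:01:01Z 200 /
2025-09-23T10:01:02Z 200 /api/orders
2025-09-23T10:01:03Z 200 /login""".splitlines()

AFTER = """2025-09-23T11:00:01Z 200 /
2025-09-23T11:00:02Z 405 /api/orders
2025-09-23T11:00:03Z 405 /api/orders
2025-09-23T11:01:01Z 200 /login
2025-09-23T11:01:02Z 405 /api/orders
2025-09-23T11:01:03Z 200 /""".splitlines()


def window_stats(lines):
    """Return (average QPS over the window, share of 200 responses)."""
    per_minute = Counter()
    ok = 0
    for line in lines:
        ts, status, _path = line.split(" ", 2)
        minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(second=0)
        per_minute[minute] += 1  # requests per minute bucket
        ok += status == "200"
    total = sum(per_minute.values())
    return total / (60 * len(per_minute)), ok / total


def compare_windows(before, after, max_ok_drop=0.1, max_qps_change=0.5):
    """Flag a drop in the 200 share or a large QPS swing after onboarding.
    A falling 200 share with 405 responses points at WAF blocking requests;
    review the attack logs for false positives before tuning rules."""
    qps_b, ok_b = window_stats(before)
    qps_a, ok_a = window_stats(after)
    findings = []
    if ok_b - ok_a > max_ok_drop:
        findings.append(f"200 share fell from {ok_b:.0%} to {ok_a:.0%}")
    if abs(qps_a - qps_b) / qps_b > max_qps_change:
        findings.append(f"QPS moved from {qps_b:.3f} to {qps_a:.3f}")
    return findings
```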

Limitations

  • Identity verification: You must complete identity verification before you can purchase a WAF-enabled ALB instance.

  • Instance status:

  • Number of integrated instances: The number of integrated instances cannot exceed the limit of your WAF instance specifications.

    • Subscription: up to 300 for the Basic Edition, 600 for the Pro Edition, 2,500 for the Enterprise Edition, and 10,000 for the Ultimate Edition.

    • Pay-as-you-go: up to 10,000.

  • Unsupported features: Data leak prevention and the automatic Web SDK integration for the anti-crawler scenario in Bot Management.

FAQs

Why can't I find the ALB instance I want to add?

First, click Synchronize Assets in the upper-right corner of the Onboarding page.

If you still cannot find the instance, it does not meet the Prerequisites. For example, an ALB instance in a region outside the Chinese mainland requires a WAF instance in a region outside the Chinese mainland for cloud-native integration, or you must use the CNAME record mode.

How do I add WAF protection if one domain name resolves to multiple ALB instances?

  • Use cloud-native mode: You must add all of these ALB instances to WAF to protect them.

  • Use CNAME record mode: Add the domain in CNAME record mode and configure the CNAMEs of the multiple ALB instances as the origin addresses.

How do I add WAF protection if multiple domain names resolve to the same ALB instance?

  • Use cloud-native mode: After you add the ALB instance, all domain names on the instance are protected by the default WAF protection policy. However, if you want to configure different protection rules for each domain, you must manually add the domains as protected objects. For more information, see Manually add a protected object.

  • Use CNAME record mode: Add each domain one by one.

Can I use both cloud-native and CNAME record modes for a domain on an ALB instance?

This is not recommended, because using both modes will cause forwarding conflicts and protection failure. If you have a domain that is already added through CNAME record mode and you want to switch to cloud-native mode, you must first point your DNS records back to the origin, wait for the DNS changes to propagate, delete the CNAME record mode configuration for the domain, and then add the corresponding ALB instance by using cloud-native mode.

What are the differences in how WAF 2.0 and WAF 3.0 integrate with ALB instances?

  • WAF 3.0 SDK integration: WAF 3.0 uses an SDK-based integration. The SDK is embedded in the ALB instance and is responsible for traffic extraction, detection, and protection. Because WAF does not forward traffic, this integration avoids extra-hop latency and the compatibility issues of an additional forwarding layer. Requests pass through only one gateway, eliminating the need for WAF to synchronize certificate and encryption suite configurations from the ALB instance. This prevents issues like certificate or configuration drift.

  • WAF 2.0 transparent proxy: WAF 2.0 uses a transparent proxy method. By configuring traffic redirection ports, the cloud service gateway automatically changes the route to direct web traffic to WAF. WAF blocks attack traffic and forwards normal requests to the origin, participating in both traffic forwarding and security detection. Requests must pass through two gateways, and you must maintain configurations such as timeouts and certificates on both the WAF and load balancer.

For more information, see Compare WAF 3.0 with WAF 2.0.