All Products
Search
Document Center

Web Application Firewall:Enable WAF protection for an MSE instance

Last Updated:Aug 29, 2024

If a Microservices Engine (MSE) instance is configured for your web services, you can enable Web Application Firewall (WAF) 3.0 protection for the MSE instance. This topic describes how to enable WAF protection for an MSE instance.

Background information

MSE is an end-to-end microservices platform that is developed for mainstream open source microservices ecosystems. MSE provides the following modules: Microservices Registry, Cloud-native Gateway, and Microservices Governance. Microservices Registry supports the native Nacos, ZooKeeper, and Eureka engines. Cloud-native Gateway supports native Ingress and Envoy. Microservices Governance supports native Spring Cloud, Dubbo, and Sentinel and complies with OpenSergo. WAF 3.0 is integrated with MSE cloud-native gateways. This can help improve the O&M efficiency and security of your web services and ensure a seamless and interactive user experience.

Limits

Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

  • The MSE instance for which you want to enable WAF protection must reside in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), and US (Silicon Valley).

  • You cannot enable the following features for MSE instances for which WAF protection is enabled:

    • Website tamper-proofing

    • Data leakage prevention

    • Automatic integration of the Web SDK in bot management for website protection

    • API security

Prerequisites

  • A cloud-native gateway is created. For more information, see Create a cloud-native gateway.

  • If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.

    To view the number of protected objects that you can add to WAF, go to the Protected Objects page. image.png

Enable WAF protection for an MSE instance

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the Cloud Native tab, click MSE in the left-side cloud service list.

  4. Click Add.

  5. Click Authorize Now to authorize your WAF instance to access MSE.

    Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

    Note

    If your WAF instance is already authorized to access MSE, skip this step.

    You are redirected to the MSE console.

  6. In the top navigation bar, select China (Hangzhou), Chia (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley) for the region.

  7. Enable WAF protection.

    • Enable instance-level protection.

      Find the gateway for which you want to enable WAF protection, move the pointer over the 未开启 icon in the WAF Protection column, and then click Enable Gateway Protection. You can also choose More > Enable WAF Protection in the Actions column. In the Enable WAF Protection dialog box, click OK.

    • Enable route-level protection.

      1. Find the gateway for which you want to enable WAF protection, click the name of the gateway, and then choose Routes > Route Settings in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.

      2. Find the route for which you want to enable WAF protection and choose More > Enable Route Protection in the Actions column. Then, click OK.

Manage WAF protection in the MSE console.

  1. Log on to the MSE console. In the left-side navigation pane, choose Cloud-native Gateway > Gateways.

  2. In the top navigation bar, select China (Hangzhou), Chia (Shanghai), China (Beijing), China (Ulanqab), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), China (Zhangjiakou), China (Shenzhen), Japan (Tokyo), Germany (Frankfurt), or US (Silicon Valley) for the region.

  3. Manage WAF protection.

    • View MSE instances for which WAF protection is enabled.

      In the instance list, you can view the MSE instances for which WAF protection is enabled. If the 已开启 icon is displayed on the right side of the name of an MSE instance, WAF protection is enabled for the MSE instance.

    • Disable WAF protection for an MSE instance.

      After you disable WAF protection for an MSE instance, web service traffic that is generated on the MSE instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.

      Important

      After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see Billable items and Protection module overview.

      • Disable instance-level protection.

        Find the gateway for which you want to disable WAF protection, click the 已开启 icon in the WAF Protection column, and then click Disable Gateway Protection. You can also choose More > Disable WAF Protection in the Actions column. In the Disable WAF Protection dialog box, click OK.

      • Disable route-level protection.

        1. Find the gateway for which you want to disable WAF protection, click the name of the gateway, and then choose Routes > Route Settings in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.

        2. Find the route for which you want to disable WAF protection and choose More > Disable Route Protection in the Actions column. Then, click OK.

Manage WAF protection in the WAF console.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection.

    • View MSE instances for which WAF protection is enabled.

      On the Cloud Native tab, click MSE in the left-side cloud service list.

    • Configure protected objects and protection rules.

      After you enable WAF protection for an MSE instance, the MSE instance automatically becomes a protected object of WAF. The name of the protected object contains the -mse suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the MSE instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview. 防护对象

    • Remove an MSE instance from WAF.

      After you remove an MSE instance from WAF, web service traffic that is generated on the instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.

      Important

      After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. We recommend that you delete protection rules before you remove an MSE instance from WAF. For more information, see Billable items and Protection module overview.

      1. Find the instance that you want to remove and click Remove in the Actions column.

        You are redirected to the Gateways page in the MSE console.

      2. Disable WAF protection in the MSE console. For more information, see Disable WAF protection for an MSE instance.