
Web Application Firewall:Enable WAF protection for an NLB instance

Last Updated:Dec 05, 2025

If you have created a Network Load Balancer (NLB) instance and added a TCP listener to a port, you can add the traffic redirection port of the instance to Web Application Firewall (WAF) to protect your web traffic. This topic describes how to add an NLB instance to WAF.

Background information

Network Load Balancer (NLB) is a next-generation Layer 4 load balancing service provided by Alibaba Cloud that is designed for the Internet of Everything (IoE) era. It provides ultra-high performance and automatic scaling. A single instance can handle up to 100 million concurrent connections, which helps you manage high-concurrency services. For more information, see What is Network Load Balancer?.

WAF supports security protection for NLB instances. After you add a port of an NLB instance to WAF, all web traffic to that port is directed to WAF for inspection through a specified gateway. WAF filters out web application attacks and forwards normal traffic back to the NLB server.

Limits

You can add Alibaba Cloud services such as Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute (FC), Classic Load Balancer (CLB), Elastic Compute Service (ECS), Network Load Balancer (NLB) to Web Application Firewall (WAF) in cloud native mode. To protect web applications that are not deployed on Alibaba Cloud, add their domain names to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Limited Item Type

Description

Supported instances

Must be both:

  • Public-facing instances

  • IPv4 instances

Supported regions

  • The Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao).

  • Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Singapore.

Number of traffic redirection ports

The number is the same as the number of protected objects:

  • Subscription WAF instances: a maximum of 300 for Basic Edition, 600 for Pro, 2,500 for Enterprise, and 10,000 for Ultimate.

  • Pay-as-you-go WAF instances: a maximum of 10,000.

Port configuration

  • Only ports with TCP listeners can be added.

  • Mutual authentication cannot be enabled for the ports of the NLB instance.

  • WAF automatically syncs the list of listener ports configured for the NLB instance. You can select specific ports to protect in the WAF console.

    Important

    Ports for which the all-port feature is enabled or whose listeners are configured with the UDP or TCPSSL protocol are not synced to WAF.

  • If an NLB instance has more than 50 port listeners and you modify its zone or subnet, which involves a change to the Elastic IP Address, WAF automatically forwards traffic back to the new IP address of the NLB instance. Because many listener ports are configured, these changes may take several minutes to take effect.

Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Activate a pay-as-you-go WAF 3.0 instance.

  • You have created an NLB instance that meets the requirements and added a TCP listener to it. For more information about the requirements, see Limits. For more information about how to add a TCP listener to an NLB instance, see Add a TCP listener.

  • If you use a subscription instance, ensure that your instance has sufficient quota to add protected objects. Otherwise, you cannot add cloud services.

    You can go to the Protected Objects page to view the remaining quota for protected objects.

Add a traffic redirection port

Important
  • When you add an instance to WAF, your web service may be interrupted for several seconds. If clients can automatically reconnect, the service resumes automatically and is not affected. We recommend that you monitor your service and prepare disaster recovery mechanisms, such as reconnection and back-to-origin, as needed.

  • After an NLB instance is added to WAF, the traffic redirection port is automatically removed from the protection list if the protected listener port is deleted or the instance is released. If mutual authentication is enabled, the instance status in the WAF console changes to Protection Abnormal.

    If any of these situations occur, you must first correct the NLB instance configuration and then add the instance to WAF again in the WAF console. Otherwise, service traffic will not be protected by WAF.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Onboarding.

  3. Click the Cloud Native Mode tab. From the cloud service list on the left, select Network Load Balancer (NLB).

  4. On the authorization page, click Authorize Now to authorize your WAF instance to access the required cloud service.

    Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

    Note

    If the authorization is complete, the authorization page is not displayed. You can proceed to the next step.

  5. View your Network Load Balancer (NLB) instances and their WAF protection status in the list on the right. If you cannot find the target instance, click Sync Assets in the upper-right corner of the page. Find the NLB instance that you want to add to WAF, click the expand icon to show its details, select the port to configure, and then click Add Now in the Actions column.

  6. In the dialog box that appears, complete the following configurations.

    Configuration Item

    Related Operations

    Select Protocol Type For Port

    Select a Protocol Type for the port. Valid values: HTTP and HTTPS.

    If you select HTTPS, you must upload a certificate.

    Note
    • The cloud native mode does not support SM certificates.

    • The total number of default and extension certificates cannot exceed 25. To upload more certificates, contact your business manager or solution architect.

    • Default Certificate

      • Upload

        Select Upload and enter the Certificate Name, Certificate File (example format: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----), and Private Key (example format: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----).

        Important
        • If your certificate is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the content. If your certificate is in another format, such as PFX or P7B, you must convert the certificate to the PEM format before you can use a text editor to obtain the content. You can log on to the Certificate Management Service console and use the certificate format conversion tool. For more information, see Convert the format of a certificate.

        • If a domain name is associated with multiple SSL certificates (for example, a certificate chain exists), you must concatenate the content of the certificate files and then upload the combined content to WAF.

      • Select Existing Certificate

        If your certificate meets one of the following two conditions, you can select Select Existing Certificate and select the certificate that you want to upload to WAF from the drop-down list.

        • The certificate is issued by Alibaba Cloud Certificate Management Service.

        • The certificate is a third-party certificate and has been uploaded to Certificate Management Service.

          Important

          When you select a third-party certificate that is uploaded to Certificate Management Service, the WAF console may display the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected." This may indicate an issue with the selected certificate. You can click Alibaba Cloud Security - Certificate Service and re-upload a new certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate.

    • Additional Certificate

      If your instance is configured with HTTPS websites for multiple domain names, you can use Additional Certificate to import the certificates for the different domain names. The method for uploading an additional certificate is the same as that for a default certificate. For more information, see Default Certificate.

      Note

      When you add multiple additional certificates, make sure that each certificate you select is valid. If an expired certificate exists, the addition will fail.

    • After you select HTTPS, you can also enable the following Advanced Settings:

      • If your website supports HTTP/2, you can select HTTP2 to enable protection for HTTP/2 services.

        Note

        The port for the HTTP/2 protocol is the same as the port for the HTTPS protocol.

      • TLS Version

        Specify the TLS versions that are allowed for HTTPS communication. If a client uses a protocol version that does not meet the requirements, WAF drops its request traffic. The higher the protocol version you set, the better the communication security, but the lower the compatibility.

        We recommend that you select the TLS versions that WAF is allowed to listen on based on the HTTPS configuration of your website. If you are unsure about the HTTPS configuration of your website, we recommend that you use the default options.

        Options:

        • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

        • TLS 1.1 and Later (High Compatibility and High Security)

          If you select this option, clients that use TLS 1.0 cannot access the website.

        • TLS 1.2 and Later (High Compatibility and Best Security)

          If you select this option, clients that use TLS 1.0 or 1.1 cannot access the website.

        If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for client requests that use the TLS 1.3 protocol.

      • Cipher Suite

        Specify the cipher suites that are allowed for HTTPS communication. If a client uses a cipher suite that does not meet the requirements, WAF drops its request traffic.

        By default, all cipher suites supported by WAF are selected. We recommend that you modify this configuration only if your website supports only specific cipher suites.

        Options:

        • All Cipher Suites (High Compatibility and Low Security) (default)

        • Custom Cipher Suite (Select It based on protocol version. Proceed with caution.): If your website supports only specific cipher suites, select this option and select the cipher suites supported by your website from Supported WAF cipher suites.

          If clients use other cipher suites, they cannot access the website.
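The Upload option expects the Certificate File box to hold one or more complete PEM blocks (concatenated when a chain exists) and the Private Key box to hold exactly one key block. The following is an added example, not Alibaba Cloud's own code, that checks pasted text for the structural mistakes that cause an upload to fail: a truncated paste, stray text between blocks, invalid base64, or a key pasted into the certificate box. The function names, the placeholder DER payloads, and the chain order it concatenates in (server certificate first, then intermediates, which is the order a TLS chain is presented in) are this example's assumptions; it does not validate X.509 contents.

```python
import base64
import re

# Added example (not Alibaba Cloud's own code): structural checks on the PEM
# text for the Certificate File and Private Key boxes of the Upload option.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem_bundle(text):
    """Return [(label, der_bytes)] for every complete PEM block in text.

    Raises ValueError if a block is truncated, its base64 is invalid, or the
    decoded payload is not a DER SEQUENCE (tag 0x30), which every certificate
    and private-key structure starts with.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: invalid base64 ({exc})")
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        blocks.append((label, der))
    # A BEGIN line without a matching END line is a truncated paste.
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("bundle contains an unterminated PEM block")
    return blocks


def build_upload(cert_pems, key_pem):
    """Concatenate certificate PEMs (server certificate first, then
    intermediates) into the Certificate File content and validate the
    Private Key content. Returns (certificate_file, private_key) as text."""
    certificate_file = "\n".join(p.strip() for p in cert_pems) + "\n"
    cert_blocks = split_pem_bundle(certificate_file)
    if not cert_blocks or any(lbl != "CERTIFICATE" for lbl, _ in cert_blocks):
        raise ValueError("Certificate File must contain only CERTIFICATE blocks")
    key_blocks = split_pem_bundle(key_pem)
    if len(key_blocks) != 1 or key_blocks[0][0] not in KEY_LABELS:
        raise ValueError("Private Key must contain exactly one private key block")
    return certificate_file, key_pem.strip() + "\n"


def _pem(label, der):
    """Wrap DER bytes in a PEM block (used to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----"


# Constructed placeholder payloads: a minimal DER SEQUENCE, not real
# certificates or keys. Replace with the real PEM text in practice.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_LEAF = _pem("CERTIFICATE", FAKE_DER)
SAMPLE_INTERMEDIATE = _pem("CERTIFICATE", FAKE_DER)
SAMPLE_KEY = _pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    cert_file, key = build_upload([SAMPLE_LEAF, SAMPLE_INTERMEDIATE], SAMPLE_KEY)
    print(f"{len(split_pem_bundle(cert_file))} certificate block(s) ready to paste")
    print(f"private key label: {split_pem_bundle(key)[0][0]}")
```

Run the file on its own to see the constructed chain pass; feed it a real PEM bundle exported from a PFX conversion to confirm that the editor copy contains whole blocks and nothing else before pasting it into the console.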

    Is There A Layer 7 Proxy (such As Anti-DDoS Or CDN) In Front Of WAF?

    • No other proxy service. Select No (default).

      This indicates that the business requests received by WAF are directly initiated by clients, not forwarded by other proxy services. In this scenario, WAF directly obtains the IP address that establishes the connection with WAF (from the REMOTE_ADDR field of the request) as the client IP address.

    • Another proxy service exists. Select Yes.

      This indicates that the business requests received by WAF are forwarded from other Layer 7 proxy services, not directly initiated by clients. To ensure that WAF can obtain the real client IP addresses for security analytics, you must further set the Obtain Source IP Address.

      Options:

      • (Default) Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

        By default, WAF preferentially reads the X-Real-IP request header field as the client IP address. If the X-Real-IP field does not exist, WAF reads the first IP address in the X-Forwarded-For (XFF) field as the client IP address.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If your website service is configured through other proxy services to place the originating IP address of the client in a custom header field (such as X-Real-IP or X-Client-IP), you must select this option and enter the corresponding header field in the Header Field box.

        Note

        We recommend that you use a custom header to store client IP addresses in your service and configure the corresponding header field in WAF. This method can prevent attackers from forging the XFF field to evade WAF detection rules and improve the security of your business.

        You can enter multiple header fields. Press the Enter key after you enter each header field. If you set multiple headers, WAF attempts to read the client IP address in sequence. If the first header does not exist, WAF reads the second, and so on. If none of the specified headers exist, WAF first attempts to read the X-Real-IP field. If no result is found, WAF uses the first IP address in the X-Forwarded-For (XFF) header as the client IP address.
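The lookup order described above, as an added example (not Alibaba Cloud's code) so that the effect of each option can be checked offline before it is applied to a port. The function resolve_client_ip, the constructed request, and the fallback to the connecting address when no header yields a valid address are assumptions of this example; the order of the header lookups follows the options as documented.

```python
import ipaddress

# Added example, not Alibaba Cloud's own code: a model of the documented
# client-IP lookup order for the "Is There A Layer 7 Proxy ... In Front Of WAF?"
# setting and its "Obtain Source IP Address" options.


def _first_ip(header_value):
    """Return the first comma-separated element of a header value if it is a
    valid IPv4/IPv6 address, else None. Ignoring malformed values is an
    assumption of this example."""
    first = header_value.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def resolve_client_ip(remote_addr, headers, layer7_proxy=False, trusted_headers=()):
    """Pick the client IP address the way the console options describe.

    remote_addr     -- peer address of the TCP connection to WAF (REMOTE_ADDR)
    headers         -- request headers as a dict (names matched case-insensitively)
    layer7_proxy    -- False models "No" (default); True models "Yes"
    trusted_headers -- header names entered under "Use the First IP Address in
                       Specified Header Field", tried in the order given; an
                       empty tuple models the default X-Forwarded-For option
    """
    if not layer7_proxy:
        # No proxy in front of WAF: the connecting peer is the client.
        return remote_addr
    lower = {name.lower(): value for name, value in headers.items()}
    # 1. The specified headers, in sequence (empty for the default option).
    # 2. X-Real-IP.
    # 3. The first address in X-Forwarded-For.
    for name in (*trusted_headers, "X-Real-IP", "X-Forwarded-For"):
        value = lower.get(name.lower())
        if value is not None:
            ip = _first_ip(value)
            if ip is not None:
                return ip
    # Nothing usable: fall back to the connecting address (assumption of this example).
    return remote_addr


# Constructed request: the client supplied a forged X-Forwarded-For value, while
# the proxy in front of WAF recorded the true peer address in X-Client-IP.
FORGED_REQUEST = {
    "Host": "www.example.com",
    "X-Forwarded-For": "203.0.113.9, 198.51.100.7",
    "X-Client-IP": "198.51.100.7",
}
PROXY_ADDR = "192.0.2.10"  # constructed address of the proxy connecting to WAF

if __name__ == "__main__":
    print("No proxy        :", resolve_client_ip(PROXY_ADDR, FORGED_REQUEST))
    print("Default option  :", resolve_client_ip(PROXY_ADDR, FORGED_REQUEST, layer7_proxy=True))
    print("Specified header:", resolve_client_ip(PROXY_ADDR, FORGED_REQUEST, layer7_proxy=True,
                                                 trusted_headers=("X-Client-IP",)))
```

With the default option the forged first address in X-Forwarded-For is what WAF would attribute the request to; with X-Client-IP entered as the specified header, the address written by the proxy wins, which is the reason the page recommends that option when a proxy is in front of WAF.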

    Resource Group

    Select the resource group to which the domain name belongs. If you do not select a resource group, the domain name is added to the Default Resource Group.

    Note

    You can use Resource Management to create resource groups and manage cloud resources by dimensions such as business department or project. For more information, see Create a resource group.

    Advanced Settings

    • Obtain The WAF Listener Protocol By Using The X-Forwarded-Proto Header Field

      WAF 3.0 automatically inserts the X-Forwarded-Proto header into HTTP requests that pass through it. This header is used to identify whether the communication protocol between the client and WAF is HTTP or HTTPS. If your web application cannot correctly process this header, compatibility issues may occur and affect the normal operation of your business. You can choose to disable the feature that allows WAF to automatically insert this header to prevent such issues.

    • Enable Traffic Tag

      Enabling traffic marking helps the origin server distinguish requests that pass through WAF and obtain the real originating IP address or port of the client.

      You can configure the following types of marking fields:

      • Custom Header

        By configuring the Header Name and Header Value, you can make WAF add this header information to back-to-origin requests to mark requests that pass through WAF (to distinguish them from requests that do not pass through WAF, which facilitates statistical analysis by your backend service).

        For example, you can use ALIWAF-TAG: Yes to mark requests that pass through WAF. In this example, ALIWAF-TAG is the header name and Yes is the header value.

      • Originating IP Address

        By configuring the header field name where the real originating IP address of the client is located, WAF can record this header field and pass it back to the origin server. For the specific rules that WAF uses to determine the real originating IP address of the client, see the description of the Is There A Layer 7 Proxy (such As Anti-DDoS Or CDN) In Front Of WAF? parameter.

      • Source Port

        By configuring the header field name where the real originating port of the client is located, WAF can record this header field and pass it back to the origin server.

      Important

      Do not enter standard HTTP header fields (such as User-Agent). Otherwise, the content of the standard header field will be overwritten by the value of the custom field.

      Click Add Tag to add a marking field. You can set a maximum of five marking fields.

    • Configure back-to-origin persistent connections

      If a persistent connection timeout response issue occurs between WAF and your origin server, you can adjust the connection timeout, number of retries, and idle connection timeout as needed.

      • Read Timeout: The period of time that WAF waits for a response from the origin server. If this period is exceeded, WAF closes the connection. The default value is 120s. The configurable range is 1s to 3600s.

      • Write Timeout: The period of time that WAF waits while sending a request to the origin server. If this period is exceeded, WAF closes the connection. The default value is 120s. The configurable range is 1s to 3600s.

      • Origin Keep-Alive: To configure the number of retries or the idle timeout for persistent connections, you can enable this feature and set the following parameters.

        • Max Requests per Connection: The number of requests that WAF can send to the origin server or the number of responses that WAF can receive from the origin server at the same time. The default value is 1,000. The configurable range is 60 to 1,000.

        • Idle Timeout: The period of time after which an idle persistent connection is closed. The default value is 3600s. The configurable range is 10s to 3600s.

  7. Click OK.

    After the instance is added, WAF automatically creates a protected object named "Instance ID-Port-Asset Type" and associates all default mitigation templates with it. In the provisioning list, you can click the instance ID to navigate to the Protected Objects page, view the automatically created protected object, and configure protection rules for it. For more information, see Mitigation settings overview.
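The Enable Traffic Tag and X-Forwarded-Proto settings under Advanced Settings in step 6 have two sides: the tag fields entered in the console, which must respect the five-field limit and must not reuse standard HTTP header names, and the headers the origin server then receives. The following added example, not Alibaba Cloud's code, covers both. The page's ALIWAF-TAG: Yes example is used for the custom header; the X-Client-IP and X-Client-Port names, the function names, and the list of standard header names beyond User-Agent are this example's assumptions.

```python
import re

# Added example, not Alibaba Cloud's own code. Two sides of "Enable Traffic Tag":
# validating a tag-field configuration against the documented limits, and
# reading the resulting back-to-origin headers on the origin server.

MAX_TAG_FIELDS = 5
# RFC 7230 token characters: the syntax an HTTP header field name must use.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Standard header names a tag field must not reuse, since WAF would overwrite
# them. User-Agent is the page's example; the others are added here.
STANDARD_HEADERS = {
    "user-agent", "host", "content-type", "content-length", "cookie",
    "authorization", "accept", "referer", "x-forwarded-for", "x-forwarded-proto",
}


def validate_tag_fields(fields):
    """fields: list of dicts such as
         {"type": "custom", "name": "ALIWAF-TAG", "value": "Yes"}
         {"type": "client_ip", "name": "X-Client-IP"}
         {"type": "client_port", "name": "X-Client-Port"}
    Returns a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    if len(fields) > MAX_TAG_FIELDS:
        problems.append(f"{len(fields)} tag fields configured, maximum is {MAX_TAG_FIELDS}")
    seen = set()
    for field in fields:
        name = field.get("name", "")
        if not _TOKEN.match(name):
            problems.append(f"{name!r}: not a valid HTTP header field name")
            continue
        if name.lower() in STANDARD_HEADERS:
            problems.append(f"{name}: standard HTTP header would be overwritten")
        if name.lower() in seen:
            problems.append(f"{name}: header name used by more than one tag field")
        seen.add(name.lower())
        if field.get("type") == "custom" and not field.get("value"):
            problems.append(f"{name}: custom header needs a value")
    return problems


def parse_back_to_origin(headers, fields):
    """Origin-side view of one back-to-origin request.

    Returns {"via_waf": bool, "client_ip": str | None,
             "client_port": int | None, "scheme": str | None}.
    via_waf is True when a custom tag header carries its configured value;
    scheme comes from the X-Forwarded-Proto header WAF inserts.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"via_waf": False, "client_ip": None, "client_port": None,
              "scheme": lower.get("x-forwarded-proto")}
    for field in fields:
        value = lower.get(field["name"].lower())
        if value is None:
            continue
        if field["type"] == "custom":
            result["via_waf"] = result["via_waf"] or value == field["value"]
        elif field["type"] == "client_ip":
            result["client_ip"] = value.split(",", 1)[0].strip()
        elif field["type"] == "client_port":
            result["client_port"] = int(value) if value.strip().isdigit() else None
    return result


# Constructed configuration: the page's ALIWAF-TAG: Yes custom header plus an
# originating-IP field and a source-port field (X-Client-* names are assumed).
TAG_FIELDS = [
    {"type": "custom", "name": "ALIWAF-TAG", "value": "Yes"},
    {"type": "client_ip", "name": "X-Client-IP"},
    {"type": "client_port", "name": "X-Client-Port"},
]

# Constructed back-to-origin request as the origin server would see it.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "X-Forwarded-Proto": "https",
    "ALIWAF-TAG": "Yes",
    "X-Client-IP": "198.51.100.7",
    "X-Client-Port": "51234",
}

if __name__ == "__main__":
    print("config problems:", validate_tag_fields(TAG_FIELDS) or "none")
    print("origin view    :", parse_back_to_origin(SAMPLE_REQUEST, TAG_FIELDS))
```

The tag header only distinguishes WAF traffic from direct traffic if the origin server accepts connections solely from WAF's back-to-origin addresses; a request that reaches the origin by another path can carry the same header name and value, so the origin's source restrictions are what give the tag its meaning.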

Related operations

View origin servers and manage traffic redirection ports

After an instance is added to WAF, you can view detailed protection information for the origin server and forcibly disable or delete traffic redirection ports for emergency disaster recovery.

  1. On the Onboarding page, click the Cloud Native tab.

  2. On the Network Load Balancer (NLB) tab, click the expand icon for the target instance to view the ports that are protected by WAF.

    • View Port Details: Click Port Details to view information about the port, protocol, and the configured certificate. You can also configure the following settings: Is there a Layer 7 proxy (such as Anti-DDoS or CDN) in front of WAF?, Enable Traffic Marking (Advanced Settings), and Configure back-to-origin persistent connections (Advanced Settings).

    • Remove from WAF: Click Remove, and in the Remove dialog box, click OK.

      Important

      When you remove an instance from WAF, your web services may experience transient connection interruptions that last for a few seconds. If clients can automatically reconnect, the connections are automatically restored and your services are not affected. We recommend that you monitor your services and prepare disaster recovery mechanisms, such as reconnection or back-to-origin routing, based on your service architecture.

      After you remove the instance, traffic to your asset is no longer protected by WAF. To re-enable protection, you can click Add Now to add the port again. For more information, see Add a traffic redirection port.

Update the certificate bound to a traffic redirection port

If a certificate is about to expire or is changed for other reasons, such as revocation, you must update the certificate that is bound to the traffic redirection port.

Note
  • When a certificate has less than 30 calendar days of validity remaining, WAF displays an icon in the record list to indicate that the certificate is about to expire. You must update it promptly to avoid affecting normal business operations.

  • You can set up SSL certificate message reminders to receive notifications by email, text message, and other methods before the certificate expires. For more information, see Set up message notifications for SSL certificates.

  • To avoid business interruptions caused by an expired certificate, enable the certificate hosting service of Alibaba Cloud Certificate Management Service (Original SSL Certificate). This service automatically requests certificates before they expire. For more information, see What is Certificate Hosting Service?.

Perform the following steps:

  1. Renew the certificate or upload a third-party certificate to Certificate Management Service (Original SSL Certificate). For more information, see Renew an SSL certificate or Upload, sync, and share SSL certificates.

  2. Sync the certificate to WAF.

    • Update the certificate in the WAF console.

      1. On the Cloud Native tab, select the Network Load Balancer (NLB) tab. Find the target instance. In the Actions column for the target port, click the icon, and then click Modify.

      2. In the Default Certificate section, select Select Existing Certificate and choose the new certificate.

Configure protected objects

If you have multiple domain names that resolve to the same NLB instance and you want to configure separate protection rules for each domain name after you add the instance to WAF, you must manually add the domain names as protected objects. For more information, see Manually add a protected object.