All Products
Search
Document Center

Web Application Firewall:Enable WAF protection for Cloud-native API Gateway instances

Last Updated:Jul 03, 2026

Enable Web Application Firewall (WAF) protection for Cloud-native API Gateway (APIG) instances to add low-latency, high-availability web security without changing your network architecture or DNS configuration.

How it works

image

Cloud-native API Gateway uses SDK integration. The SDK embeds directly in the cloud product to extract, detect, and protect traffic. Because WAF does not forward traffic, this avoids compatibility and stability issues from an additional forwarding layer.

Applicable scope

If your APIG instance does not meet the following requirements, use CNAME integration instead.

  • Account requirements: APIG and WAF instances must belong to the same Alibaba Cloud account, unless the multi-account management feature is configured.

  • Region requirements: You can enable WAF protection only for APIG instances in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Ulanqab), China (Zhangjiakou), China (Qingdao), China (Chengdu), China (Hong Kong), Singapore, Indonesia (Jakarta), Japan (Tokyo), Germany (Frankfurt), US (Silicon Valley), and US (Virginia).

Procedure

Important

Enabling WAF protection for the first time may restart the gateway service, breaking persistent connections and causing brief service interruptions or performance degradation. Perform this during off-peak hours. Protection rules take effect about five minutes after enablement.

  1. Access the console:

    Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region for your WAF instance (Chinese Mainland). In the navigation pane on the left, click Onboarding. Select the Cloud Native tab, and in the left-side cloud product type list, select Cloud-native API Gateway.

  2. Authorize the cloud product (first-time only):

    Click Authorize Now to complete authorization. The service-linked role AliyunServiceRoleForWAF is created and visible on the RAM console Identities > Roles page.

  3. Connect to Cloud-native API Gateway instance:

    1. Click Add. The page redirects to the Cloud-Native API Gateway console.

    2. In the navigation pane on the left, click Instance. Then, enable WAF protection.

      Enable Instance-Level Protection

      1. On the Instance page, click the target gateway in the Instance ID/Name column.

      2. On the Basic Information tab, in the Network Information area, click Enable WAF protection. In the panel that appears, select Continue to enable instance-level WAF protection (recommended).

      Enable Route-Level Protection

      1. On the Instance page, click API Management in the Actions column of the target gateway.

      2. On the API page, click the target API in the API Name column. Select the Policy Configurations tab.

      3. In the Inbound Processing area, click Enable Policy/Plug-in. Select the WAF Policy card.

      4. Click Enable Route-level WAF Protection (Recommended). In the dialog box that appears, click OK.

  4. Verify protection:

    When the WAF Protection status on the destination instance's Basic Information page displays Enabled, or the WAF status on the destination route's Policy Configurations page displays Enabled, integration is successful. To verify, enter your domain name with a web attack payload in a browser (for example, <your-domain-name>/alert(xss), where alert(xss) is an XSS test payload). A 405 blocking page confirms WAF is active.

What to do next

View and configure protection rules

After integration, WAF creates a protected object with the suffix -apig and enables Web Core Protection rules and other module rules by default. View these settings on the Protection Config > Protected Objects page. To customize rules, see Overview of Mitigation Settings.

Rollback (disable protection)

  • Temporarily disable WAF protection: If issues occur after integration (such as false positives), turn off the WAF Protection Status switch on the Protected Objects page. One-Click WAF Protection Disable Feature.

  • Cancel onboarding: To remove WAF protection from APIG instances, go to the Cloud-Native API Gateway console and click Instance to disable WAF protection.

    Disable Instance-level protection

    1. On the Instance page, click the target gateway in the Instance ID/Name column.

    2. On the Basic Information tab, in the Network Information area, click Disable WAF protection. In the panel that appears, select Continue to disable instance-level WAF protection (not recommended).

    Disable route-level protection

    1. On the Instance page, click API Management in the Actions column of the target gateway.

    2. On the API page, click the target API in the API Name column. Select the Policy Configurations tab.

    3. In the Inbound Processing area, click the image icon after Waf, and then in the pop-up dialog box click Delete.

    Important
    • After deactivation, WAF stops protecting service traffic and security reports no longer include data for that traffic.

    • For pay-as-you-go WAF instances, request processing fees stop after deactivation, but feature fees for the WAF instance and existing protection rules continue. To stop all WAF billing, Disable WAF.

Quotas and limits

  • Number of connected instances: Must not exceed the limit for your WAF edition.

    • Subscription WAF instances: Basic Edition: up to 300; Pro Edition: up to 600; Enterprise Edition: up to 2,500; Ultimate Edition: up to 10,000.

    • Pay-as-you-go WAF instances: up to 10,000.

  • Unsupported features:

    • Webpage tamper protection.

    • Data leakage prevention.

    • Automatic Web SDK integration in bot management web crawler protection scenarios.

FAQ

What are the differences between WAF cloud native integration and CNAME integration? Can they be used together?

WAF supports two integration types: cloud product integration and CNAME integration.

  • Cloud native integration (this topic): Integrates Alibaba Cloud product instances under the current account.

  • CNAME integration: Integrates domain names. Supports cross-account and cross-cloud scenarios.

The two methods cannot be used simultaneously — each domain supports only one. Duplicate configurations cause traffic forwarding conflicts that render protection ineffective. Overview of Integration.