Hybrid cloud access extends WAF protection to services running outside Alibaba Cloud — on third-party public clouds, private clouds, or on-premises data centers. Instead of managing security separately for each environment, you get unified policy control, real-time rule synchronization, and centralized traffic visibility across all your deployments from a single WAF instance.
How it works
Hybrid cloud access deploys a local WAF cluster inside your network. The cluster receives protection rules, threat intelligence updates, and configuration from the Alibaba Cloud WAF console in real time. Two connection types are available depending on how your network is structured and how much traffic your services handle.
Choose a connection type
| | Reverse proxy mode | SDK integration mode |
|---|---|---|
| How it works | WAF acts as a reverse proxy. DNS points to the WAF cluster endpoint, and all traffic passes through WAF before reaching your origin server. | An SDK plugin on your gateway copies traffic to the WAF cluster for inspection. WAF does not sit in the traffic path. |
| Traffic path | Client → WAF cluster → origin server | Client → gateway → origin server (SDK mirrors a copy → WAF cluster) |
| When to use | Network architecture can be modified; moderate traffic volume | Already have a unified gateway (Nginx, APISIX); high traffic volume; strict latency or stability requirements |
| Bypass behavior | Standard failover | Manual bypass available — when enabled, the SDK stops forwarding traffic to WAF immediately |
| Typical users | Internet portals, government, finance, media | Large-scale platforms with high concurrency and existing gateway infrastructure |
Once you select a cluster type, you cannot change it. Plan your deployment before creating the cluster.
If your traffic cannot be routed to the public cloud due to business requirements, or if you need unified protection across Alibaba Cloud and non-cloud environments simultaneously, hybrid cloud access supports both scenarios regardless of which connection type you choose.
Limitations
Hybrid cloud access does not support the web tamper-proofing feature.
Prerequisites
Before you begin, ensure that you have:
A subscription Enterprise or Ultimate WAF instance. Subscription Basic, Pro, and pay-as-you-go instances do not support hybrid cloud access. To purchase a qualifying instance, see Purchase a subscription WAF 3.0 instance.
The Additional Hybrid Cloud Protection Nodes specification purchased. A single protection node handles up to 5,000 QPS for HTTP services or 3,000 QPS for HTTPS services. Size your purchase based on expected traffic.
Servers prepared to host the cluster. See Plan cluster resources for the recommended number of servers and load balancers per deployment scenario.
A hybrid cloud cluster consists of management, storage, and protection components. Deploy different components on separate servers. If a component runs on multiple nodes, place a load balancer in front of those nodes.
Plan cluster resources
Select a deployment solution based on your reliability requirements.
| Scenario | Deployment solution | Resources (default: HTTP ≤10,000 QPS or HTTPS ≤6,000 QPS) | Components |
|---|---|---|---|
| High security and stability — disaster recovery for both protection and management | Full disaster recovery deployment | 5 servers + 2 load balancers | Storage: 1 server; Management: 2+ servers + 1 LB; Protection: 2+ servers + 1 LB |
| High service stability — disaster recovery for protection only | Protection disaster recovery deployment | 3 servers + 1 load balancer | Management + Storage: 1 server; Protection: 2+ servers + 1 LB |
| Proof of concept — basic protection validation | Minimal cluster deployment | 2+ servers | Management + Storage: 1 server; Protection: 1+ server |
To scale beyond the defaults, add more protection nodes. Each additional node adds 5,000 QPS (HTTP) or 3,000 QPS (HTTPS) of capacity.
Step 1: Install the WAF client
The WAF client (vagent) runs on each server that will become a cluster node. vagent handles three functions:
Pulls WAF installation and upgrade images from Alibaba Cloud
Reports component health status to ensure cluster availability
Syncs forwarding configurations, mitigation rules, and threat intelligence from the cloud in real time
vagent is installed via RPM package on 64-bit Linux servers. Supported operating systems:
| Distribution | Version |
|---|---|
| AliOS | 3.2104 |
| Tencent OS | 3.1 |
| CentOS | 7 |
| Red Hat | 7 |
| Kylin | V10 (x86) |
Kernel version 4.10 or later is required.
CentOS 7 is no longer maintained. Existing vagent installations on CentOS 7 continue to work, but images are no longer updated.
Install vagent
Log on to the local server.

Get the latest vagent RPM package. Submit a ticket to request the download from a product technical expert.

Install the package.

```bash
sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
```

Replace xxxxxxx.xxxxx with the version number of the downloaded file.

Verify the installed version.

```bash
rpm -qa | grep vagent
```

The output displays the installed vagent version. Confirm it matches the package you downloaded.

Configure the vagent connection. Open the configuration file.

```bash
sudo vi /home/admin/vagent/conf/vagent.toml
```

Press i to enter edit mode, then set the following fields:

```toml
domain="<endpoint>"                  # Hybrid Cloud WAF service endpoint (see table below)
access_key_id="<your-ak-id>"         # Alibaba Cloud AccessKey ID
access_key_secret="<your-ak-secret>" # Alibaba Cloud AccessKey secret
```

Select the endpoint based on your WAF region and connection method:

| WAF region | Connection method | Endpoint |
|---|---|---|
| Chinese mainland | Internet | wafopenapi.cn-hangzhou.aliyuncs.com |
| Chinese mainland | Express Connect (private) | wafopenapi.vpc-proxy.aliyuncs.com |
| Outside the Chinese mainland | Internet | wafopenapi.ap-southeast-1.aliyuncs.com |
| Outside the Chinese mainland | Express Connect (private) | wafopenapi-intl.vpc-proxy.aliyuncs.com |

Important: Express Connect mode requires an active Express Connect circuit. For the Chinese mainland, VPC-connected instances in China (Hangzhou), China (Shanghai), and China (Beijing) are supported. For other regions, submit a ticket. For regions outside the Chinese mainland, submit a ticket.

Press Esc, then type :wq and press Enter to save and exit.

Start vagent.

```bash
sudo systemctl start vagent
sudo systemctl enable vagent
```

After enabling auto-start, you see the following confirmation:

```
Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service to /usr/lib/systemd/system/vagent.service.
```

Verify the installation.

```bash
ps aux | grep AliYunDunWaf
```

If the AliYunDunWaf process appears in the output, vagent is running and has established a connection with the Alibaba Cloud WAF server. The server is ready to be added as a cluster node. If the process does not appear, check that each installation step completed successfully, then reinstall and restart vagent. If the issue persists, submit a ticket.
Manage vagent
| Operation | Command |
|---|---|
| Stop | sudo systemctl stop vagent |
| Check status | sudo systemctl status vagent |
| View logs (systemd) | sudo journalctl -u vagent |
| View logs (file) | tail /home/admin/vagent/logs/vagent.log |
Repeat this step on every server that will host a cluster node.
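A pre-flight check for a server that is about to become a cluster node, added here as an example; it is not part of the vagent package or Alibaba Cloud's tooling. It compares the host against the requirements listed above (kernel 4.10 or later, 64-bit architecture), confirms that the domain in vagent.toml is one of the four documented service endpoints, and confirms that the vagent RPM and the AliYunDunWaf process are present. The configuration path /home/admin/vagent/conf/vagent.toml is the one this page documents; the function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for a prospective hybrid cloud cluster node.
# Added example, not vagent or Alibaba Cloud tooling. It only reads local state
# and compares it with the requirements documented on this page.

VAGENT_CONF=/home/admin/vagent/conf/vagent.toml   # path documented for vagent

# kernel_ok "4.10.0-rc1" -> 0 when major.minor is 4.10 or later, else 1.
kernel_ok() {
  major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
  minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
  if [ "${major:-0}" -gt 4 ]; then return 0; fi
  if [ "${major:-0}" -eq 4 ] && [ "${minor:-0}" -ge 10 ]; then return 0; fi
  return 1
}

# arch_ok "x86_64" -> 0 for a 64-bit architecture (vagent ships only 64-bit RPMs).
arch_ok() {
  case "$1" in x86_64|aarch64) return 0 ;; *) return 1 ;; esac
}

# endpoint_ok HOST -> 0 when HOST is one of the four documented service endpoints.
endpoint_ok() {
  case "$1" in
    wafopenapi.cn-hangzhou.aliyuncs.com|wafopenapi.vpc-proxy.aliyuncs.com|wafopenapi.ap-southeast-1.aliyuncs.com|wafopenapi-intl.vpc-proxy.aliyuncs.com) return 0 ;;
    *) return 1 ;;
  esac
}

# config_domain FILE -> prints the value of domain="..." from a vagent.toml.
config_domain() {
  sed -n 's/^[[:space:]]*domain[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1
}

# preflight -> runs every check against the live host, one line per check;
# returns 1 if any check fails so it can gate an automated rollout.
preflight() {
  rc=0
  if kernel_ok "$(uname -r)"; then echo "OK   kernel $(uname -r) is 4.10 or later"
  else echo "FAIL kernel $(uname -r) is older than 4.10"; rc=1; fi
  if arch_ok "$(uname -m)"; then echo "OK   64-bit architecture ($(uname -m))"
  else echo "FAIL unsupported architecture $(uname -m)"; rc=1; fi
  if rpm -qa 2>/dev/null | grep -q vagent; then echo "OK   vagent RPM installed"
  else echo "FAIL vagent RPM not installed"; rc=1; fi
  ep=$(config_domain "$VAGENT_CONF")
  if endpoint_ok "$ep"; then echo "OK   endpoint $ep"
  else echo "FAIL endpoint '${ep:-<unset>}' in $VAGENT_CONF is not a documented WAF endpoint"; rc=1; fi
  if ps aux | grep -v grep | grep -q AliYunDunWaf; then echo "OK   AliYunDunWaf process running"
  else echo "FAIL AliYunDunWaf process not found (is vagent started?)"; rc=1; fi
  return $rc
}

# Usage: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run on each server before adding the node in the console; a FAIL on the endpoint line is the quickest way to catch a vagent.toml that points at the Internet endpoint on a cluster that was created in Internal Network access mode, or vice versa.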
Step 2: Deploy a hybrid cloud cluster
On the WAF purchase page, configure Additional Hybrid Cloud Protection Nodes to match your capacity requirements.
Only subscription Enterprise and Ultimate instances support hybrid cloud access. A single cluster must have at least two protection nodes.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland).
In the left navigation pane, click Hybrid Clouds.
Click Add Cluster.
In the Basic information configuration step, set the following parameters and click Next.
| Parameter | Description |
|---|---|
| Cluster name | A name for the cluster. |
| Cluster type | Select Reverse Proxy Mode or SDK Integration Mode. In SDK Integration Mode, enable Manual Bypass to immediately put the cluster into bypass state if the WAF cluster becomes unavailable — the SDK stops forwarding traffic to WAF. This setting cannot be changed after the cluster is created. |
| Protection nodes | The number of protection nodes in the cluster. The total across all clusters cannot exceed your purchased Additional Hybrid Cloud Protection Nodes specification. |
| Server port | Ports the cluster listens on. Default: 80, 8080, 443, 8443. Add additional ports as needed; press Enter after each port. The following ports are not supported: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, 4987. Add only ports required by your services. |
| Cluster access mode | Internet: connects to WAF over the Internet. Internal Network: connects over an Express Connect circuit (requires an active circuit). |
| Remarks | Optional notes. |

In the Node group configuration step, click Add Node Group and add node groups in one of the following sequences. Click Next after adding all required groups.

Method 1 (at least 3 groups): First add a Storage group, then at least one Management group, then at least one Protection group.

Method 2 (at least 2 groups): First add a Management And Storage group, then at least one Protection group.

Each node group requires a Server Load Balancer (SLB) device for load balancing and failover. If you do not have an SLB device, submit a ticket.

| Parameter | Description |
|---|---|
| Node group name | A name for the node group. |
| Server IP address for load balancing | The public IP address of the SLB server bound to this group. |
| Node group type | Protection: the protection component; multiple allowed for disaster recovery. Management: the management component; multiple allowed for disaster recovery. Storage: the storage component; only one per cluster. Management And Storage: combined component; only one per cluster. |
| Region | Required for Protection node groups only. Select the region where the protection nodes are located. |
| Remarks | Optional notes. |

On the Node group configuration page, click Add Node, set the following parameters, and click Save.

| Parameter | Description |
|---|---|
| Server IP address | The public IP address of the local server. |
| Node name | A name for the node. |
| Region | The region where the node is located. |
| Server configuration | Displayed automatically based on server information. |
| Protection node group | The protection node group to assign this node to. The total nodes in the cluster cannot exceed the cluster's protection node specification. |

Add at least two nodes to each Protection group for active-active disaster recovery.
After the cluster is created, click Switch Cluster to select and manage it. From the cluster detail page:
View and edit basic information (cluster name, protection node count, service ports, remarks) in the Basic information section.
Add or modify node groups by clicking Node group configuration.
Add nodes by clicking Add Node.
Monitor node health:
Node status: Normal — server is running. Abnormal — server is shut down. If abnormal, the node cannot provide WAF protection. Investigate and resolve the shutdown cause promptly.
Application status: Normal — vagent is running. Abnormal — vagent has stopped. If abnormal, log on to the local server and check vagent's installation and running status. See Step 1: Install the WAF client.
Step 3: Add services to WAF
The procedure varies by cluster type. Follow the section that matches the Cluster type you selected in Step 2.
Reverse proxy mode
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region.
In the left navigation pane, click Onboarding.
On the Hybrid Cloud tab, click Reverse Proxy, then click Add.
In the Configure listener step, set the following parameters and click Next.

| Parameter | Description |
|---|---|
| Domain name/IP address | The domain name or IP address to protect. For domain names: exact-match (e.g., www.aliyundoc.com) or wildcard (e.g., *.aliyundoc.com). A wildcard domain matches all subdomains at the same level but does not match the primary domain or subdomains at different levels. If both an exact-match and a wildcard domain can match the same host, the exact-match domain's rules take precedence. For IP addresses: enter the IP address directly (e.g., 192.168.XX.XX). |
| Protocol type | Select HTTP or HTTPS and enter the port number. The port must be within the cluster's listener port range. To add a port, see Step 2. For HTTPS, upload the SSL certificate (see certificate options below). |
| Layer 7 proxy | Select No if WAF receives requests directly from clients. Select Yes if another proxy (such as Anti-DDoS or CDN) sits in front of WAF, then configure Obtain source IP address to identify the real client IP. |
| Resource group | The resource group for this domain. Defaults to Default Resource Group. |

HTTPS certificate options:

| Option | When to use |
|---|---|
| Upload | Paste the certificate file content and private key directly. Supported input format: PEM. Convert other formats (PFX, P7B, CER, CRT) to PEM first using the Certificate Management Service format conversion tool. If the domain uses a certificate chain, concatenate all certificate files before uploading. |
| Select existing certificate | Use a certificate issued by Alibaba Cloud Certificate Management Service, or a third-party certificate already uploaded there. |
| Purchase certificate | Apply for a paid DV (Domain Validation) certificate directly. The certificate is automatically uploaded to WAF after issuance. For other certificate types, purchase through Certificate Management Service. |

Additional HTTPS settings (optional):

HTTP/2: Enable if your website supports the HTTP/2 protocol. HTTP/2 uses the same port as HTTPS.

Enable HTTPS routing: Forces HTTP requests to redirect to HTTPS (port 443 by default) and enables HSTS. Available only when HTTP is not selected.

TLS version: The minimum TLS version WAF accepts. Higher versions improve security but reduce compatibility. Options: TLS 1.0 and later (default), TLS 1.1 and later, TLS 1.2 and later. To support TLS 1.3, select Support TLS 1.3.

Cipher suite: The cipher suites WAF accepts. Defaults to all supported suites. Select Custom cipher suite only if your backend requires specific cipher suites. See Supported WAF cipher suites for the full list.

In the Configure forwarding rule step, set the following parameters and click Submit.

| Parameter | Description |
|---|---|
| Node settings | Select a Protection node group and enter the origin server address (the IP address or domain name WAF forwards traffic to after inspection). Add up to 20 IP addresses — WAF automatically load-balances across them. Configure IPv4 only, IPv6 only, or both. If only IPv4 addresses are configured, all requests (including from IPv6 clients) are forwarded over IPv4. If only IPv6 addresses are configured, all requests are forwarded over IPv6. If you enter a domain name (such as a CNAME), only origin fetch over IPv4 is supported — WAF resolves and forwards to the IPv4 address only. To add multiple protection node groups, click Add protection node. |
| Public cloud disaster recovery | When enabled, traffic can fail over to the public cloud link if the hybrid cloud link fails. Point the DNS CNAME record to the public cloud CNAME before switching. Add an origin server address for the disaster recovery link. |
| Load balancing algorithm | Round-robin: distributes requests evenly across origin servers. IP hash: routes requests from the same client IP to the same origin server, which maintains session consistency but may cause uneven distribution. |
| Advanced HTTPS settings | Enable HTTP routing: sets the back-to-origin port (default: 80). Origin SNI: set to Same as the actual request host to use the Host header value, or Custom to specify a fixed SNI value. |
| Other advanced settings | X-Forwarded-Proto header: WAF automatically inserts this header to identify the protocol used between the client and WAF. Disable if your application cannot handle this header. Enable traffic tag: adds a custom header to requests that pass through WAF, so your origin server can distinguish WAF-inspected traffic. Timeout settings: connection timeout (default: 5s, range: 1–3600s), read timeout (default: 120s), write timeout (default: 120s). Retry back-to-origin requests: when enabled, WAF retries each origin server up to three times after a failed origin fetch. Origin keep-alive: when enabled, set max requests per connection (default: 1,000; range: 60–1,000) and idle timeout (default: 15s; range: 10–3,600s). Disabling keep-alive also disables WebSocket support. |

Update the DNS record for your domain. If you use Alibaba Cloud DNS, see Change DNS settings.
Change the DNS A record to point the domain to the protection node group IP address.
If you enabled Public cloud disaster recovery, also add a DNS CNAME record pointing to the public cloud CNAME (for use when switching to the disaster recovery link).
Important: Before changing DNS, verify that WAF forwarding is working correctly by running a local verification test. Changing DNS before forwarding takes effect will interrupt your service. See Local verification.
DNS changes are required only when adding a domain name. Skip this step when adding an IP address.
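The local verification test that the note above asks for, as an added shell helper that is not Alibaba Cloud's own tooling. It checks the listener port against the unsupported-port list from Step 2, then sends one request for the real domain straight to the protection node group IP, using curl's --resolve option to pin the name to that IP for the single request, so the Host header and SNI match the listener while DNS still points at the old target. The domain www.example.com and the address 192.0.2.10 in the usage line are constructed placeholders; the function names are assumptions of this example.

```shell
#!/bin/sh
# Local verification of WAF forwarding before the DNS switch.
# Added example, not Alibaba Cloud tooling. It pins the protected domain to the
# protection node group IP for one curl request and reports the HTTP status.

# Ports this page lists as unsupported for the cluster listener (Step 2).
BLOCKED_PORTS="22 53 9100 4431 4646 8301 6060 8600 56688 15001 4985 4986 4987"

# port_allowed PORT -> 0 when PORT is a valid TCP port and not on the blocked list.
port_allowed() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then return 1; fi
  for p in $BLOCKED_PORTS; do
    if [ "$p" = "$1" ]; then return 1; fi
  done
  return 0
}

# resolve_arg HOST PORT IP -> the value curl --resolve expects ("host:port:ip").
resolve_arg() {
  printf '%s:%s:%s' "$1" "$2" "$3"
}

# status_ok CODE -> 0 for a 2xx or 3xx HTTP status, meaning the node group
# accepted the request and reached an origin (or issued the HTTPS redirect).
status_ok() {
  case "$1" in 2[0-9][0-9]|3[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# local_verify DOMAIN NODE_IP [PORT] [SCHEME] [PATH]
# Returns 0 when the node group answered with a 2xx/3xx, 1 on any other
# status (000 = no HTTP answer: connect or TLS failure), 2 on a bad port.
local_verify() {
  domain=$1; node_ip=$2; port=${3:-443}; scheme=${4:-https}; path=${5:-/}
  if ! port_allowed "$port"; then
    echo "port $port is not a valid cluster listener port" >&2
    return 2
  fi
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    --resolve "$(resolve_arg "$domain" "$port" "$node_ip")" \
    "$scheme://$domain:$port$path")
  echo "$scheme://$domain$path via $node_ip:$port -> HTTP ${status:-000}"
  status_ok "$status"
}

# Usage (constructed placeholders):
#   sh local_verify.sh --run www.example.com 192.0.2.10 443 https /
if [ "${1:-}" = "--run" ]; then
  shift
  local_verify "$@"
fi
```

Run it once per protection node group IP and once per listener port you configured. A 000 result means the TLS handshake or TCP connect failed before any HTTP exchange (typically the uploaded certificate does not cover the domain, or the port is not in the cluster's listener list); a 5xx means the node group accepted the request but could not fetch from the origin address in the forwarding rule. Only switch the A record once every group returns 2xx/3xx.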
After the service is added, WAF automatically creates a protected object and enables web core protection rules for it. Go to Protection Configuration > Protected Objects to view the protected object and configure mitigation policies. See Overview of mitigation settings.
SDK integration mode
In SDK integration mode, deploy an SDK plugin on your unified access gateway. The plugin mirrors service traffic to the WAF bypass cluster for inspection without affecting traffic forwarding.
To set up SDK integration, submit a ticket to get assistance from a product technical expert.
After the SDK and cluster are deployed:
View forwarding node status: Log on to the WAF 3.0 console, click Onboarding in the left navigation pane, then click SDK Integration on the Hybrid Cloud tab. The provisioning list shows the mapping between each forwarding node IP address and its cluster and protection node group, along with the node status.
Add a protected object: WAF does not automatically add protected objects in SDK integration mode. Go to the Protected Objects page in the WAF console and add the domain name or URL as a protected object. See Configure protected objects and protected object groups.
Configure mitigation policies: After adding the protected object, configure the mitigation policies for it. See Overview of mitigation settings.
What's next
Configure protection rules for your protected objects: Overview of mitigation settings
Change the DNS record for a domain: Change DNS settings
Convert certificate formats: Convert the format of a certificate