
Web Application Firewall:Overview

Last Updated: Nov 14, 2025

This topic describes the three connection types that Web Application Firewall (WAF) 3.0 supports: cloud native mode, canonical name (CNAME) connection, and Hybrid Cloud WAF connection. This topic also explains how each type works and helps you choose the appropriate one for your web service deployment.

Comparison of connection types

| Comparison item | Cloud native mode | CNAME connection | Hybrid Cloud WAF connection: reverse proxy | Hybrid Cloud WAF connection: SDK integration |
|---|---|---|---|---|
| Scenarios | Quickly connect Alibaba Cloud product instances within the same account. Supports scenarios with domain names or only public IP addresses. | Connect a domain name. This method is widely applicable and supports cross-account and multicloud scenarios. | You want to deploy WAF locally for protection. You want to protect internal services. Your service traffic volume is moderate. | You want to deploy WAF locally for protection. You already have a unified ingress gateway, such as Nginx or APISIX. Your traffic volume is large, and you have high requirements for latency and stability. |
| Protected object | Alibaba Cloud product instance | Domain name | Domain name or IP address | Domain name or IP address |
| Access limits | If the multi-account management feature is not configured, you can only connect to cloud product instances within the same account. Some cloud product instances in certain regions are not supported. You cannot connect to private or IPv6 ECS, Classic Load Balancer (CLB), or Network Load Balancer (NLB) instances. You can only connect to Application Load Balancer (ALB), CLB, Elastic Compute Service (ECS), NLB, Function Compute (FC), and Microservices Engine (MSE) instances. | You must verify domain name ownership, modify DNS records, and allow back-to-origin IP addresses. | You must have permission to manage the DNS records for the domain name. You must activate a subscription Enterprise or Ultimate WAF instance and purchase a Multicloud/Hybrid Cloud WAF Extension Node. | You must have permission to manage the DNS records for the domain name. You must activate a subscription Enterprise or Ultimate WAF instance and purchase a Multicloud/Hybrid Cloud WAF Extension Node. You must have a unified ingress gateway and the ability to manage it independently. |

The supported security features vary by connection type, as shown in the following table:

| Feature | Cloud native mode (NLB, CLB, and ECS) | Cloud native mode (ALB, MSE, and FC) | CNAME connection | Hybrid Cloud WAF reverse proxy connection | Hybrid Cloud WAF SDK integration connection |
|---|---|---|---|---|---|
| Core web protection rules | Supported | Supported | Supported | Supported | Supported |
| Whitelist | Supported | Supported | Supported | Supported | Supported |
| IP blacklist | Supported | Supported | Supported | Supported | Supported |
| Custom rules | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Supported | Supported | Supported | Supported | Supported |
| Scan protection | Supported | Supported | Supported | Supported | Supported |
| Location blacklist | Supported | Supported | Supported | Supported | Supported |
| Web tamper proofing | Supported | Supported only for ALB | Supported | Not supported | Not supported |
| Data leakage prevention | Supported | Not supported | Supported | Supported | Not supported |
| Custom response | Supported | Supported | Supported | Supported | Supported |
| Bot management - Automatic web SDK integration | Supported | Not supported | Supported | Supported | Supported |
| Major event support | Supported | Not supported | Supported | Not supported | Not supported |
| API security | Supported | Supported only for ALB | Supported | Supported | Supported |
| Peak traffic throttling | Supported | Not supported | Supported | Not supported | Supported |

How it works

Cloud native mode

When you connect ALB, FC, or MSE instances, WAF uses SDK integration. The software development kit (SDK) is embedded in the cloud product, where it extracts, inspects, and protects traffic. WAF does not forward traffic. This method avoids the compatibility and stability issues that an additional forwarding layer can introduce.

When you connect ECS, CLB, or NLB instances, WAF uses a transparent proxy. After you configure a traffic redirection port, the cloud product gateway automatically changes the route to redirect web service traffic to WAF. WAF inspects the traffic, blocks attacks, and forwards legitimate requests to the origin server.


CNAME connection

This method uses a reverse proxy. You add a domain name and point its DNS record to the WAF CNAME address. This redirects all web traffic for the domain name to WAF. WAF inspects the traffic, blocks attacks, and forwards legitimate requests to the origin server.
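In the CNAME and reverse proxy methods, WAF only inspects requests that actually pass through it, which is why the access limits above require allowing the WAF back-to-origin IP addresses on the origin server. As an added example (not part of this document or the WAF product), the following Python script reads an origin access log and flags requests that reached the origin from outside the back-to-origin ranges; the CIDR ranges and log lines are constructed placeholders, not real WAF addresses.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the WAF back-to-origin
# CIDRs (take the real list from the WAF console; these are documentation nets).
WAF_BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:ff::/48"]

# Constructed sample origin access log (combined-log style), not real traffic.
SAMPLE_ORIGIN_LOG = """\
203.0.113.7 - - [14/Nov/2025:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [14/Nov/2025:10:00:02 +0800] "POST /api/login HTTP/1.1" 200 88
192.0.2.55 - - [14/Nov/2025:10:00:03 +0800] "GET /admin HTTP/1.1" 401 17
2001:db8:ff::10 - - [14/Nov/2025:10:00:04 +0800] "GET / HTTP/1.1" 200 2048
2001:db8:1::5 - - [14/Nov/2025:10:00:05 +0800] "GET /wp-login.php HTTP/1.1" 404 0
garbage line that does not parse
"""

# client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_allowlist(cidrs):
    """Parse the CIDR strings once; a malformed entry raises ValueError so typos are caught."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def came_through_waf(ip_str, allowlist):
    """True if the client address belongs to one of the WAF back-to-origin ranges."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable address: treat as not from WAF
    return any(addr in net for net in allowlist)


def find_waf_bypasses(log_text, cidrs):
    """Return (ip, timestamp, request) for every request that reached the origin
    from outside the WAF ranges, i.e. traffic that WAF never inspected."""
    allowlist = build_allowlist(cidrs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        if not came_through_waf(m["ip"], allowlist):
            hits.append((m["ip"], m["ts"], m["req"]))
    return hits


if __name__ == "__main__":
    for ip, ts, req in find_waf_bypasses(SAMPLE_ORIGIN_LOG, WAF_BACK_TO_ORIGIN_CIDRS):
        print(f"origin reached directly from {ip} at {ts}: {req}")
```

Any hit means the origin is reachable without WAF inspection; the fix is to restrict inbound rules on the origin to the back-to-origin ranges rather than to tune the script.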


Hybrid Cloud WAF connection

The Hybrid Cloud WAF connection method offers two patterns: reverse proxy and SDK integration.

  • Reverse proxy mode: You connect a website domain name or IP address to WAF and then point its DNS record to the WAF protection cluster. All traffic then passes through the cluster for security inspection.

  • SDK integration mode: You deploy the SDK plugin on your unified ingress gateway. The plugin copies service traffic to the WAF protection cluster. WAF inspects the copied traffic but does not forward it. This architecture separates traffic inspection from forwarding.


FAQ

Can I connect cloud resources from other Alibaba Cloud accounts or other cloud providers to WAF?

Yes. If you own a website domain name and can manage its DNS records, you can use the CNAME connection method. This method does not have restrictions on the location of the origin server.

Can I connect to WAF if I only have a public IP address but no domain name?

Yes, you can. You can use the cloud native mode because this connection type does not require a domain name.

Can I connect an IPv6 website to WAF?

Yes. However, the cloud native mode for ECS, CLB, and NLB instances does not support IPv6 websites. For these instances, you must use the CNAME connection method. To do this, you must activate a subscription to an Enterprise or Ultimate WAF instance, or use a pay-as-you-go WAF instance. Then, in the More Settings section, select Enable IPv6. For more information, see Enable WAF protection for a website using the CNAME connection method.

WAF does not support connecting IPv6 websites in regions outside the Chinese mainland.

Can I use both the cloud native mode and the CNAME connection method for the same domain name?

No. Each domain name can use only one connection method. Using both methods for the same domain name causes forwarding conflicts and protection failures. If you want to switch a domain name from a CNAME connection to the cloud native mode, first point the DNS record back to the origin server. After the DNS resolution converges, delete the CNAME connection configuration for the domain name. Then, reconnect the domain name in cloud native mode.

Why can't I find the CLB, NLB, or ECS instance that I want to connect on the configuration page?

| Possible cause | Related operations |
|---|---|
| The CLB, NLB, or ECS instance does not meet the requirements. | Verify that the instance meets the connection requirements described in Limits for adding CLB instances, Limits for adding NLB instances, and Limits for adding ECS instances. |
| The CLB instance that you want to connect does not have a listener. | |
| WAF has not synced the CLB, NLB, or ECS instance. | To manually sync assets, see Manually sync assets. |

How do I view asset connection status and manually sync assets?

Follow these steps to view the connection status of your assets.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Onboarding.

  3. At the top of the page, you can view the number of connected domain name assets and cloud product assets. You can also see the total number of instances that you own for each cloud product. If you have added or changed a cloud product instance, click Sync Asset in the upper-right corner to immediately sync the changes to WAF.

How do I connect a domain name that resolves to multiple cloud product instances?

Cloud native mode: Connect all the relevant cloud product instances, such as the service ports of CLB instances, at the same time. This allows WAF to direct traffic to all of them.

CNAME connection method: Connect the domain name using the CNAME connection method and configure the origin server with the IP addresses or CNAMEs of all relevant cloud product instances.

How do I connect multiple domain names that resolve to the same cloud product instance?

Cloud native mode: When you add a cloud product instance, all domain names that resolve to the instance are protected by the WAF default mitigation policy. If you want to configure different protection rules for specific domain names, you must manually add those domain names as protected objects. For more information, see Manually add a protected object.

CNAME connection method: You must connect each domain name individually.