WAF 3.0 supports three connection types: cloud native mode, CNAME connection, and Hybrid Cloud WAF connection. Each type determines what you can protect, how traffic flows through WAF, and which security features are available.
Choose a connection type
| | Cloud native mode | CNAME connection | Hybrid Cloud WAF |
|---|---|---|---|
| What you protect | Alibaba Cloud product instances (ALB, CLB, ECS, NLB, FC, MSE) | Domain names | Domain names or IP addresses |
| Best for | Connecting Alibaba Cloud instances in the same account without DNS changes; supports scenarios with domain names or only public IP addresses | Any domain name, including cross-account and multicloud deployments | On-premises WAF deployments — reverse proxy for moderate traffic and internal service protection; SDK integration for large traffic volumes with low latency requirements at a unified ingress gateway |
| How it works | SDK integration (ALB, MSE, FC) or transparent proxy (ECS, CLB, NLB) | Reverse proxy — DNS redirects traffic to WAF | Reverse proxy or SDK integration via a local protection cluster |
| Key limits | Same-account only (unless multi-account management is configured); no private or IPv6 ECS, CLB, or NLB instances | Must own and manage DNS records for the domain | Requires an Enterprise or Ultimate WAF subscription and Protection Nodes purchase |
Cloud native mode is the fastest way to protect Alibaba Cloud product instances. No DNS changes required — WAF integrates directly with the cloud product.
CNAME connection is the most flexible option. If you own a domain name and can manage its DNS records, you can use it regardless of where your origin server is hosted.
Hybrid Cloud WAF is for deployments that need WAF running locally — either to protect internal services with moderate traffic (reverse proxy) or to handle large traffic volumes with low latency at an existing ingress gateway (SDK integration).
How it works
Cloud native mode
The mechanism depends on which cloud product you connect.
ALB, MSE, and FC — SDK integration: The SDK is embedded in the cloud product. It extracts and inspects traffic directly, without WAF forwarding it. This avoids the compatibility and stability issues that an extra forwarding layer can introduce.
ECS, CLB, and NLB — transparent proxy: After you configure a traffic redirection port, the cloud product gateway automatically reroutes web traffic to WAF. WAF inspects it, blocks attacks, and forwards legitimate requests to the origin server.
CNAME connection
CNAME connection uses a reverse proxy. Point the domain's DNS record to the WAF CNAME address. All traffic for that domain is then redirected to WAF, which inspects it, blocks attacks, and forwards legitimate requests to the origin server.
Hybrid Cloud WAF connection
Two patterns are available:
Reverse proxy: Connect a domain name or IP address to WAF and point its DNS record to the WAF protection cluster. All traffic passes through the cluster for inspection.
SDK integration: Deploy the WAF SDK plugin on your unified ingress gateway (such as Nginx or APISIX). The plugin copies service traffic to the WAF protection cluster for inspection. WAF inspects the copied traffic but does not forward it — traffic forwarding stays with the ingress gateway. This separates traffic inspection from forwarding.
Feature support by connection type
| Feature | Cloud native (NLB, CLB, ECS) | Cloud native (ALB, MSE, FC) | CNAME connection | Hybrid Cloud WAF — reverse proxy | Hybrid Cloud WAF — SDK integration |
|---|---|---|---|---|---|
| Core web protection rules | Supported | Supported | Supported | Supported | Supported |
| Whitelist | Supported | Supported | Supported | Supported | Supported |
| IP blacklist | Supported | Supported | Supported | Supported | Supported |
| Custom rules | Supported | Supported | Supported | Supported | Supported |
| HTTP flood protection | Supported | Supported | Supported | Supported | Supported |
| Scan protection | Supported | Supported | Supported | Supported | Supported |
| Location blacklist | Supported | Supported | Supported | Supported | Supported |
| Web tamper proofing | Supported | ALB only | Supported | Not supported | Not supported |
| Data leakage prevention | Supported | Not supported | Supported | Supported | Not supported |
| Custom response | Supported | Supported | Supported | Supported | Supported |
| Bot management — automatic web SDK integration | Supported | Not supported | Supported | Supported | Supported |
| Major event support | Supported | Not supported | Supported | Not supported | Not supported |
| API security | Supported | ALB only | Supported | Supported | Supported |
| Peak traffic throttling | Supported | Not supported | Supported | Not supported | Supported |
Connect to WAF
Before you begin
Cloud native mode
The instance must be one of the supported types: Application Load Balancer (ALB), Classic Load Balancer (CLB), Elastic Compute Service (ECS), Network Load Balancer (NLB), Function Compute (FC), or Microservices Engine (MSE).
Without the multi-account management feature, only instances within the same account can be connected.
Private or IPv6 ECS, CLB, and NLB instances are not supported.
Some instances in certain regions are not supported.
CNAME connection
You must own the domain name and have permission to manage its DNS records.
You must verify domain name ownership, modify DNS records, and allow back-to-origin IP addresses.
Hybrid Cloud WAF connection
An Enterprise or Ultimate WAF subscription is required, along with a Protection Nodes purchase.
Reverse proxy: permission to manage DNS records for the domain name or IP address.
SDK integration: a unified ingress gateway (such as Nginx or APISIX) that you can manage independently.
Connection guides
Cloud native mode
CNAME connection
Enable WAF protection for a website using the CNAME connection method. After adding the domain name in the WAF console, add the WAF back-to-origin IP address ranges to your allowlist and update the DNS settings for the domain.
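The CNAME connection described above only protects the site if both halves are done: the domain's DNS points at the WAF CNAME, and the origin accepts traffic only from the WAF back-to-origin ranges (otherwise the origin can still be reached directly, bypassing WAF). The following is an added pre-cutover check, not code from the WAF documentation; the WAF CNAME and back-to-origin ranges are constructed placeholders, since the real values come from the WAF console.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable, Optional

# Constructed placeholders: substitute the CNAME address and back-to-origin
# IP ranges shown for your domain in the WAF console.
WAF_CNAME = "example-waf-cname.placeholder.invalid."
WAF_BACK_TO_ORIGIN_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]  # RFC 5737 test ranges


def uncovered_ranges(allowlist: Iterable[str], needed: Iterable[str]) -> list[str]:
    """Return the back-to-origin ranges that no allowlist entry fully covers."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for n in needed:
        net = ipaddress.ip_network(n, strict=False)
        # subnet_of() only compares networks of the same IP version
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            missing.append(n)
    return missing


def check_cname_connection(dns_cname: Optional[str], origin_allowlist: Iterable[str]) -> dict:
    """Evaluate a domain's CNAME connection state from its current DNS CNAME target
    and the source-IP allowlist configured on the origin server."""
    allowlist = list(origin_allowlist)
    findings = {}
    # 1. Traffic only flows through WAF if the DNS record targets the WAF CNAME.
    findings["dns_points_to_waf"] = (
        (dns_cname or "").rstrip(".").lower() == WAF_CNAME.rstrip(".").lower()
    )
    # 2. WAF can only reach the origin if every back-to-origin range is allowed.
    findings["allowlist_missing"] = uncovered_ranges(allowlist, WAF_BACK_TO_ORIGIN_RANGES)
    # 3. A catch-all entry (e.g. 0.0.0.0/0) leaves the origin reachable without WAF.
    findings["origin_open_to_all"] = any(
        ipaddress.ip_network(a, strict=False).prefixlen == 0 for a in allowlist
    )
    findings["ok"] = (
        findings["dns_points_to_waf"]
        and not findings["allowlist_missing"]
        and not findings["origin_open_to_all"]
    )
    return findings


if __name__ == "__main__":
    # Constructed sample: DNS already switched, but one WAF range not yet allowed.
    print(check_cname_connection(WAF_CNAME, ["198.51.100.0/24"]))
```

Feed it the live CNAME answer for the domain and the origin's firewall or security-group allowlist; a result with `ok` false tells you which half of the cutover is still incomplete.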
Hybrid Cloud WAF connection
FAQ
Can I connect cloud resources from other Alibaba Cloud accounts or other cloud providers?
Yes. Use the CNAME connection method. It has no restrictions on where the origin server is hosted — you only need to own the domain name and manage its DNS records.
Can I connect to WAF with only a public IP address and no domain name?
Yes. Cloud native mode supports connections without a domain name.
Can I connect an IPv6 website to WAF?
Cloud native mode for ECS, CLB, and NLB instances does not support IPv6. For IPv6 on these instances, use the CNAME connection method with an Enterprise or Ultimate WAF subscription, or a pay-as-you-go instance. In the More Settings section, select Enable IPv6. For details, see Enable WAF protection for a website using the CNAME connection method.
WAF does not support IPv6 websites in regions outside the Chinese mainland.
Can I use both cloud native mode and CNAME connection for the same domain name?
No. Each domain name can use only one connection method. Using both causes forwarding conflicts and protection failures.
To switch a domain from CNAME connection to cloud native mode: point the DNS record back to the origin server, wait for DNS resolution to converge, delete the CNAME connection configuration, then reconnect in cloud native mode.
Why can't I find the CLB, NLB, or ECS instance I want to connect?
| Cause | Action |
|---|---|
| The instance does not meet connection requirements | Check the limits in Limits for adding CLB instances, Limits for adding NLB instances, and Limits for adding ECS instances |
| The CLB instance has no listener | Add a listener: for Layer 7, see Add an HTTP listener and Add an HTTPS listener; for Layer 4, see Add a TCP listener |
| WAF has not synced the instance yet | Click Synchronize Assets in the upper-right corner of the Onboarding page |
How do I view asset connection status and sync assets?
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland).
In the left-side navigation pane, click Onboarding.
At the top of the page, view the number of connected domain name assets and cloud product assets. You can also see the total number of instances that you own for each cloud product. If you have added or changed a cloud product instance, click Synchronize Assets in the upper-right corner to sync the changes immediately.

How do I connect a domain name that resolves to multiple cloud product instances?
Cloud native mode: Connect all relevant instances (such as all service ports of CLB instances) at the same time. WAF then directs traffic to all of them.
CNAME connection: Connect the domain name and configure the origin server with the IP addresses or CNAMEs of all relevant cloud product instances.
How do I connect multiple domain names that resolve to the same cloud product instance?
Cloud native mode: All domain names that resolve to a connected instance are automatically protected by the WAF default mitigation policy. To apply different protection rules to specific domain names, manually add them as protected objects. For details, see Manually add a protected object.
CNAME connection: Connect each domain name individually.