Configure protection rules for the traffic spike throttling module to ensure service availability during promotions - Web Application Firewall

Web Application Firewall (WAF) provides the traffic spike throttling module. You can use this module to prevent servers from being overwhelmed by traffic spikes during promotions. You can configure the module to allow only specific requests to the servers based on the queries per second (QPS) limit or percentage limit that you specify. This topic describes how to configure protection rules for the traffic spike throttling module.

Prerequisites

A subscription WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance. The traffic spike throttling module is a value-added service and is available only in the Pro, Enterprise, and Ultimate editions of WAF. Make sure that your WAF edition supports the module.
Web services are added to the WAF 3.0 instance as protected objects. For more information, see Configure protected objects and protected object groups.
Note
The traffic spike throttling module does not support protected objects that are added to WAF by using the cloud native mode (ALB, MSE, FC).

Template types

The traffic spike throttling module supports the following types of protection templates:

Protection template	Description	Protected objects
Default protection template	WAF does not provide an initial default protection template. You need to manually create one.	When you create a default protection template, all protected objects and protected object groups to which no custom protection templates are applied are automatically selected. Protected objects that are added later are also automatically added to the default protection template. You can manually adjust the selection.
Custom protection template	You need to manually create custom protection templates.	You need to configure the Apply To parameter. A custom protection template takes effect only on the protected objects and protected object groups that are associated with the template.

Create a protection template

The traffic spike throttling module does not provide an initial default protection template. If you want to enable traffic spike throttling rules, you must create a protection template.

Step 1: Create a protection template of the traffic spike throttling module

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region. In the left-side navigation pane, choose Protection Configuration > Core Web Protection. In the Traffic Spike Throttling section of the page that appears, click Create Template.

In the Create Template - Traffic Spike Throttling panel, configure the parameters and click OK.

Parameter	Description
Template Name	Specify a name for the template. The name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save As Default Template	Specify whether to set the template as the default template for the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. A default template is applied to all protected objects and protected object groups to which no custom protection templates are applied (including those that are added later or removed from custom protection templates). You can also manually remove them from the default template.
Rule Configuration	Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the traffic spike throttling module.
Apply To	Select the Protected Objects and Protected Object Groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups. If you set a default protection template, all protected objects and protected object groups to which no traffic spike throttling protection templates are applied are automatically selected. If you do not set a default template, no protected objects or protected object groups are automatically selected. You can manually modify the selection of protected objects.

Step 2: Add protection rules to a protection template of the traffic spike throttling module

A protection template takes effect only after you add protection rules to the template.

In the Traffic Spike Throttling section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column. In the Create Rule dialog box, configure the parameters and click OK.

Parameter	Description
Rule Name	Specify a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Match Condition	Specify the characteristics of requests that you want the rule to match. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met. Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. Examples: Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to `/login.php`. If the URI of a request contains `/login.php`, the request matches the rule. Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to `192.1X.XX.XX`. If a request is sent from a client whose IP address is `192.1.XX.XX`, the request matches the rule. For more information about the match fields and logical operators, see Match conditions.
Access Source That Belongs To Following Regions	WAF obtains the source IP addresses of requests to identify the traffic sources. If you do not select this check box, WAF does not identify the traffic sources of protected objects on which the rule takes effect. If you select this check box, you can select regions on the China and Outside China tabs. If the traffic sources of requests are regions that are not selected, WAF does not match the requests against the rule.
Throttling Mode	QPS: You can specify a maximum QPS to limit traffic that is allowed to reach servers. If you want to strictly limit the number of requests to ensure server stability, we recommend that you select this mode. Percentage: You can specify a request percentage to limit traffic that is allowed to reach servers. If you want to dynamically limit the number of requests to handle traffic spikes, we recommend that you select this mode.
Throttling Threshold	QPS limit Specify a maximum QPS to limit the maximum number of requests that are allowed per second. For example, if you set the maximum QPS to 1,000, up to 1,000 requests can be processed per second. Note In actual scenarios, approximately 10% fluctuation in the maximum QPS is allowed due to the complexity of technical implementation and dynamic changes to system environments. The fluctuation is acceptable to throttling algorithms. This helps balance system performance and throttling precision. We recommend that you regularly monitor the actual QPS and adjust the QPS limit to optimize throttling performance. Percentage limit Specify a percentage to limit the maximum percentage of requests that are allowed. For example, if you set the percentage to 50%, only half of the requests are allowed. The other half of the requests are blocked.
Action	Select the action that you want WAF to perform on the requests that match the rule. Valid values: Block: blocks a request that matches the rule and returns a block page to the client that initiates the request. Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages. Monitor: records a request that matches the rule in a log and does not block the request. You can query the logs of requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked. Important You can query logs only if the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.
Effective Mode	Permanently Effective: After the rule is enabled, the rule permanently takes effect until it is manually disabled. This mode is suitable for long-term and stable throttling. Fixed Schedule: The rule takes effect only within the time range that you specify. This mode is suitable for short-term throttling or throttling within a specific time range. You can select the required time zone for the Time Zone parameter and add multiple time ranges for the Effective Mode parameter. Recurring Schedule: The rule periodically takes effect within the specified time range on the specified days of the week. This mode is suitable for throttling on regular activities or during peak hours. You can select a time zone and multiple days of the week.

Note

Example 1: You want to limit the maximum number of requests per second to 1,000 for a long period of time, use a permanently effective protection rule, implement throttling only on requests from the state of Ohio in the United States, and block requests that match the rule.

Rule Name: Long-term QPS Throttling
Effective Mode: Permanently Effective
Maximum QPS: 1,000
Source region: Outside China > North America > United States > Ohio
Action: Block

Example 2: During promotions, you want to limit the maximum number of requests per second to 1,000 from 09:00 on a day of a month of a year to 18:00 on a day of a month of a year, implement throttling on requests whose URI contains shopping and whose traffic source is all regions in China, and block the matched requests.

Rule Name: Promotion Throttling
Effective Mode: Fixed Schedule
Match Field: URI Contains shopping
Effective Period: from 09:00 on a day of a month of a year to 18:00 on a day of a month of a year
Maximum QPS: 1,000
Source region: all regions in China
Action: Block

Example 3: You want to limit the maximum number of requests per second to 1,000 from 09:00 to 18:00 on each weekend, implement throttling only on requests from Hong Kong (China), and monitor the matched requests.

Rule Name: Weekend Throttling
Effective Mode: Recurring Schedule
Duration: from 09:00 to 18:00 every Saturday and Sunday
Maximum QPS: 1,000
Time Zone: the time zone of your business or server
Source region: China (Hong Kong)
Action: Monitor

Modify a protection template

Business or project requirements change over time. You can modify protection templates to meet changing requirements. The modification helps improve system and process efficiency and performance, and reduce resource waste.

Enable and disable a protection template

After you create a protection template, you can turn on or turn off the switch in the Status column to enable or disable the template.

Edit a protection template

Find the protection template that you want to manage and click Edit in the Actions column. After you modify the settings, click OK.

Delete a protection template

You can delete a protection template that you no longer require. Before you delete a protection template, make sure that the template is not associated with protected objects. To delete a protection template, find the template and click Delete in the Actions column. In the message that appears, click OK.

Important

After a protection template is deleted, the system automatically applies the default template to the protected objects that were previously associated with the deleted protection template.
If you delete a default template and the template is associated with protected objects, the protected objects are no longer protected by the traffic spike throttling module.