
Web Application Firewall:Use the multi-account management feature

Last Updated: Apr 26, 2024

Web Application Firewall (WAF) can be integrated with the Resource Directory service of Resource Management as a trusted service. Multiple Alibaba Cloud accounts can be invited to join a resource directory as members. You can specify a member as the delegated administrator account to access the cloud resources of all members in the resource directory. This way, you can manage resources in a centralized manner. This topic describes how to use the multi-account management feature.

Limitations

  • A WAF instance of the Enterprise or Ultimate edition must be purchased. Other WAF editions do not support the multi-account management feature.

  • A management account and members must belong to the same resource directory and enterprise entity. The enterprise entity must pass the enterprise real-name verification.

  • A member cannot be used to purchase a WAF instance. If a running WAF instance belongs to a member, you must release the instance before you can use the multi-account management feature.

  • After you add the cloud resources of a member to a WAF instance that belongs to the delegated administrator account, you can view protection configurations, overview data, and security reports in the WAF console only by using the delegated administrator account.

  • If you use the delegated administrator account to delete a member, the system automatically removes the cloud resources of the member from WAF.

Procedure

Before you can use the multi-account management feature to add multiple members for centralized management, you must enable a resource directory, specify a delegated administrator account, and invite members to join the resource directory.


Step 1: Enable a resource directory

Before you use the multi-account management feature, you must add multiple Alibaba Cloud accounts to a resource directory. For more information about Resource Directory, see Resource Directory overview.

Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. The Alibaba Cloud account is the management account of the resource directory. For more information, see Enable a resource directory.

Step 2: Invite members

After an Alibaba Cloud account is invited to join a resource directory, the account becomes a member of the resource directory. You can specify the invited member as a delegated administrator account.

Log on to the Resource Management console and use the management account to invite members. For more information, see Create a folder and Invite an Alibaba Cloud account to join a resource directory.

Note

If no accounts are available for you to invite, you can create a member. For more information, see Create a member.

Step 3: Add a delegated administrator account

Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This separation of duties keeps organization-wide administration and service-specific operations in different accounts, which satisfies security requirements. You can use a delegated administrator account to access the multi-account management feature and perform management operations within the resource directory. For more information, see Manage a delegated administrator account.

Step 4: Add members

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Security Operations > Multi-account Management.

  3. On the Multi-account Management page, click Add Member.

  4. In the Add Member dialog box, select the members that you want to add and move the members from the Available Members section to the Selected Members section.

  5. In the Selected Members section, select the members and click OK.


Step 5: Add the cloud resources of members to WAF

The method that you can use to add cloud resources to WAF varies based on the cloud service.

  • Application Load Balancer (ALB): Enable WAF protection for the cloud resources of a member in the ALB console of the member.

  • Layer 7 Classic Load Balancer (CLB): The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account.

  • Layer 4 CLB: The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account.

  • Elastic Compute Service (ECS): The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account.

  • Microservices Engine (MSE): Enable WAF protection for the cloud resources of a member in the MSE console of the member. Then, you can view the added cloud resources on the Cloud Native tab of the Website Configuration page in the WAF console.

  • Function Compute: Enable WAF protection for the cloud resources of a member in the Function Compute console of the member. Then, you can view the added cloud resources on the Cloud Native tab of the Website Configuration page in the WAF console.

  • Serverless App Engine (SAE): Enable WAF protection for the cloud resources of a member in the SAE console of the member. Then, you can view the added cloud resources on the Cloud Native tab of the Website Configuration page in the WAF console.
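As an added example (not Alibaba Cloud's own code), the limitations listed at the top of this topic and the per-service method in the table above can be encoded as a readiness check that runs over an exported account inventory before you add members in Step 4. The Account fields, the service keys, and the sample accounts are assumptions constructed for the example.

```python
"""Readiness check for WAF multi-account onboarding (added example, not Alibaba Cloud code).

Encodes the Limitations section (edition, resource directory, enterprise entity,
member-owned WAF instance) and the Step 5 table (where each resource type is
added to WAF). Field names are assumptions; fill them from your own inventory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Only these editions support multi-account management.
SUPPORTED_EDITIONS = {"enterprise", "ultimate"}

# Where the add-to-WAF action is performed, per the Step 5 table (keys are assumed labels).
ONBOARD_VIA = {
    "ALB": "member console (ALB)",
    "CLB-L7": "delegated administrator WAF console (auto-synced)",
    "CLB-L4": "delegated administrator WAF console (auto-synced)",
    "ECS": "delegated administrator WAF console (auto-synced)",
    "MSE": "member console (MSE); shown on the Cloud Native tab",
    "FC": "member console (Function Compute); shown on the Cloud Native tab",
    "SAE": "member console (SAE); shown on the Cloud Native tab",
}


@dataclass
class Account:
    account_id: str
    resource_directory: str            # resource directory the account belongs to
    enterprise_entity: str             # enterprise entity the account is bound to
    real_name_verified: bool = True    # enterprise real-name verification passed
    waf_edition: Optional[str] = None  # edition of a running WAF instance owned by this account
    resources: Dict[str, List[str]] = field(default_factory=dict)  # service -> resource IDs


def check_member(admin: Account, member: Account) -> Tuple[List[str], Dict[str, str]]:
    """Return (blockers, plan); an empty blockers list means the member can be added."""
    blockers: List[str] = []
    if admin.waf_edition not in SUPPORTED_EDITIONS:
        blockers.append(f"admin {admin.account_id} needs an Enterprise or Ultimate WAF instance")
    if member.resource_directory != admin.resource_directory:
        blockers.append(f"{member.account_id} is not in resource directory {admin.resource_directory}")
    if member.enterprise_entity != admin.enterprise_entity or not member.real_name_verified:
        blockers.append(f"{member.account_id} must share the admin's verified enterprise entity")
    if member.waf_edition is not None:
        blockers.append(f"{member.account_id} owns a running WAF instance; release it first")
    plan: Dict[str, str] = {}
    for service, ids in member.resources.items():
        if service not in ONBOARD_VIA:
            blockers.append(f"{service} resources of {member.account_id} cannot be added to WAF")
            continue
        for rid in ids:
            plan[rid] = ONBOARD_VIA[service]
    return blockers, plan
```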