Web Application Firewall (WAF) can be integrated with the Resource Directory service of Resource Management as a trusted service. Multiple Alibaba Cloud accounts can be invited to join a resource directory as members. You can specify a member as a delegated administrator account to access the cloud resources of all members in the resource directory. This enables centralized resource management. This topic describes how to use the multi-account management feature.
Limits
You must use a Web Application Firewall (WAF) instance that runs the Enterprise or Ultimate edition. Other editions do not support the multi-account management feature.
A management account and members must belong to the same resource directory and enterprise entity. The enterprise entity must pass the enterprise real-name verification.
If you use a management account to purchase a WAF instance in the Chinese mainland, members cannot separately purchase a WAF instance in the Chinese mainland. However, members can purchase a WAF instance outside the Chinese mainland. If a running WAF instance belongs to a member, you must release the instance before you can use the multi-account management feature.
After you add the cloud resources of a member to a WAF instance that belongs to the delegated administrator account, you can view protection configurations, overview data, and security reports in the WAF console only by using the delegated administrator account.
If you use the delegated administrator account to delete a member, the system automatically removes the cloud resources of the member from WAF.
Configuration process
Before you can use the multi-account management feature to add multiple members for centralized management, you must enable a resource directory, invite members to join the resource directory, and specify a delegated administrator account for WAF. Then, add the members on the Multi-account Management page of the WAF console.
Step 1: Enable a resource directory
Before you can use the multi-account management feature, you must add multiple Alibaba Cloud accounts to a resource directory. For more information, see What is Resource Directory?.
Log on to the Resource Management console by using an Alibaba Cloud account and enable a resource directory. The Alibaba Cloud account is used as the administrator account of the resource directory. For more information, see Enable a resource directory.
Step 2: Invite members
After an Alibaba Cloud account is invited to join a resource directory, the account becomes a member of the resource directory. You can specify the invited member as a delegated administrator account.
Log on to the Resource Management console and use the administrator account to invite members. For more information, see Create a folder and Invite an Alibaba Cloud account to join a resource directory.
If no accounts are available for you to invite, you can create a member. For more information, see Create a member.
Step 3: Add a delegated administrator account
Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory performs the organization management tasks of the resource directory. Delegated administrator accounts perform the business management tasks of the related trusted services. This separation meets security-related requirements. You can use a delegated administrator account to access the multi-account management feature and perform management operations within the resource directory. For more information, see Manage a delegated administrator account.
Step 4: Add members
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Multi-account Management.
On the Multi-account Management page, click Add Member.
In the Add Member dialog box, select the members that you want to add and move the members from the Available Members section to the Selected Members section.
In the Selected Members section, select the members and click OK.

Step 5: Add the cloud resources of members to WAF
The method that you can use to add cloud resources to WAF varies based on the cloud service.
| Cloud service | Method |
| --- | --- |
| ALB | Connect the instance to WAF in the ALB console of the member account. After the instance is connected, it appears in the ALB instance list for cloud native mode. |
| Layer 7 CLB | The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account. |
| Layer 4 CLB | The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account. |
| ECS | The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account. |
| MSE | Connect the instance in the MSE console of the member account. After the instance is connected, you can view it in the MSE instance list for cloud native mode. |
| FC | Connect the service in the FC console of the member account. After the service is connected, you can view the instance in the FC instance list for cloud native mode. |
| SAE | Connect the instance in the SAE console of the member account. After the instance is connected, you can view it in the SAE instance list for cloud native mode. |
| NLB | The cloud resources of a member are automatically synchronized to the delegated administrator account. You can add the resources to WAF in the WAF console of the delegated administrator account. |
| APIG | Connect the service in the APIG console of the member account. After the service is connected, you can view it in the APIG instance list for cloud native mode. |