If you created a Classic Load Balancer (CLB) instance, created an HTTP or HTTPS listener, and specified listener ports, you can add the ports to Web Application Firewall (WAF) to redirect traffic on the ports to WAF. This topic describes how to add a Layer 7 CLB instance to WAF.
Background information
After you add Elastic Compute Service (ECS) instances that are deployed in the same region to a CLB instance, CLB uses virtual IP addresses to combine the ECS instances into a high-performance, highly available server pool. Then, CLB forwards inbound requests to the ECS instances based on forwarding rules. For more information, see What is CLB?
You can add a Layer 7 CLB instance to WAF. After you add a Layer 7 CLB instance to WAF, all traffic of the CLB instance is redirected to WAF by using a specified gateway. WAF filters out malicious traffic and forwards normal traffic to the CLB instance. The following figure shows the network architecture.
Limits
You can add web services to WAF in cloud native mode only if your web services use the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), or Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
Item | Description |
Supported instances | To add an instance to WAF, the instance must meet the following requirements: |
Supported regions | |
Number of traffic redirection ports | The limits on the number of traffic redirection ports are the same as the limits on the number of protected objects. |
TLS security policies | If HTTPS traffic redirection ports are configured, only built-in Transport Layer Security (TLS) security policies are supported. If custom TLS security policies are configured for the ports, you cannot add the ports to WAF. For more information, see TLS security policies. |
Services that are protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF | If you want to protect your web services by using Anti-DDoS Pro or Anti-DDoS Premium and WAF, you can add the web services to WAF in transparent proxy mode only if you add the web services to Anti-DDoS Pro or Anti-DDoS Premium by adding a domain name. |
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
A CLB instance that meets the preceding limits is created. An HTTP or HTTPS listener is created. For more information, see the "Limits" section in this topic. For information about how to create an HTTP or HTTPS listener, see Add an HTTP listener and Add an HTTPS listener.
If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Add traffic redirection ports
The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you add a Layer 7 CLB instance to WAF, traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not redirected to WAF.
Change the public IP address of the instance
Replace the certificate that is bound to a traffic redirection port with a certificate that is not purchased by using Certificate Management Service (formerly SSL Certificates Service)
Enable mutual authentication
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side product list.
Click Add.
Click Authorize Now to authorize your WAF instance to access CLB.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If your WAF instance is already authorized to access CLB, skip this step.
In the Configure Instance - Layer 7 CLB Instance panel, configure the parameters. The following table describes the parameters.
Parameter | Description |
Select the instance and port to be added. | Synchronize Instances: If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list.
Add Port: Find the instance that you want to add to WAF and click Add Port in the Actions column. Select the HTTP or HTTPS ports that you want to add and click OK.
Important: If you want to add an HTTPS port, make sure that the certificate that is configured for the port is purchased by using Alibaba Cloud Certificate Management Service (formerly SSL Certificates Service) or uploaded to Certificate Management Service (formerly SSL Certificates Service). Otherwise, the instance may fail to be added to WAF. For more information, see What do I do if an error message indicating that the certificate is incomplete is displayed when I add an HTTPS traffic redirection port? |
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF | Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values: Yes and No.
By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies.
Note: WAF uses the IP address that is used to establish connections with WAF as the IP address of a client. WAF obtains the IP address from the REMOTE_ADDR field of the request.
If Layer 7 proxies are deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, configure the Obtain Actual IP Address of Client parameter. |
Resource Group | Select the resource group to which you want to add the CLB instance from the drop-down list. If you do not select a resource group, the instance is added to the default resource group.
Note: You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group. |
Advanced Settings | |
Select the CLB instance that you want to add to WAF and click OK.
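The Layer 7 proxy parameter above decides which address is treated as the client for security analysis. The following added example (not Alibaba Cloud or WAF code) shows the logic a defender wants behind that choice: with No, only the connecting address (REMOTE_ADDR) is trusted because any X-Forwarded-For header is client-controlled; with Yes, the forwarded address is honoured only when the connecting peer is a known proxy. The trusted proxy range, header handling and sample addresses are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed: egress range of the Layer 7 proxy tier (for example Anti-DDoS
# Pro or CDN nodes) that is allowed to set X-Forwarded-For for us.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr: str) -> bool:
    """True if addr belongs to one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str], layer7_proxy_in_front: bool) -> str:
    """Return the address to use as the client IP for security analysis.

    remote_addr: peer that opened the TCP connection (REMOTE_ADDR).
    xff: value of the X-Forwarded-For header, or None if absent.
    layer7_proxy_in_front: the console choice (False = "No", True = "Yes").
    """
    if not layer7_proxy_in_front:
        # "No": clients connect directly, so the connecting address is the
        # client. X-Forwarded-For is attacker-controlled here and must be ignored.
        return remote_addr

    # "Yes": honour the header only if the connecting peer really is one of our
    # proxies; a direct caller bypassing the proxy tier could otherwise forge it.
    if not xff or not _is_trusted(remote_addr):
        return remote_addr

    # Walk the chain from the right, skipping hops added by trusted proxies;
    # the first untrusted hop is the real client. Anything further left may
    # have been supplied by the client itself and is not trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr  # malformed hop: fall back to the connecting peer
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: a forged header with "No", and a proxied request with "Yes".
    print(client_ip("192.0.2.9", "198.51.100.7", False))                   # 192.0.2.9
    print(client_ip("203.0.113.5", "10.0.0.1, 198.51.100.7", True))       # 198.51.100.7
```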
After you add a CLB instance to WAF, the CLB instance becomes a protected object of WAF. The name of the protected object is in the following format: Instance ID-Port-Asset type. By default, basic protection rules are enabled for the CLB instance. On the Protected Objects page, you can configure protection rules for the protected object. To go to the Protected Objects page, click the CLB instance that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
Related operations
View origin servers and manage traffic redirection ports
After you add a CLB instance to WAF, you can view the protection details of the origin servers and disable traffic redirection or delete traffic redirection ports in urgent disaster recovery scenarios.
On the Website Configuration page, click the Cloud Native tab.
Click CLB(HTTP/HTTPS) in the left-side product list. Find the CLB instance whose traffic redirection ports you want to view and click the icon to the left of the instance name to view the ports that are added to WAF.
View port details: Click Port Details to view information about the port, protocol, and certificate, and then configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark (Advanced Settings), and Back-to-origin Keep-alive Requests (Advanced Settings) parameters.
Remove ports: Click Remove and then click OK in the Remove message.
Important: After you remove a traffic redirection port from WAF, traffic on the port is no longer protected by WAF. To re-add the port to WAF, click Add. For more information, see Add traffic redirection ports.
Update the SSL certificate that is bound to a traffic redirection port
If the SSL certificate that is bound to a traffic redirection port is about to expire or the certificate was changed, you must update the certificate.
If the remaining validity period of the certificate is less than 30 days, an icon is displayed in the domain name list. This indicates that your SSL certificate is about to expire. You must update the certificate at the earliest opportunity.
If you want to receive notifications when the certificate is about to expire, log on to the Certificate Management Service console. Find the certificate that is about to expire and click the icon in the Notification Reminder column. On the Notification page, enable and configure a notification policy for the certificate.
To prevent service interruptions that are caused by certificate expiration, enable the certificate hosting feature of Certificate Management Service (formerly SSL Certificates Service). If you enable this feature for a certificate, the system automatically applies for a new certificate. For more information, see Certificate Management Service overview.
To update the SSL certificate that is bound to a traffic redirection port, perform the following steps:
Renew the certificate or upload the certificate to Certificate Management Service (formerly SSL Certificates Service). For more information, see Certificate renewal or Upload an SSL certificate.
Synchronize the SSL certificate to your Layer 7 CLB instance.
In the Certificate Management Service (formerly SSL Certificates Service) console, deploy the SSL certificate to your Layer 7 CLB instance. For more information, see Deploy certificates to Alibaba Cloud services.
In the Server Load Balancer console, update the SSL certificate. For more information, see Replace a certificate.
After you update the SSL certificate that is bound to your Layer 7 CLB instance, the certificate is automatically synchronized to WAF. If the certificate is not automatically synchronized to WAF, perform the following steps to manually synchronize the certificate to WAF:
On the Cloud Native tab of the Website Configuration page, click CLB(HTTP/HTTPS) in the left-side product list. Then, click Add.
In the Configure Instance - Layer 7 CLB Instance panel, click Synchronize Instances to synchronize the updated certificate.
If the new certificate that is bound to a traffic redirection port is a third-party certificate, the traffic redirection port is automatically removed from WAF. After you change the certificate, re-add the port to WAF. For more information, see Add traffic redirection ports.