
Web Application Firewall:Enable WAF protection for an ALB instance

Last Updated:Apr 03, 2024

If you configured an Application Load Balancer (ALB) instance for your web services, you can enable Web Application Firewall (WAF) 3.0 protection for the ALB instance to redirect web service traffic to WAF. This topic describes how to enable WAF protection for an ALB instance.

Background information

ALB is a load balancing service that operates at the application layer and supports protocols such as HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB provides high elasticity and can be scaled on demand to process large volumes of traffic at the application layer. For more information, see What is ALB?

WAF is integrated as an SDK module into the gateways of ALB. In this scenario, WAF listens to but does not forward service traffic. This helps improve the security and O&M efficiency of your web services and provides a better user experience.

The following figure shows the network architecture.


Limits

You can add web services to WAF in cloud native mode only if your web services use one of the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

  • Before you can purchase WAF-enabled ALB instances, you must complete real-name verification.

  • WAF-enabled ALB instances are supported in the following regions:

    • China: China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)

    • Asia Pacific: Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), and Singapore

    • Europe & Americas: Germany (Frankfurt), US (Silicon Valley), and US (Virginia)

    • Middle East: SAU (Riyadh)

  • You can upgrade only basic and standard ALB instances that are in the Running state to WAF-enabled ALB instances.

  • You cannot enable the following features for ALB instances that are added to WAF:

    • Data leakage prevention

    • Automatic integration of the Web SDK in bot management for website protection

Prerequisites

  • Your Alibaba Cloud account does not have a WAF instance or has a WAF 3.0 instance.

    Note
    • If your Alibaba Cloud account does not have a WAF instance, a pay-as-you-go WAF 3.0 instance is automatically purchased when you purchase a WAF-enabled ALB instance.

    • If your Alibaba Cloud account has a WAF 2.0 instance, migrate your WAF 2.0 instance to WAF 3.0. For more information, see Migrate a WAF 2.0 instance to WAF 3.0.

  • If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.

    To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Enable WAF protection

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the Cloud Native tab, click ALB in the left-side product list.

  4. Click Add.

  5. Click Authorize Now to authorize your WAF instance to access ALB.

    Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

    Note

    If your WAF instance is already authorized to access ALB, skip this step.

  6. In the ALB console, enable WAF protection for an ALB instance.

    • Purchase a WAF-enabled ALB instance

      1. Log on to the ALB console.

      2. In the top navigation bar, select the region where you want to create the ALB instance.

      3. On the Instances page, click Create ALB.

      4. On the Application Load Balancer page, configure the parameters, click Buy Now, and then complete the payment.

        This example describes only some of the parameters. For more information, see Create an ALB instance.

        Edition: Select WAF Enabled.

    • Enable WAF protection for an existing ALB instance

      1. Log on to the ALB console.

      2. In the top navigation bar, select the region in which the ALB instance is deployed.

      3. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:

        • Method 1: Move the pointer over the Not Enabled icon next to the instance name and click Enable Protection in the WAF Protection section.

        • Method 2: Choose Select > Change Specification in the Actions column.

        • Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section and click Enable Protection.

        • Method 4: Click the ID of the ALB instance. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Enable Protection.

      4. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, select the Terms of Service, click Buy Now, and then complete the payment.

Manage WAF protection

Manage WAF protection in the WAF console

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection.

    • On the Cloud Native tab, select ALB in the left-side product list.

    • View protected objects and configure protection rules

      After you add an ALB instance to WAF, the instance becomes a protected object of WAF. The protected object name contains the -alb suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the object. To go to the Protected Objects page, click the ID of the ALB instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.


    • Remove an ALB instance from WAF

      After you remove an ALB instance from WAF, service traffic that is generated on the instance is no longer protected by WAF. The protection details of service traffic are no longer included in WAF security reports.

      Important

      After WAF protection is disabled for an ALB instance, you are no longer charged request processing fees. You are charged feature fees for the protection rules that you configure. Before you remove an ALB instance from WAF, we recommend that you delete the protection rules that you configured. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.

      1. Find the ALB instance that you want to remove from WAF and click Remove in the Actions column. In the Tips message, click Remove.

      2. In the Remove panel, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

Manage WAF protection in the ALB console

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. Manage WAF protection.

    • Check whether WAF protection is enabled for an ALB instance

    To check whether WAF protection is enabled for an ALB instance, use one of the following methods. If Protection Enabled is displayed, WAF protection is enabled for the ALB instance.

    Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the Not Enabled icon. In the WAF Protection section, you can view the protection status.

    Method 2:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, view the value of the WAF Protection parameter in the Basic Information section.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab, and view the protection status in the WAF Protection section.

    • View WAF security reports

    To view WAF security reports, make sure that WAF protection is enabled for your ALB instance.

    Method 1: On the Instances page, find the ALB instance that you want to manage and move the pointer over the Not Enabled icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console, in which you can view security reports.

    Method 2:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click View WAF Security Report to the right of Security Protection in the Basic Information section to go to the Security Reports page of the WAF 3.0 console.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click View WAF Security Report to go to the Security Reports page in the WAF console.

    For more information, see Security reports.

    • Disable WAF protection

    After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details of the ALB instance.

    Important

    After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. You are charged feature fees for the protection rules that you configure. Before you remove an ALB instance from WAF, we recommend that you delete the protection rules that you configured. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.

    Method 1:

    1. On the Instances page, find the instance that you want to manage, move the pointer over the Not Enabled icon to the right of the instance name, and then click Disable WAF in the WAF Protection section.

    2. On the Application Load Balancer | Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

    Method 2:

    1. On the Instances page, find the ALB instance that you want to manage, and choose Select > Change Specification in the Actions column.

    2. On the Application Load Balancer | Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

    Method 3:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click Disable WAF on the right side of WAF Protection in the Basic Information section.

    3. On the Application Load Balancer | Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

    Method 4:

    1. On the Instances page, click the ID of the ALB instance that you want to manage.

    2. On the Instance Details tab, click the Security Protection tab. In the WAF Protection section, click Disable WAF.

    3. On the Application Load Balancer | Upgrade/Downgrade page, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

FAQ

Check whether an ALB instance is protected by WAF

  1. Enter the domain name that you added to WAF in the browser. If the domain name can be accessed, the domain name is protected by WAF.

  2. Send a request that contains a malicious SQL pattern, such as xxx.xxxx.com?id=1 and 1=1, and check whether the request is blocked. If the 405 Method Not Allowed error is returned, the request is blocked.
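As an added example that is not part of the Alibaba Cloud documentation, the following Python script automates the two FAQ checks above: it requests the domain plainly and then with the probe query, and reports whether the probe was answered with 405. The hostname is a placeholder.

```python
# Added example (not from the Alibaba Cloud documentation): verify that WAF
# protection is active for a domain behind an ALB instance, following the
# FAQ procedure. The base URL is a placeholder; substitute your own domain.
import sys
import urllib.error
import urllib.parse
import urllib.request

# Probe from the FAQ: a request carrying a trivial SQL injection pattern.
# Per the FAQ, WAF 3.0 answers a blocked request with 405 Method Not Allowed.
PROBE_QUERY = "id=1 and 1=1"
BLOCKED_STATUS = 405


def build_probe_url(base_url):
    """Append the FAQ probe as a URL-encoded query string."""
    return base_url + "?" + urllib.parse.quote(PROBE_QUERY, safe="=")


def fetch_status(url, timeout=10):
    """Return the HTTP status code for GET url, or None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # a 4xx/5xx answer still tells us who replied
    except (urllib.error.URLError, OSError):
        return None


def classify(plain_status, probe_status):
    """Interpret the two status codes the way the FAQ does."""
    if plain_status is None:
        return "unreachable"  # FAQ step 1 failed: domain not accessible
    if probe_status == BLOCKED_STATUS:
        return "protected"  # FAQ step 2: probe blocked with 405
    return "not_blocked"  # reachable, but the probe was not blocked


def check_waf(base_url):
    """Run both FAQ steps against base_url and return the raw codes and verdict."""
    plain = fetch_status(base_url)
    probe = fetch_status(build_probe_url(base_url))
    return {"plain": plain, "probe": probe, "verdict": classify(plain, probe)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"
    print(check_waf(target))
```

A "not_blocked" verdict means the domain answered but the probe was not rejected, so either the instance is not added to WAF or the basic protection rules are not active.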

Differences between the WAF 2.0 transparent proxy mode and WAF 3.0 cloud native mode


Differences:

  • WAF 2.0 transparent proxy mode: Ports are added to WAF and the gateways of cloud services automatically change routes to redirect traffic on the ports to WAF. WAF blocks malicious requests and forwards normal requests to the origin server. WAF detects and forwards requests as a reverse proxy cluster. In transparent proxy mode, requests pass through two gateways. You must configure the timeout period and the certificates for WAF and ALB or CLB.

  • WAF 3.0 cloud native mode: WAF is integrated as an SDK module into the gateways of cloud services. To prevent compatibility and stability issues, WAF does not forward traffic. In cloud native mode, requests pass through one gateway. This eliminates the need to synchronize certificates and settings between gateways, and prevents synchronization issues.

For more information, see Compare WAF 3.0 with WAF 2.0.

References

ALB documentation

  • For information about how to purchase a WAF-enabled ALB instance, see Create an ALB instance.

  • For information about the features of basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.

  • For information about how to request a quota increase for a WAF-enabled ALB instance, see Limits.

  • For information about how to modify the configurations of an ALB instance, see Modify the configurations of ALB instances.

  • For information about how to change the edition of an ALB instance by calling the API, see UpdateLoadBalancerEdition.

  • For information about the billing rules of WAF-enabled ALB instances, see Instance fee.

WAF documentation