All Products
Search

This Product

    Web Application Firewall:Add an ALB instance to WAF

    Document Center

    Web Application Firewall:Add an ALB instance to WAF

    Last Updated:Mar 20, 2023

    If an Application Load Balancer (ALB) instance is configured for your web services, you can add the ALB instance to Web Application Firewall (WAF) 3.0 to protect your web services. This topic describes how to add an ALB instance to WAF 3.0.

    Background information

    ALB is a load balancing service that runs at the application layer and supports protocols such as HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB is highly elastic and can scale on demand to process large volumes of Layer 7 traffic. WAF 3.0 is integrated as an SDK module into ALB to detect and protect traffic. In this mode, WAF does not forward service traffic. This helps improve the efficiency of your security O&M on your web services and provides a better user experience.

    Limits

    • Before you purchase WAF-enabled ALB instances, you must complete real-name verification.

    • WAF-enabled ALB instances are supported in the following regions:

      AreaRegion
      ChinaChina (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
      Asia PacificPhilippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)
      Europe and AmericasGermany (Frankfurt), US (Silicon Valley), and US (Virginia)

    • Only standard and basic ALB instances that are in the Running state can be upgraded to WAF-enabled ALB instances in the Server Load Balancer (SLB) console or by calling the UpdateLoadBalancerEdition operation.

    • You cannot enable the following features for ALB instances that are added to WAF:

      • Website tamper-proofing

      • Data leakage prevention

      • Automatic integration of the Web SDK in bot management for website protection

      • API security

    Prerequisites

    No WAF instances are activated within your Alibaba Cloud account or a WAF 3.0 instance is activated.

    Note

    • If no WAF instances are activated within your Alibaba Cloud account, a pay-as-you-go WAF 3.0 instance is activated after you purchase a WAF-enabled ALB instance.

    • If a WAF 2.0 instance is activated within your Alibaba Cloud account, you can use one of the following methods to activate a WAF 3.0 instance.

    Add an ALB instance to WAF

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

    2. In the left-side navigation pane, click Website Configuration.

    3. On the Cloud Native tab, click ALB in the left-side product list.

    4. Click Add.

    5. In the top navigation bar, select the region where you want to create the ALB instance.
    6. On the Instances page, find the ALB instance that you want to manage and use one of the following methods to enable WAF protection:
      • Method 1: Move your pointer over the WAF protection disabled icon next to the instance name and click Enable Protection in the WAF Protection message.
      • Method 2: Choose Choose > Upgrade Edition in the Actions column.
      • Method 3: Click the ID of the ALB instance. On the Instance Details tab, find WAF Protection in the Basic Information section, and click Enable Protection.
      • Method 4: Click the ID of the ALB instance. On the Instance Details tab, click the Security Protection tab. Then, click Enable Protection.
    7. On the Application Load Balancer | Upgrade/Downgrade page, set Edition to WAF Enabled, click Buy Now, and then complete the payment.

    Manage WAF protection

    Manage WAF protection in the WAF console

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

    2. In the left-side navigation pane, click Website Configuration.

    3. Manage WAF protection.

      • View an ALB instance that is protected by WAF

        On the Cloud Native tab, click ALB in the left-side product list.

      • View protected objects and protection rules

        After you add an ALB instance to WAF, the ALB instance becomes a protected object of WAF and the suffix of the protected object name is -alb. By default, basic protection rules are enabled for the protected object. To go to the Protected Objects page, click the ID of the ALB instance on the Cloud Native tab of the Website Configuration page. On the Protected Objects page, you can view the protected object and configure protection rules for the protected object. For more information, see Protection configuration overview.

        image

      • Remove an ALB instance from WAF

        After you remove an ALB instance from WAF, the service traffic that is generated on the ALB instance is no longer protected by WAF, and the protection details of the service traffic are no longer included in WAF security reports.

        Important

        After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, you are charged feature fees for the protection rules that you configured. Before you remove an ALB instance from WAF, we recommend that you delete the protection rules that you configured. For more information, see the "Billable items" section in the Billing rules overview topic and the "Protection module overview" section in the Protection configuration overview topic.

        1. Find the ALB instance that you want to remove from WAF and click Remove in the Actions column. In the Tips message, click Remove.

        2. In the Remove panel, set the Edition (Instance Fee) parameter to Standard, click Buy Now, and then complete the payment.

    Manage WAF protection in the ALB console

    1. Log on to the ALB console.

    2. In the top navigation bar, select the region where you want to create the ALB instance.

    3. Manage WAF protection.

      Operation

      Procedure

      Check whether an instance has WAF protection enabled

      Use one of the following methods to check whether an instance has WAF protection enabled:

      Method 1: On the Instances page, find the ALB instance that you want to manage and move your pointer over the Protection Disabled icon. In the WAF Protection section, you can view the protection status.

      Method 2:

      1. On the Instances page, find the ALB instance that you want to manage and click its ID.

      2. On the Instance Details tab, view the value of the WAF Protection parameter in the Basic Information section.

      Method 3:

      1. On the Instances page, find the ALB instance that you want to manage and click its ID.

      2. On the Instance Details tab, click the Security Protection tab, and view the protection status in the WAF Protection section.

      View security reports

      You can view the security reports of WAF to check the protection status of your ALB instance.

      Method 1: On the Instances page, find the ALB instance that you want to manage and move your pointer over the Protection Disabled icon. In the WAF Protection section, click View WAF Security Report to go to the WAF 3.0 console, where you can view security reports.

      Method 2:

      1. On the Instances page, find the ALB instance that you want to manage and click its ID.

      2. On the Instance Details tab, find the Basic Information section, and click View WAF Security Report on the right side of WAF Protection. You are redirected to the WAF 3.0 console, where you can view security reports.

      Method 3:

      1. On the Instances page, find the ALB instance that you want to manage and click its ID.

      2. On the Instance Details tab, click the Security Protection tab and view the protection status in the WAF Protection section.

      For more information, see Security reports.

      Disable WAF protection

      After you disable WAF protection for an ALB instance, the ALB instance is no longer protected by WAF, and the WAF security reports no longer include the protection details about the ALB instance.

      Important

      After WAF protection is disabled for an ALB instance, WAF no longer charges request processing fees. However, existing protection rules still incur fees. We recommend that you delete the protection rules before you disable WAF protection for your ALB instance. For more information, see Billable items and Protection module overview.

      Method 1:

      1. On the Instances page, find the ALB instance that you want to manage, move the pointer over the Protection Disabled icon, and click Disable WAF in the WAF Protection section.

      2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.

      Method 2:

      1. On the Instances page, find the ALB instance that you want to manage, and choose Choose > Upgrade Edition in the Actions column.

      2. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.

      Method 3:

      1. On the Instances page, find the ALB instance that you want to manage and click its ID.

      2. On the Instance Details tab, find the Basic Information section, and click Disable WAF on the right side of WAF Protection.

      3. On the Application Load Balancer | Upgrade/Downgrade page, set Edition (Instance Fee) to Standard, click Buy Now, and then complete the payment.