All Products
Search
Document Center

Web Application Firewall:Enable WAF protection for ECS instances

Last Updated:Jul 01, 2026

Protect public-facing ECS instances with WAF 3.0 by configuring a traffic forwarding port. WAF inspects and filters HTTP/HTTPS traffic on that port without changing your network architecture or DNS.

How it works

image

WAF intercepts traffic through a transparent proxy. Configure a traffic forwarding port on the ECS instance, and all HTTP/HTTPS traffic on that port routes through WAF. Malicious requests are blocked; legitimate ones pass to the origin. All domains on the specified port are protected, including IP-only services without a domain name.

Prerequisites

If your ECS instance does not meet the following requirements, use the CNAME connection type.

  • Public IP address: The instance must have a public IP address (fixed or EIP). NAT gateway-only instances are not supported.

  • Account: The ECS instance and WAF instance must belong to the same Alibaba Cloud account unless you configured multi-account management.

  • Region:

    • WAF instances in the Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao).

    • WAF instances outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Singapore.

Important

Adding an instance to WAF may cause a brief connection interruption lasting a few seconds. Perform this during off-peak hours and monitor your service afterward. Clients with automatic reconnection recover without business impact.

Quick start

  1. Go to the console:

    Log on to the Web Application Firewall 3.0 console. In the top menu bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland). In the left-side navigation pane, click Onboarding. Select the Cloud Native tab. In the cloud product list on the left, select Elastic Compute Service (ECS).

  2. Authorize WAF to access cloud resources (first-time configuration):

    Follow the on-screen instructions and click Authorize Now to grant the required permissions. You can view the created AliyunServiceRoleForWAF service-linked role on the Identity Management > Roles page of the RAM console.

  3. Add an ECS instance:

    1. In the list on the right, find the target ECS instance and check its WAF protection status. In the Actions column, click Add Now. If you cannot find the instance, click Synchronize Assets in the upper-right corner of the page. If the instance is still not found, it does not meet the prerequisites.

    2. In the Select instances & ports to protect section, click Add Port in the Actions column. In the Add Port panel that appears, configure the settings based on your website's port and protocol type.

      Note

      You can add only one port at a time. To add multiple ports, repeat this step for each port.

      • Standard ports (default): Do not appear in the URL.

        • HTTP: For example, http://yourdomain.com uses port 80.

        • HTTPS: For example, https://yourdomain.com uses port 443.

      • Non-standard port: Appears after the domain name in the format domain name:port number.

        • HTTP: For example, http://yourdomain.com:8080 specifies port 8080.

        • HTTPS: For example, https://yourdomain.com:8443 indicates that port 8443 is used.

        Note

        Check your web server configuration file (such as nginx.conf) to confirm the port.

      HTTP website

      1. In the Port field, enter the port that your website uses.

      2. For Protocol Type, select HTTP.

      HTTPS website

      1. In the Port field, enter the port that your website uses.

      2. For Protocol Type, select HTTPS.

      3. To customize HTTP/2, TLS version, cipher suite, or Additional Certificate (for multiple certificates), see Enhance security for HTTPS. Otherwise, keep the default settings.

      4. In the Default Certificate section, select a method to upload the certificate:

        • Upload: Use this option if your certificate is not in Certificate Management Service (Original SSL Certificate).

        • Select Existing Certificate: Select a certificate that is issued by or uploaded to Certificate Management Service (Original SSL Certificate).

          Upload

          • Certificate Name: Enter a unique name for the certificate. The name cannot be the same as that of an existing certificate.

          • Certificate File: Open the certificate file in a text editor and paste the full content of the certificate in PEM, CER, or CRT format.

            Format example: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

            • Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.

            • Certificate chain: If an intermediate certificate is included, paste the server certificate followed by the intermediate certificate.

          • Private Key: Open the private key file in a text editor and paste the full content of the private key in PEM format.

            Format example: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

          Select existing certificate

          From the certificate drop-down list, select the certificate that you want to upload to WAF.

          Note

          If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain has an issue. Verify that your certificate content is correct and complete, then re-upload it on the Certificate Management Service console. Upload, sync, and share SSL certificates.

    3. To configure settings for Layer 7 proxies (such as CDN) in front of WAF, X-Forwarded-Proto header control, and traffic tagging, see Obtain real client information. To configure back-to-origin timeouts and back-to-origin keep-alive, see Optimize the back-to-origin connection quality. Otherwise, click OK to apply the default settings.

  4. Verify protection:

    After setup, access your website and append a test payload to the URL (for example, http://yourdomain.com/alert(xss)). A 405 block page confirms WAF protection is active.

  5. View and configure protection rules:

    WAF creates a protected object named instance ID-port-asset type with default protection rules (such as web core protection) enabled. View it on the Protection Config > Protected Objects page. To customize rules (for example, whitelisting a specific IP address), see Protection Configuration Overview.

Important

Enhance security for HTTPS

Note

HTTPS-related settings can be configured only after you select HTTPS for Protocol Type on the Add Port page.

Parameter

Description

HTTP/2

Enables HTTP/2 for faster page loads and lower latency. Both listening and back-to-origin use HTTP/2 on the same HTTPS port. Enable only if your website supports HTTP/2 — otherwise the site becomes inaccessible.

TLS version

Defines the allowed TLS versions between clients and WAF. Higher versions improve security but reduce compatibility with older clients. For high-security scenarios, select TLS 1.2 or later.

Cipher suite

Sets the allowed encryption algorithms between clients and WAF. Strong cipher suites improve security but reduce compatibility with older clients. For high-security scenarios, select strong cipher suites.

Additional Certificate

If your ECS instance hosts HTTPS websites for multiple domains that a single certificate cannot cover, upload a certificate for each domain.

  • HTTP/2

    On the Add Port page, select HTTP/2 to enable this feature.

  • TLS version

    In the TLS Version section of the Add Port page, select an option.

    • TLS 1.0 and Later (Best Compatibility and Low Security)

    • TLS 1.1 and Later (High Compatibility and High Security): Older clients that use only the TLS 1.0 protocol cannot access your website.

    • TLS 1.2 and Later (High Compatibility and Best Security): This meets the latest security compliance requirements, but older clients that use only the TLS 1.0 or 1.1 protocol cannot access your website.

    • Support TLS 1.3: If your website supports the TLS 1.3 protocol, select this checkbox. By default, WAF does not listen for client requests that use TLS 1.3.

  • Cipher suite

    In the Cipher Suite section of the Add Port page, select an option.

    • All Cipher Suites (High Compatibility and Low Security)

    • Custom Cipher Suite (Select It based on protocol version. Proceed with caution.): If your website requires specific cipher suites, select this option and choose the required suites.

      Strong cipher suites

      Weak cipher suites

      • ECDHE-ECDSA-AES128-GCM-SHA256

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • ECDHE-ECDSA-AES128-SHA256

      • ECDHE-ECDSA-AES256-SHA384

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES256-GCM-SHA384

      • ECDHE-RSA-AES128-SHA256

      • ECDHE-RSA-AES256-SHA384

      • ECDHE-ECDSA-AES128-SHA

      • ECDHE-ECDSA-AES256-SHA

      • AES128-GCM-SHA256

      • AES256-GCM-SHA384

      • AES128-SHA256

      • AES256-SHA256

      • ECDHE-RSA-AES128-SHA

      • ECDHE-RSA-AES256-SHA

      • AES128-SHA

      • AES256-SHA

      • DES-CBC3-SHA

      Note
      • Cipher suite security note: ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 cipher suites use ECDHE for key exchange, RSA for authentication, and AES-CBC encryption. Compared with cipher suites that use authenticated encryption modes such as AES-GCM, these have lower security and performance. Some security scanning tools may flag them as weak cipher suites. If this occurs, use a custom cipher suite and manually exclude these two suites.

      • Cipher suite naming conventions: WAF displays cipher suites in OpenSSL format, but some scanning tools may use IANA naming conventions. For example, ECDHE-ECDSA-AES256-SHA384 in OpenSSL corresponds to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in IANA. To look up the mapping, visit ciphersuite.info or use another TLS cipher suite lookup tool.

  • Additional Certificate

    In the Additional Certificate section of the Add Port page, upload the certificate. The upload method is the same as the Default Certificate.

    Note

    When you add multiple additional certificates, all certificates must be valid. If any certificate has expired, the operation fails.

Obtain real client information

Parameter

Description

Is a Layer 7 proxy (such as Anti-DDoS Proxy or CDN) deployed in front of WAF?

If a Layer 7 proxy (such as CDN) is deployed in front of WAF, configure the Obtain Actual IP Address of Client so WAF can obtain the real client IP address for security analysis, such as displaying the Attacker IP Address in Security Reports.

Enable Traffic Tagging

Helps the origin server identify WAF-processed requests and obtain the real client IP address or source port.

Retrieve client protocol from the X-Forwarded-Proto header

WAF inserts the X-Forwarded-Proto header to identify the client's connection protocol to the nearest Layer 7 proxy. Configure this if your application processes this header.

  • Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF

    On the Add Now page, configure the settings in the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF section.

    No other proxy

    Indicates that requests are sent directly from clients to WAF.

    Other proxies

    Indicates that requests are forwarded to WAF from another layer 7 proxy. You must also specify the Obtain Actual IP Address of Client.

    • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

      If you select this option, WAF obtains the source IP in the following order of precedence:

      1. The value of the X-Real-IP request header.

      2. If the X-Real-IP header does not exist, the first IP address in the X-Forwarded-For (XFF) header.

    • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

      Note

      We recommend that you configure the upstream proxy service to write the source IP address to a specified header field, such as X-Real-IP or X-Client-IP. Using a specified header prevents attackers from bypassing WAF by spoofing the XFF header.

      In the Header Field box, enter one or more header fields. Press Enter after each field. WAF obtains the source IP in the following order of precedence:

      1. The specified Header Field, in the order entered.

      2. If none of the specified headers exist, the value of the X-Real-IP header.

      3. If the X-Real-IP header also does not exist, the first IP address in the XFF header.

    • Use the Client IP from the Proxy Protocol header as the client's source IP.: If an upstream proxy has Proxy Protocol enabled, you can select this option to extract the original client IP. This method transmits the source IP at the transport layer, so it cannot be spoofed at the HTTP layer. This method is ideal for scenarios that require a high degree of trust in the source IP. If the Proxy Protocol does not contain the client IP, WAF uses the IP address of the upstream proxy as the source IP.

  • Enable Traffic Tagging

    On the Add Now page, expand Advanced Settings, select Enable Traffic Tagging, and then configure the tag fields.

    • Custom Header: By configuring a Header Name and Header Value, WAF adds this header to back-to-origin requests to identify them as processed by WAF.

      For example, set WAF-TAG: Yes where WAF-TAG is the header name and Yes is the value. The origin server can use this header for validation or access control policies.

      Important

      Do not use standard HTTP header fields such as User-Agent. This overwrites the content of the standard header field with the custom value.

    • Originating IP Address: Configures the header field that contains the client's real source IP address. WAF records and passes this header to the origin server. The IP extraction rules match those in Is a Layer 7 proxy (such as Anti-DDoS Proxy or CDN) deployed in front of WAF?.

    • Source Port: Configures the header field that contains the client's real source port. WAF records and passes this header to the origin server.

  • Retrieve client protocol from the X-Forwarded-Proto header

    On the Add Now page, expand Advanced Settings and select Retrieve client protocol from the X-Forwarded-Proto header.

Optimize back-to-origin connection

Parameter

Description

Set read and write connection timeouts

Increase the WAF read and write connection timeout periods if your origin server processes requests slowly.

Back-to-origin keep-alive

Maintains persistent connections between WAF and the origin. If you encounter occasional 502 errors, ensure WAF keep-alive values do not exceed your origin server's settings.

  • Set read and write connection timeouts

    On the Add Now page, expand Advanced Settings and configure the following settings.

    • Read Timeout: Timeout for waiting for an origin server response. Increase for slow interfaces such as report exports or batch processing. Default: 120s. Range: 1s to 3,600s.

    • Write Timeout: Timeout for WAF to send a request to the origin server. Increase only if the origin is under extremely high load. Default: 120s. Range: 1s to 3,600s.

  • Origin Keep-alive

    Important

    If this feature is disabled, back-to-origin keep-alive connections will not support the WebSocket protocol.

    On the Add Now page, expand Advanced Settings. In the Origin Keep-alive section, enable this feature and configure the following settings.

    • Max Requests per Connection: Default: 1,000. Range: 60 to 1,000. Corresponds to Nginx keepalive_requests. Nginx documentation.

    • Idle Timeout: Default: 3,600s. Range: 10s to 3,600s. Corresponds to Nginx keepalive_timeout.

Control upload file size

Max Body Size (Ultimate Edition only)

  • Description: WAF supports file uploads up to 2 GB by default. The Ultimate Edition allows adjusting this limit.

  • Procedure: On the Add Now page, expand Advanced Settings and configure the Max Body Size. The default value is 2 GB, and the maximum is 10 GB. After configuration, you must also increase the Read Timeout and Write Timeout values.

Resource management

Resource Group

  • Description: Resource groups simplify management and permission configuration. If you do not specify one, the instance uses the Default Resource Group. Resource groups.

  • Procedure: On the Add Now page, in the Resource Group section, select a resource group for the instance from the drop-down list.

Daily operations

Update the forwarding port certificate

Update the certificate when it expires, is revoked, or changes.

Alibaba Cloud certificate

  1. Renew the SSL certificate on the Certificate Management Service (Original SSL Certificate) console. Renew an SSL certificate.

  2. On the Cloud Native tab, select Elastic Compute Service (ECS), locate the target instance, click the image.png icon, and then select Modify in the Actions column for the target port.

  3. In the Default Certificate section, select Select Existing Certificate, choose the new certificate, and then click OK.

External certificate

  1. Download the certificate file from the provider where you purchased it.

  2. On the Cloud Native tab, select Elastic Compute Service (ECS), find the target instance, click the image.png icon, and then select Modify in the Actions column for the target port.

  3. In the Default Certificate section, select Manual Upload, configure the certificate settings, and then click OK.

    • Certificate Name: Enter a unique name for the certificate. The name cannot be the same as that of an existing certificate.

    • Certificate File: Open the certificate file in a text editor and paste the full content of the certificate in PEM, CER, or CRT format.

      Format example: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

      • Certificate chain: If an intermediate certificate is included, paste the server certificate first, followed by the intermediate certificate.

      • Format conversion: If your certificate is in a format like PFX or P7B, use a certificate tool to convert it to the PEM format.

    • Private Key: Open the private key file in a text editor and paste the full content of the key in PEM format.

      Format example: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

Note
  • WAF displays an image.png icon when a certificate has less than 30 calendar days until expiry. Update the certificate promptly to avoid service disruptions.

  • To receive alerts by email or text message before a certificate expires, Set up notifications for SSL certificates.

  • To prevent interruptions from expired certificates, enable the certificate hosting service in Certificate Management Service (Original SSL Certificate), which automatically requests certificates before expiry. What is certificate hosting?

Remove protection

  • Temporarily disable WAF protection: If you encounter issues such as false positives after adding an instance, turn off the WAF Protection Status switch on the Protected Objects page. Disable WAF protection with one click.

  • Remove protection: If you no longer want to use WAF to protect an ECS instance, follow these steps to remove protection.

    1. On the Onboarding page, click the Cloud Native tab.

    2. Select Elastic Compute Service (ECS) and click the image.png icon for the target instance to view the ports that are protected by WAF.

    3. Click Remove. In the Remove dialog box, click OK.

Important
  • Service impact: Removing an instance from WAF may cause a brief connection interruption lasting a few seconds. Perform this during off-peak hours. Clients with automatic reconnection recover without business impact.

  • Re-adding protection: After removal, traffic is no longer protected. Click Add Now to reconfigure the traffic forwarding port.

  • Billing reminder: For pay-as-you-go WAF instances, charges include the instance, protection rules, and request processing fees. To stop billing, Disable WAF.

Re-add instance after changes

WAF binds to the ECS instance's public IP address. If the IP changes due to any of the following operations, the traffic forwarding port becomes invalid and traffic bypasses WAF, leaving the instance unprotected:

  • Releasing the ECS instance.

  • Changing the public IP address that is bound to the ECS instance.

  • Changing the zone of the ECS instance through a migration task.

To restore protection, add the modified ECS instance on the WAF console again.

Production best practices

Follow these practices when onboarding production ECS instances.

  • HTTPS configuration: Deploy certificates on your ECS instances with these configurations.

  • Phased rollout: First, add a non-production ECS instance during off-peak hours. After confirming that services run normally for a period, add the production ECS instance.

  • Check services: After onboarding, confirm your services run normally:

    • Check logs: Check for significant fluctuations in the percentage of 200 status codes in your logs and look for sudden spikes or drops in QPS. If you have enabled the WAF log service, see WAF logs.

    • Application monitoring: Check whether core application functions, such as user access and transactions, work as expected.

  • Maintenance: Continuously monitor for attacks and false positives.

    • Event handling: To stay informed about attacks and security events, check Security Reports and configure CloudMonitor notifications.

    • Rule tuning: To determine if legitimate business requests are blocked by mistake, continuously monitor attack logs and tune protection rules accordingly.

Quotas and limits

  • Port limits: The total number of traffic forwarding ports cannot exceed your WAF instance quota.

    • WAF subscription instance: Basic Edition (up to 300), Pro (up to 600), Enterprise (up to 2,500), and Ultimate (up to 10,000).

    • WAF pay-as-you-go instance: up to 10,000.

  • Anti-DDoS Proxy: If you use Anti-DDoS Proxy, traffic must pass through it before reaching WAF. Configure the Anti-DDoS Proxy instance in Website Config (Layer 7) mode.

  • Unsupported scenarios:

    • Protecting IPv6 websites on ECS instances.

    • Configuring forced HTTPS redirection in WAF.

    • Uploading GM/T (SM) algorithms certificates.

FAQ

Product features

Why can't I find the ECS instance that I want to add?

First, try clicking Synchronize Assets in the upper-right corner of the Onboarding page.

If the instance is still not found, it does not meet the prerequisites. For example, an ECS instance in a region outside the Chinese mainland requires a WAF instance for a region outside the Chinese mainland to use the Cloud Native onboarding method. Alternatively, use the CNAME connection type.

Can WAF protect non-web traffic such as FTP and SSH?

No. WAF protects only HTTP and HTTPS web traffic. It cannot protect traffic using other protocols such as FTP and SSH.

What ports are supported for the Cloud Native onboarding method?

The Cloud Native method supports any port from 1 to 65535. Port ranges supported by WAF.

Onboarding methods

Can a domain on an ECS instance use both Cloud Native and CNAME onboarding methods at the same time?

Not recommended. Each domain should use only one method — Cloud Native or CNAME. Using both causes forwarding conflicts. To switch from CNAME to Cloud Native: revert the DNS record to origin, wait for propagation, delete the CNAME configuration, then onboard via Cloud Native.

How do I add protection if a domain resolves to multiple ECS instances?

  • Use the Cloud Native method: Add each of these ECS instances individually to ensure that WAF directs traffic to all target instances.

  • Use the CNAME connection type: Add the domain by using the CNAME connection type and configure the public IP addresses of the multiple ECS instances as the origin addresses.

How do I add protection if multiple domains resolve to a single ECS instance?

  • Use the Cloud Native method: After you add the ECS instance, all domains on that instance are protected by default policies. To configure different protection rules for each domain, manually add each domain as a separate protected object. Add a protected object.

  • Use the CNAME connection type: Add each domain one by one.