How to add an ECS instance to WAF - Web Application Firewall

If your web services are deployed on an Elastic Compute Service (ECS) instance, you can add the ECS instance to Web Application Firewall (WAF). WAF monitors and filters inbound and outbound traffic on the ports of the ECS instance to enhance the security of your web services. This topic describes how to add an ECS instance to WAF.

Background information

ECS is an IaaS offering by Alibaba Cloud that provides high-performance, reliable, and scalable computing capacity in the cloud. ECS eliminates the need for upfront investment in IT hardware. This way, you can deploy applications in an efficient manner. ECS allows you to scale resources based on changes in requirements and traffic spikes. For more information, see What is ECS?.

You can add an ECS instance to WAF for protection. After you add an ECS instance to WAF, all web traffic of the instance is routed to WAF by using a specific gateway for inspection. WAF filters out malicious traffic and forwards normal traffic to the ECS instance. The following figure shows the network architecture.

Limits

You can add web services to WAF in cloud native mode only if your web services use one of the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Item	Description
Supported instances	To add an instance to WAF, the instance must meet the following requirements: The instance is an Internet-facing instance. The instance does not use IPv6. Mutual authentication is disabled for the instance.
Supported regions	Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao). Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
Number of traffic redirection ports	The limits on the number of traffic redirection ports are the same as the limits on the number of protected objects. Subscription WAF instances: 300 for Basic Edition, 600 for Pro Edition, 2,500 for Enterprise Edition, and 10,000 for Ultimate Edition. Pay-as-you-go WAF instances: 10,000.
Supported ports	Standard and non-standard ports from port 0 to 65535 are supported. For more information, see View supported ports.
Services protected by Anti-DDoS Proxy and WAF	If you want to protect your web services by using Anti-DDoS Proxy and WAF, you can add the web services to WAF in transparent proxy mode only if you add the web services to Anti-DDoS Proxy by adding a domain name.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
An ECS instance that complies with the preceding usage limits is created. For more information, see the "Limits" section in this topic. For information about how to create an ECS instance, see Create an instance.
If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Add traffic redirection ports

Important

The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you add an ECS instance to WAF, the traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not filtered by WAF.
- Change the public IP address associated with the instance
- Create a migration task and change the zone
If you add an ECS instance to WAF, traffic that is destined for the elastic IP address (EIP) or public IP address associated with the ECS instance is redirected to WAF.
If you disassociate an EIP from the ECS instance, traffic redirection is automatically disabled.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab of the Website Configuration page, click ECS in the left-side cloud service list.
Click Add.
Click Authorize Now to authorize your WAF instance to access ECS.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.
Note
If you already authorized your WAF instance to access ECS, skip this step.

In the Configure Instance - ECS Instance panel, configure the parameters. The following table describes the parameters.

Parameter	Operation
Select the instance and port to be added.	Synchronize Instances If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list. Add Port Find the instance that you want to add to WAF and click Add Port in the Actions column. Enter the number of the port that you want to add to WAF and press the Enter key. The port number must be supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports supported by WAF. For more information, see View supported ports. Select the protocol type for the port that you want to add to WAF. Valid values: HTTP and HTTPS. If you select HTTPS, you must upload a certificate. Note The total number of default and additional certificates that you upload cannot exceed 10. Default Certificate Upload Click Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter is in the `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----` format and the value of the Private Key parameter is in the `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in a format other than the preceding formats, such as PFX or P7B, convert the certificate file into the PEM format before you use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console to use a tool to convert the file format. For information about how to convert file formats, see Convert the format of a certificate If a domain name is associated with multiple SSL certificates or a certificate chain, combine the text content of the certificate files and upload the combined text content. Select Existing Certificate If your certificate meets one of the following conditions, you can select a certificate that you want to upload to WAF from the certificate list: The certificate is issued by Alibaba Cloud Certificate Management Service. The certificate is a third-party certificate that is uploaded to Alibaba Cloud Certificate Management Service. Important If you select an existing certificate and the "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected." error message appears, click Cloud Security - Certificates Service and upload the certificate in the Certificate Management Service console. For more information, see Upload an SSL certificate. Additional Certificate If you configured the instance to allow traffic from multiple domain names over HTTPS, click Additional Certificate to import the certificates of the domain names. The parameters that are used to upload an additional certificate and a default certificate are the same. For more information, see the description of the Default Certificate parameter in this topic. If you select HTTPS, you can click Advanced Settings to configure the following advanced settings: TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses a version of the TLS protocol that is not supported, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you select a TLS version based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access your website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen to traffic that is sent by using TLS 1.3. Cipher Suite Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks requests that are sent from the client. Default value: All Cipher Suites (High Compatibility and Low Security). If your website supports only specific cipher suites, we recommend that you set this parameter to a different value. Valid values: All Cipher Suites (High Compatibility and Low Security). Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suites. WAF blocks requests that are sent from clients that use other cipher suites.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF, such as Anti-DDoS Proxy and Alibaba Cloud CDN. Valid values: Yes and No. By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies. Note WAF uses the IP address that is used to establish connections with WAF as the IP address of a client. WAF obtains the IP address from the `REMOTE_ADDR` field of the request. If Layer 7 proxies are deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, configure the Obtain Actual IP Address of Client parameter. Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the `X-Forwarded-For` field as the actual IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use proxies that contain the IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, include the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF inspection. This enhances the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF obtains the IP address of a client from the fields in sequence. WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
Resource Group	Select the resource group to which you want to add the ECS instance from the drop-down list. If you do not select a resource group, the ECS instance is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
Advanced Settings	Enable Traffic Mark If you select Enable Traffic Mark, requests that pass through WAF are labeled. This way, your origin server can obtain the actual IP addresses or ports of clients. If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark. This way, the origin server can check whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and the request is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and the request is blocked. You can configure the following types of header fields: Custom Header If you want to add a custom header field, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data. For example, you can add the `ALIWAF-TAG: Yes` custom header field to label the requests that pass through WAF. In this example, the name of the header field is `ALIWAF-TAG` and the value of the header field is `Yes`. Originating IP Address You can configure a custom header field to record the actual IP addresses of clients. This way, your origin server can obtain the actual IP addresses of clients. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic. Source Port You can configure a custom header field to record the ports of clients. This way, your origin server can obtain the actual ports of clients. Important We recommend that you do not specify a standard HTTP header field, such as User-Agent. If you specify a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field. Click Add Mark to specify a header field. You can specify up to five header fields. Back-to-origin Keep-alive Requests If the persistent connection between WAF and your origin server times out, you can configure the timeout period for persistent connections, the number of reused persistent connections, and the timeout period for idle persistent connections. Read Connection Timeout Period: the amount of time that WAF waits for a response from the origin server. If the timeout period is exceeded, WAF closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds. Write Connection Timeout Period: the amount of time that is required for requests to be forwarded to the origin server. If the timeout period is exceeded, the origin server closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds. Back-to-origin Keep-alive Requests: If you want to configure the number of reused persistent connections or the timeout period for idle persistent connections, turn on Back-to-origin Keep-alive Requests and configure the following parameters: Reused Keep-alive Requests: the number of requests that WAF can send to the origin server or the number of responses that WAF can receive from the origin server at the same time. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period for idle persistent connections. Valid values: 10 to 3600. Default value: 3600. Unit: seconds.

Select the ECS instance that you want to add to WAF and click OK.
After you add an ECS instance to WAF, the instance automatically becomes a protected object of WAF. The name of the protected object is in the following format: Instance ID-Port number-Asset type. By default, basic protection rules are enabled for the protected object. You can configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the ID of the ECS instance that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.

Other operations

View origin servers and manage traffic redirection ports

After you add an ECS instance to WAF, you can view the protection details of the origin servers and forcibly disable traffic redirection or delete traffic redirection ports in emergency disaster recovery scenarios.

On the Website Configuration page, click the Cloud Native tab.
In the left-side cloud service list, click ECS. Find the ECS instance whose traffic redirection ports you want to view and click the icon to the left of the instance name to view the ports that are added to WAF.
- View port details: Click Port Details in the Actions column to view information about the port, protocol, and certificate. Then, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark (Advanced Settings), and Back-to-origin Keep-alive Requests (Advanced Settings) parameters.
- Remove ports: Click Remove in the Actions column. In the Remove message, click OK.
  Important
  After you remove a traffic redirection port from WAF, traffic on the port is no longer protected by WAF. To re-add the port to WAF, click Add. For more information, see Add traffic redirection ports.

Update the SSL certificate bound to a traffic redirection port

If the SSL certificate that is bound to a traffic redirection port is about to expire or the certificate is changed, you must update the certificate.

Note

If the remaining validity period of the certificate is less than 30 days, is displayed in the domain name list. This indicates that your SSL certificate is about to expire. You must update the certificate at the earliest opportunity.
If you want to receive notifications when the certificate is about to expire, log on to the Certificate Management Service console. Find the certificate that is about to expire and click the icon in the Notification Reminder column. On the Notification page, enable and configure a notification policy for the certificate.
To prevent service interruptions that are caused by certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate. For more information, see Certificate Management Service overview.

To update the SSL certificate that is bound to a traffic redirection port, perform the following steps:

Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload an SSL certificate.
Synchronize the certificate to WAF.
- In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.
- Update the certificate in the WAF console.
  1. On the Cloud Native tab, click ECS in the left-side cloud service list. Find the instance that you want to manage and click the icon. Find the traffic redirection port whose certificate you want to update and click Modify in the Actions column.
  2. In the Default Certificate dialog box, select Select Existing Certificate, and then select the new certificate from the drop-down list.

FAQ

Why am I unable to find the CLB or ECS instance that I want to add to WAF on the Website Configuration page?