Protected objects and protected object groups are units for which protection rules take effect. You can associate a protected object or protected object group with a protection template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.
Background information
Protected objects
A protected object is the smallest unit for which WAF protection rules take effect. A protected object can be a cloud service instance or a domain name.
To add a protected object to WAF, you can use one of the following methods:
Automatic addition: After you add an instance or a domain name to WAF, the instance or domain name is automatically added to WAF as a protected object.
Manual addition: If you want to configure protection rules for one or more domain names that are hosted on an Application Load Balancer (ALB) instance, Classic Load Balancer (CLB) instance, or Elastic Compute Service (ECS) instance, you can manually add the domain names to WAF as protected objects. For more information, see Manually add protected objects.
In different access modes, you can use different methods to add protected objects to WAF.
Access mode | Automatic addition | Manual addition | Limits |
Cloud native mode (Add an ALB instance to WAF) | ALB instances that are added to WAF are automatically added to WAF as protected objects. | Domain names that are hosted on ALB instances can be manually added to WAF as protected objects. | |
Cloud native mode (Add an MSE instance to WAF) | Microservices Engine (MSE) instances that are added to WAF, including all routes that are hosted on MSE instances, are automatically added to WAF as protected objects. | Manual addition is not supported. | |
Cloud native mode (Add a custom domain name in Function Compute to WAF) | Custom domain names in Function Compute that are added to WAF are automatically added to WAF 3.0 as protected objects. | Manual addition is not supported. | |
Cloud native mode (Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF) | CLB or ECS instances that are added to WAF are automatically added to WAF as protected objects. | Domain names that are hosted on CLB or ECS instances can be manually added to WAF as protected objects. | |
CNAME record mode and hybrid cloud reverse proxy mode | Domain names that are added to WAF in CNAME record mode or hybrid cloud reverse proxy mode are automatically added to WAF as protected objects. | Manual addition is not supported. | |
Hybrid cloud SDK-based traffic mirroring mode | Automatic addition is not supported. | Domain names that are added to WAF in hybrid cloud SDK-based traffic mirroring mode can be manually added to WAF as protected objects. | |
Protected object groups
A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.
A protected object can belong to only one protected object group.
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
If you want to manually add a domain name that is hosted on a CLB or an ECS instance and resides in the Chinese Mainland to WAF as a protected object, you must apply for an Internet Content Provider (ICP) filing for the domain name.
Note: When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you specify.
Manually add protected objects
If you want to configure protection rules for domain names that meet the following conditions, perform the following steps to manually add the domain names to WAF as protected objects:
The domain names are hosted on ALB, CLB, or ECS instances that are added to WAF in cloud native mode.
The domain names are added to WAF in hybrid cloud SDK-based traffic mirroring mode.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protected Objects tab, click Add Protected Object.
In the Add Protected Object dialog box, configure the parameters based on the value of the Protected Object Type parameter and click OK.
Cloud services
If you want to add a domain name that is hosted on an ALB, CLB, or ECS instance to WAF as a protected object, set the Protected Object Type parameter to Cloud Service. Then, configure the parameters. The following table describes the parameters.
Parameter | Description |
Domain Name | The domain name that you want to add to WAF. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Note: If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. WAF does not match domain names at levels that are different from the level of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com. WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence. |
Cloud Service | The cloud service on which the origin server is deployed. Valid values: ALB; CLB4 (Layer 4 CLB service); CLB7 (Layer 7 CLB service); ECS. |
Instances | The ID of the cloud service instance. This parameter is required only if you set the Cloud Service parameter to ALB. Note: If no ALB instances are added to WAF, add an ALB instance to WAF first. For more information, see Add an ALB instance to WAF. |
Add to Protected Object Group | The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for all of them at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the group; you cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note: If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to it. For information about how to create a protected object group, see Create a protected object group. |
Hybrid cloud SDK-based traffic mirroring mode
If you want to add a domain name that is added to WAF 3.0 in hybrid cloud SDK-based traffic mirroring mode as a protected object, set the Protected Object Type parameter to Hybrid Cloud. Then, configure the parameters. The following table describes the parameters.
Parameter | Description |
Protected Object Name | The name of the protected object that you want to add to WAF. |
Domain Name | The domain name that you want to add to WAF. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Note: If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. WAF does not match domain names at levels that are different from the level of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com. WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence. |
URL | The URL that you want to add to WAF. |
Add to Protected Object Group | The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for all of them at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the group; you cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note: If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to it. For information about how to create a protected object group, see Create a protected object group. |
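The following Python is an added illustration, not Alibaba Cloud's code: it models the wildcard matching rules that the Domain Name parameter describes in both tables above (one label in front of the wildcard suffix, never the primary domain, never a deeper level) and the rule that an exact-match entry takes precedence over a wildcard entry. The function names and the entry list are constructed for this example.

```python
# Added example: a model of the Domain Name matching rules described on this
# page. Not the WAF implementation; written to make the rules checkable.

def domain_matches(pattern: str, host: str) -> bool:
    """Return True if a protected-object entry covers the requested host.

    Rules modelled from the page:
      * an exact-match entry matches only that host;
      * '*.aliyundoc.com' matches hosts with exactly one extra label
        (www.aliyundoc.com, example.aliyundoc.com), but neither the
        primary domain aliyundoc.com nor a deeper www.example.aliyundoc.com.
    """
    pattern = pattern.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]  # "aliyundoc.com" for "*.aliyundoc.com"
    if not host.endswith("." + suffix):
        return False  # rejects the bare primary domain and unrelated hosts
    prefix = host[: -len(suffix) - 1]  # the part before ".aliyundoc.com"
    # Exactly one non-empty label is allowed in front of the suffix.
    return bool(prefix) and "." not in prefix


def select_protected_object(entries, host):
    """Return the entry whose protection rules apply to host, or None.

    When both an exact-match entry and a wildcard entry cover the host,
    the exact-match entry wins, as the page states.
    """
    covering = [e for e in entries if domain_matches(e, host)]
    if not covering:
        return None
    exact = [e for e in covering if not e.startswith("*.")]
    return exact[0] if exact else covering[0]


if __name__ == "__main__":
    # Constructed entries mirroring the page's examples.
    entries = ["*.aliyundoc.com", "www.aliyundoc.com"]
    for h in ("www.aliyundoc.com", "example.aliyundoc.com",
              "aliyundoc.com", "www.example.aliyundoc.com"):
        print(f"{h:28} -> {select_protected_object(entries, h)}")
```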
After you add a protected object to a protected object group, you can view and manage the protected object in the protected object list. For more information, see Manage protected objects.
Create a protected object group
You can create protected object groups, associate protected objects with protected object groups, and configure protection rules for multiple protected objects at the same time.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protected Object Group tab, click Create.
In the Create Protected Object Group dialog box, configure the Name, Associate with Protected Object, and Description parameters. Then, click OK.
Note: Only protected objects that do not belong to a protected object group and use the default protection rule template are displayed in the Objects to Select section.
If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you add the protected object to another protected object group. For more information, see Modify a protected object group.
After you create a protected object group, you can manage the protected object group on the Protected Object Group tab. For more information, see Manage protected object groups.
Manage protected objects
On the Protected Objects tab, you can view and manage protected objects.
Feature | Description |
Settings: Configure Client IP Address | If a Layer 7 proxy is deployed in front of WAF, you can specify the method that WAF uses to obtain the IP addresses of clients. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. This way, WAF can obtain the actual IP addresses of clients, match requests against the corresponding protection rules, such as IP address blacklist rules, and display accurate source IP addresses in security reports. Find the protected object that you want to manage and click Settings in the Actions column. In the Settings dialog box, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter. |
Settings: Cookie Settings | |
View and configure protection rules | Find the protected object for which you want to configure protection rules and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object. |
Add to a protected object group | Find the protected object that you want to add to a protected object group and choose in the Actions column. If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list. |
View protection logs | Find the protected object whose protection logs you want to view and choose in the Actions column. You are redirected to the Log Service page, where you can enable the log collection feature for the protected object and view its protection logs. For more information, see Enable or disable the Log Service for WAF feature. |
Remove a protected object | Find the protected object that you want to remove from WAF and choose in the Actions column. |
Add tags to or remove tags from protected objects | You can use tags to search for specific resources in the WAF console. |
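The following Python is an added illustration, not Alibaba Cloud's code, of why the Configure Client IP Address setting above matters for IP address blacklist rules: behind a Layer 7 proxy the TCP peer is the proxy, so the client address must come from a forwarding header, but that header is only trustworthy when the peer really is a known proxy. The header name, the trusted proxy range, the blacklist entry, and the function names are constructed for this example and do not describe how WAF itself parses the header.

```python
# Added example: a simplified model of client IP resolution in front of an
# IP blacklist rule. Not the WAF implementation; ranges are constructed.
import ipaddress
from typing import Optional

# Constructed: address range of the Layer 7 proxy (CDN / Anti-DDoS) in front.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: one IP address blacklist entry.
BLACKLIST = {ipaddress.ip_address("198.51.100.7")}


def client_ip(remote_addr: str, xff: Optional[str], layer7_proxy_in_front: bool) -> str:
    """Return the address that blacklist rules should be matched against.

    Setting off: the TCP peer is the client, and X-Forwarded-For is ignored,
    so a client cannot spoof its way past a blacklist with a fake header.
    Setting on: the peer is the proxy. Walk X-Forwarded-For from the right,
    skip trusted proxy hops, and take the first untrusted hop as the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not layer7_proxy_in_front or not xff:
        return str(peer)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)  # peer is not a known proxy: header is untrusted
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: fall back to the peer address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)  # every hop was a proxy; nothing better than the peer


def is_blocked(remote_addr: str, xff: Optional[str], layer7_proxy_in_front: bool) -> bool:
    """Apply the constructed blacklist to the resolved client address."""
    return ipaddress.ip_address(client_ip(remote_addr, xff, layer7_proxy_in_front)) in BLACKLIST


if __name__ == "__main__":
    # Blacklisted client arriving through the proxy: caught only when the
    # setting is on; with it off, WAF sees the proxy address instead.
    print(is_blocked("203.0.113.10", "198.51.100.7", True))   # True
    print(is_blocked("203.0.113.10", "198.51.100.7", False))  # False
```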
Manage protected object groups
On the Protected Object Group tab, you can view and manage protected object groups.
Feature | Description |
Modify protected object groups | Find the protected object group that you want to modify and click Edit in the Actions column. Move the protected objects from the Objects to Select section to the Selected Protected Object Groups section, or from the Selected Protected Object Groups section to the Objects to Select section. |
View and configure protection rules | Find the protected object group for which you want to configure protection rules and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group. If you configure a protection rule for a protected object group, the rule takes effect for all protected objects in the group. |
Delete protected object groups | Find the protected object group that you want to delete and click Delete in the Actions column. Note: If you delete a protected object group, all protected objects in the group are disassociated from the group and a default protection template is applied to the protected objects. |