If Microservices Engine (MSE) is enabled for your web services, you can enable Web Application Firewall (WAF) 3.0 protection for your MSE instance to redirect web service traffic to WAF 3.0. This topic describes how to enable WAF protection for an MSE instance.
Background information
MSE is an end-to-end microservices platform that is developed for mainstream open source microservices ecosystems in the industry. MSE provides the following modules: Microservices Registry, Cloud-native Gateway, and Microservices Governance. Microservices Registry supports the native Nacos engine, ZooKeeper engine, and Eureka engine. Cloud-native Gateway supports native Ingress and Envoy. Microservices Governance supports native Spring Cloud, Dubbo, and Sentinel, and complies with OpenSergo. WAF 3.0 can be integrated into MSE cloud-native gateways to improve the security and O&M efficiency of your web services and provide a smoother interactive experience.
Prerequisites
A cloud-native gateway is created. For more information, see Create a cloud-native gateway.
Enable WAF protection
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, click Website Configuration.
- On the Cloud Native tab, select MSE in the product type list on the left side.
- Click Add. Then, you are redirected to the Gateway list page in the MSE console.
- In the top navigation bar, select the region where your cloud-native gateway is deployed. Note: The MSE instances that you want to add to WAF in cloud native mode must reside in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), and China (Hong Kong).
- Enable WAF protection.
- Enable instance-level protection
Find the gateway for which you want to enable WAF protection and move the pointer over the icon in the Security column. In the hoverbox that appears, click Open Gateway instance protection. You can also choose in the Actions column and click OK in the dialog box that appears.
- Enable route-level protection
- Find the gateway for which you want to enable WAF protection and click the name of the gateway. In the left-side navigation pane of the Basic Information page, click Routes or click Router Configuration in the Actions column.
- Find the route for which you want to enable WAF protection and choose in the Actions column. Then, click OK.
After you enable WAF protection for an MSE instance, the instance is displayed on the Protected Objects page in the WAF console. To go to the Protected Objects page, you can click the MSE instance on the Cloud Native tab of the Website Configuration page. The suffix of the protected object name of the MSE instance is -mse. Basic protection rules are automatically enabled for the MSE instance. You can configure protection rules for the MSE instance on the Protected Objects page. For more information, see Protection configuration overview.
Manage WAF protection in the MSE console
- Log on to the MSE console. In the left-side navigation pane, choose .
- In the top navigation bar, select the region where your cloud-native gateway is deployed. Note: The MSE instances that you want to add to WAF in cloud native mode must reside in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), and China (Hong Kong).
- Manage WAF protection.
- View MSE instances for which WAF protection is enabled
In the instance list, you can view the MSE instances for which WAF protection is enabled. If the icon is displayed on the right side of an instance name, it indicates that the MSE instance is protected by WAF.
- Disable WAF protection for an MSE instance
After you disable WAF protection for an MSE instance, the web service traffic that is generated on the MSE instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.
Important: After you disable WAF protection for an MSE instance, request processing fees are no longer incurred, but you are still charged feature fees for the protection rules that you configured. We recommend that you delete the protection rules that you configured before you disable WAF protection for an MSE instance. For more information, see Billable items and Protection module overview.
- Disable instance-level protection
Find the gateway for which you want to disable WAF protection and move the pointer over the icon in the Security column. In the hoverbox that appears, click Turn off gateway instance protection. You can also choose in the Actions column. Then, click OK.
- Disable route-level protection
- Find the gateway for which you want to disable WAF protection and click the name of the gateway. In the left-side navigation pane of the Basic Information page, click Routes. You can also click Router Configuration in the Actions column.
- Find the route for which you want to disable WAF protection and choose in the Actions column. Then, click OK.
Manage WAF protection in the WAF console
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, click Website Configuration.
- Manage WAF protection.
- View MSE instances for which WAF protection is enabled
On the Cloud Native tab, click MSE in the product type list on the left side.
- Configure protected objects and protection rules
Click the name of the MSE instance that you want to view. On the Protected Objects page, you can view the protected MSE instance and the protection rules. For more information, see Product configuration.
Note:
- The value of the Asset Type parameter of a cloud service instance that is added to WAF in cloud native mode is the abbreviation of the cloud service. For example, the value of the Asset Type parameter for an MSE instance is mse, and the Domain Name parameter is left empty.
- You cannot configure website tamper-proofing rules, data leakage prevention rules, bot management rules, or the API security module for MSE instances that are added to WAF.
- Disable WAF protection for an MSE instance
After you disable WAF protection for an MSE instance, the web service traffic that is generated on the MSE instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.
Important: After you disable WAF protection for an MSE instance, request processing fees are no longer incurred, but you are charged feature fees for the protection rules that you configured. We recommend that you delete the protection rules that you configured before you disable WAF protection for an MSE instance. For more information, see Billable items and Protection module overview.
- Find the instance that you want to remove and click Remove in the Actions column.
Then, you are redirected to the Gateway list page in the MSE console.
- Disable WAF protection in the MSE console. For more information, see Disable WAF protection for an MSE instance in the preceding section.