Web Application Firewall: Enable WAF protection for an MSE instance

Last Updated: Jan 17, 2024

If a Microservices Engine (MSE) instance is configured for your web services, you can enable Web Application Firewall (WAF) 3.0 protection for the MSE instance. This topic describes how to enable WAF protection for an MSE instance.

Background information

MSE is an end-to-end microservices platform that is developed for mainstream open source microservices ecosystems. MSE provides the following modules: Microservices Registry, Cloud-native Gateway, and Microservices Governance. Microservices Registry supports the native Nacos engine, ZooKeeper engine, and Eureka engine. Cloud-native Gateway supports native Ingress and Envoy. Microservices Governance supports native Spring Cloud, Dubbo, and Sentinel and complies with OpenSergo. WAF 3.0 can be integrated into MSE to improve the O&M efficiency and security of your web services. This also helps ensure a seamless and interactive user experience.

Limits

You can add web services to WAF in cloud native mode only if your web services use the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), or Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

  • The MSE instance for which you want to enable WAF protection must reside in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Hong Kong), Singapore, and Malaysia (Kuala Lumpur).

  • You cannot enable the following features for MSE instances for which WAF protection is enabled:

    • Website tamper-proofing

    • Data leakage prevention

    • Automatic integration of the Web SDK in bot management for website protection

    • API security

Prerequisites

  • A cloud-native gateway is created. For more information, see Create a cloud-native gateway.

  • If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.

    To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Enable WAF protection for an MSE instance

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the Cloud Native tab, click MSE in the left-side product type list.

  4. Click Add.

  5. Click Authorize Now to grant permissions to your WAF instance to access MSE.

    Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

    Note

    If your WAF instance is authorized to access MSE, skip this step.

    You are redirected to the MSE console.

  6. In the top navigation bar, select the region where the MSE instance for which you want to enable WAF protection resides. You can select China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), Singapore, Malaysia (Kuala Lumpur), or China (Hong Kong).

  7. Enable WAF protection.

    • Enable instance-level protection

      Find the gateway for which you want to enable WAF protection, move the pointer over the Not enabled icon in the WAF Protection column, and then click Enable Gateway Protection. You can also choose More > Enable WAF Protection in the Actions column. In the Enable WAF Protection dialog box, click OK.

    • Enable route-level protection

      1. Find the gateway for which you want to enable WAF protection, click the name of the gateway, and then choose Routes > Route Settings in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.

      2. Find the route for which you want to enable WAF protection and choose More > Enable Route Protection in the Actions column. Then, click OK.

Manage WAF protection in the MSE console

  1. Log on to the MSE console. In the left-side navigation pane, choose Cloud-native Gateway > Gateways.

  2. In the top navigation bar, select the region where the MSE instance for which you want to enable WAF protection resides. You can select China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), Singapore, Malaysia (Kuala Lumpur), or China (Hong Kong).

  3. Manage WAF protection.

    • View MSE instances for which WAF protection is enabled

      In the instance list, you can view the MSE instances for which WAF protection is enabled. If the Enabled icon is displayed on the right side of the name of an MSE instance, WAF protection is enabled for the MSE instance.

    • Disable WAF protection for an MSE instance

      After you disable WAF protection for an MSE instance, web service traffic that is generated on the MSE instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.

      Important

      After you disable WAF protection for an MSE instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. Before you disable WAF protection for an MSE instance, we recommend that you delete the protection rules that you configured for the instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.

      • Disable instance-level protection

        Find the gateway for which you want to disable WAF protection, click the Enabled icon in the WAF Protection column, and then click Disable Gateway Protection. You can also choose More > Disable WAF Protection in the Actions column. In the Disable WAF Protection dialog box, click OK.

      • Disable route-level protection

        1. Find the gateway for which you want to disable WAF protection, click the name of the gateway, and then choose Routes > Route Settings in the left-side navigation pane of the Basic Information page. You can also click Route Settings in the Actions column.

        2. Find the route for which you want to disable WAF protection and choose More > Disable Route Protection in the Actions column. Then, click OK.

Manage WAF protection in the WAF console

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection.

    • View MSE instances for which WAF protection is enabled

      On the Cloud Native tab, click MSE in the left-side product type list.

    • Configure protected objects and protection rules

      After you enable WAF protection for an MSE instance, the MSE instance automatically becomes a protected object of WAF. The name of the protected object contains the -mse suffix. By default, basic protection rules are enabled for the protected object. On the Protected Objects page, you can view the protected object and configure protection rules for the protected object. To go to the Protected Objects page, click the ID of the MSE instance on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.

    • Remove an MSE instance from WAF

      After you remove an MSE instance from WAF, web service traffic that is generated on the instance is no longer protected by WAF, and WAF security reports no longer include the protection details of the web service traffic.

      Important

      After you remove an MSE instance from WAF, request processing fees are no longer incurred. However, you are still charged feature fees for the protection rules that you configured for the MSE instance. Before you remove an MSE instance from WAF, we recommend that you delete the protection rules that you configured for the instance. For more information, see the "Billable items" section in the Overview topic and the "Protection module overview" section in the Protection configuration overview topic.

      1. Find the instance that you want to remove and click Remove in the Actions column.

        You are redirected to the Gateways page in the MSE console.

      2. Disable WAF protection in the MSE console. For more information, see Disable WAF protection for an MSE instance.