You must add your web service to Web Application Firewall (WAF) before you can use WAF to protect it. This topic describes how to add web services to WAF 3.0.

Mode

You can add your web service to WAF 3.0 in CNAME record mode. The following table describes the CNAME record mode.

Mode: Add a website in CNAME record mode

Description: You can change the DNS record to map the domain name that you want to protect to the CNAME assigned by WAF. This way, requests that are destined for the domain name are forwarded to WAF. Then, WAF blocks attack requests and forwards normal requests to your origin server.

If you add your web service to WAF in CNAME record mode, you must configure forwarding rules.

Supported service: The web services whose domain names use HTTP or HTTPS to distribute content over specified ports. For more information, see View supported ports.

If you add your web service to WAF in CNAME record mode, you must add the domain name of your web service.

Recommended scenario: We recommend that you use the CNAME record mode only if your web service is not deployed on a cloud service instance such as an Application Load Balancer (ALB) instance.

CNAME record mode

In CNAME record mode, you must perform the following operations to add a domain name to WAF 3.0:

  1. Complete the Configure Listener and Change Forwarding Rule steps in the Add Domain Name wizard.

    In the Configure Listener step, you must specify information about the web service traffic that WAF monitors and protects. This information includes the domain name of the website, protocol type, and ports. In the Change Forwarding Rule step, you must specify the information based on which WAF forwards service requests to the origin server. This information includes the origin server address and load balancing algorithm. For more information, see Add a domain name.

  2. Allow access from back-to-origin CIDR blocks of WAF.

    If the origin server on which the domain name is deployed uses a third-party firewall, you must add the WAF back-to-origin IP address to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  3. Change the DNS record of the domain name to map the domain name to the CNAME that is provided by WAF. This way, your web service is protected by WAF. For more information, see Change the DNS record of a domain name.
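A pre-cutover check for step 2, as an added example that is not part of the original documentation: before you change the DNS record, it reports which parts of the WAF back-to-origin CIDR blocks the origin firewall's IP address whitelist still does not cover. The function name and all CIDR values are constructed for illustration; take the real blocks from the WAF console and the whitelist from your firewall's export.

```python
import ipaddress

def uncovered_ranges(waf_cidrs, whitelist):
    """Return the parts of the WAF back-to-origin CIDR blocks that the origin
    firewall whitelist does not cover. An empty list means full coverage."""
    entries = [ipaddress.ip_network(e, strict=False) for e in whitelist]
    allowed = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        allowed += ipaddress.collapse_addresses(
            n for n in entries if n.version == version)
    gaps = []
    for cidr in waf_cidrs:
        remaining = [ipaddress.ip_network(cidr, strict=False)]
        for entry in allowed:
            still_open = []
            for block in remaining:
                if block.version != entry.version or not block.overlaps(entry):
                    still_open.append(block)       # entry does not touch it
                elif not block.subnet_of(entry):   # entry covers only a part
                    still_open.extend(block.address_exclude(entry))
            remaining = still_open
        gaps.extend(remaining)
    gaps.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in gaps]

# Constructed sample data (documentation ranges), not real WAF CIDR blocks.
WAF_BACK_TO_ORIGIN = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]
ORIGIN_WHITELIST = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/26",
                    "2001:db8::/32"]

if __name__ == "__main__":
    missing = uncovered_ranges(WAF_BACK_TO_ORIGIN, ORIGIN_WHITELIST)
    if missing:
        print("Do not change the DNS record yet; whitelist is missing:")
        for net in missing:
            print("  " + net)
    else:
        print("All back-to-origin CIDR blocks are whitelisted.")
```

Any range it reports is a source from which WAF would forward normal requests that the third-party firewall would then block.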