Web Application Firewall: Overview

Last Updated: Jul 31, 2023

If you want to use Web Application Firewall (WAF) to protect your web services, you must add your web services to WAF. You can add your web services to WAF 3.0 in cloud native mode or CNAME record mode. You can select a mode based on the deployment of your web services. This topic describes the implementation, recommended scenarios, added objects, and access methods of the cloud native mode and CNAME record mode.

Comparison

Implementation

Cloud native mode (ALB, MSE, and Function Compute):

  • WAF is integrated as an SDK module into the gateways of cloud services to detect and protect traffic.

  • WAF does not forward traffic, which avoids compatibility and reliability issues.

Cloud native mode (CLB and ECS):

  • The traffic redirection ports are added to WAF. The gateways of the instances automatically redirect web service traffic to WAF. Then, WAF filters out malicious requests and forwards normal requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

CNAME record mode:

  • To use the CNAME record mode, you must update your CNAME record with your Domain Name System (DNS) provider to map your domain name to the CNAME that is provided by WAF. This routes requests that are bound for your domain name to WAF. Then, WAF filters out malicious requests and forwards normal requests to the origin server.

  • WAF detects and forwards requests as a reverse proxy cluster.

Recommended scenarios

If you use Alibaba Cloud Application Load Balancer (ALB), Microservices Engine (MSE), or Function Compute for your web services, we recommend that you add your web services to WAF in cloud native mode.

If you use Alibaba Cloud Classic Load Balancer (CLB) or Elastic Compute Service (ECS) for your web services, we recommend that you add your web services to WAF in cloud native mode.

If you do not use ALB, MSE, Function Compute, CLB, or ECS for your web services, you can add your web services to WAF in CNAME record mode.

Added objects

Cloud native mode (ALB, MSE, and Function Compute):

  • ALB or MSE instances, including all domain names that are deployed on the instances.

  • Custom domain names in Function Compute, including all functions that are bound to the custom domain names.

Cloud native mode (CLB and ECS):

  • CLB or ECS instances, including all domain names that are deployed on the instances.

CNAME record mode:

  • Domain names.

Access methods

Cloud native mode (CLB and ECS):

In the WAF console, add the traffic redirection ports of CLB instances or ECS instances to WAF. For more information, see Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF.

CNAME record mode:

  1. Add a domain name to WAF and configure listeners and forwarding rules. For more information, see Add a domain name to WAF.

  2. Modify the DNS record of the domain name. For more information, see Change the DNS record of a domain name.

  3. Allow access from back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
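
A verification sketch for steps 2 and 3 of the CNAME record mode procedure, added here as an example and not taken from the original page or from any WAF tooling: it checks that a domain's CNAME chain ends at the CNAME provided by WAF and compares the origin's allow rules with the WAF back-to-origin CIDR blocks. The CNAME target, DNS records, CIDR blocks, and function names are constructed placeholders, and the second returned list (allow rules that also admit sources outside the WAF blocks) is an extra check that the page does not ask for.

```python
import ipaddress

# Constructed sample data (assumptions, not values published by WAF): the CNAME
# target is a placeholder and the CIDR blocks are documentation ranges.
WAF_CNAME = "example-waf-cname.invalid."
WAF_BACK_TO_ORIGIN = ["192.0.2.0/24", "198.51.100.0/25"]
DNS_RECORDS = {  # name -> (record type, value), as exported from a DNS provider
    "www.example.com.": ("CNAME", "shop.example.com."),
    "shop.example.com.": ("CNAME", "example-waf-cname.invalid."),
    "api.example.com.": ("A", "203.0.113.10"),
}
ORIGIN_ALLOW_RULES = ["192.0.2.0/24", "198.51.100.0/26", "203.0.113.0/24"]


def routed_through_waf(name, records, waf_cname, max_hops=8):
    """Follow the CNAME chain for name; True only if it reaches waf_cname."""
    seen = set()
    for _ in range(max_hops):
        if name == waf_cname:
            return True
        if name in seen or name not in records:
            return False  # CNAME loop, or the chain leaves the known records
        seen.add(name)
        rtype, value = records[name]
        if rtype != "CNAME":
            return False  # A/AAAA record: requests go straight to an address
        name = value
    return False


def audit_origin_allowlist(allow_rules, waf_cidrs):
    """Return (WAF blocks not fully allowed, allow rules wider than WAF)."""
    uncovered, too_broad = [], []
    for version in (4, 6):  # compare IPv4 and IPv6 networks separately
        allowed = [n for n in map(ipaddress.ip_network, allow_rules) if n.version == version]
        waf = [n for n in map(ipaddress.ip_network, waf_cidrs) if n.version == version]
        merged_allow = list(ipaddress.collapse_addresses(allowed))
        merged_waf = list(ipaddress.collapse_addresses(waf))
        # WAF blocks the origin does not fully allow: forwarded requests may be dropped.
        uncovered += [str(w) for w in waf if not any(w.subnet_of(a) for a in merged_allow)]
        # Allow rules that admit sources outside the WAF blocks.
        too_broad += [str(a) for a in allowed if not any(a.subnet_of(w) for w in merged_waf)]
    return uncovered, too_broad
```

With the constructed data, `www.example.com.` resolves through WAF while `api.example.com.` does not, and the audit reports `198.51.100.0/25` as not fully allowed and `203.0.113.0/24` as wider than the WAF blocks.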