If you use a Web Application Firewall (WAF) 2.0 instance, you can use the self-service upgrade tool that is provided by Alibaba Cloud to upgrade the WAF 2.0 instance to WAF 3.0 in the WAF 2.0 console. This topic describes the limits, instructions, and procedure for the upgrade.
The self-service upgrade tool is in canary release.
If WAF3.0 Upgrade Portal is displayed in the left-side navigation pane of the WAF 2.0 console, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0.
If WAF3.0 Upgrade Portal is not displayed in the left-side navigation pane of the WAF 2.0 console and you want to upgrade your WAF 2.0 instance to WAF 3.0, submit an upgrade application to your account manager.
Limits
The WAF 2.0 instance that you want to upgrade to WAF 3.0 must meet the following requirements:
The WAF 2.0 instance is a Hybrid Cloud Exclusive Edition instance, or your web services are added to the WAF 2.0 instance in CNAME record mode or transparent proxy mode. If your web services are added to the WAF 2.0 instance in transparent proxy mode, your origin server must be deployed on a Layer 7 Classic Load Balancer (CLB), Layer 4 CLB, or Elastic Compute Service (ECS) instance.
NoteIf your origin server is deployed on an Application Load Balancer (ALB) instance, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations for the ALB instance. For more information, see Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?
Alibaba Cloud performs operations such as asset synchronization from 00:00 to 03:00 every day. We recommend that you do not upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode during this period.
The edition of the WAF 2.0 instance is Subscription Pro Edition, Subscription Business Edition, Subscription Enterprise Edition, or Hybrid Cloud Exclusive Edition.
The data visualization feature is disabled for the WAF 2.0 instance and no customized features are enabled for the WAF 2.0 instance.
The WAF 2.0 instance does not expire in the next 15 days.
The WAF 2.0 instance belongs to an Alibaba Cloud account that does not have overdue payments.
To view the details of the account, move the pointer over the profile picture in the upper-right corner of the WAF 2.0 console.
Instructions
Upgrade process
After you upgrade a domain name that is added to WAF 2.0 in transparent proxy mode to WAF 3.0, the cloud service instance on which the domain name is hosted becomes a custom protected object of WAF 3.0 that is added to WAF 3.0 in cloud native mode.
After you upgrade a WAF 2.0 Hybrid Cloud Exclusive instance to WAF 3.0, a protected object is automatically created for traffic that is protected by the WAF 2.0 instance and is added to WAF 3.0 in hybrid cloud reverse proxy mode.
Procedure
Before you upgrade a WAF 2.0 instance to WAF 3.0, disable auto-renewal for the WAF 2.0 instance to prevent repeated auto-renewals.
If your WAF 2.0 instance expires within the upgrade window, we recommend that you manually renew your instance for one month to prevent instance expiration.
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the lower part of the left-side navigation pane, click WAF3.0 Upgrade Portal.
If your WAF 2.0 instance meets the requirements that are described in the "Limits" section of this topic, read the instructions and click I understand the upgrade instructions and agree to proceed with the upgrade. in the Upgrade Instructions panel.
If your instance does not meet the requirements that are described in the "Limits" section of this topic, the Error message appears. You can fix the error based on the error message. If you have questions, join the DingTalk group (group ID: 34657699) for technical support.
If a domain name is added to WAF 2.0 in transparent proxy mode, bind the domain name to the corresponding cloud service.
On the Upgrade Tool page, select an upgrade method. You can select One-click Upgrade, Rule Upgrade, or Manual Batch Upgrade. Then, click Start Migration.
ImportantIf you select Rule Upgrade, you can select one or more protection rule modules that you want to upgrade.
You can select the protection rules that you want to upgrade only on the Upgrade Tools page.
In the Note message, click OK.
ImportantAfter you click OK, the upgrade window starts. The upgrade requires approximately 15 minutes to complete. Do not close or refresh the current page during this period.
In the The WAF 3.0 instance is created. message, click OK.
Switch to the WAF 3.0 console and check whether the automatic upgrade of configuration items is complete. For information about the automatically upgraded configuration items, see Upgrade process.
Switch to the WAF 2.0 console. On the Upgrade Tools page, check the upgrade status of domain names.
One-click upgrade
If the upgrade status of all domain names is Upgraded, all configurations of the domain names are automatically upgraded to WAF 3.0.
NoteIf the upgrade fails, the WAF instance is rolled back to WAF 2.0. In the Rollback Completed dialog box, you can view the cause of the upgrade failure.
Rule upgrade and manual batch upgrade
If the upgrade status of a domain name is Not Upgraded, specific configurations of the domain name are not automatically upgraded to WAF 3.0. You must manually upgrade the configurations.
Manual upgrade configurations. This operation is required only if you select the Rule Upgrade or Manual Batch Upgrade method.
Rule upgrade
Upgrade the forwarding configurations of domain names
To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.
To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.
If the upgrade is successful, the upgrade status of the domain names is changed to Upgraded.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the upgraded protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
NoteIf you want to associate a bot management rule with protected objects, choose Find the bot management rule that you want to associate with specific protected objects and click the
in the left-side navigation pane.icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Manual batch upgrade
Upgrade the forwarding configurations of domain names
To upgrade the forwarding configurations of a domain name, find the domain name and click Upgrade to WAF 3.0 in the Actions column.
To upgrade the forwarding configurations of multiple domain names at the same time, select the domain names in the domain name list and click Batch Upgrade to WAF 3.0 below the list.
If the upgrade is successful, the upgrade status of the domain names is changed to Upgraded.
Create protection templates and protection rules
Switch to the WAF 3.0 console and create protection templates and protection rules. For more information, see Protection configuration.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the upgraded protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
NoteIf you want to associate a bot management rule with protected objects, choose Find the bot management rule that you want to associate with specific protected objects and click the
in the left-side navigation pane.icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Switch to the WAF 3.0 console and check whether the upgraded configurations are effective and whether your business runs as expected.
If the upgraded configurations are ineffective or your business does not run as expected, find the upgraded domain name and click Roll Back to WAF 2.0 in the Actions column to roll back the domain name and the corresponding configurations. You can also select multiple domain names and click Batch Roll Back to WAF 2.0 to roll back the domain names and configurations to WAF 2.0 at the same time.
NoteAfter the configurations of the domain names that were upgraded by using the one-click upgrade method are rolled back to WAF 2.0, you can click Upgrade to WAF 3.0 in the Actions column on the Upgrade Tools page to re-upgrade the configurations to WAF 3.0. Only the forwarding configurations of the domain names are upgraded to WAF 3.0. After the upgrade is complete, configure protection rules for the domain names.
Click Confirm Upgrade Completion.
After the upgrade is complete, your WAF 2.0 instance is released and you can use the new WAF 3.0 instance in the WAF 3.0 console.
ImportantClick Confirm Upgrade Completion within the upgrade window. If you do not click Confirm Upgrade Completion within the upgrade window period, the upgraded domain names and configurations are rolled back to WAF 2.0. If you re-upgrade your WAF 2.0 instance to WAF 3.0, the upgrade process restarts.
What to do next
After the upgrade is complete, you must perform the following operations before you can use WAF 3.0:
Configure API operations
WAF 3.0 provides new API operations. You must configure the API operations. For more information, see List of operations by function.
Grant permissions to RAM users
You must grant RAM users permissions on different API operations. For more information, see RAM authorization.
Reconfigure Terraform
You must reconfigure Terraform. For more information, see Terraform Registry (domain) and Terraform Registry (instance).
Reconfigure resource groups
Resource groups cannot be upgraded. You must reconfigure resource groups. For more information, see Add a domain name to WAF.
Use CloudMonitor to reconfigure monitoring and alerting
You must reconfigure monitoring and alerting for security events and service metrics. For more information, see Configure CloudMonitor notifications.
Reconfigure log settings
To reconfigure log settings, perform the following operations:
Configure log fields and the log storage type, log collection status, log storage period, and log storage capacity. For more information, see Configure log settings and manage log storage capacity.
Enable or disable the Simple Log Service for WAF feature. For more information, see Enable or disable the Log Service for WAF feature.
Operations triggered by the product code change
After the upgrade is complete, the product code of the WAF instance is changed. If you have questions that are related to the preceding change, contact your account manager.
FAQ
Can I upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode?
Yes, you can upgrade a WAF 2.0 instance to which domain names are added in transparent proxy mode. If your origin server is deployed on a Layer 7 CLB, Layer 4 CLB, or ECS instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service upgrade tool to upgrade the WAF 2.0 instance to WAF 3.0. If your origin server is deployed on an ALB instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service upgrade tool to upgrade your WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations for the ALB instance. You can upgrade the WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations. To disable traffic redirection and delete the access configurations, perform the following steps:
On the Servers tab of the Website Access page, find the port that is added to WAF 2.0 in transparent proxy mode and click Disable Traffic Redirection in the Actions column.
On the Domain Names tab, find the domain name and click Delete in the Actions column.
Upgrade the WAF 2.0 instance. For more information, see the "Upgrade process" section of this topic.
Add the upgraded instance to WAF 3.0. For more information, see Cloud native mode.
Can I upgrade a WAF 2.0 Exclusive Edition instance to WAF 3.0?
No, you cannot upgrade a WAF 2.0 Exclusive Edition instance to WAF 3.0. WAF 3.0 does not support Exclusive Edition.
Am I charged for upgrade operations?
No, you are not charged for upgrade operations. If you use a subscription WAF instance, you are charged only if you renew your WAF instance.
Can I upgrade a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance?
No, you cannot upgrade a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance.
Can I upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance?
No, you cannot upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance. However, you can upgrade a WAF 2.0 Pro Edition instance to a WAF 3.0 Pro Edition instance. If you want to use a WAF 3.0 Enterprise Edition instance, you can upgrade the edition of the new WAF 3.0 instance. For more information, see Upgrade or downgrade a WAF instance.
Can I add a domain name to my WAF 2.0 instance within the upgrade window period and then resume the upgrade task?
No, you cannot add a domain name to your WAF 2.0 instance within the upgrade window and then resume the upgrade task. You cannot add, remove, or modify domain names on the Website Access page within the upgrade window. Before you add a domain name to the WAF 2.0 instance that is being upgraded, you must cancel the upgrade task. Then, you must restart the upgrade task for the WAF 2.0 instance.
After you cancel the upgrade task, the system deletes the new WAF 3.0 instance and the corresponding configurations and terminates the upgrade process.