Web Application Firewall (WAF) provides a self-service tool in the console to upgrade WAF 2.0 instances to WAF 3.0. This topic covers the prerequisites, post-upgrade changes, and upgrade procedure.
The self-service upgrade tool is being rolled out in batches. Follow the steps below to upgrade:
- Direct upgrade: If the WAF3.0 Upgrade Portal button is displayed at the bottom of the left navigation pane in the Web Application Firewall console, click it to perform a self-service upgrade.
- Apply for upgrade: If the button is not displayed and you need to upgrade urgently, contact your account manager to submit an upgrade application.
Prerequisites
- Instances that use transparent proxy mode for Application Load Balancer (ALB) cannot be directly upgraded. If you have such instances, disable traffic redirection, delete the domain name configuration, and then perform a self-service upgrade. For more information, see the FAQ section below.
- Alibaba Cloud synchronizes cloud product assets daily from 00:00 to 03:00. Avoid upgrading instances that use transparent proxy mode during this window.
- The instance edition is a subscription Pro, Enterprise, or Ultimate edition, or a Hybrid Cloud WAF Exclusive edition.
- The instance does not use the data visualization service or have custom features enabled.
- The instance will not expire within 15 days, and your account has no overdue payments.
- The upgrade operation requires full WAF permissions (AliyunYundunWAFFullAccess).
Before you upgrade
Impact on services
- Business continuity: The upgrade is smooth and does not cause service interruptions. After the upgrade, the CNAME address provided by WAF 2.0 and the configured origin URLs remain unchanged. View the related information in the CNAME access list.
- Upgrade duration: The upgrade takes approximately 15 minutes. The one-click full upgrade method usually takes longer than the manual batch upgrade method because it includes a comprehensive system precheck.
Changes after the upgrade
Upgrade process
Description of connected object upgrades:
- When you upgrade a domain name that uses transparent proxy mode, WAF upgrades the traffic from the redirection ports of the bound cloud product instances (Layer 7 SLB, Layer 4 SLB, or ECS) to the corresponding cloud product integration. WAF also adds the instances as protected objects and the domain name as a custom protected object.
- When you upgrade traffic for a hybrid cloud integration, WAF reconfigures the traffic to use hybrid cloud reverse proxy mode by default and generates a protected object.
Canary release:
- When you select manual batch upgrade, you can enable the canary release feature for domain names. Canary release routes a portion of traffic to WAF 3.0. Choose the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0.
- Supported canary release proportions are: 1%, 5%, 10%, 20%, 30%, 50%, 70%, 90%, and 100%. Custom proportions are not supported. You can only increase the canary release proportion (for example, from 10% to 20%), not decrease it.
Data leakage prevention (DLP) does not support canary release. When a migration task is active, DLP hit records are logged in WAF 3.0.
Procedure
Log on to the Web Application Firewall console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance. At the bottom of the left navigation pane, click WAF3.0 Upgrade Portal.
- If your instance meets the upgrade requirements, review and select the acknowledgment in the Upgrade Instructions panel, then click I understand the upgrade instructions and agree to proceed with the upgrade. to go to the Upgrade Tool page to start the upgrade.
- If your instance does not meet the upgrade requirements, WAF displays an Error prompt. Follow the instructions in the prompt to resolve the issue.
Step 1: Bind traffic (transparent proxy mode only)
If you have domain names that use transparent proxy mode, the Bind Traffic to Cloud Service page appears. You must bind the domain name to the corresponding cloud product (ECS, CLB (TCP), or CLB (HTTP/HTTPS)). If you are not sure which cloud product type your domain name corresponds to, follow these steps to confirm:
- Use Network Diagnostic Analysis, select Network Diagnostic Analysis, enter the domain name, and find and copy the public IP address from the DNS service provider analysis results section.
- Go to the ECS console - Instances and the Classic Load Balancer (CLB) console. Select the region and resource group, and find the instance corresponding to the public IP address you copied.
  - If it is an ECS instance, select ECS.
  - If it is a CLB instance with a TCP listener, select CLB(TCP).
  - If it is a CLB instance with an HTTP or HTTPS listener, select CLB(HTTP/HTTPS).
- After making your selection, click Continue Upgrade.
Step 2: Upgrade precheck
The upgrade precheck tool verifies whether the current instance meets the upgrade conditions. After the initial check, view the most recent check time and result on the upgrade tool page. If the check fails, fix the reported issue based on the on-page instructions, then return to this page to rerun the check.
The precheck evaluates factors such as instance expiration time, rule count, and access method to determine whether the instance meets upgrade requirements. After the check passes, the page displays the supported upgrade methods, including One-click full upgrade, Manual batch upgrade: rule migration, and Manual batch upgrade: no rule migration. To refresh the check results, click Recheck.
Step 3: Select an upgrade method
The upgrade tool provides three upgrade methods. Select the one that suits your needs:
| Migration method | One-click full upgrade | Manual batch upgrade: rule migration | Manual batch upgrade: no rule migration |
| --- | --- | --- | --- |
| Applicable scenarios | | | |
| Upgrade mode | The system prechecks whether full upgrade is supported. If the check passes, it automatically creates a WAF 3.0 instance and upgrades both the forwarding configuration and protection rules to WAF 3.0. | The system prechecks whether the selected protection modules support upgrade. If the check passes, it automatically creates a WAF 3.0 instance and upgrades the protection rules. You must manually upgrade the forwarding configuration. | The system automatically creates a WAF 3.0 instance but does not perform any automatic upgrade. You must manually upgrade the forwarding configuration and reconfigure non-default protection rules in the WAF 3.0 console. |
- On the Upgrade Tool page, select One-click Upgrade, Rule-incorporated Manual Batch Upgrade, or Rule-free Manual Batch Upgrade, and click Start Migration.
  Important: If you select Rule-incorporated Manual Batch Upgrade, you must select the protection rules to upgrade. Multiple selections are supported. You can only select the rules to upgrade on the current page. Carefully evaluate your business requirements before starting the migration.
- In the dialog box that appears, click OK. The instance starts the automatic upgrade, which takes approximately 15 minutes. Keep the current page open and do not refresh it.
  Note: If the upgrade fails, the instance automatically rolls back to WAF 2.0. View the failure reason in the Rollback Completed dialog box.
- After WAF completes the automatic upgrade, click OK in the The WAF 3.0 instance is created. dialog box to enter the upgrade window.
Step 4: Complete the migration within the upgrade window
The upgrade window is the entire period during which upgrade operations are allowed, lasting 15 days in total. View the remaining time on the Upgrade Tools page.
Perform operations based on the selected upgrade method:
One-click full upgrade
- If you selected One-click Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, indicating that all configurations for domain names and cloud product instances connected to WAF have been automatically upgraded to WAF 3.0. On the Upgrade Tool page, the Domain Name List shows the access type and upgrade status of each domain name. After the upgrade is complete, the status displays as Upgraded.
- Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.
- Click Switch to WAF 3.0 in the lower-left corner of the page and perform the following checks:
  - In the left-side navigation pane, click Onboarding to check the asset onboarding status.
  - In the left-side navigation pane, choose , and verify that the protection template and its protected objects meet your business requirements.
- After you confirm that everything is normal, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.
  Note:
  - If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.
  - After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.
  - In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.
Manual batch upgrade: rule migration
- If you selected Rule-incorporated Manual Batch Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, and you must proceed with the manual upgrade.
- Select one or more domain names or cloud product instances to manually upgrade until all domain names and cloud product instances show Upgraded. The following two upgrade methods are supported:
  - Direct upgrade: In the Actions column, click Canary Release. In the dialog box that appears, click OK.
  - Canary upgrade: In the Actions column, click Canary Release and select the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0. When the canary upgrade progress reaches 100%, the upgrade status changes to Upgraded.
- Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.
  Note:
  - If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.
  - After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.
  - In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.
- After all domain names and cloud product instances are upgraded, and you confirm that the service traffic and protection configurations meet your expectations, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.
Manual batch upgrade: no rule migration
- If you selected Rule-free Manual Batch Upgrade in the previous step, the Upgrade Status for all domain names and servers on the Upgrade Tools page is Not Upgraded, and you must proceed with the manual upgrade.
- Select one or more domain names or cloud product instances to manually upgrade until all domain names and cloud product instances show Upgraded. The following two upgrade methods are supported:
  - Direct upgrade: In the Actions column, click Upgrade to WAF 3.0. In the dialog box that appears, click OK.
  - Canary upgrade: In the Actions column, click Canary Release and select the proportion of traffic to route to the new version, gradually increasing it until all traffic is directed to WAF 3.0. When the canary upgrade progress reaches 100%, the upgrade status changes to Upgraded.
- Verify that the service traffic for each connected object is normal. Check whether the ratio of HTTP 200 status codes in the logs has significant fluctuations, or whether the QPS has sudden spikes or drops. If you have enabled the WAF 3.0 log service, refer to Query logs for investigation.
  Note:
  - If you find that the service is not working correctly, go to the Upgrade Tools page. In the Actions column for the affected object, click Roll Back to WAF 2.0 to roll back the domain name or server to WAF 2.0.
  - After rolling back to WAF 2.0, you can later return to the upgrade tool page and click Upgrade to WAF 3.0 in the Actions column for the target object to upgrade to WAF 3.0. In this case, the system upgrades only the forwarding configuration for that object. You must manually associate the corresponding protection policy template with the object.
  - In extreme cases, if the service is still abnormal after the rollback, click Cancel Upgrade in the upper-right corner of the page to abandon the upgrade and revert all configurations to their pre-upgrade state.
- Click Switch to WAF 3.0 in the lower-left corner of the page. Refer to the WAF 2.0 protection configurations to create WAF 3.0 protection templates and rules, and configure the corresponding protected objects. For more information, see Protection configuration overview.
- After all domain names and cloud product instances are upgraded, and you confirm that the service traffic and protection configurations meet your expectations, go to the Upgrade Tools page and click Confirm Upgrade Completion. The WAF 2.0 instance is released. You must then use the WAF 3.0 console for security protection.
Confirm the upgrade promptly after completion. If you do not click Confirm Upgrade Completion before the 15-day upgrade window expires, the instance and its configurations roll back to WAF 2.0. The automatically created WAF 3.0 instance is released, and the protection configurations created during the window are deleted. If you still need to upgrade, you must start the process over.
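The traffic check and canary ramp described in Step 4 can be scripted against exported logs. The following is an added example, not Alibaba Cloud code: it assumes log records have already been reduced to (epoch seconds, HTTP status) pairs, and the function names, thresholds, and sample data are hypothetical.

```python
from collections import Counter

# Canary proportions listed on this page; the tool only allows increases.
CANARY_STEPS = [1, 5, 10, 20, 30, 50, 70, 90, 100]

def window_stats(records, window=60):
    """Map window start -> (QPS, share of HTTP 200) for (epoch_s, status) records."""
    total, ok = Counter(), Counter()
    for ts, status in records:
        start = ts - ts % window
        total[start] += 1
        ok[start] += status == 200
    return {s: (total[s] / window, ok[s] / total[s]) for s in sorted(total)}

def find_anomalies(baseline, current, ratio_drop=0.05, qps_change=0.5):
    """Flag post-change windows that deviate from the pre-change averages.

    ratio_drop and qps_change are assumed thresholds; tune them per service.
    """
    base = list(window_stats(baseline).values())
    if not base:
        raise ValueError("baseline is empty")
    base_qps = sum(q for q, _ in base) / len(base)
    base_ratio = sum(r for _, r in base) / len(base)
    flagged = []
    for start, (qps, ratio) in window_stats(current).items():
        reasons = []
        if base_ratio - ratio > ratio_drop:
            reasons.append("200 ratio dropped")
        if abs(qps - base_qps) > qps_change * base_qps:
            reasons.append("QPS spike or drop")
        if reasons:
            flagged.append((start, reasons))
    return flagged

def next_action(current_pct, baseline, current):
    """Advise the next console action for one domain at a given canary proportion."""
    if current_pct not in CANARY_STEPS:
        raise ValueError(f"unsupported canary proportion: {current_pct}%")
    if find_anomalies(baseline, current):
        return "roll back to WAF 2.0"
    if current_pct == 100:
        return "hold at 100%"
    return f"increase canary to {CANARY_STEPS[CANARY_STEPS.index(current_pct) + 1]}%"

def sample(start, n, n_ok, err=502):
    """Constructed data: n requests spread over one minute, n_ok of them HTTP 200."""
    return [(start + i * 60 // n, 200 if i < n_ok else err) for i in range(n)]

BASELINE = sample(0, 60, 57) + sample(60, 60, 57)   # before the upgrade
HEALTHY = sample(600, 60, 56)                       # after a canary step
DEGRADED = sample(660, 60, 40)                      # many 502s after a step

if __name__ == "__main__":
    print(next_action(10, BASELINE, HEALTHY))
    print(next_action(20, BASELINE, DEGRADED), find_anomalies(BASELINE, DEGRADED))
```

Because the canary proportion cannot be decreased, an anomaly maps to the per-object Roll Back to WAF 2.0 action rather than to a lower proportion.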
What's next
After the upgrade, if you previously configured the following services in WAF 2.0, perform additional operations in WAF 3.0:
- Configure the log service
  Reconfigure the following information for the log service:
  - Configure log fields, storage type, collection status for protected objects, log storage duration, and log capacity. For more information, see Log management overview.
  - Enable or disable the log service. For more information, see Enable or disable log service.
- Configure CloudMonitor and alerts
  WAF 3.0 uses new event and metric monitoring items that require reconfiguration. For more information, see Configure CloudMonitor notifications.
- Configure RAM permissions
  Reconfigure RAM permissions for OpenAPI operation-level permission management. For more information, see RAM authorization.
- Configure Terraform
  Terraform must be reconfigured. For more information, see Terraform Registry (domain name) and Terraform Registry (instance).
- Configure OpenAPI
  WAF 3.0 uses new OpenAPI operations. For more information, see API overview.
- Configure resource groups
  Resource groups do not support upgrade and must be reconfigured. For more information, see Add a domain to WAF via CNAME.
- Operations triggered by product code changes
  After the upgrade, the product code for WAF changes. If your instance requires commercial changes due to this, contact your account manager.
FAQ
Can instances with transparent proxy traffic redirection be upgraded?
Yes. WAF supports self-service upgrades for transparent proxy instances (Layer 7 SLB, Layer 4 SLB, and ECS) to WAF 3.0. However, transparent proxy (ALB) traffic does not support self-service upgrades. First disable ALB traffic redirection, delete the domain name configuration, and then proceed with the upgrade. Follow the steps below:
- Go to page. On the Servers tab, in the Actions column for the instance port, click Disable Traffic Redirection.
- On the Domain Names tab, in the Actions column for the domain name, click Delete.
- Upgrade the WAF instance. For more information, see Upgrade operations.
- Reconnect ALB traffic to WAF 3.0. For more information, see Cloud native mode.
Can exclusive edition instances be upgraded?
Yes. Contact your account manager for details.
Are any fees incurred during the upgrade?
No. After the upgrade is complete, subscription instances incur fees at the next renewal. For more information, see Fee changes.
Can a WAF 2.0 Enterprise Edition be upgraded to a WAF 3.0 Pro Edition, or a WAF 2.0 Pro Edition be upgraded to WAF 3.0 Enterprise Edition?
No. Subscription instances only support same-edition upgrades. A WAF 2.0 Pro Edition can only be upgraded to a WAF 3.0 Pro Edition. To use the Enterprise Edition, upgrade to the Enterprise Edition after completing the initial upgrade. For more information, see Upgrade an instance.
Can I add a new domain name in WAF 2.0 during the upgrade window and then continue the upgrade?
No. During the upgrade window, Website Access is grayed out and does not support adding new domain names, deleting existing ones, or modifying any forwarding configurations for connected domain names. If you need to add a domain name to WAF 2.0 during the upgrade window, abandon the upgrade first, add the domain name, and then restart the upgrade process.
After you abandon the upgrade, the system deletes the WAF 3.0 instance and its configurations, and exits the upgrade process.