
Web Application Firewall: Migrate a WAF 2.0 instance to WAF 3.0

Last Updated: Feb 22, 2024

If you use a Web Application Firewall (WAF) 2.0 instance, you can use the self-service migration tool that is provided by Alibaba Cloud to migrate the WAF 2.0 instance to WAF 3.0 in the WAF 2.0 console. This topic describes the limits, instructions, and procedure for instance migration.

Important

The self-service migration tool is in canary release.

  • If WAF 3.0 Migration Portal is displayed in the left-side navigation pane of the WAF 2.0 console, you can use the self-service migration tool to migrate your WAF 2.0 instance to WAF 3.0.

  • If WAF 3.0 Migration Portal is not displayed in the left-side navigation pane of the WAF 2.0 console and you want to immediately migrate your WAF 2.0 instance to WAF 3.0, submit a migration application to your account manager.

Limits

The WAF 2.0 instance that you want to migrate to WAF 3.0 must meet the following requirements:

  • The WAF 2.0 instance is a Hybrid Cloud Exclusive Edition instance or your web services are added to the WAF 2.0 instance in CNAME record mode or transparent proxy mode. If your web services are added to the WAF 2.0 instance in transparent proxy mode, your origin server must be deployed on a Layer 7 Classic Load Balancer (CLB), Layer 4 CLB, or Elastic Compute Service (ECS) instance.

    Note

    If your origin server is deployed on an Application Load Balancer (ALB) instance and the instance is added to WAF in transparent proxy mode, you cannot migrate your WAF 2.0 instance to WAF 3.0 by using the self-service migration tool. You can migrate the WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations. For more information, see Can I migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode?

  • Alibaba Cloud performs operations such as asset synchronization from 00:00 to 03:00 every day. We recommend that you do not migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode during this period of time.

  • The edition of the WAF 2.0 instance is Subscription Pro, Subscription Business, Subscription Enterprise, or Hybrid Cloud Exclusive.

  • The data visualization feature is disabled for the WAF 2.0 instance and no customized features are enabled for the WAF 2.0 instance.

  • The WAF 2.0 instance does not expire in the next 15 days.

  • The WAF 2.0 instance belongs to an Alibaba Cloud account and the account does not have overdue payments.

    To view the details of the account, move the pointer over the profile picture in the upper-right corner of the WAF 2.0 console.

Instructions

Impacts on business

You can migrate a WAF 2.0 instance to WAF 3.0 without service interruptions.

Note

After you migrate the instance, the CNAME provided by the WAF 2.0 instance and the configured back-to-origin addresses remain unchanged. On the CNAME Record tab of the Website Configuration page in the WAF 3.0 console, you can view the migrated domain names, CNAMEs assigned to the domain names, and origin server addresses.

Migration methods

  • One-click Full Migration

    After the migration starts, the system checks whether your configurations meet the migration requirements. If your configurations meet the migration requirements, the system creates a WAF 3.0 instance and migrates all forwarding configurations and protection configurations to the WAF 3.0 instance.

    Use scenario: A small number of domain names are added to your WAF 2.0 instance and you want to migrate your WAF 2.0 instance to WAF 3.0 with one click.

  • Rule Migration

    After the migration starts, the system checks whether the protection rules of the protection rule modules that you selected can be migrated. If the protection rules can be migrated, the system creates a WAF 3.0 instance and migrates the protection rules to WAF 3.0. The protection performance of the protection rules is not affected. You must manually migrate the forwarding configurations of the specified domain names, create protection templates, add protection rules to the templates, and then associate the templates with protected objects.

    Use scenario: You want to migrate protection rules in batches and view traffic statistics.

  • Manual Batch Migration

    After the migration starts, the system creates a WAF 3.0 instance and does not migrate forwarding configurations or protection configurations to the WAF 3.0 instance. You must manually migrate the forwarding configurations of the specified domain names, create protection templates, add protection rules to the templates, and then associate the templates with protected objects.

    Use scenario: A large number of domain names are added to your WAF 2.0 instance or complex protection rules are configured. You want to migrate the domain names to WAF 3.0 in batches and view traffic statistics.

Amount of time required for the migration

The time required for the migration is approximately 15 minutes, during which a WAF 3.0 instance is created and forwarding configurations and protection configurations are migrated.

Compared with the manual batch migration and rule migration methods, the one-click full migration method requires more time to complete because of complex prechecks.

Migration window

  • Duration

    After the migration starts, you can perform migration operations within a 15-day migration window period. After you click Confirm Migration Completion, you cannot perform migration operations.

    You can view the remaining duration of the migration window period on the Migration Tool page.

  • Operations that can be performed

    • View traffic statistics.

    • Migrate domain names in batches.

    • Switch between the WAF 2.0 console and the WAF 3.0 console.

    • Configure protection rules in the WAF 3.0 console and check whether the new WAF 3.0 instance protects your web services as expected.

    • Roll back to WAF 2.0.

    • Confirm that the migration is complete or cancel the migration task.

  • Operations that cannot be performed

    • You cannot renew, upgrade, downgrade, or unsubscribe from your WAF instance in the WAF console or the User Center. If you perform the preceding operations on your WAF instance, the instance may be released and fees may fail to be refunded.

    • You cannot enable or disable the website tamper-proofing or data leakage prevention feature.

    • You cannot modify the forwarding configurations in WAF 2.0 or WAF 3.0.

  • Note

    • If you create an alert rule for the new WAF 3.0 instance within the migration window period, you receive alerts only in the WAF 2.0 console.

    • If you do not click Confirm Migration Completion within the migration window period, your WAF instance and the corresponding configurations are rolled back to WAF 2.0. The new WAF 3.0 instance and the corresponding configurations are deleted.

    • After the migration is complete, you can use your WAF instance only in the WAF 3.0 console. Before you click Confirm Migration Completion, make sure that you do not require other migration operations.

Comparison between WAF 2.0 and WAF 3.0

Editions and features

If the edition of your WAF 2.0 instance is Subscription Pro, the new WAF 3.0 instance runs Subscription Pro Edition. If the edition of your WAF 2.0 instance is Subscription Business, the new WAF 3.0 instance runs Subscription Enterprise Edition. If the edition of your WAF 2.0 instance is Subscription Enterprise, the new WAF 3.0 instance runs Subscription Ultimate Edition. The WAF 2.0 instance and the WAF 3.0 instance use the same billing method. WAF 3.0 improves and integrates specific features on top of WAF 2.0.

  • The intelligent rule hosting feature of the protection rules engine and the slider CAPTCHA verification feature in custom rules are disabled for subscription WAF 3.0 Pro Edition instances. To use the preceding features, upgrade the edition of the WAF 3.0 instance from Pro to Enterprise or Ultimate. For more information, see Upgrade or downgrade a WAF instance.

  • WAF 3.0 provides the following features that are not supported by WAF 2.0: protection templates, custom response rules, major event protection, and the advanced asset center. After the migration is complete, you can configure the features based on your business requirements. For more information, see Configure custom response rules to configure custom block pages, Major event protection, and Asset center.

  • Hybrid Cloud Exclusive Edition is not supported in WAF 3.0. A WAF 2.0 Hybrid Cloud Exclusive Edition instance can be migrated only to a subscription WAF 3.0 Ultimate Edition instance.

    Examples:

    Scenario 1

      • Before migration: Your WAF 2.0 instance runs Hybrid Cloud Exclusive Edition and you did not purchase additional quotas for protection nodes or domain names. This edition provides a quota of 2 protection nodes and 200 domain names.

      • After migration: The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node, and 200 domain names.

    Scenario 2

      • Before migration: Your WAF 2.0 instance runs Hybrid Cloud Exclusive Edition and you purchased an additional quota of x protection nodes. This edition provides a quota of 2 protection nodes and 200 domain names.

      • After migration: The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, 1 additional protection node, x additional protection nodes, and 200 domain names.

    Scenario 3

      • Before migration: Your WAF 2.0 instance runs Enterprise Edition and you purchased an additional quota of x protection nodes.

      • After migration: The new WAF 3.0 instance runs Ultimate Edition and provides a quota of 1 default protection node, x additional protection nodes, and 200 domain names.

    Scenario 4

      • Before migration: Your WAF 2.0 instance runs Business Edition and you purchased an additional quota of x protection nodes.

      • After migration: The new WAF 3.0 instance runs Enterprise Edition and provides a quota of 1 default protection node, x additional protection nodes, and 200 domain names.

Fees

Note

You are not charged for the migration operations.

The total fees for your instance may change due to the differences between the editions and the supported features of WAF 2.0 and WAF 3.0. The fees change when you renew your instance after the migration is complete. For information about WAF 3.0 pricing, visit the WAF 3.0 buy page.

Important
  • After your WAF 2.0 instance is migrated to WAF 3.0, fees cannot be refunded if you unsubscribe from or downgrade your WAF instance before you renew the instance.

  • If you downgrade your WAF instance, you are charged for the downgrade based on the specifications of your WAF instance.

The sandbox, burstable QPS (pay-as-you-go), and traffic billing protection features

The sandbox feature is a special mechanism of WAF 3.0. If the peak queries per second (QPS) of a subscription WAF 3.0 instance exceeds the QPS quota, the WAF instance may be added to a sandbox. After a WAF instance is added to a sandbox, the service-level agreement (SLA) is no longer guaranteed and service access exceptions may occur, such as packet loss, rate limiting, limited connections, failed protection, log data exceptions, report data exceptions, access timeout, traffic scrubbing that is triggered due to DDoS attacks, and blackhole filtering. For more information, see The sandbox feature.

Note

The system does not add the instance to a sandbox within the migration window period.

  • Subscription instances

    After the migration is complete, the QPS of the WAF instance may exceed the sum of the default QPS quota of the current edition and the additional QPS quota that you purchase. If the QPS exceeds the sum, the instance may be added to a sandbox. For more information, see Burstable QPS (pay-as-you-go).

    After the migration is complete, the QPS of the WAF instance may exceed the QPS quota that is supported by the current edition. If the quota is exceeded, the instance may be added to a sandbox.

    To prevent the WAF instance from being added to a sandbox, you can upgrade the edition, purchase extended QPS, or enable the burstable QPS (pay-as-you-go) feature.

  • Pay-as-you-go instances

    If the peak QPS of a pay-as-you-go WAF instance exceeds the specified threshold for traffic billing protection, the WAF instance is added to a sandbox to prevent high costs. Bills are not generated for the hour when the WAF instance is added to a sandbox. For more information, see Traffic billing protection.

    The following section describes the maximum thresholds for traffic billing protection that are supported by a pay-as-you-go WAF instance. By default, the threshold for traffic billing protection of a pay-as-you-go WAF instance is set to the maximum value.

    • Chinese mainland: 100,000 QPS.

    • Outside the Chinese mainland: 10,000 QPS.

    • If the maximum quota cannot meet your business requirements, contact your account manager or solution architect.

    If the peak QPS of the WAF instance is less than the specified threshold for traffic billing protection, the WAF instance is removed from the sandbox. You can change the threshold for traffic billing protection based on your business requirements.

Simple Log Service

  • After the migration starts, the system creates a Logstore for the new WAF 3.0 instance. The Logstore of the WAF 2.0 instance is retained.

    Important
    • If you use the manual batch migration or rule migration method, no Logstores are automatically created for the new WAF 3.0 instance. To use Simple Log Service, you must manually enable Simple Log Service for WAF after domain names are migrated from WAF 2.0 to WAF 3.0.

    • Within the migration window, you can view the Logstore of your WAF 2.0 instance in the WAF 2.0 console. After the migration is complete, you can view the Logstore of your WAF 2.0 instance only in the Simple Log Service console. For more information, see Query and analyze logs.

  • When the retention period elapses, the logs that are stored in the Logstore of the WAF 2.0 instance are deleted. The logs that have the earliest expiration date are deleted first. If you want to retain WAF 2.0 logs, back up the logs at the earliest opportunity. For more information, see Download logs.

  • By default, WAF 3.0 logs are stored for 180 days. You can change the storage period in the Simple Log Service console.

Required reconfiguration operations

After the migration is complete, reconfigure API operations, Terraform, resource groups, monitoring and alerting, and the Simple Log Service for WAF feature. You must also grant Resource Access Management (RAM) users permissions on API operations, renew your WAF instance at the earliest opportunity, and troubleshoot issues caused by the product code change. For more information, see What to do next.

Migration process

  • After you migrate a domain name that is added to WAF 2.0 in transparent proxy mode to WAF 3.0, the domain name becomes a custom protected object of WAF 3.0 that is added to WAF 3.0 in cloud native mode.

  • After you migrate a WAF 2.0 Hybrid Cloud Exclusive instance to WAF 3.0, a protected object is automatically created for traffic that is protected by the WAF 2.0 instance and the protected object is added to WAF 3.0 in hybrid cloud reverse proxy mode.

Procedure

Important
  • Before you migrate a WAF 2.0 instance to WAF 3.0, disable auto-renewal for the WAF 2.0 instance to prevent repeated auto-renewals.

  • If your WAF 2.0 instance expires in the next 15 days, we recommend that you manually renew your instance for a one-month period to prevent instance expiration within the migration window period.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the lower part of the left-side navigation pane, click WAF 3.0 Migration Portal.

    • If your WAF 2.0 instance meets the requirements that are described in the "Limits" section of this topic, the Migration Instructions panel appears. In the Migration Instructions panel, read the instructions and click I understand the migration instructions and agree to proceed with the migration.

    • If your instance does not meet the requirements that are described in the "Limits" section of this topic, the Error message appears. You can troubleshoot the error based on the error message. If you have questions, join the DingTalk group (group ID: 34657699) for technical support.

  3. If a domain name is added to WAF 2.0 in transparent proxy mode, bind the domain name to the corresponding cloud service.


  4. On the Migration Tool page, select a migration method. You can select One-click Full Migration, Rule Migration, or Manual Batch Migration. Then, click Start Migration.

    Important

    If you select Rule Migration, you must select one or more protection rule modules that you want to migrate. You can select multiple protection rule modules.

    After you click Start Migration, you cannot modify the protection rule modules that you want to migrate. Make sure that you select the protection rule modules based on your business requirements on the Migration Tools page.


  5. In the Note message that appears after you click Start Migration, click OK.

    Important

    After you click OK, the migration window period starts. The system performs a precheck for the migration. The migration requires approximately 15 minutes to complete. Do not close or refresh the current page.

  6. In the "The WAF 3.0 instance is created." message, click OK.

    • Switch to the WAF 3.0 console and check whether the configuration items are automatically migrated. For information about the automatically migrated configuration items, see Migration process.

    • Switch to the WAF 2.0 console. On the Migration Tools page, check the migration status of domain names.

      One-click full migration

      If the migration status of all domain names is Migrated, all configurations of the domain names are automatically migrated to WAF 3.0.

      Note

      If the migration fails, the WAF instance is rolled back to WAF 2.0. In the Rollback Completed dialog box, you can view the cause of the migration failure.

      Rule migration and manual batch migration

      If the migration status of a domain name is Not Migrated, specific configurations of the domain name are not automatically migrated to WAF 3.0 and you must manually migrate the configurations.

  7. Manually migrate forwarding configurations. This operation is required only if you select the rule migration or manual batch migration method.

    Rule migration

    • Migrate the forwarding configurations of domain names

      • To migrate the forwarding configurations of a domain name, find the domain name and click Migrate to WAF 3.0 in the Actions column.

      • To migrate the forwarding configurations of multiple domain names at the same time, select the domain names and click Batch Migrate to WAF 3.0 below the domain name list.

        If the migration is successful, the migration status of the domain names is changed to Migrated.

    • Associate protection templates with protected objects

      1. In the left-side navigation pane, click Switch to WAF 3.0.

      2. In the WAF 3.0 console, associate the migrated protection templates with protected objects.

        In the left-side navigation pane, choose Protection Configuration > Protection Rules. Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

        Note

        If you want to associate a bot management rule with protected objects, choose Protection Configuration > Scenario-specific Protection > Bot Management in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

    Manual batch migration

    • Migrate the forwarding configurations of domain names

      • To migrate the forwarding configurations of a domain name, find the domain name and click Migrate to WAF 3.0 in the Actions column.

      • To migrate the forwarding configurations of multiple domain names at the same time, select the domain names and click Batch Migrate to WAF 3.0 below the domain name list.

        If the migration is successful, the migration status of the domain names is changed to Migrated.

    • Create protection templates and protection rules

      Switch to the WAF 3.0 console and create protection templates and protection rules. For more information, see Protection configuration.

    • Associate protection templates with protected objects

      1. In the left-side navigation pane, click Switch to WAF 3.0.

      2. In the WAF 3.0 console, associate the migrated protection templates with protected objects.

        In the left-side navigation pane, choose Protection Configuration > Protection Rules. Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

        Note

        If you want to associate a bot management rule with protected objects, choose Protection Configuration > Scenario-specific Protection > Bot Management in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.

  8. Switch to the WAF 3.0 console and check whether the migrated configurations take effect and whether your business runs as expected.

    If the migrated configurations and web services do not run as expected, find the domain name that is migrated and click Roll Back to WAF 2.0 in the Actions column to roll back the domain name and the corresponding configurations. You can also select multiple domain names and click Batch Roll Back to WAF 2.0 to roll back multiple domain names and configurations to WAF 2.0.

    Note

    After the configurations of the domain names that are migrated by using the one-click full migration method are rolled back to WAF 2.0, you can click Migrate to WAF 3.0 in the Actions column on the Migration Tools page to remigrate the configurations to WAF 3.0. Only the forwarding configurations of the domain names are migrated to WAF 3.0. After the migration is complete, configure protection rules for the domain names.

  9. Click Confirm Migration Completion.

    After the migration is complete, your WAF 2.0 instance is released and you can use the new WAF 3.0 instance in the WAF 3.0 console.

    Important

    Click Confirm Migration Completion within 15 days after the migration is complete. If you do not click Confirm Migration Completion within 15 days after the migration, the migrated domain names and configurations are rolled back to WAF 2.0. If you remigrate your WAF 2.0 instance to WAF 3.0, the migration process is restarted.
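
The Note under "Impacts on business" states that the CNAME and back-to-origin addresses remain unchanged, and step 8 asks you to check the migrated configurations before you click Confirm Migration Completion. One way to script that check is shown below as an added example (not Alibaba Cloud code). The inventory layout (the cname, origins, status, and templates keys), the domain names, and all CNAME and address values are constructed assumptions; fill them in from what the WAF 2.0 and WAF 3.0 consoles show.

```python
import subprocess


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower() if name else None


def dig_cname(domain):
    """Live lookup (assumes dig is installed); returns the CNAME target or None."""
    proc = subprocess.run(["dig", "+short", "CNAME", domain],
                          capture_output=True, text=True, timeout=10)
    answers = [line for line in proc.stdout.splitlines() if line.strip()]
    return normalize(answers[0]) if answers else None


def check_migration(before, after, resolve=dig_cname):
    """Compare a pre-migration snapshot with the WAF 3.0 inventory and live DNS.

    before: {domain: {"cname": str, "origins": [str]}} recorded in WAF 2.0
    after:  {domain: {"status", "cname", "origins", "templates"}} from WAF 3.0
    Returns {domain: [issue, ...]} for every domain that needs attention.
    """
    findings = {}
    for domain, old in before.items():
        issues = []
        new = after.get(domain)
        if new is None:
            issues.append("missing from WAF 3.0 inventory")
        else:
            status = new.get("status")
            if status != "Migrated":
                issues.append("status is %s" % status)
            if normalize(new.get("cname")) != normalize(old["cname"]):
                issues.append("WAF CNAME changed")
            if set(new.get("origins", [])) != set(old["origins"]):
                issues.append("origin addresses changed")
            # Rule Migration and Manual Batch Migration leave the template
            # association to you; a migrated domain without one has no
            # template-based rules applied yet.
            if status == "Migrated" and not new.get("templates"):
                issues.append("no protection template associated")
        # If public DNS no longer points at the WAF CNAME, traffic is not
        # passing through WAF at all, whatever the console shows.
        if resolve(domain) != normalize(old["cname"]):
            issues.append("public DNS does not point at the WAF CNAME")
        if issues:
            findings[domain] = issues
    return findings


# Constructed sample data (documentation-only names and addresses).
BEFORE = {
    "www.example.com": {"cname": "aaaa1111.waf.example.net",
                        "origins": ["203.0.113.10"]},
    "api.example.com": {"cname": "bbbb2222.waf.example.net",
                        "origins": ["203.0.113.20", "203.0.113.21"]},
    "shop.example.com": {"cname": "cccc3333.waf.example.net",
                         "origins": ["203.0.113.30"]},
}
AFTER = {
    "www.example.com": {"status": "Migrated", "templates": ["default-web"],
                        "cname": "AAAA1111.waf.example.net.",
                        "origins": ["203.0.113.10"]},
    "api.example.com": {"status": "Migrated", "templates": [],
                        "cname": "bbbb2222.waf.example.net",
                        "origins": ["203.0.113.21", "203.0.113.20"]},
    "shop.example.com": {"status": "Not Migrated", "templates": [],
                         "cname": "cccc3333.waf.example.net",
                         "origins": ["203.0.113.30"]},
}
# Constructed resolver answers standing in for live DNS; None means no CNAME.
SAMPLE_DNS = {"www.example.com": "aaaa1111.waf.example.net",
              "api.example.com": "bbbb2222.waf.example.net",
              "shop.example.com": None}


def demo():
    """Run the check offline against the constructed sample data."""
    return check_migration(BEFORE, AFTER, resolve=SAMPLE_DNS.get)


if __name__ == "__main__":
    for domain, issues in sorted(demo().items()):
        print(domain, "->", "; ".join(issues))
```

Omit the `resolve` argument to query live DNS with dig instead of the sample answers.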

What to do next

After the migration is complete, you must perform the following operations before you can use WAF 3.0:

  • Configure API operations

    WAF 3.0 provides new API operations. You must configure the API operations. For more information, see List of operations by function.

  • Grant permissions to RAM users

    You must grant RAM users permissions on different API operations. For more information, see RAM authorization.

  • Reconfigure Terraform

    You must reconfigure Terraform. For more information, see Terraform Registry (domain) and Terraform Registry (instance).

  • Configure resource groups

    Resource groups cannot be migrated and you must reconfigure resource groups. For more information, see Add a domain name to WAF.

  • Use CloudMonitor to configure monitoring and alerting

    You must reconfigure monitoring and alerting for security events and service metrics. For more information, see Configure CloudMonitor notifications.

  • Configure log settings

    To reconfigure log settings, perform the following operations:

  • Enable auto-renewal for the new WAF 3.0 instance

    If auto-renewal is enabled for the WAF 2.0 instance, you must enable auto-renewal for the new WAF 3.0 instance after migration. If you do not enable auto-renewal for the WAF 3.0 instance, the instance is released 15 days after the instance expires. For more information, see Renewal policy.

  • Operations triggered by the product code change

    After the migration is complete, the product code of WAF is changed. If you have questions that are related to the preceding change, contact your account manager.

FAQ

Can I migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode?

Yes, you can migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode. If your origin server is deployed on a Layer 7 CLB, Layer 4 CLB, or ECS instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service migration tool to migrate the WAF 2.0 instance to WAF 3.0. If your origin server is deployed on an ALB instance and the instance is added to WAF 2.0 in transparent proxy mode, you cannot migrate your WAF 2.0 instance to WAF 3.0 by using the self-service migration tool. You can migrate the WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations. To disable traffic redirection and delete the access configurations, perform the following steps:

  1. On the Servers tab of the Website Access page, find the port that is added to WAF 2.0 in transparent proxy mode and click Disable Traffic Redirection in the Actions column.

  2. On the Domain Names tab, find the domain name that is added to WAF 2.0 in transparent proxy mode and click Delete in the Actions column.

  3. Migrate the WAF 2.0 instance. For more information, see the "Procedure" section in this topic.

  4. Add the migrated instance to WAF 3.0. For more information, see Cloud native mode.

Can I migrate a WAF 2.0 Exclusive Edition instance?

No, you cannot migrate a WAF 2.0 Exclusive Edition instance. WAF 3.0 does not support Exclusive Edition.

Am I charged for migration operations?

No, you are not charged for migration operations. You are charged when you renew your subscription WAF instance.

Can I migrate a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance?

No, you cannot migrate a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance.

Can I migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance?

No, you cannot migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance. You can migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Pro Edition instance. If you want to use a WAF 3.0 Enterprise Edition instance, you can upgrade the edition of the new WAF 3.0 instance after migration. For more information, see Upgrade or downgrade a WAF instance.

Can I add a domain name to my WAF 2.0 instance within the migration window period and then resume the migration task?

No, you cannot add a domain name to your WAF 2.0 instance within the migration window period and then resume the migration task. You cannot add, remove, or modify domain names on the Website Access page within the migration window period. If you want to add a domain name to the WAF 2.0 instance that is being migrated, you must cancel the migration task before you add the domain name to WAF 2.0. Then, remigrate your WAF 2.0 instance.

Note

After you cancel the migration task, the system deletes the new WAF 3.0 instance and the corresponding configurations and terminates the migration process.
