If you use a Web Application Firewall (WAF) 2.0 instance, you can use the self-service migration tool that is provided by Alibaba Cloud to migrate the WAF 2.0 instance to WAF 3.0 in the WAF 2.0 console. This topic describes the limits, instructions, and procedure for instance migration.
The self-service migration tool is in canary release.
If WAF 3.0 Migration Portal is displayed in the left-side navigation pane of the WAF 2.0 console, you can use the self-service migration tool to migrate your WAF 2.0 instance to WAF 3.0.
If WAF 3.0 Migration Portal is not displayed in the left-side navigation pane of the WAF 2.0 console and you want to immediately migrate your WAF 2.0 instance to WAF 3.0, submit a migration application to your account manager.
Limits
The WAF 2.0 instance that you want to migrate to WAF 3.0 must meet the following requirements:
The WAF 2.0 instance is a Hybrid Cloud Exclusive Edition instance or your web services are added to the WAF 2.0 instance in CNAME record mode or transparent proxy mode. If your web services are added to the WAF 2.0 instance in transparent proxy mode, your origin server must be deployed on a Layer 7 Classic Load Balancer (CLB), Layer 4 CLB, or Elastic Compute Service (ECS) instance.
Note: If your origin server is deployed on an Application Load Balancer (ALB) instance and the instance is added to WAF in transparent proxy mode, you cannot use the self-service migration tool to migrate your WAF 2.0 instance to WAF 3.0. You can migrate the WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations. For more information, see Can I migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode?
Alibaba Cloud performs operations such as asset synchronization from 00:00 to 03:00 every day. We recommend that you do not migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode during this period of time.
The edition of the WAF 2.0 instance is Subscription Pro, Subscription Business, Subscription Enterprise, or Hybrid Cloud Exclusive.
The data visualization feature is disabled for the WAF 2.0 instance and no customized features are enabled for the WAF 2.0 instance.
The WAF 2.0 instance does not expire in the next 15 days.
The WAF 2.0 instance belongs to an Alibaba Cloud account and the account does not have overdue payments.
To view the details of the account, move the pointer over the profile picture in the upper-right corner of the WAF 2.0 console.
Instructions
Migration process
After you migrate a domain name that is added to WAF 2.0 in transparent proxy mode to WAF 3.0, the domain name becomes a custom protected object of WAF 3.0 that is added to WAF 3.0 in cloud native mode.
After you migrate a WAF 2.0 Hybrid Cloud Exclusive instance to WAF 3.0, a protected object is automatically created for traffic that is protected by the WAF 2.0 instance and the protected object is added to WAF 3.0 in hybrid cloud reverse proxy mode.
Procedure
Before you migrate a WAF 2.0 instance to WAF 3.0, disable auto-renewal for the WAF 2.0 instance to prevent repeated auto-renewals.
If your WAF 2.0 instance expires in the next 15 days, we recommend that you manually renew your instance for a one-month period to prevent instance expiration within the migration window period.
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the lower part of the left-side navigation pane, click WAF 3.0 Migration Portal.
If your WAF 2.0 instance meets the requirements that are described in the "Limits" section of this topic, the Migration Instructions panel appears. In the Migration Instructions panel, read the instructions and click I understand the migration instructions and agree to proceed with the migration..
If your instance does not meet the requirements that are described in the "Limits" section of this topic, the Error message appears. You can troubleshoot the error based on the error message. If you have questions, join the DingTalk group (group ID: 34657699) for technical support.
If a domain name is added to WAF 2.0 in transparent proxy mode, bind the domain name to the corresponding cloud service.
On the Migration Tool page, select a migration method. You can select One-click Full Migration, Rule Migration, or Manual Batch Migration. Then, click Start Migration.
Important: If you select Rule Migration, you must select one or more protection rule modules that you want to migrate. You can select multiple protection rule modules.
After you click Start Migration, you cannot modify the protection rule modules to be migrated. Be sure to select the correct protection rule modules to migrate on the Migration Tools page.
In the Note message that appears after you click Start Migration, click OK.
Important: After you click OK, the migration window period starts. The system performs a precheck for the migration. The migration requires approximately 15 minutes to complete. Do not close or refresh the current page during this period.
In the "The WAF 3.0 instance is created." message, click OK.
Switch to the WAF 3.0 console and check whether the automatic migration of configuration items is complete. For information about the automatically migrated configuration items, see Migration process.
Switch to the WAF 2.0 console. On the Migration Tools page, check the migration status of domain names.
One-click full migration
If the migration status of all domain names is Migrated, all configurations of the domain names are automatically migrated to WAF 3.0.
Note: If the migration fails, the WAF instance is rolled back to WAF 2.0. In the Rollback Completed dialog box, you can view the cause of the migration failure.
Rule migration and manual batch migration
If the migration status of a domain name is Not Migrated, specific configurations of the domain name were not automatically migrated to WAF 3.0 and you must manually migrate the configurations.
Manually migrate forwarding configurations. This operation is required only if you select the Rule Migration or Manual Batch Migration method.
Rule migration
Migrate the forwarding configurations of domain names
To migrate the forwarding configurations of a domain name, find the domain name and click Migrate to WAF 3.0 in the Actions column.
To migrate the forwarding configurations of multiple domain names at the same time, select the domain names and click Batch Migrate to WAF 3.0 below the domain name list.
If the migration is successful, the migration status of the domain names is changed to Migrated.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the migrated protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Note: If you want to associate a bot management rule with protected objects, choose in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Manual batch migration
Migrate the forwarding configurations of domain names
To migrate the forwarding configurations of a domain name, find the domain name and click Migrate to WAF 3.0 in the Actions column.
To migrate the forwarding configurations of multiple domain names at the same time, select the domain names and click Batch Migrate to WAF 3.0 below the domain name list.
If the migration is successful, the migration status of the domain names is changed to Migrated.
Create protection templates and protection rules
Switch to the WAF 3.0 console and create protection templates and protection rules. For more information, see Protection configuration.
Associate protection templates with protected objects
In the left-side navigation pane, click Switch to WAF 3.0.
In the WAF 3.0 console, associate the migrated protection templates with protected objects.
In the left-side navigation pane, choose . Find the protection rule that you want to associate with specific protected objects and click Edit in the Actions column. In the Apply To section, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Note: If you want to associate a bot management rule with protected objects, choose in the left-side navigation pane. Find the bot management rule that you want to associate with specific protected objects and click the icon. In the Configure Effective Scope step, move the protected objects with which you want to associate the protection rule from the Objects to Select section to the Selected Objects section.
Switch to the WAF 3.0 console and check whether the migrated configurations are effective and whether your business runs as expected.
If the migrated configurations and web services do not run as expected, find the domain name that was migrated and click Roll Back to WAF 2.0 in the Actions column to roll back the domain name and the corresponding configurations. You can also select multiple domain names and click Batch Roll Back to WAF 2.0 to roll back multiple domain names and configurations to WAF 2.0.
Note: After the configurations of the domain names that were migrated by using the one-click full migration method are rolled back to WAF 2.0, you can click Migrate to WAF 3.0 in the Actions column on the Migration Tools page to remigrate the configurations to WAF 3.0. Only the forwarding configurations of the domain names are migrated to WAF 3.0. After the migration is complete, configure protection rules for the domain names.
Click Confirm Migration Completion.
After the migration is complete, your WAF 2.0 instance is released and you can use the new WAF 3.0 instance in the WAF 3.0 console.
Important: Click Confirm Migration Completion within 15 days after the migration is complete. If you do not click Confirm Migration Completion within 15 days after the migration, the migrated domain names and configurations are rolled back to WAF 2.0. If you remigrate your WAF 2.0 instance to WAF 3.0, the migration process is restarted.
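The following added example (not Alibaba Cloud code) cross-checks a hand-built inventory before you click Confirm Migration Completion: it flags domain names whose forwarding configuration was not migrated, migrated domain names that still have no protection template associated after rule migration, manual batch migration, or a remigration, and reports the days left in the 15-day confirmation window. The inventory layout, the method labels, and the sample domain, protected object, and template names are assumptions made for this example.

```python
from datetime import date, timedelta

CONFIRM_WINDOW_DAYS = 15  # page: unconfirmed migrations roll back after 15 days

def audit_migration(domains, associations, method, migrated_on, today):
    """List gaps to close before clicking Confirm Migration Completion.

    domains:      dicts with 'domain', 'status', 'object' (WAF 3.0 protected
                  object name) and optional 'remigrated' (rolled back, then
                  migrated again) -- a hypothetical hand-built inventory.
    associations: {template name: [protected object names]} copied from the
                  Apply To section of each template in the WAF 3.0 console.
    method:       'full', 'rule' or 'manual' (labels chosen for this example).
    """
    covered = {obj for objs in associations.values() for obj in objs}
    findings = []
    for d in domains:
        if d["status"] != "Migrated":
            findings.append((d["domain"], "forwarding configuration not migrated"))
            continue
        # Rule and manual batch migration, and any remigration after a
        # rollback, leave template association to the operator.
        manual = method in ("rule", "manual") or d.get("remigrated", False)
        if manual and d["object"] not in covered:
            findings.append((d["domain"], "no protection template associated"))
    for name, objs in sorted(associations.items()):
        if not objs:
            findings.append((name, "template applies to no protected object"))
    days_left = (migrated_on + timedelta(days=CONFIRM_WINDOW_DAYS) - today).days
    return findings, days_left

# Constructed sample data (not taken from any real instance).
SAMPLE_DOMAINS = [
    {"domain": "shop.example.com", "status": "Migrated", "object": "shop.example.com-waf"},
    {"domain": "api.example.com", "status": "Migrated", "object": "api.example.com-waf"},
    {"domain": "old.example.com", "status": "Not Migrated", "object": None},
]
SAMPLE_ASSOCIATIONS = {"core-rules": ["shop.example.com-waf"], "bot-rules": []}

def sample_report():
    return audit_migration(SAMPLE_DOMAINS, SAMPLE_ASSOCIATIONS, "rule",
                           migrated_on=date(2024, 5, 1), today=date(2024, 5, 12))

if __name__ == "__main__":
    findings, days_left = sample_report()
    for target, issue in findings:
        print(f"{target}: {issue}")
    print(f"{days_left} day(s) left to confirm")
```

A negative days-left value means the confirmation window has already elapsed.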
What to do next
After the migration is complete, you must perform the following operations before you can use WAF 3.0:
Configure API operations
WAF 3.0 provides new API operations. You must configure the API operations. For more information, see List of operations by function.
Grant permissions to RAM users
You must grant RAM users permissions on different API operations. For more information, see RAM authorization.
Reconfigure Terraform
You must reconfigure Terraform. For more information, see Terraform Registry (domain) and Terraform Registry (instance).
Configure resource groups
Resource groups cannot be migrated, so you must reconfigure them. For more information, see Add a domain name to WAF.
Use CloudMonitor to configure monitoring and alerting
You must reconfigure monitoring and alerting for security events and service metrics. For more information, see Configure CloudMonitor notifications.
Configure log settings
To reconfigure log settings, perform the following operations:
Configure log fields, the storage type, the log collection status, the log storage period, and the log storage capacity. For more information, see Configure log settings and manage log storage capacity.
Enable or disable the Simple Log Service for WAF feature. For more information, see Enable or disable the Log Service for WAF feature.
Enable auto-renewal for the new WAF 3.0 instance
If auto-renewal is enabled for the WAF 2.0 instance, you must enable auto-renewal for the new WAF 3.0 instance after migration. If you do not enable auto-renewal for the WAF 3.0 instance, the instance is released 15 days after the instance expires. For more information, see Renewal policy.
Operations triggered by the product code change
After the migration is complete, the product code of the WAF instance is changed. If you have questions that are related to the preceding change, contact your account manager.
FAQ
Can I migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode?
Yes, you can migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode. If your origin server is deployed on a Layer 7 CLB, Layer 4 CLB, or ECS instance and the instance is added to WAF 2.0 in transparent proxy mode, you can use the self-service migration tool to migrate the WAF 2.0 instance to WAF 3.0. If your origin server is deployed on an ALB instance and the instance is added to WAF 2.0 in transparent proxy mode, you cannot use the self-service migration tool to migrate your WAF 2.0 instance to WAF 3.0. You can migrate the WAF 2.0 instance to WAF 3.0 only after you disable traffic redirection and delete the access configurations. To disable traffic redirection and delete the access configurations, perform the following steps:
On the Servers tab of the Website Access page, find the port that is added to WAF 2.0 in transparent proxy mode and click Disable Traffic Redirection in the Actions column.
On the Domain Names tab, find the domain name that is added to WAF 2.0 in transparent proxy mode and click Delete in the Actions column.
Migrate the WAF 2.0 instance. For more information, see the "Procedure" section in this topic.
Add the migrated instance to WAF 3.0. For more information, see Cloud native mode.
Can I migrate a WAF 2.0 Exclusive Edition instance?
No, you cannot migrate a WAF 2.0 Exclusive Edition instance. WAF 3.0 does not support Exclusive Edition.
Am I charged for migration operations?
No, you are not charged for migration operations. You are charged when you renew your subscription WAF instance.
Can I migrate a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance?
No, you cannot migrate a WAF 2.0 Business Edition instance to a WAF 3.0 Pro Edition instance.
Can I migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance?
No, you cannot migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Enterprise Edition instance. You can migrate a WAF 2.0 Pro Edition instance to a WAF 3.0 Pro Edition instance. If you want to use a WAF 3.0 Enterprise Edition instance, you can upgrade the edition of the new WAF 3.0 instance after migration. For more information, see Upgrade or downgrade a WAF instance.
Can I add a domain name to my WAF 2.0 instance within the migration window period and then resume the migration task?
No, you cannot add a domain name to your WAF 2.0 instance within the migration window period and then resume the migration task. You cannot add, remove, or modify domain names on the Website Access page within the migration window period. If you want to add a domain name to the WAF 2.0 instance that is being migrated, you must cancel the migration task before you add the domain name to the WAF 2.0 instance. Then, remigrate your WAF 2.0 instance.
After you cancel the migration task, the system deletes the new WAF 3.0 instance and the corresponding configurations and terminates the migration process.