This topic describes the three WAF 3.0 connection methods: cloud native mode, CNAME connection, and Hybrid Cloud WAF connection. It covers the working principles and setup procedures for each method to help you choose the most suitable option for your web services.
Connection method comparison
Item | Cloud native mode | CNAME connection | Hybrid Cloud WAF connection (reverse proxy) | Hybrid Cloud WAF connection (SDK integration) |
Use cases | | Protects services identified by a domain name. This is a versatile method that supports cross-account and multicloud scenarios. | | |
Protected object | Alibaba Cloud product instance | Domain name | Domain name or IP address | Domain name or IP address |
Limitations | | | | |
The supported security features vary by connection method. For more information, see the following table.
Feature | Cloud native mode (NLB, CLB, and ECS) | Cloud native mode (ALB, MSE, FC or APIG) | CNAME connection | Hybrid Cloud WAF connection (reverse proxy) | Hybrid Cloud WAF connection (SDK integration) |
Only two cell notes from the feature rows of this table survive: "Supported only for ALB" and "Supported only for ALB and APIG".
How to connect
Cloud native mode:
CNAME connection:
For more information, see Add a domain name to WAF by using the CNAME connection method. After you add a domain name on the WAF console, you must add the WAF back-to-origin IP address ranges to your allowlist and modify the DNS settings for the domain name.
Hybrid Cloud WAF connection (reverse proxy or SDK integration):
For more information, see Add a service to Hybrid Cloud WAF.
How it works
Cloud native mode
When you use cloud native mode to connect instances of ALB, FC, MSE or APIG, WAF uses SDK integration. An SDK embedded in the cloud product extracts, inspects, and protects traffic. Because WAF does not participate in traffic forwarding, this method avoids compatibility and stability issues from an additional forwarding layer.
When you use cloud native mode to connect instances of ECS, CLB, or NLB, WAF uses a transparent proxy. After you configure a traffic redirection port, the cloud product's gateway automatically modifies the route to redirect web traffic to WAF. WAF blocks attack traffic and forwards legitimate requests to the origin server, participating in both traffic forwarding and protection.
CNAME connection
This method uses a reverse proxy. After adding a domain name, you point its DNS record to the WAF CNAME address, which redirects all its web traffic to WAF. WAF then inspects the traffic, blocks attacks, and forwards legitimate requests to the origin server.
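The two steps that make a CNAME connection work are that the domain's DNS record resolves through the WAF CNAME address and that the origin server's allowlist covers the WAF back-to-origin IP address ranges. The following script, added here as an example and not part of Alibaba Cloud's documentation or tooling, checks both conditions. The WAF CNAME suffix and the back-to-origin ranges are constructed placeholders (real values come from the WAF console), and DNS answers are served from an in-memory zone so the script runs offline; swap in a real resolver function for live checks.

```python
"""Sanity checks for a CNAME-connected domain (added example, not vendor code)."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed placeholder: the zone under which WAF assigns CNAME addresses.
# Replace with the WAF CNAME address shown for your domain in the console.
WAF_CNAME_SUFFIX = "waf-cname.example.invalid."

# Constructed placeholder ranges (RFC 5737 documentation space), standing in
# for the WAF back-to-origin IP address ranges published in the console.
WAF_BACK_TO_ORIGIN_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed DNS zone so the example runs offline: name -> (rtype, rdata).
FAKE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.": ("CNAME", "abc123.waf-cname.example.invalid."),
    "abc123.waf-cname.example.invalid.": ("A", "203.0.113.10"),
    "legacy.example.com.": ("A", "192.0.2.44"),  # still points at the origin
}


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Offline stand-in for a DNS query; returns (rtype, rdata) or None."""
    return FAKE_ZONE.get(name)


def cname_chain(domain: str, resolver: Callable = lookup, max_hops: int = 8) -> List[str]:
    """Follow CNAME records from domain and return the canonical names in order.

    Stops at the first non-CNAME answer, on a loop, or after max_hops.
    """
    chain: List[str] = []
    name = domain if domain.endswith(".") else domain + "."
    for _ in range(max_hops):
        rec = resolver(name)
        if rec is None or rec[0] != "CNAME":
            break
        target = rec[1]
        if target == name or target in chain:  # loop guard
            break
        chain.append(target)
        name = target
    return chain


def is_onboarded(domain: str, resolver: Callable = lookup, suffix: str = WAF_CNAME_SUFFIX) -> bool:
    """True when the domain's CNAME chain passes through the WAF CNAME address."""
    return any(cname.endswith(suffix) for cname in cname_chain(domain, resolver))


def check_allowlist(allowlist: List[str], waf_ranges: List[str] = WAF_BACK_TO_ORIGIN_RANGES) -> Dict[str, List[str]]:
    """Compare the origin's allowlist with the WAF back-to-origin ranges.

    'missing' lists WAF ranges no allowlist entry fully covers (WAF could not
    reach the origin); 'not_waf' lists allowlist entries outside every WAF
    range, so you can confirm each one is intentional.
    """
    allowed = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    waf = [ipaddress.ip_network(r, strict=False) for r in waf_ranges]

    def covered(net, by) -> bool:
        return any(net.version == o.version and net.subnet_of(o) for o in by)

    return {
        "missing": [str(w) for w in waf if not covered(w, allowed)],
        "not_waf": [str(a) for a in allowed if not covered(a, waf)],
    }


if __name__ == "__main__":
    for d in ("www.example.com", "legacy.example.com"):
        print(d, "via WAF" if is_onboarded(d) else "NOT via WAF", cname_chain(d))
    print(check_allowlist(["203.0.113.0/24", "10.0.0.5/32"]))
```

The allowlist check is deliberately two-sided: a missing WAF range breaks back-to-origin forwarding, while an entry outside the WAF ranges is worth a second look because it admits traffic that never passed inspection. The same `is_onboarded` test also gives the condition the FAQ below describes for switching a domain from CNAME connection to cloud native mode: delete the CNAME configuration only once the record no longer resolves through WAF.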
Hybrid Cloud WAF connection
The Hybrid Cloud WAF connection method offers two modes: reverse proxy and SDK integration.
Reverse proxy mode: You connect a website domain name or IP address to WAF and then point its DNS record to the WAF protection cluster. All traffic then passes through the cluster for security inspection.
SDK integration mode: A plugin deployed on your unified ingress gateway copies service traffic to the WAF protection cluster for inspection. WAF does not forward the traffic, thereby separating the inspection process from the traffic forwarding path.
FAQ
Does WAF support cross-cloud and cross-account connections?
Yes. If you own a domain name and can modify its DNS records, you can use the CNAME connection method. This method works regardless of your origin server's location.
Can I connect a service that has only a public IP address?
Yes. You can use the cloud native mode, which does not require a domain name.
Connecting IPv6 websites
IPv6 support depends on the connection method:
Cloud product connection (ECS, CLB, and NLB instances): IPv6 websites are not supported. To protect IPv6 workloads, you must use the CNAME connection method with a subscription Enterprise or Ultimate edition, or a pay-as-you-go edition, of WAF, and enable IPv6 protection under More Settings. For detailed steps, see Add a domain name to WAF by using the CNAME connection method.
Cloud product connection (instances other than ECS, CLB, and NLB): If the corresponding cloud product instance supports IPv6, WAF also supports IPv6.
WAF Outside Chinese Mainland: When using the CNAME connection method, IPv6 websites are not supported.
Can a domain name use both cloud native mode and CNAME connection?
No. A domain name can use only one connection method at a time. Using both simultaneously will cause forwarding conflicts and protection failures. To switch a domain from CNAME connection to cloud native mode, you must first point its DNS record back to the origin server. After the DNS change propagates, delete the CNAME connection configuration and then add the domain name again in cloud native mode.
Instance not found during configuration
Possible cause | Solution |
The CLB, NLB, or ECS instance does not meet the requirements. | Verify that the instance meets the connection requirements described in Limits for adding CLB instances, Limits for adding NLB instances, and Limits for adding ECS instances. |
The CLB instance that you want to add does not have a listener. | |
The CLB, NLB, or ECS instance is not yet synchronized with WAF. | Follow the instructions in Manually sync assets. |
Viewing and syncing asset status
Follow these steps to view the connection status of your assets.
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the left navigation pane, click Onboarding.
At the top of the page, you can view the number of connected domain name assets and cloud product assets. You can also view the total number of instances that you own for each cloud product. If you recently added or modified a cloud product instance, click Synchronize Assets in the upper-right corner to update WAF immediately.

Connecting a domain to multiple instances
Cloud native mode: Connect all relevant cloud product instances, such as the service ports of CLB instances, at the same time so that WAF can redirect traffic to all of them.
CNAME connection: Add the domain name by using the CNAME connection method and configure the origin server with the IP addresses or CNAMEs of all relevant cloud product instances.
Connecting multiple domains to one instance
Cloud native mode: After you add the cloud product instance, WAF protects all associated domain names with its default policy. If you want to configure different protection rules for specific domain names, you must manually add the domain names as protected objects. For more information, see Manually add a protected object.
CNAME connection: You must add each domain name one by one.
Can WAF be integrated with other products, and how does traffic flow?
Yes, WAF can be deployed together with other cloud products. The traffic flow depends on your chosen connection method (CNAME or cloud native mode), as illustrated in the following figures.