Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports

Application Scenarios

This topic walks you through how to combine dedicated WAF instances and layer-7 load balancers to protect your services over non-standard ports that cannot be protected with WAF alone. For ports supported by WAF, see Ports Supported by WAF.

Architecture

The following procedure describes how WAF and ELB together protect www.example.com:9876. Port 9876 is a non-standard port WAF alone cannot protect.

Click to enlarge

Advantages

This solution makes it possible for WAF to protect your services over any ports.

Resource and Cost Planning

**Table 1** Resources and costs
Resource	Description	Monthly Fee
Elastic Load Balance (ELB)	Billing mode: Yearly/Monthly Instance type: Dedicated Specifications: application type (HTTP/HTTPS); small II Billed By: Bandwidth Bandwidth: 10 Mbit/s	For details about billing rules, see Billing Description.
Web Application Firewall	Dedicated mode: Billing Mode: Select Pay-per-use. Number of domain names that can be protected: 2,000 Specifications: WI-500. Referenced performance: HTTP services: 5,000 QPS (recommended) HTTPS services: 4,000 QPS (recommended) WebSocket service - Maximum concurrent connections: 5,000 Maximum WAF-to-server persistent connections: 60,000 Specifications: WI-100. Referenced performance: HTTP services: 1,000 QPS (recommended) HTTPS services: 800 QPS (recommended) WebSocket service - Maximum concurrent connections: 1,000 Maximum WAF-to-server persistent connections: 60,000	-

Prerequisites

You have purchased a dedicated layer-7 load balancer. For details about load balancer types, see Differences Between Dedicated and Shared Load Balancers.

Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network (TCP/UDP) load balancer, make sure your dedicated WAF instance has been upgraded to the latest version (version later than 202304). You can check the version you are using in the Version column of the target dedicated WAF instance on the Dedicated Engine page.
You have purchased a dedicated WAF instance.
Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
You can configure your security group as follows:
- Inbound rules
  Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows TCP and port 80.
- Outbound rules
  Retain the default settings. All outgoing network traffic is allowed by default.

Procedure

Log in to the WAF console.
In the navigation pane on the left, click Website Settings.
Click Add Website.
Connect www.example.com to WAF by referring to Adding a Website to WAF (Dedicated Mode). Select any non-standard port as the protected port, for example, port 86, set Server Port to 9876, and set Proxy Your Website Uses to Layer-7 proxy.

After the preceding configurations are complete, you can view the domain name access information in the domain name list. At this time, Access Mode is Dedicated, and Access Status is Inaccessible.
Add listeners and backend server groups to the load balancer.
1. Click in the upper left corner of the page and choose Elastic Load Balance under Networking to go to the Load Balancers page.
2. Click the name of the load balancer in the Name column to go to the load balancer details page.
3. Click the Listeners tab and then click Add Listener. On the displayed page, configure the listener. In the Frontend Port text box, enter the port you want to protect. In this case, enter 9876.
  Figure 1 Configuring a listener
4. Click Next: Configure Request Routing Policy.
  - If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.
  - For details about ELB traffic distribution policies, see Load Balancing Algorithms.
  Figure 2 Configuring a backend server group
5. Click Next: Add Backend Server and click Next: Confirm. Confirm the listener, backend server group, and backend server information, and click Submit.
After the configuration is complete, you can view the added listener and backend server group on the Listeners tab.
Add the WAF instance to the load balancer.
1. Choose Security > Web Application Firewall to go to the Dashboard page.
2. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
  Figure 3 Dedicated engine list
3. Locate the row containing the WAF instance. In the Operation column, click More > Add to ELB.
4. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group based on Step 5.
  Figure 4 Add to ELB
5. Click . Then, configure service port for the WAF instance. In this example, configure Backend Port to 86, which is the one we configured in Step 4.
  Figure 5 Configuring Backend Port
6. Click .
Bind an EIP to a Load Balancer.
Whitelist IP addresses of your dedicated WAF instances.

Operation Result Verification

After the preceding configurations are complete, you can perform the following operations to check whether WAF forwarding and ELB traffic distribution are normal.
1. Testing a Dedicated WAF Instance
2. Testing the Dedicated WAF Instance and Dedicated ELB Load Balancer
You can enter the domain name in the address box of a browser to test whether the domain name can be accessed. You can also manually simulate simple web attack commands to check whether WAF protection takes effect.

Parent topic: Website Access Configuration

Previous topic: Combining CDN and WAF to Get Improved Protection and Load Speed

Next topic: Website Protection Configuration Suggestions