Interconnecting with WAF
To protect API Gateway and your backend servers from malicious attacks, deploy Web Application Firewall (WAF) between API Gateway and the external network.
(Recommended) Solution 1: Register API Group Debugging Domain Name on WAF and Use the Domain Name to Access the Backend Service
API groups provide services using domain names for high scalability.
- Create an API group in a gateway, record the domain name, and create an API in the group.
Figure 2 Creating an API group and recording the subdomain name
Figure 3 Creating an API
- Go to the WAF console, and add a domain name by configuring Server Address as the API group domain name and adding a certificate. For details, see section "Connection Process (Cloud Mode)" in the Web Application Firewall User Guide.
You can use a public network client to access WAF with its domain name. WAF then uses the same domain name to forward your requests to API Gateway. There is no limit on the number of requests that API Gateway can receive for the domain name.
- On the gateway details page, bind the domain name to the API group.
- Enable real_ip_from_xff and set the parameter value to 1.
When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.
Solution 2: Forward Requests Through the DEFAULT Group and Use Gateway Inbound Access Address to Access the Backend Service from WAF
- View the inbound access addresses of your gateway. There is no limit on the number of times the API gateway can be accessed using an IP address.
- VPC Ingress Address: VPC access address
- EIP: public network access address
- Create an API in the DEFAULT group.
- Go to the WAF console, add a domain name by configuring Server Address as an inbound access address of your API gateway and adding a certificate, and then copy the WAF back-to-source IP addresses. For details, see .
- If WAF and your gateway are in the same VPC, set Server Address to the VPC access address.
- If your gateway is bound with an EIP, set Server Address to the EIP.
- On the gateway details page, bind the domain name to the DEFAULT group.
- Enable real_ip_from_xff and set the parameter value to 1.
When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.
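The X-Forwarded-For handling described in both solutions is only reliable when the request actually arrived through WAF. The following is an added example, not API Gateway's implementation of real_ip_from_xff: it shows the general trusted-proxy rule, using the WAF back-to-source IP addresses copied in Solution 2 as the trust list. The function name, the constant and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample range standing in for the WAF back-to-source IP addresses.
WAF_BACK_TO_SOURCE = [ipaddress.ip_network("198.51.100.0/24")]


def _trusted(ip, nets):
    return any(ip in net for net in nets)


def resolve_client_ip(peer_ip, xff_header, trusted_nets=WAF_BACK_TO_SOURCE):
    """Return the address to use for access control and throttling.

    peer_ip: address of the TCP peer that connected to the gateway.
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A request that bypassed WAF carries a client-controlled header: ignore it.
    if not _trusted(peer, trusted_nets) or not xff_header:
        return str(peer)
    # Each proxy appends the address it saw, so walk from the right and take
    # the first entry that is not itself a trusted proxy. Entries further left
    # were supplied by the client and are never consulted.
    for raw in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not _trusted(ip, trusted_nets):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Request forwarded by WAF; the leftmost entry was sent by the client itself.
    print(resolve_client_ip("198.51.100.7", "10.0.0.1, 203.0.113.9"))
    # Request sent straight to the gateway EIP with a forged header.
    print(resolve_client_ip("203.0.113.50", "192.0.2.1"))
```

If the gateway EIP is reachable without passing through WAF, restricting inbound access to the WAF back-to-source addresses closes the path on which the header cannot be trusted.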