Updated on 2025-10-20 GMT+08:00

Website Connection Overview

To use Web Application Firewall (WAF) to protect your web services, connect the web services to WAF first. WAF provides cloud CNAME and dedicated access modes for you. You can select an appropriate access method based on how your web services are deployed.

Access Description

You can use the following access methods: cloud mode - CNAME access and dedicated mode access.

Cloud Mode

  • How it works

    In cloud mode, DNS routes the protected domain name to the CNAME record of WAF. The web services for the domain name are routed to WAF. WAF checks received traffic, filters malicious attack traffic, and returns normal traffic to the origin server over back-to-source IP addresses.

    During this process, WAF works as a reverse proxy cluster. It checks and forwards traffic of the protected website.

  • Applicable scenarios

    Service servers are deployed on any cloud or in on-premises data centers.

  • Protected objects

    Domain names

Dedicated Mode

  • How it works

    In dedicated mode, DNS routes the protected domain name to the EIP bound to the load balancer configured for the dedicated engine. In this way, the web service traffic for the domain name is routed to WAF. WAF detects and filters out malicious attack traffic and returns normal traffic to the origin server through back-to-source IP addresses or IP address ranges of the dedicated engine.

    During this process, WAF works as a reverse proxy cluster. It forwards and checks traffic of the protected website.

  • Applicable scenarios

    Large enterprise websites with service servers deployed on Huawei Cloud and requiring custom protection rules.

  • Protected objects

    Domain names, public IP addresses, and private IP addresses
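
In both modes WAF forwards traffic to the origin server from its back-to-source IP addresses, so the origin's access log should show only those addresses as peers. The following check is an added example, not part of the original page or of Huawei Cloud tooling; the CIDR ranges and log lines are constructed placeholders, and the log layout is an assumption. Replace the ranges with the back-to-source addresses listed for your own WAF instance.

```python
import ipaddress

# Assumption: placeholder back-to-source ranges (RFC 5737 documentation space).
WAF_BACK_TO_SOURCE = ["198.51.100.0/24", "203.0.113.16/28"]

# Constructed origin access-log lines: "<peer_ip> <host> <method> <path> <status>"
SAMPLE_LOG = """\
198.51.100.7 www.example.com GET /index.html 200
203.0.113.20 www.example.com POST /login 302
192.0.2.45 www.example.com GET /admin 200
203.0.113.40 www.example.com GET / 200
not-an-ip www.example.com GET / 400
"""


def find_direct_hits(log_text, cidrs):
    """Return (line_no, peer, reason) for requests that WAF did not deliver."""
    # strict=True rejects ranges with host bits set, which usually means a typo.
    networks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        peer = fields[0]
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            findings.append((line_no, peer, "unparseable peer address"))
            continue
        # Compare IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as plain IPv4.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not any(addr in net for net in networks):
            findings.append(
                (line_no, peer, "peer outside WAF back-to-source ranges"))
    return findings


if __name__ == "__main__":
    for line_no, peer, reason in find_direct_hits(SAMPLE_LOG, WAF_BACK_TO_SOURCE):
        print(f"line {line_no}: {peer}: {reason}")
```

Any finding means a request reached the origin server without passing through WAF inspection, or the range list is out of date.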

Constraints

There are some restrictions on using different access modes.

Table 1 Restrictions on different access methods

Item

Cloud Mode - CNAME Access

Dedicated Mode

Domain name restrictions

  • A domain name can only be added to WAF once in cloud mode.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

  • Only the domain names that have been registered with Internet Content Provider (ICP) licenses can be added to WAF.
  • The wildcard domain name * can be added to WAF. When the domain name is set to *, only non-standard ports except 80 and 443 can be protected.
  • A protected object can only be added to WAF once.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

ELB load balancer restrictions

  • Cloud Mode - CNAME Access

    --

  • Dedicated Mode

    Only dedicated ELB load balancers can be used for dedicated WAF instances. For details, see Load Balancer Types.

Service edition restrictions

  • Cloud Mode - CNAME Access

    • Only the professional and enterprise editions support IPv6 protection, HTTP2, and load balancing algorithms.
    • If you are using WAF standard edition, only System-generated policy can be selected for Policy.
    • Only the professional and enterprise editions allow you to specify a custom policy for Policy.

  • Dedicated Mode

    --

Certificate restrictions

  • Cloud Mode - CNAME Access

    • Only .pem certificates can be used in WAF.
    • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
    • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

  • Dedicated Mode

    • Only .pem certificates can be used in WAF.
    • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
    • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

Protocol restrictions

  • Cloud Mode - CNAME Access

    • WAF supports the WebSocket protocol, which is enabled by default.

      WAF only forwards WebSocket requests; it does not inspect them during traffic detection.

    • HTTP/2 can be used only between the client and WAF, and only if at least one origin server has Client Protocol set to HTTPS.
      • For Server Configuration to take effect, there must be at least one server configuration record with Client Protocol set to HTTPS.
      • HTTP/2 can work only when the client supports TLS 1.2 or earlier versions.

  • Dedicated Mode

    WAF supports the WebSocket protocol, which is enabled by default.

    WAF only forwards WebSocket requests; it does not inspect them during traffic detection.

Protection policy restrictions

  • Cloud Mode - CNAME Access

    A protected website domain name can use only one policy.

  • Dedicated Mode

    A protected website domain name can use only one policy.

Specification restrictions

  • Cloud Mode - CNAME Access

    After your website is connected to WAF, you can upload a file no larger than 1 GB each time.

  • Dedicated Mode

    After your website is connected to WAF, you can upload a file no larger than 1 GB each time.