Buying a Dedicated WAF Instance
If your service servers are deployed on Huawei Cloud, you can purchase dedicated WAF instances to protect important domain names or web services that have only IP addresses. To expand the protection capacities and eliminate single points of failure (SPOFs), buy an Elastic Load Balance (ELB) load balancer for your dedicated WAF instances.
Dedicated WAF instances are billed on a pay-per-use basis. You only pay for what you use.
You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.
Prerequisites
- The account used to log in to the WAF console must have the WAF Administrator or WAF FullAccess permission.
- You are advised to use a parent account to purchase dedicated WAF instances. If you want to use an IAM user to purchase dedicated WAF instances, you need to assign the IAM management permission to the IAM user.
  - For first-time buyers, you need to assign IAM system role Security Administrator to them.
  - For non-first-time buyers, you need to assign IAM system policy IAM ReadOnlyAccess or custom permissions to them. The permissions are as follows:
    - iam:agencies:listAgencies
    - iam:agencies:getAgency
    - iam:permissions:listRolesForAgency
    - iam:permissions:listRolesForAgencyOnProject
    - iam:permissions:listRolesForAgencyOnDomain

  For details, see Creating a User Group and Granting Permissions.
- A VPC has been created.
- The Organizations service is in open beta test (OBT). To use organization rules, apply for OBT.
Constraints
- Dedicated WAF instances cannot protect origin servers in a VPC other than the one where the instances are located. To protect such origin servers, purchase dedicated WAF instances in the same VPC as the origin servers.
- If you enable Anti-affinity, a maximum of five dedicated WAF instances can be created.
Specification Limitations
The specifications of a dedicated WAF instance cannot be modified.
Application Scenarios
Dedicated WAF instances are a good choice if your service servers are deployed on Huawei Cloud and you plan to protect your website by adding its domain names or IP addresses to WAF.
This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.
Procedure
- Log in to the management console.
- Click in the upper left corner and choose Web Application Firewall under Security.
- In the upper right corner of the page, click Buy WAF.
- (Optional) Select an enterprise project from the Enterprise Project drop-down list.
  This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members.
  - Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
  - The default option is available in the Enterprise Project drop-down list only after you purchase WAF under the logged-in account.
- On the Buy Web Application Firewall page, select Dedicated Mode for WAF Mode.
- Configure instance parameters by referring to Table 1.
- Confirm the product details and click Buy Now in the lower right corner of the page.
- Confirm the order details and click Pay Now.
- On the payment page, select a payment method and pay for your order.
- After the payment is successful, click Back to Dedicated Engine List. On the Dedicated Engine page, view the instance status.
Verification
It takes about 5 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created successfully.
Related Operations
Managing Dedicated WAF Engines
This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.
Authorizing WAF to Access Data in the VPC Your Website Resides
If you expect to use a dedicated WAF instance, authorize WAF to directly access data in the VPC by enabling certain security rules.
By purchasing a dedicated WAF instance, you agree to authorize WAF to enable such security rules. Currently, the security group rules listed in Table 2 will be automatically enabled for a dedicated WAF instance.
| Protocol & Port | Type | Source Address | Description |
|---|---|---|---|
| Inbound rules | | | |
| TCP: 22 | IPv4 | 100.64.0.0/10 | WAF remote O&M |
| Outbound rules | | | |
| TCP: 9011 | IPv4 | 100.125.0.0/16 | WAF event logs reporting |
| TCP: 9012 | IPv4 | 100.125.0.0/16 | WAF event logs reporting |
| TCP: 9013 | IPv4 | 100.125.0.0/16 | WAF event logs reporting |
| TCP: 9018 | IPv4 | 100.125.0.0/16 | WAF policy synchronization |
| TCP: 9019 | IPv4 | 100.125.0.0/16 | WAF heartbeat logs reporting |
| TCP: 4505 | IPv4 | 100.125.0.0/16 | WAF policy synchronization |
| TCP: 4506 | IPv4 | 100.125.0.0/16 | WAF policy synchronization |
| TCP: 50051 | IPv4 | 100.125.0.0/16 | WAF performance logs reporting |
| TCP: 443 | IPv4 | 100.125.0.0/16 | WAF policy synchronization |
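
The rules in Table 2 can be checked against an exported security group. The following is an added example, not Huawei Cloud code: the rule dictionary layout (direction, protocol, port_min, port_max, cidr) and the sample rules are assumptions constructed for illustration. It reports Table 2 rules that are not covered and an inbound SSH rule whose source is wider than the documented range.

```python
import ipaddress

# Expected rules transcribed from Table 2. For outbound rules the table's
# address column is treated as the destination range (assumption).
MGMT = "100.125.0.0/16"
EXPECTED = [("inbound", 22, "100.64.0.0/10", "WAF remote O&M")] + [
    ("outbound", port, MGMT, why) for port, why in {
        9011: "WAF event logs reporting", 9012: "WAF event logs reporting",
        9013: "WAF event logs reporting", 9018: "WAF policy synchronization",
        9019: "WAF heartbeat logs reporting", 4505: "WAF policy synchronization",
        4506: "WAF policy synchronization", 50051: "WAF performance logs reporting",
        443: "WAF policy synchronization",
    }.items()
]

def rule(direction, port_min, port_max, cidr, protocol="tcp"):
    """Build one allow rule in the hypothetical export layout used here."""
    return {"direction": direction, "protocol": protocol,
            "port_min": port_min, "port_max": port_max, "cidr": cidr}

def covers(r, direction, port, cidr):
    """True if allow rule r permits TCP `port` for every address in `cidr`."""
    want, have = ipaddress.ip_network(cidr), ipaddress.ip_network(r["cidr"])
    return (r["direction"] == direction and r["protocol"] == "tcp"
            and r["port_min"] <= port <= r["port_max"]
            and want.version == have.version and want.subnet_of(have))

def audit(rules):
    """Return findings as (kind, direction, port, detail) tuples."""
    findings = []
    for direction, port, cidr, why in EXPECTED:
        matches = [r for r in rules if covers(r, direction, port, cidr)]
        if not matches:
            findings.append(("missing", direction, port, why))
        elif direction == "inbound":
            # A matching rule is equal to or wider than the documented source;
            # anything not equal exposes the port beyond the Table 2 range.
            for r in matches:
                if ipaddress.ip_network(r["cidr"]) != ipaddress.ip_network(cidr):
                    findings.append(("wider-than-documented", direction, port, r["cidr"]))
    return findings

# Constructed sample: SSH opened to any source, and no rule for port 50051.
SAMPLE_RULES = [
    rule("inbound", 22, 22, "0.0.0.0/0"),
    rule("outbound", 9011, 9019, MGMT),
    rule("outbound", 4505, 4506, MGMT),
    rule("outbound", 443, 443, MGMT),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```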