Buying a Dedicated WAF Instance
If your service servers are deployed on Huawei Cloud, you can purchase dedicated WAF instances to protect important domain names or web services that have only IP addresses. To expand the protection capacities and eliminate single points of failure (SPOFs), buy an Elastic Load Balance (ELB) load balancer for your dedicated WAF instances.
Dedicated WAF instances are billed on a pay-per-use basis. You only pay for what you use.
You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.
Prerequisites
- The account used to log in to the WAF console must have the WAF Administrator or WAF FullAccess permission.
- You are advised to use a parent account to purchase dedicated WAF instances. If an IAM user is to purchase dedicated WAF instances, grant that user the IAM management permissions described below.
- For a first-time buyer, assign the IAM system role Security Administrator.
- For a non-first-time buyer, assign the IAM system policy IAM ReadOnlyAccess, or a custom policy that grants the following permissions:
- iam:agencies:listAgencies
- iam:agencies:getAgency
- iam:permissions:listRolesForAgency
- iam:permissions:listRolesForAgencyOnProject
- iam:permissions:listRolesForAgencyOnDomain
For details, see Creating a User Group and Granting Permissions.
- A VPC has been created.
- The Organizations service is in open beta test (OBT). To use organization rules, apply for OBT.
Constraints
- If the dedicated WAF instances and the origin servers they protect are not in the same VPC, you can connect the two VPCs with a VPC peering connection. This is not recommended, because VPC peering connections may be unstable at times.
- If you enable Anti-affinity, a maximum of five dedicated WAF instances can be created.
Specification Limitations
The specifications of a dedicated WAF instance cannot be modified.
Application Scenarios
Dedicated WAF instances are a good choice if your service servers are deployed on Huawei Cloud and you plan to protect your website by adding its domain names or IP addresses to WAF.
This mode suits large enterprise websites with a large service scale and customized security requirements.
Buying a Dedicated WAF Instance
- Log in to the management console.
- Click in the upper left corner and choose Web Application Firewall under Security.
- In the upper right corner of the page, click Buy WAF.
- (Optional): Select an enterprise project from the Enterprise Project drop-down list.
This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members.
- Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
- The default option is available in the Enterprise Project drop-down list only after you purchase WAF under the logged-in account.
- On the Buy Web Application Firewall page, select Dedicated Mode for WAF Mode.
- Configure instance parameters by referring to Table 1.
Table 1 Parameters of a dedicated WAF instance (parameter: description; example value where one applies)

Basic settings

- Billing mode: Only the pay-per-use billing mode is supported. Example value: Pay-per-use billing
- Region: Generally, a WAF instance purchased in any region can protect web services in all regions. To make the instance forward your website traffic faster and reduce latency, select the region nearest to your services.
- General AZ: Select an AZ in the selected region.
  NOTE: The AZ cannot be changed after the purchase.

Edition and specifications

- Edition selection: Specifications WI-500 and WI-100 are available. Example value: WI-500
  - WI-500, referenced performance:
    - HTTP services: recommended QPS 5,000; maximum QPS 10,000
    - HTTPS services: recommended QPS 4,000; maximum QPS 8,000
    - WebSocket services: maximum concurrent connections 5,000
    - Maximum WAF-to-server persistent connections: 60,000
  - WI-100, referenced performance:
    - HTTP services: recommended QPS 1,000; maximum QPS 2,000
    - HTTPS services: recommended QPS 800; maximum QPS 1,600
    - WebSocket services: maximum concurrent connections 1,000
    - Maximum WAF-to-server persistent connections: 60,000
- WAF Instance Type: Select a WAF instance type. Only Network interface is available now. The WAF instance is connected to your network through a VPC network interface, and only dedicated load balancers can be used with this type of instance. For details, see Website Connection Process (Dedicated Mode). Example value: Network interface

Network settings

- VPC: Select the VPC to which the origin server belongs.
- Subnet: Select a subnet configured in the VPC.
- Security Group: Select a security group in the region, or click Manage Security Group to go to the VPC console and create one. After you select a security group, the WAF instance is protected by the access rules of that security group.
  NOTICE: Configure the security group as follows:
  - Inbound rules: Add inbound rules that allow incoming traffic only on the ports your service requires. For example, to allow access on port 80, add a rule that allows TCP port 80.
  - Outbound rules: Retain the default settings. All outgoing traffic is allowed by default, and WAF relies on outbound access to its management endpoints for log reporting and policy synchronization (see Table 2).
  - If your dedicated WAF instance and origin server are not in the same VPC, add rules that allow communication between the instance and the subnet of the origin server.

Usage Settings

- Quantity: Set the number of WAF instances to purchase. Buy at least two and use both to protect your services, so that if one becomes faulty WAF can automatically switch traffic to a running instance. Example value: 2

(Optional) Advanced Settings

- Instance Name Prefix: Set a prefix for the WAF instance name. If you purchase multiple instances, each instance name starts with the same prefix. Example value: WAF
- Enterprise Project: This option is only available if you have logged in using an enterprise account or have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to manage cloud resources and project members more efficiently. Example value: default
  NOTE: The value default is the default enterprise project; resources not allocated to any enterprise project under your account are listed there. The default option appears in the Enterprise Project drop-down list only after you have purchased WAF under the logged-in account.
- Tag: Using TMS's predefined tags is recommended for adding the same tag to different cloud resources. If your organization has configured a tag policy for Web Application Firewall (WAF), add tags to dedicated WAF instances according to that policy; a non-compliant tag may cause instance creation to fail. Contact your organization administrator to learn more about tag policies.
- Authorization: This parameter is available the first time you purchase a WAF instance. After you enable authorization, WAF creates an agency in IAM on your behalf to grant itself the related permissions.
- Anti-affinity: If you enable this function, a maximum of five dedicated WAF instances can be created, and the instances are deployed on different physical servers as far as possible to improve service reliability.
- Confirm the product details and click Buy Now in the lower right corner of the page.
If you want to use the content moderation check service, click Buy Now to go to the purchase page.
- Check the order details and read the Huawei Cloud WAF Disclaimer. Then, check the box next to "I have read and agree to the WAF Disclaimer" and click Pay Now.
- On the payment page, select a payment method and pay for your order.
- After the payment is successful, click Back to Dedicated Engine List. On the Dedicated Engine page, view the instance status.
Verification
It takes about 5 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created successfully.
Related Operations
Managing Dedicated WAF Engines
This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.
Authorizing WAF to Access Data in the VPC Where Your Website Resides
If you use a dedicated WAF instance, you authorize WAF to access the VPC directly by enabling certain security group rules.
By purchasing a dedicated WAF instance, you agree to authorize WAF to enable these rules. Currently, the security group rules listed in Table 2 are enabled automatically for a dedicated WAF instance. Both address ranges are shared address space (RFC 6598, 100.64.0.0/10) used inside the cloud network rather than public Internet ranges; removing these rules breaks WAF's remote O&M, log reporting, and policy synchronization.
Table 2 Security group rules enabled automatically for a dedicated WAF instance

Direction | Protocol & Port | Type | Remote Address | Description
---|---|---|---|---
Inbound | TCP: 22 | IPv4 | 100.64.0.0/10 (source) | WAF remote O&M
Outbound | TCP: 9011 | IPv4 | 100.125.0.0/16 (destination) | WAF event logs reporting
Outbound | TCP: 9012 | IPv4 | 100.125.0.0/16 (destination) | WAF event logs reporting
Outbound | TCP: 9013 | IPv4 | 100.125.0.0/16 (destination) | WAF event logs reporting
Outbound | TCP: 9018 | IPv4 | 100.125.0.0/16 (destination) | WAF policy synchronization
Outbound | TCP: 9019 | IPv4 | 100.125.0.0/16 (destination) | WAF heartbeat logs reporting
Outbound | TCP: 4505 | IPv4 | 100.125.0.0/16 (destination) | WAF policy synchronization
Outbound | TCP: 4506 | IPv4 | 100.125.0.0/16 (destination) | WAF policy synchronization
Outbound | TCP: 50051 | IPv4 | 100.125.0.0/16 (destination) | WAF performance logs reporting
Outbound | TCP: 443 | IPv4 | 100.125.0.0/16 (destination) | WAF policy synchronization