Updated on 2024-12-24 GMT+08:00

Using WAF, ELB, and CNAD Advanced to Improve Website Service Security

Application Scenarios

Huawei Cloud Web Application Firewall (WAF) detects HTTP and HTTPS requests to identify and block attacks such as SQL injection, cross-site scripting (XSS), web shells, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF), ensuring web service security and stability.

CNAD Advanced provides layer-4 DDoS attack defense for website services connected to WAF (cloud mode - ELB access). It offers dual protection through CNAD Advanced and cloud WAF (ELB access), defending against layer-4 DDoS attacks, layer-7 web attacks, and CC attacks, significantly enhancing the security and stability of website services.

Architecture

With a CNAD Advanced and a cloud WAF instance in place, the WAF engine inspects all incoming traffic. It filters out malicious activities such as DDoS, web, and CC attacks, ensuring that only legitimate traffic reaches your origin server.

Figure 1 CNAD Advanced collaborates with WAF

Limitations and Constraints

Only website services that have been connected to cloud WAF (ELB access) are supported. For details, see Connecting Your Website to WAF (Cloud Mode - Load Balancer Access).

Resource and Cost Planning

| Resource | Description | Quantity | Cost |
| --- | --- | --- | --- |
| Cloud WAF (ELB access) | Connected to websites for defense against web and CC attacks. | 1 | For details about WAF billing modes and standards, see WAF Billing Overview. |
| CNAD Advanced | Protects website services connected to WAF against DDoS attacks. | 1 | For details about CNAD Advanced billing modes and standards, see Billing Overview. |

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the ELB console.
  4. Locate the row that contains the load balancer bound to the WAF instance, and obtain the EIP of the load balancer.

    Figure 2 Copying the EIP

  5. Buy a CNAD Advanced instance in the region where the EIP bound to the load balancer resides.
  6. Click in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
  7. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.
  8. In the upper right corner of the target instance box, click Add Protected Object.
  9. Search for the EIP of the load balancer obtained in step 4, set it as a protected object, and click Next.

    Figure 3 Adding a protected object

  10. Select a protection policy for the added IP address and click OK.

    Figure 4 Policy

    After adding a protected object, you can configure a protection policy for it. For details, see Adding a Protection Policy.
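
After completing the procedure, it is worth confirming that every load balancer EIP fronted by WAF ended up as a protected object, in a CNAD Advanced instance in the same region, with a policy selected. The following coverage audit is an added example, not Huawei Cloud code; the inventory layout, field names, region labels and addresses are constructed placeholders that you would populate from your own console export.

```python
from ipaddress import ip_address

# Constructed inventory; field names and values are hypothetical placeholders,
# not a Huawei Cloud API schema. IPs come from documentation ranges.
LOAD_BALANCERS = [
    {"name": "elb-shop", "region": "region-a", "eip": "203.0.113.10", "waf_bound": True},
    {"name": "elb-api", "region": "region-a", "eip": "203.0.113.11", "waf_bound": True},
    {"name": "elb-blog", "region": "region-b", "eip": "198.51.100.7", "waf_bound": True},
    {"name": "elb-pay", "region": "region-a", "eip": "203.0.113.12 ", "waf_bound": True},
    {"name": "elb-int", "region": "region-a", "eip": None, "waf_bound": False},
]
CNAD_INSTANCES = [
    {"name": "cnad-1", "region": "region-a",
     "protected": {"203.0.113.10": "policy-web", "198.51.100.7": "policy-web",
                   "203.0.113.12": None}},
]


def _norm(ip):
    """Canonical form of an address; raises ValueError on malformed input."""
    return str(ip_address(ip.strip()))


def audit_cnad_coverage(load_balancers, cnad_instances):
    """Return (load balancer name, finding) pairs for WAF-bound load balancers."""
    findings = []
    for lb in load_balancers:
        if not lb["waf_bound"]:
            continue  # only services behind cloud WAF (ELB access) are in scope
        if not lb.get("eip"):
            findings.append((lb["name"], "no-eip"))
            continue
        eip = _norm(lb["eip"])
        # Every (instance, policy) pair that lists this EIP as a protected object.
        hits = [(c, pol) for c in cnad_instances
                for ip, pol in c["protected"].items() if _norm(ip) == eip]
        same_region = [pol for c, pol in hits if c["region"] == lb["region"]]
        if not hits:
            findings.append((lb["name"], "unprotected"))      # never added as protected object
        elif not same_region:
            findings.append((lb["name"], "region-mismatch"))  # instance is in another region
        elif not any(same_region):
            findings.append((lb["name"], "no-policy"))        # no protection policy selected
    return findings


if __name__ == "__main__":
    for name, finding in audit_cnad_coverage(LOAD_BALANCERS, CNAD_INSTANCES):
        print(f"{name}: {finding}")
```

An empty result means every WAF-bound load balancer in the inventory has layer-4 coverage as the procedure intends; any finding names the load balancer to revisit.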