Website Connection Overview

To use Web Application Firewall (WAF) to protect your web services, the services must be connected to WAF. WAF provides three access modes for you to connect web services to WAF: cloud CNAME, cloud load balancer, and dedicated access modes. You can select a proper access method based on how your web services are deployed. This topic describes how WAF works in different access modes, their differences, and when to use them.

Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.

Application Scenarios

WAF provides the following access modes for you to connect websites to WAF.

Cloud mode - CNAME access mode
- Service servers are deployed on any cloud or in on-premises data centers.
- Protected objects: domain names
- Connecting a Website to WAF (Cloud Mode - CNAME Access)
Cloud mode - Load balancer access mode
- Service servers are deployed on Huawei Cloud.
  This mode suitable for large enterprise websites having high security requirements on service stability.
- Protected object: domain names or IP addresses (public or private IP addresses)
- Connecting a Website to WAF (Cloud - ELB Load Balancer Access Mode)
Dedicated mode
- Service servers are deployed on Huawei Cloud.
  This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.
- Protected object: domain names or IP addresses (public or private IP addresses)
- Connecting a Website to WAF (Dedicated Mode)

Constraints

There are some restrictions on using different access modes.

When you connect your website to WAF in cloud CNAME access mode, pay attention to the following restrictions.

Constraint	Description
Domain name	A domain name can only be added to WAF once in cloud mode. Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF. Only the domain names that have been registered with Internet Content Provider (ICP) licenses can be added to WAF.
Service edition	Only the professional and platinum editions support IPv6 protection, HTTP2, and load balancing algorithms. If you are using WAF standard edition, only System-generated policy can be selected for Policy.
Certificate	Only .pem certificates can be used in WAF. Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used. Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.
WebSocket protocol	WAF supports the WebSocket protocol, which is enabled by default. WebSocket request inspection is enabled by default if Client Protocol is set to HTTP. WebSockets request inspection is enabled by default if Client Protocol is set to HTTPS.
HTTP/2	HTTP/2 can be used only for access between the client and WAF on the condition that at least one origin server has HTTPS used for Client Protocol. To make Server Configuration works, there must be at least one server configuration record with Client Protocol set to HTTPS. HTTP/2 can work only when the client supports TLS 1.2 or earlier versions.
Limitation	After your website is connected to WAF, you can upload a file no larger than 1 GB each time.

When you connect your website to WAF in cloud load balancer access mode, pay attention to the following restrictions.

Only dedicated ELB load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used. Dedicated load balancers with Specifications set to Network load balancing (TCP/UDP) are not supported.
Only the professional and platinum editions allow you to specify a custom policy for Policy.
Limitation: After your website is connected to WAF, you can upload a file no larger than 10 GB each time.

When you connect your website to WAF in dedicated mode, the restrictions are as follows:

Constraint	Description
ELB load balancer	Only dedicated ELB load balancers can be used for dedicated WAF instances. For details, see Load Balancer Types. NOTE: Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023). For details, see Dedicated Engine Version Iteration.
Domain name	The wildcard domain name * can be added to WAF. When the domain name is set to *, only non-standard ports except 80 and 443 can be protected. A protected object can only be added to WAF once. Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.
Proxy	If a layer-7 proxy server, such as CDN or cloud acceleration, is used before WAF, you need to select Yes for Use Layer-7 Proxy. By doing this, WAF can obtain real client access IP addresses from the configured header field. For details, see Configuring a Traffic Identifier for a Known Attack Source.
Certificate	Only .pem certificates can be used in WAF. Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used. Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.
WebSocket protocol	WAF supports the WebSocket protocol, which is enabled by default. WebSocket request inspection is enabled by default if Client Protocol is set to HTTP. WebSockets request inspection is enabled by default if Client Protocol is set to HTTPS.
Limitation	After your website is connected to WAF, you can upload a file no larger than 10 GB each time.

Processes of Connecting a Website to WAF

The process of connecting a website to WAF varied depending on the access mode you select.

When connecting a website to WAF in CNAME access mode, refer to the process shown in Figure 1.

Figure 1 Process of connecting a website to WAF - Cloud Mode (CNAME Access)

**Table 1** Process of connecting your website domain name to WAF
Procedure	Description
Adding a Domain Name to WAF	Configure basic information, such as the domain name, protocol, and origin server.
Whitelisting WAF back-to-source IP addresses	If other security software or firewalls are installed on your origin server, whitelist only requests from WAF. This ensures normal access and protects the origin server from hacking.
Testing WAF	To ensure that your WAF instance forwards website traffic normally, test the WAF instance locally and then route traffic destined for the website domain name to WAF by modifying DNS record.
Modifying DNS Records for a Domain Name	No proxy used Configure a CNAME record for the protected domain name on the DNS platform you use. Proxy (such as advanced anti-DDoS and CDN) used Change the back-to-source IP address of the used proxy, such as advanced anti-DDoS and CDN, to the copied CNAME record.

Connect your website to WAF in just a few clicks. For details, see Connecting Your Website to WAF (Cloud Mode - Load Balancer Access).

When connecting a website to WAF in dedicated mode, refer to the process shown in Figure 2.

Figure 2 Process of connecting a website to a dedicated WAF instance

**Table 2** Process of connecting your website domain name to WAF
Procedure	Description
Adding Your Website to WAF	You need to configure your website (domain name or IP address) details, such as protocol and origin server.
Configuring a Load Balancer for Your Dedicated WAF Instance	To ensure your dedicated WAF instance reliability, after you add a website to it, use Huawei Cloud Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance.
Binding an EIP to the Load Balancer	Unbind an elastic IP address (EIP) from the origin server and bind the EIP to the load balancer configured for the dedicated WAF instance. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server.
Allowing Back-to-Source IP Addresses of Dedicated WAF Instances on the Origin Server	The security software on the origin server may most likely regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server will deny all WAF requests. As a result, your website may become unavailable or respond very slowly. Therefore, ACL rules must be configured on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.
Testing Dedicated WAF Instances	After adding a website to a dedicated WAF instance, verify that WAF can forward traffic properly and ELB load balancers work well.