
Using WAF and AAD to Protect Domain Names

Updated on 2025-01-27 GMT+08:00

Application Scenarios

Huawei Cloud Web Application Firewall (WAF) detects HTTP and HTTPS requests to identify and block attacks such as SQL injection, cross-site scripting (XSS), web shells, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF), ensuring web service security and stability.

AAD ensures the continuity of domain names and protects services against heavy-traffic DDoS attacks.

WAF and AAD together can defend against web application attacks and traffic attacks, greatly enhancing the security and stability of domain names.

This practice is based on the scenario where a domain name is connected to WAF. It explains how to enable website traffic to pass through both AAD and WAF, thereby improving the comprehensive protection capability of your website.

NOTE:

For details about how to connect a domain name to WAF, see Connecting Your Website to WAF.

Architecture

After AAD-WAF interworking is enabled, traffic is routed through AAD before being directed to WAF, enabling a coordinated defense mechanism.

Figure 1 AAD and WAF interworking
CAUTION:

If multiple domain names are protected by the same AAD instance and port and all of them use a WAF CNAME as the origin server, note the following: when those WAF CNAMEs resolve to different origin server IP addresses and all of the WAF CNAMEs are bypassed, every domain name bound to that high-defense IP address and port becomes inaccessible.

Limitations and Constraints

  • Joint protection with AAD and WAF applies only to domain names. When configuring joint protection, you need to configure the domain name separately in AAD and in WAF.
  • For a high-defense IP address and port, you can configure only one type of origin server. Once an origin server domain name is set, an additional origin server IP address cannot be configured.

Resource and Cost Planning

Resource | Description | Quantity | Cost
--- | --- | --- | ---
Web Application Firewall (WAF) | Connected to websites for defense against web and CC attacks. | 1 | For details about WAF billing modes and standards, see WAF Billing Overview.
AAD | Protects domain names connected to WAF against DDoS attacks. | 1 | For details about AAD billing modes and standards, see Billing Overview.

Procedure

  1. Obtain the WAF CNAME value.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    4. In the navigation pane, choose Website Settings.
    5. On the Domains page, click the target domain name whose CNAME value you want to obtain.
    6. In the Basic Information area, click under Use Layer-7 Proxy.
      Figure 2 Basic information
      NOTE:

      If you are using Huawei Cloud AAD before connecting the domain name to WAF, set IP Tag to $remote_addr in the Traffic Identifier area on the Basic Information page to obtain the actual IP address of the client. For details, see Configuring a Traffic Identifier for a Known Attack Source.

    7. On the displayed page, set Use Layer-7 Proxy to Yes and click OK.
    8. On the Basic Information page, copy the CNAME.
      Figure 3 Copying the CNAME value

  2. Add the obtained WAF CNAME value to an AAD instance.

    NOTE:

    After interworking with WAF is configured, no certificate needs to be uploaded for website services.

    1. Click in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
    2. Choose AAD > Domain Name Access. The Domain Name Access configuration page is displayed.
    3. Select Chinese mainland or Other.
    4. Click Add Domain.
    5. Enter the domain name information and click Next.
      Figure 4 Configuring website domain
      Table 1 Parameter description

      Parameter | Description
      --- | ---
      Protected Domain Name | Enter the domain name of the service to protect. Wildcard domain names are supported, for example, *.domain.com.
      Origin Server Type | Set this parameter to Domain name. Enter the forwarding protocol and origin server port of the origin server domain name, then enter the copied WAF CNAME.
      Server Configuration | Enter the forwarding protocol and port used by the origin server.

    6. On the Select Instance and Line page, select the required instances and high-defense IP addresses and click Submit and Continue.
      Figure 5 Selecting an instance and a line

  3. Click Next.
  4. On the Modify DNS Resolution page, copy the CNAME of the AAD and click Finish.

    Figure 6 Copying AAD CNAME

  5. Modify DNS configuration.

    1. Click in the upper left corner of the page and choose Network > Domain Name Service. The Domain Name Service management console is displayed.
    2. Click Public Zones.
    3. Locate the row that contains the target domain name, and choose Manage Record Set.
    4. Click Add Record Set to add a CNAME record set.
      Figure 7 Adding a record set
      Table 2 Key parameters

      Parameter | Description
      --- | ---
      Name | Set this parameter to the domain name configured in AAD.
      Record Type | Select CNAME – Map one domain to another.
      Line | Select Default.
      TTL (s) | TTL is short for time-to-live, which specifies the cache period of resource records on a local DNS server. If your service address is frequently changed, set TTL to a smaller value.
      DNS record | Enter the copied AAD CNAME.

      NOTICE:

      DNS resolution takes a period of time. In most cases, domain names can be resolved within 5 minutes.
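After the record set is saved, the public DNS data for the domain should contain exactly one CNAME pointing at the AAD CNAME: a leftover A record lets clients reach the origin without AAD, and a CNAME that points at the WAF CNAME directly skips AAD altogether. The check below is an added example, not code from this page or from Huawei Cloud; the zone snapshots and the two CNAME values are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.example.com"
    rtype: str   # "A" or "CNAME"
    value: str   # IPv4 address or CNAME target
    ttl: int     # seconds


# Placeholder CNAME values (constructed, not real AAD or WAF names).
AAD_CNAME = "example.aad-placeholder.invalid"
WAF_CNAME = "example.waf-placeholder.invalid"


def check_cutover(records, domain, aad_cname, waf_cname, max_ttl=300):
    """Return a list of findings for the public records of `domain`.

    An empty list means the domain is published as the procedure expects:
    a single CNAME to the AAD CNAME, no leftover A record, and a TTL small
    enough that a rollback propagates quickly.
    """
    findings = []
    own = [r for r in records if r.name == domain]
    if any(r.rtype == "A" for r in own):
        findings.append("an A record is still published; clients can reach the origin without AAD")
    cnames = [r for r in own if r.rtype == "CNAME"]
    if not cnames:
        findings.append("no CNAME record for the domain")
    elif cnames[0].value == waf_cname:
        findings.append("CNAME points at the WAF CNAME directly, so AAD is bypassed")
    elif cnames[0].value != aad_cname:
        findings.append("CNAME points at an unexpected target: " + cnames[0].value)
    if any(r.ttl > max_ttl for r in own):
        findings.append("TTL exceeds %d s; the cutover or a rollback will propagate slowly" % max_ttl)
    return findings


# Constructed zone snapshots (sample input, not captured from a real zone).
GOOD_ZONE = [Record("www.example.com", "CNAME", AAD_CNAME, 300)]
BAD_ZONE = [
    Record("www.example.com", "A", "192.0.2.10", 3600),    # stale origin record
    Record("www.example.com", "CNAME", WAF_CNAME, 3600),  # skips AAD
]

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        for f in check_cutover(zone, "www.example.com", AAD_CNAME, WAF_CNAME) or ["ok"]:
            print(label, "-", f)
```

To run it against live data, fill the record list from the output of a resolver query for the domain instead of the constructed snapshots.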
