Updated on 2023-11-14 GMT+08:00

Interconnecting a Dedicated Gateway with WAF

To protect API Gateway and your backend servers from malicious attacks, deploy Web Application Firewall (WAF) between API Gateway and the external network.

Figure 1 Access to a backend server

The following instructions are based on the new console. If you are using the old console, see the API Gateway User Guide.

(Recommended) Solution 1: Register API Group Debugging Domain Name on WAF and Use the Domain Name to Access the Backend Service

API groups provide services using domain names for high scalability.

  1. Create an API group in a gateway, record the domain name, and create an API in the group.

    Figure 2 Creating an API group and recording the debugging domain name
    Figure 3 Creating an API

  2. Go to the WAF console and add a domain name: set Server Address to the API group domain name and add a certificate. For details, see Connection Process (Cloud Mode).

    You can use a public network client to access WAF with its domain name. WAF then uses the same domain name to forward your requests to API Gateway. There is no limit on the number of requests that API Gateway can receive for the domain name.

  3. On the gateway details page, bind the domain name to the API group.

  4. Enable real_ip_from_xff and set the parameter value to 1.

    When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.

Solution 2: Forward Requests Through the DEFAULT Group and Use Gateway Inbound Access Address to Access the Backend Service from WAF

  1. View the inbound access addresses of your gateway. There is no limit on the number of times the API gateway can be accessed using an IP address.

    • VPC Ingress Address: VPC access address
    • EIP: public network access address

  2. Create an API in the DEFAULT group.

  3. Go to the WAF console and add a domain name: set Server Address to an inbound access address of your API gateway and add a certificate. Then copy the WAF back-to-source IP addresses. For details, see Connection Process (Cloud Mode).

    • If WAF and your gateway are in the same VPC, set Server Address to the VPC access address.
    • If your gateway is bound with an EIP, set Server Address to the EIP.

  4. On the gateway details page, bind the domain name to the DEFAULT group.

  5. Enable real_ip_from_xff and set the parameter value to 1.

    When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.
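
The real_ip_from_xff step in both solutions relies on the gateway reading the client address from X-Forwarded-For. The following added example (not API Gateway's or WAF's own code) sketches that resolution on the receiving side, honouring the header only when the connection comes from a WAF back-to-source address. The function names, the address range, the `index` convention and the assumption that WAF appends the client address as the last entry are all hypothetical; `index` does not describe how the gateway interprets the real_ip_from_xff value.

```python
import ipaddress

# Constructed WAF back-to-source range (documentation addresses, not real WAF IPs).
WAF_BACK_TO_SOURCE = [ipaddress.ip_network("198.51.100.0/24")]


def parse_xff(header):
    """Split an X-Forwarded-For value into validated addresses, left to right."""
    hops = []
    for token in (header or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            return []  # malformed entry: treat the whole header as unusable
    return hops


def resolve_client_ip(peer, xff_header, index):
    """Return the address to use for access control and throttling.

    peer       -- source address of the connection that reached the gateway
    xff_header -- raw X-Forwarded-For value, or None
    index      -- entry to pick (this sketch's convention: 0 leftmost, -1 rightmost)
    """
    peer_ip = ipaddress.ip_address(peer)
    # Honour the header only when the connection really comes from WAF.
    if not any(peer_ip in net for net in WAF_BACK_TO_SOURCE):
        return str(peer_ip)
    hops = parse_xff(xff_header)
    if not hops or not -len(hops) <= index < len(hops):
        return str(peer_ip)  # nothing usable at that position: fall back
    return str(hops[index])


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header).
    samples = [
        ("198.51.100.7", "203.0.113.9"),            # via WAF
        ("198.51.100.7", "10.0.0.1, 203.0.113.9"),  # via WAF, header already present
        ("192.0.2.50", "10.0.0.1"),                 # direct to gateway, not via WAF
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff, -1))
```

The third sample returns the peer address itself, which is why access control and throttling keyed on the header stay meaningful only while the gateway is reachable solely through WAF.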