Updated on 2024-06-06 GMT+08:00

Combining AAD and WAF to Get All-Round Protection

How the Combination Works

  • Advanced Anti-DDoS works as a proxy and uses AAD IP address to forward requests to origin servers. All public network traffic is diverted to the AAD IP address so that the origin server is hidden from the public. This protects origin servers from DDoS attacks.

    Objects supported by AAD: domain names of web applications on Huawei Cloud, other cloud platforms, or on-premises data centers

  • Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
    When adding a website to WAF, you can select Cloud - CNAME, Cloud - Load balancer, or Dedicated for Protection. Before you start, get familiar with the following differences:
    • Cloud - CNAME: protects your web applications that have a domain name and are deployed on any cloud or in on-premises data centers.
    • Cloud - Load balancer: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses.
    • Dedicated: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses.

You can deploy both AAD and WAF to protect your websites hosted on Huawei Cloud, other clouds, or in on-premises data centers. The combination of AAD and WAF can protect your website against DDoS attacks (such as NTP flood, SYN flood, ACK flood, ICMP flood, and HTTP GET flood attacks) and web application attacks (such as SQL injection, cross-site scripting, web shells, command/code injection, file inclusion, sensitive file access, third-party application vulnerability attacks, CC attacks, malicious crawler scanning, and cross-site request forgery). Figure 1 shows the configuration.

Figure 1 WAF configuration when a proxy is used

If you configure AAD and WAF for your website, website traffic goes to AAD first. AAD scrubs incoming traffic and forwards clean traffic to WAF. WAF blocks attacks and forwards only the normal traffic to the origin server. In this way, two layers of protection are implemented on your website.

The configurations are as follows:

  • Cloud - CNAME

    Point the website domain name to AAD and change the AAD retrieval IP address to the WAF CNAME record. Also add the subdomain name and TXT record on your DNS management platform; this prevents others from configuring your domain name on WAF first, which would interfere with your domain name protection.

  • Cloud - Load balancer

    Resolve the domain name to AAD and change the AAD retrieval IP address to the EIP bound to the load balancer selected in Add a Website to WAF (ELB Mode).

  • Dedicated mode

    Point your website domain name to AAD and change the AAD retrieval IP address to the EIP bound to the load balancer configured for your dedicated WAF instance.

Constraints

  • Joint protection with AAD and WAF is only for domain names.
  • If your website uses proxies such as anti-DDoS, Content Delivery Network (CDN), and cloud acceleration services, select Per user for Rate Limit Mode and enable All WAF instances for your CC attack protection rules.
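The second constraint exists because, behind AAD, every request reaches WAF from the AAD IP address, so a limit keyed on the source IP throttles all users at once. The following script is an added illustration, not code from the page or from Huawei Cloud; it uses constructed requests and assumes the proxy puts the real client address in the X-Forwarded-For header, with "user" identity taken from that header.

```python
"""Added example (not from the Huawei Cloud page): why a source-IP rate limit
misfires behind a proxy such as AAD, and what keying on the user changes.
All addresses are constructed from documentation ranges."""
from collections import Counter

AAD_IP = "198.51.100.7"   # constructed AAD back-to-source address
THRESHOLD = 5             # constructed limit: requests per window per key

# Constructed requests as seen by WAF: (peer IP, X-Forwarded-For header).
# Ten different users send one request each; all arrive from the AAD IP.
REQUESTS = [(AAD_IP, f"192.0.2.{i}") for i in range(1, 11)]


def rate_limit(requests, key):
    """Return the set of keys whose request count exceeds THRESHOLD.

    key maps (peer_ip, xff) to the identity that is counted."""
    counts = Counter(key(peer, xff) for peer, xff in requests)
    return {k for k, n in counts.items() if n > THRESHOLD}


def by_source_ip(peer, xff):
    """Per-IP mode: everything behind the proxy collapses onto one key."""
    return peer


def by_user(peer, xff):
    """Per-user mode (assumed: leftmost X-Forwarded-For entry).

    The header is only trusted when the peer is the known proxy."""
    return xff.split(",")[0].strip() if peer == AAD_IP else peer


def blocked_users(requests, key):
    """Real clients whose requests would be limited under this key."""
    limited = rate_limit(requests, key)
    return sorted({xff for peer, xff in requests if key(peer, xff) in limited})


if __name__ == "__main__":
    print("per-IP limits:", blocked_users(REQUESTS, by_source_ip))
    print("per-user limits:", blocked_users(REQUESTS, by_user))
```

With the source-IP key the AAD address itself trips the limit and all ten users are affected; with the per-user key nobody exceeds the threshold.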

Prerequisites

You have purchased an AAD instance, connected your website service to the instance, and completed the configurations shown in Table 1.

Table 1 Configurations required in different WAF modes

Deployment Mode

Description

Cloud - CNAME

  1. You have bought a cloud WAF instance.
  2. You have added the website domain name to your cloud WAF instance and configured other details, including origin server IP address and port.
    NOTE:

    If the origin server uses IPv6 addresses, IPv6 protection is enabled by default. To prevent IPv6 service interruption, keep IPv6 protection enabled. If IPv6 protection is not needed, edit the server configuration and delete the IPv6 configuration from the origin server first. For details, see Editing Server Information.

  3. You have obtained the permissions from the DNS service provider to add domain names.
  4. (Optional) You have whitelisted WAF back-to-source IP addresses. If non-Huawei Cloud security software is used on the origin server, whitelist the WAF back-to-source IP addresses to prevent normal traffic from being blocked. For details, see Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers.

Cloud - Load balancer

  1. You have bought a cloud WAF instance.
  2. You have added the domain name to WAF in ELB mode.

Dedicated mode

  1. You have bought a dedicated WAF instance.
  2. You have added the website domain name to your dedicated WAF instance, configured other details, including the origin server IP address and port, and completed the following operations:
    1. You have configured a load balancer for the dedicated WAF instance.
    2. You have bound an EIP to the load balancer.
    3. You have whitelisted back-to-source IP addresses of dedicated WAF instances.

Cloud WAF Configuration - CNAME Access

The methods to configure the DNS server are similar. The following uses Huawei Cloud AAD as an example.

  1. Obtain settings of CNAME, Subdomain Name, and TXT Record.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    4. In the Protected Website column, click the domain name you want to go to the Basic Information page.
      Figure 2 Basic Information
    5. Check whether Proxy Configured is set to Layer-4 proxy or Layer-7 proxy.

      If you use AAD for layer-4 proxy forwarding, select Layer-4 proxy; otherwise, select Layer-7 proxy.

      • If it is not, click next to Proxy Configured. In the displayed dialog box, select Layer-4 proxy or Layer-7 proxy and click Confirm. Then go to 1.f.
      • If it is, go to 1.f.
    6. Click in the CNAME row to copy CNAME records. On the top of the page, click next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.

  2. Change the AAD back-to-source IP address.

    1. Click at the top of the page and choose Security & Compliance > DDoS Mitigation. In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access to go to the domain name configuration page.
    2. In the Operation column of the target domain name, click Edit. On the displayed page, set Origin Server IP Address/Domain Name to the copied WAF CNAME record.
    3. Click OK.

  3. You can also add a WAF subdomain name and TXT record on the DNS server.

    This step is recommended because it prevents others from configuring your domain name on WAF first, which would interfere with your domain name protection.

    1. Access the DNS resolution page.
      Figure 3 DNS page
    2. In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed.
      • Name: TXT record copied in 1.f.
      • Type: Select TXT – Specify text records.
      • Alias: Select No.
      • Line: Select Default.
      • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
      • Value: Enclose the TXT record copied in 1.f in quotation marks and paste it in the text box, for example, "TXT record".
      • Keep other settings unchanged.
      Figure 4 Adding a record set
    3. Click OK.

  4. (Optional) Ping your domain name to check whether the new DNS settings have taken effect.

    It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again.
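Before switching DNS, it helps to check the chain this procedure builds (domain to AAD, AAD retrieval target to the WAF CNAME, TXT ownership record quoted as in step 3). The script below is an added example, not part of the page or of any Huawei Cloud tool; it works offline on a constructed record set, and the domain, CNAME, subdomain, TXT value and IP are placeholders to be replaced with the values copied from the console.

```python
"""Added example (not from the Huawei Cloud page): offline check of the
client -> AAD -> WAF -> origin chain described in the CNAME procedure.
All names and addresses below are constructed placeholders."""
from __future__ import annotations

SITE = "www.example.com"
AAD_CNAME = "example-aad.placeholder-aad.net"      # hypothetical AAD CNAME
WAF_CNAME = "example.placeholder-waf.net"          # hypothetical WAF CNAME (step 1.f)
WAF_SUBDOMAIN = "_waf-verify.example.com"          # hypothetical subdomain name (step 1.f)
WAF_TXT = "waf-txt-placeholder-123"                # hypothetical TXT record (step 1.f)
ORIGIN_IP = "203.0.113.10"                         # documentation range, not a real host

# Public DNS as clients would see it: (name, type) -> list of values.
PUBLIC_DNS = {
    (SITE, "CNAME"): [AAD_CNAME],
    (WAF_SUBDOMAIN, "TXT"): ['"waf-txt-placeholder-123"'],
}
# AAD "Origin Server IP Address/Domain Name" setting (step 2.b).
AAD_ORIGIN = WAF_CNAME


def txt_value_ok(raw: str, expected: str) -> bool:
    """The TXT value must be entered in quotation marks (step 3.b)."""
    return len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"' and raw[1:-1] == expected


def check_chain(dns: dict, aad_origin: str) -> list[str]:
    """Return a list of problems; an empty list means the chain looks right."""
    problems = []
    # 1. The site must resolve to AAD and must not publish the origin IP,
    #    otherwise the origin is no longer hidden behind AAD.
    if dns.get((SITE, "CNAME")) != [AAD_CNAME]:
        problems.append("site is not pointed at AAD")
    if ORIGIN_IP in dns.get((SITE, "A"), []):
        problems.append("site A record exposes the origin IP")
    # 2. AAD must retrieve from WAF, not straight from the origin,
    #    or the second protection layer is skipped.
    if aad_origin != WAF_CNAME:
        problems.append("AAD origin is not the WAF CNAME")
    # 3. The ownership TXT record must exist and be quoted.
    txt = dns.get((WAF_SUBDOMAIN, "TXT"), [])
    if not any(txt_value_ok(v, WAF_TXT) for v in txt):
        problems.append("WAF TXT record missing or not quoted")
    return problems


if __name__ == "__main__":
    print(check_chain(PUBLIC_DNS, AAD_ORIGIN) or "chain OK")
```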

Dedicated/ELB WAF Configuration

Perform the following steps to complete configurations on Huawei Cloud AAD:

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
  4. In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access to go to the Domain Name Access page.
  5. In the row containing the domain name you want, click Modify in the Operation column.
  6. In the Modify Domain Name dialog box, change the origin server IP address. Figure 5 shows an example.

    Figure 5 Changing the origin server IP address

  7. Click OK.

Verification

If Access Status is Accessible, the traffic destined for your website domain name or IP address is routed to WAF.

  • WAF automatically checks the access status of protected websites every hour. If WAF detects that a protected website has received 20 access requests within 5 minutes, it considers that the website has been successfully connected to WAF.
  • By default, WAF checks only the Access Status of domain names added or updated over the last two weeks. If a domain name was added to WAF two weeks ago and has not been modified in the last two weeks, you can click in the Access Progress column to refresh the progress.

If a domain name fails to be connected to WAF, its access status is Inaccessible. To fix this issue, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?