Combining AAD and WAF to Get All-Round Protection
Application Scenarios
With the deepening of digital applications, web applications are widely used by most enterprises. Many web applications, such as enterprise websites, online shopping malls, and remote office systems, are publicly accessible, which makes them major targets of hackers. According to historical data analysis, about 75% of information security attacks target web applications. In addition, web applications and their components have more vulnerabilities than other software. The critical Log4j vulnerability, for example, adversely affected most web applications.
If your website has been protected with AAD already, you can use WAF as well to give better protection to the website.
For details about how to connect your website to AAD, see Configuring a Protected Domain Name (Website Services).
Architecture
- Advanced Anti-DDoS (AAD) works as a proxy and uses the AAD IP address to forward requests to origin servers. All public network traffic is diverted to the AAD IP address so that the origin server is hidden from the public. This protects origin servers from DDoS attacks.
Objects supported by AAD: domain names of web applications on Huawei Cloud, other cloud platforms, or on-premises data centers
- Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injections, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
When adding a website to WAF, you can select Cloud Mode - CNAME, Cloud Mode - Load balancer, or Dedicated Mode. Before you start, get familiar with their differences:
- Cloud Mode - CNAME: protects your web applications that have domain name and are deployed on any clouds or in on-premises data centers.
- Cloud Mode - Load balancer: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).
- Dedicated Mode: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).
You can deploy both AAD and WAF to protect your websites hosted on Huawei Cloud, other clouds, or in on-premises data centers. The combination of AAD and WAF can protect your website against DDoS attacks (such as NTP flood, SYN flood, ACK flood, ICMP flood, and HTTP GET flood attacks) and web application attacks (such as SQL injection, cross-site scripting, web shells, command/code injection, file inclusion, sensitive file access, third-party application vulnerability attacks, CC attacks, malicious crawler scanning, and cross-site request forgery). Figure 1 shows the configuration.
If you configure AAD and WAF for your website, website traffic goes to AAD first. AAD scrubs incoming traffic and forwards clean traffic to WAF. WAF blocks attacks and forwards only the normal traffic to the origin server. In this way, two layers of protection are implemented on your website.
The configurations are as follows:
- Cloud - CNAME
Point the website domain name to AAD and change the AAD retrieval IP address to the WAF CNAME record. To prevent others from configuring your domain name on WAF before you do (which would interfere with protection of your domain name), add the subdomain name and TXT record on your DNS management platform.
- Cloud - Load balancer
Point the domain name to AAD and change the AAD retrieval IP address to the EIP bound to the load balancer selected in Add a Website to WAF (ELB Mode).
- Dedicated mode
Point your website domain name to AAD and change the AAD retrieval IP address to the EIP bound to the load balancer configured for your dedicated WAF instance.
Advantages
You can deploy both AAD and WAF to protect your website against DDoS attacks (such as NTP flood, SYN flood, ACK flood, ICMP flood, and HTTP GET flood attacks) and web application attacks (such as SQL injection, cross-site scripting, web shells, command/code injection, file inclusion, sensitive file access, third-party application vulnerability attacks, CC attacks, malicious crawler scanning, and cross-site request forgery).
Resource and Cost Planning
Resource | Description | Monthly Fee
---|---|---
DDoS protection | | For details about billing rules, see Billing Description.
Web Application Firewall | Cloud - Standard edition | For details about pricing rules, see Billing Description.
Constraints
- Joint protection with AAD and WAF is only for domain names.
- If your website uses proxies such as anti-DDoS, Content Delivery Network (CDN), and cloud acceleration services, select Per user for Rate Limit Mode and enable All WAF instances for your CC attack protection rules.
Step 1: Buy the Standard Edition Cloud WAF
The following describes how to buy the standard edition cloud WAF.
- Log in to Huawei Cloud management console.
- On the management console page, choose .
- In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.
- Region: Select the region nearest to the services WAF will protect.
- Edition: Select Standard.
- Expansion Package and Required Duration: Set them based on site requirements.
- Confirm the product details and click Buy Now in the lower right corner of the page.
- Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
- On the payment page, select a payment method and pay for your order.
Step 2: Add Website Information to WAF
The following example shows how to add website information to WAF in cloud CNAME access mode.
- For details about the cloud load balancer access mode, see Connecting a Website to WAF (Cloud Mode - ELB Access).
- For details about the dedicated mode, see Connecting a Website to WAF (Dedicated Mode).
- In the navigation pane on the left, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Cloud - CNAME and click Configure Now.
- Configure website information as prompted.
Figure 2 Configuring basic information
Table 2 Key parameters
- Domain Name
  - Description: Domain name you want to add to WAF for protection.
    - The domain name has an ICP license.
    - You can enter a single domain name (for example, top-level domain name example.com or level-2 domain name www.example.com) or a wildcard domain name (*.example.com).
  - Example Value: www.example.com
- Protected Port
  - Description: The port over which the website traffic goes.
  - Example Value: Standard ports
- Server Configuration
  - Description: Web server address settings. You need to configure the client protocol, server protocol, server weights, server address, and server port.
    - Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    - Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
    - Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME record of the domain name configured on the DNS) of the web server that a client accesses.
    - Server Port: service port over which the WAF instance forwards client requests to the origin server.
    - Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.
  - Example Value: Client Protocol: HTTP; Server Protocol: HTTP; Server Address: IPv4 XXX.XXX.1.1; Server Port: 80
- Use Layer-7 Proxy
  - Description: Whether other layer-7 proxies are deployed in front of WAF. Select Yes.
    NOTE: If you deploy AAD before WAF for your website, to let WAF obtain the real IP address of the client, you need to set IP Tag to $remote_addr in the Traffic Identifier area on the basic information page for the protected domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source.
  - Example Value: Yes
- Click Next. Then, whitelist WAF back-to-source IP addresses and test WAF as prompted.
Figure 3 Domain name added to WAF
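With AAD in front of WAF and WAF in front of the origin, the origin server sees WAF's back-to-source address as its TCP peer and must recover the real client address from X-Forwarded-For. The following is an added example for the origin side, not code from Huawei Cloud or this page: it assumes each proxy hop appends the address it received the request from, and the two IP ranges are constructed placeholders that must be replaced with the back-to-source ranges of your own WAF and AAD instances.

```python
import ipaddress

# Constructed placeholder ranges: replace with the back-to-source IP ranges
# published for your WAF and AAD instances (this page does not list them).
WAF_BACK_TO_SOURCE = [ipaddress.ip_network("192.0.2.0/24")]     # placeholder
AAD_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]    # placeholder


def in_ranges(ip, ranges):
    """Return True if ip belongs to any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def came_through_waf(remote_addr):
    """The TCP peer must be a WAF back-to-source address; anything else
    reached the origin directly and bypassed both protection layers."""
    return in_ranges(remote_addr, WAF_BACK_TO_SOURCE)


def real_client_ip(remote_addr, x_forwarded_for):
    """Recover the client IP behind the AAD -> WAF -> origin chain.

    X-Forwarded-For is walked from the right: every hop that is a known
    WAF or AAD proxy is skipped, and the first address that is not one
    of our proxies is the client. Left-most entries can be supplied by
    the client itself, so they are never trusted on their own.
    """
    if not came_through_waf(remote_addr):
        raise PermissionError(f"{remote_addr} did not come through WAF")
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    trusted = WAF_BACK_TO_SOURCE + AAD_PROXY_RANGES
    for hop in reversed(hops):
        try:
            if in_ranges(hop, trusted):
                continue          # our own proxy layer; keep walking left
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        return hop                # first untrusted hop is the real client
    # Header absent or every hop was one of our proxies: fall back to peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.9 forged a leading entry,
    # AAD appended the client, WAF appended AAD's address.
    print(real_client_ip("192.0.2.5", "1.2.3.4, 203.0.113.9, 198.51.100.7"))
```

A forged leading entry is ignored because the walk stops at the first hop that is not one of your proxies, and a connection whose peer is not a WAF back-to-source address is rejected outright.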
Step 3: Resolve the Domain Name
On the Advanced Anti-DDoS page, add the CNAME record of WAF to let the traffic pass through WAF.
Cloud CNAME Mode Configuration
The methods to configure the DNS server are similar. The following uses Huawei Cloud AAD as an example.
- Obtain settings of CNAME, Subdomain Name, and TXT Record.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the Protected Website column, click the domain name you want to go to the Basic Information page.
- Check that Use Layer-7 Proxy is set to Yes.
- Click in the CNAME row to copy CNAME records. On the top of the page, click next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.
- Change the back-to-source IP address of the AAD instance.
- Click at the top of the page and choose Security & Compliance > DDoS Mitigation. In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access to go to the domain name configuration page.
- In the Operation column of the target domain name, click Edit. On the displayed page, set Origin Server IP Address/Domain Name to the copied WAF CNAME record.
- Click OK.
- (Optional) Add a WAF subdomain name and TXT record at your DNS provider.
This step is recommended to prevent others from configuring your domain name on WAF before you do (which would interfere with protection of your domain name).
- Access the DNS resolution page.
Figure 4 DNS page
- In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed.
- Name: TXT record copied in 1.f.
- Type: Select TXT – Specify text records.
- Alias: Select No.
- Line: Select Default.
- TTL (s): The recommended value is 5 min. A larger TTL slows the propagation of DNS record updates.
- Value: Paste the TXT record copied in 1.f into the text box, enclosed in quotation marks, for example, "TXT record".
- Keep other settings unchanged.
Figure 5 Adding a record set
- Click OK.
- (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect.
It takes some time for the new DNS settings to take effect. If the ping fails, wait for 5 minutes and try again.
How to Configure in Dedicated/Load Balancer Access Modes
Perform the following steps to complete configurations on Huawei Cloud AAD:
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
- In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access to go to the Domain Name Access page.
- In the row containing the domain name you want, click Modify in the Operation column.
- In the Modify Domain Name dialog box, change the origin server IP address. Figure 6 shows an example.
- If you use a dedicated WAF instance, in the Origin Server IP Address/Domain Name text box, enter the EIP you bind to the load balancer.
- If you use a cloud WAF instance and select ELB load balancer access for your services, enter the EIP bound to the load balancer selected in Add a Website to WAF (ELB Mode) in the Origin Server IP Address/Domain Name text box.
- Click OK.
Verification
If Access Status is Accessible, the traffic destined for your website domain name or IP address is routed to WAF.
- WAF automatically checks the access status of protected websites every hour. If WAF detects that a protected website has received 20 access requests within 5 minutes, it considers that the website has been successfully connected to WAF.
- By default, WAF checks only the access status of domain names added or updated over the last two weeks. If a domain name was added to WAF two weeks ago and has not been modified in the last two weeks, you can click in the Access Status column to refresh its status.
If a domain name fails to be connected to WAF, its access status is Inaccessible. To fix this issue, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?