Help Center> Web Application Firewall> Best Practices> Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports
Updated on 2022-10-10 GMT+08:00
View PDF

Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports

This topic walks you through how to combine dedicated WAF instances and layer-7 load balancers to protect your services over non-standard ports that cannot be protected with WAF alone. For ports supported by WAF, see Ports Supported by WAF

Protection Scenarios

The following procedure describes how WAF and ELB together protect www.example.com:9876. Port 9876 is a non-standard port WAF alone cannot protect.

Prerequisites

  • You have purchased a load balancer. For details about load balancers, see Differences Between Shared and Dedicated Load Balancers.
  • Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
    You can configure your security group as follows:
    • Inbound rules

      Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows TCP and port 80.

    • Outbound rules

      Retain the default settings. All outgoing network traffic is allowed by default.

    For more details, see Adding a Security Group Rule.

Procedure

  1. Buy a dedicated WAF instance.
  2. Connect www.example.com to WAF by referring to Adding a Website to WAF (Dedicated Mode). Select any non-standard port, for example, port 86, and set Proxy Configured to Yes.
  3. Add listeners and backend server groups to the load balancer.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
    4. Click the name of the load balancer in the Name column to go to the Basic Information page.
    5. Click the Listeners tab and then click Add Listener. On the displayed page, configure the listener. In the Frontend Port text box, enter the port you want to protect. In this case, enter 9876.
      Figure 1 Configuring a listener
    6. Click Next: Configure Request Routing Policy.
      Figure 2 Configuring a backend server group
      • If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.
      • For details about ELB traffic distribution policies, see Load Balancing Algorithms.
    7. Click Next: Add Backend Server and click Next: Confirm.

  4. Add the WAF instance to the load balancer.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
    4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
      Figure 3 Dedicated engine list
    5. Locate the row containing the WAF instance. In the Operation column, click More > Add to ELB.
    6. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group based on Step 3.
      Figure 4 Add to ELB
    7. Click Confirm. Then, configure service port for the WAF instance. In this example, configure Backend Port to 86, which is the one we configured in Step 2.
      Figure 5 Configuring Backend Port
    8. Click Confirm.

  5. Bind an EIP to the load balancer.
  6. Whitelist the IP addresses of the dedicated WAF Instance.

How the Combination Protects Traffic