Updated on 2024-07-31 GMT+08:00

Using WAF, ELB, and NAT Gateway to Protect Services Not Deployed on Our Cloud

Application Scenarios

By default, in cloud load balancer access mode, WAF can protect only workloads deployed on our cloud. If your origin servers are not deployed on our cloud, but you want to use WAF in this mode, you can use Network Address Translation (NAT) gateways to route traffic from Huawei Cloud to the public IP addresses of your origin server. Then, you can connect your website to WAF in cloud load balancer access mode to let WAF check your website traffic.

Architecture

Figure 1 Architecture

Resource and Cost Planning

Table 1 Resources and costs

Resource: Elastic Load Balance (ELB)
Description:
  • Billing mode: Yearly/Monthly
  • Instance type: Dedicated
  • Specifications: Application load balancing (HTTP/HTTPS); Medium II
  • Billed By: Bandwidth
  • Bandwidth: 10 Mbit/s
Monthly Fee: For details about billing rules, see Billing Description.

Resource: NAT Gateway
Description:
  • Billing mode: Yearly/Monthly
  • Specifications: Medium
Monthly Fee: For details about billing rules, see Billing.

Resource: Web Application Firewall (WAF)
Description: Cloud - Standard edition
  • Billing mode: Yearly/Monthly
  • Domain name quota: 10, including a maximum of one top-level domain name
  • QPS quota: 2,000 QPS
  • Peak bandwidth: 100 Mbit/s inside the cloud and 30 Mbit/s outside the cloud
Monthly Fee: For details about pricing rules, see Billing Description.

Step 1: Create a Dedicated Load Balancer

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
  4. On the Elastic Load Balance page, click Buy Elastic Load Balancer.

    1. Select the basic configuration for the load balancer as prompted.
      • Type: Select Dedicated load balancer.
      • Specifications: Select Application load balancing (HTTP/HTTPS).
      • Other parameters: Set them based on your service requirements.
    2. Configure the network as prompted.
      • IP as a Backend: Toggle it on.
      • Frontend Subnet: Select the subnet for your load balancer to use the IP addresses in this subnet to receive requests.
      • Backend Subnet: Select the subnet for your load balancer to use IP addresses in this subnet to establish connections with backend servers. You need to select a backend subnet that is different from the frontend subnet.

        If the frontend subnet is the same as the backend subnet, the NAT gateway cannot route the traffic correctly.

      • Other parameters: Set them based on your service requirements.

    For details about how to create a dedicated load balancer, see Creating a Dedicated Load Balancer.

  5. Click Next.
  6. Confirm the configuration details and complete the creation as prompted.

Step 2: Configure a Listener for the Load Balancer You Create

  1. Click the name of the target load balancer in the Name/ID column.
  2. Click the Listeners tab, click Add Listener, and configure the listener name, frontend protocol, and port.
  3. Click Next: Configure Request Routing Policy.
  4. Click Next: Add Backend Server. Then, click the IP as Backend Servers tab.
  5. Click Add IP as Backend Server. In the displayed dialog box, configure IP Address and Backend Port.

    • IP Address: Enter the IP address of your origin server.
    • Backend Port: Enter the port number.

  6. Click OK.
  7. Click Next: Confirm, confirm the information, and click Submit.

Step 3: Configure a NAT Gateway

  1. Buy a public NAT gateway.

    1. Click in the upper left corner of the page and choose Networking > NAT Gateway.
    2. Click Buy Public NAT Gateway in the upper right corner.
      • Subnet: Select the subnet you configured as the backend subnet in Step 1.
      • Other parameters: Set them to meet your service requirements.
    3. Click Next and confirm the public NAT gateway specifications on the displayed page.
    4. Confirm the details and click Submit.

      It takes 1 to 6 minutes to create a public NAT gateway.

  2. Add an SNAT rule.

    1. On the displayed page, click the name of the public NAT gateway on which you need to add an SNAT rule.
    2. On the SNAT Rules tab, click Add SNAT Rule.

      • Subnet: Select the subnet you configured as the backend subnet in Step 1.

    3. Click OK.

Step 4: Add Website Domain Names to WAF in Cloud Load Balancer Access Mode

  1. Buy the standard edition cloud WAF.

    1. On the management console page, choose Security & Compliance > Web Application Firewall.
    2. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.
      • Region: Select the region nearest to the services WAF will protect.
      • Edition: Select Standard.
      • Expansion Package and Required Duration: Set them based on site requirements.
    3. Confirm the product details and click Buy Now in the lower right corner of the page.
    4. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
    5. On the payment page, select a payment method and pay for your order.

  2. Add the domain name to WAF in cloud load balancer access mode.

    1. In the navigation pane on the left, choose Website Settings.
    2. In the upper left corner of the website list, click Add Website.
    3. Select Cloud - Load balancer and click Configure Now.
    4. On the Add Domain Name pane, configure related information.
    5. Click Confirm.

Verification

If General Check is enabled and Mode is set to Block for your domain name www.example.com, take the following steps to verify the protection effect:

  1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.

  2. Clear the browser cache and enter http://www.example.com?id=1%27%20or%201=1 in the address bar of the browser to simulate an SQL injection attack.

    WAF blocks the access request. Figure 2 shows an example block page.

    Figure 2 Block page

  3. Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view the event log.
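The same verification can be repeated without a browser. The script below is an added example, not part of the original page or of Huawei Cloud's tooling: it sends the benign request and the page's SQL injection probe to the protected domain and interprets the two status codes. The domain name and the status codes WAF's block page may return are assumptions; adjust them to your deployment.

```python
"""Automated check for the Verification section: benign request must reach the
origin through WAF -> ELB -> NAT gateway, the probe must be blocked by WAF."""
import urllib.error
import urllib.request

DOMAIN = "www.example.com"          # assumption: the domain name added to WAF
BLOCK_STATUSES = {403, 418}         # assumption: status codes of WAF's block page
PROBE_QUERY = "id=1%27%20or%201=1"  # the probe string from the Verification section


def build_urls(domain):
    """Return (benign_url, probe_url), the two requests the page describes."""
    base = f"http://{domain}/"
    return base, f"{base}?{PROBE_QUERY}"


def fetch(url, timeout=10):
    """Return (status, first 256 body bytes). HTTP errors are results, not exceptions.
    The Cache-Control header stands in for 'clear the browser cache'."""
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "User-Agent": "waf-verify/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as e:
        return e.code, e.read(256)


def assess(benign_status, probe_status):
    """Map the two status codes to a verdict on the WAF + ELB + NAT gateway chain."""
    if benign_status in BLOCK_STATUSES or benign_status >= 500:
        # Normal traffic does not reach the origin: check the IP-as-backend address
        # and port, the SNAT rule, and that backend and frontend subnets differ.
        return "ORIGIN_NOT_REACHABLE"
    if probe_status in BLOCK_STATUSES:
        return "PROTECTED"          # benign passes, probe is blocked by WAF
    if probe_status == benign_status:
        # Probe answered like normal traffic: General Check is off, Mode is not
        # Block, or the traffic is not passing through WAF at all.
        return "NOT_BLOCKED"
    return "INCONCLUSIVE"


def verify(domain=DOMAIN):
    benign_url, probe_url = build_urls(domain)
    benign_status, _ = fetch(benign_url)
    probe_status, _ = fetch(probe_url)
    return assess(benign_status, probe_status)


if __name__ == "__main__":
    print(verify())
```

A "PROTECTED" verdict should match a corresponding entry on the Events page of the WAF console.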