Updated on 2024-11-18 GMT+08:00

Limitations and Constraints

This topic describes some limitations and constraints on using WAF.

Protection Object Limitations

Table 1 Protection object limitations

| Access Mode | Protected Object |
|---|---|
| Cloud mode - CNAME access | Domain names only; protection for web services on Huawei Cloud, other clouds, and on-premises |
| Cloud mode - Load balancer | Domain names; IP addresses; protection for only web services on Huawei Cloud |
| Dedicated mode | Domain names; IP addresses; protection for only web services on Huawei Cloud |

Service Edition Limitations

  • An account can select only one WAF edition within a larger geographical region.

    For example, within the CN East region, an account can select only one WAF edition across CN East-Shanghai1 and CN East-Shanghai2.

    Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.

  • Service edition selection:
    • You can use Cloud Mode - Load balancer access mode only after you purchase the standard, professional, or platinum edition in cloud mode.
    • In dedicated mode, your dedicated instances and origin servers should be in the same VPC. If they are not in the same VPC, you need to use a VPC Peering Connection to connect the two VPCs.

Constraints on Protected Domain Names

  • If a domain name is added to WAF in cloud CNAME access mode, make sure the domain name has been registered with an ICP license. WAF will check the domain name ICP license. Domain names that are not licensed cannot be added to WAF.
  • A protected object can only be added to WAF once.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 count as two domain names against the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

Certificate Constraints

  • Only .pem certificates can be used in WAF.
  • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

ELB Load Balancer Constraints

  • Dedicated WAF instances can use only dedicated ELB load balancers. For details about load balancer types, see Differences Between Dedicated and Shared Load Balancers.

    Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023).

  • In cloud load balancer access mode, only dedicated load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used.

Specifications Limitations

  • For details about the service specifications supported by each WAF edition, see Specifications Supported by Each Edition.
  • After your website is connected to WAF, the size of a file you can upload to the website at a time is limited as follows:
    • Cloud mode - CNAME access: 1 GB
    • Cloud mode - load balancer access or dedicated mode: 10 GB
  • The bandwidth limit applies only to websites connected to WAF in cloud CNAME access mode. Websites connected to WAF in load balancer access mode have no bandwidth limit, only a QPS limit.