Updated on 2024-07-25 GMT+08:00

Website Connection Overview

To use Web Application Firewall (WAF) to protect your web services, the services must be connected to WAF. WAF provides three access modes for you to connect web services to WAF: cloud CNAME, cloud load balancer, and dedicated access modes. You can select a proper access method based on how your web services are deployed. This topic describes how WAF works in different access modes, their differences, and when to use them.

Application Scenarios

WAF provides the following access modes for you to connect websites to WAF.

Constraints

There are some restrictions on using different access modes.

When you connect your website to WAF in cloud CNAME access mode, pay attention to the following restrictions.

Constraint

Description

Domain name

  • A domain name can only be added to WAF once in cloud mode.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

  • Only the domain names that have been registered with ICP licenses can be added to WAF.

Service edition

  • Only the professional and platinum editions support IPv6 protection, HTTP2, and load balancing algorithms.
  • If you are using WAF standard edition, only system-generated policy can be selected for Policy.

Certificate

  • Only .pem certificates can be used in WAF.
  • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

WebSocket protocol

WAF supports the WebSocket protocol, which is enabled by default.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTP.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTPS.

HTTP/2

HTTP/2 can be used only between the client and WAF, and only if at least one origin server has Client Protocol set to HTTPS.

  • For Server Configuration to work, there must be at least one server configuration record with Client Protocol set to HTTPS.
  • HTTP/2 can work only when the client supports TLS 1.2 or earlier versions.

Specifications

After your website is connected to WAF, you can upload a file no larger than 10 GB each time.

When you connect your website to WAF in cloud load balancer access mode, pay attention to the following restrictions.

  • Only dedicated ELB load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used. Dedicated load balancers with Specifications set to Network load balancing (TCP/UDP) are not supported.
  • Only the professional and platinum editions allow you to specify a custom policy for Policy.

When you connect your website to WAF in dedicated mode, the restrictions are as follows:

Constraint

Description

ELB load balancer

When a website is connected to a dedicated WAF instance, only dedicated ELB load balancers are supported. For details, see Load Balancer Types.
NOTE:

Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023). For details, see Dedicated Engine Version Iteration.

Domain name

  • The wildcard domain name * can be added to WAF. When the domain name is set to *, only non-standard ports (ports other than 80 and 443) can be protected.
  • A protected object can only be added to WAF once.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

Proxy

If a layer-7 proxy server, such as CDN or cloud acceleration, is used before WAF, you need to select Layer-7 proxy for Proxy Configured. By doing this, WAF can obtain real client access IP addresses from the configured header field. For details, see Configuring a Traffic Identifier for a Known Attack Source.

Certificate

  • Only .pem certificates can be used in WAF.
  • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

WebSocket protocol

WAF supports the WebSocket protocol, which is enabled by default.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTP.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTPS.

Processes of Connecting a Website to WAF

The process of connecting a website to WAF varies depending on the access mode you select.

When connecting a website to WAF in CNAME access mode, refer to the process shown in Figure 1.

Figure 1 Process of connecting a website to WAF - Cloud Mode (CNAME Access)
Table 1 Process of connecting your website domain name to WAF

Procedure

Description

Adding a Domain Name to WAF

Configure basic information, such as the domain name, protocol, and origin server.

Whitelisting WAF back-to-source IP addresses

If other security software or firewalls are installed on your origin server, whitelist only requests from WAF. This ensures normal access and protects the origin server from requests that reach it directly, bypassing WAF.

Testing WAF

To ensure that your WAF instance forwards website traffic normally, test the WAF instance locally first, and only then route traffic destined for the website domain name to WAF by modifying the DNS record.

Modifying DNS Records for a Domain Name

  • No proxy used

    Configure a CNAME record for the protected domain name on the DNS platform you use.

  • Proxy (such as advanced anti-DDoS and CDN) used

    Change the back-to-source address of the proxy in use (such as advanced anti-DDoS or CDN) to the CNAME record copied from WAF.
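The two origin-side steps above, whitelisting only the WAF back-to-source addresses and, when a layer-7 proxy sits before WAF, taking the real client address from a header rather than from the TCP peer, are easy to get wrong: the header is only meaningful when the connection actually arrived through WAF. The following is an added example, not Huawei Cloud code or a WAF feature; WAF_RANGES, UPSTREAM_PROXY_RANGES, the sample addresses and the X-Forwarded-For header layout are all constructed placeholders that you would replace with the back-to-source ranges shown in your WAF console and the header your proxy actually sets.

```python
# Added example (not Huawei Cloud code): origin-side enforcement for a site behind WAF.
# Assumptions, all constructed placeholders:
#   - WAF_RANGES stands in for the WAF back-to-source IP ranges listed in the WAF console.
#   - UPSTREAM_PROXY_RANGES stands in for the layer-7 proxy (CDN) deployed before WAF.
#   - The client IP header is X-Forwarded-For with the original client leftmost.
import ipaddress
from typing import Optional, Tuple

WAF_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
UPSTREAM_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def _in_ranges(ip: str, ranges) -> bool:
    """True when ip parses and falls inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def is_from_waf(peer_ip: str) -> bool:
    """Whitelist check: only the WAF back-to-source ranges may reach the origin."""
    return _in_ranges(peer_ip, WAF_RANGES)


def real_client_ip(peer_ip: str, xff: Optional[str]) -> Optional[str]:
    """Derive the client IP the origin should log and rate-limit on.

    The header is trusted only when the peer is WAF; otherwise it is under the
    sender's control and the peer address itself is the client. Hops are walked
    from the right, skipping known proxies; the first unknown hop is the client.
    """
    if not is_from_waf(peer_ip):
        return peer_ip
    trusted = WAF_RANGES + UPSTREAM_PROXY_RANGES
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry next to the trusted edge: do not guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # header missing, or every hop is a proxy: no client address


def handle_request(peer_ip: str, xff: Optional[str]) -> Tuple[str, Optional[str], str]:
    """Return (action, client_ip, reason) for one inbound connection."""
    if not is_from_waf(peer_ip):
        # Connection did not come through WAF: the header is ignored and the
        # request is refused so the origin cannot be reached around WAF.
        return ("reject", peer_ip, "peer not in WAF back-to-source ranges")
    client = real_client_ip(peer_ip, xff)
    if client is None:
        return ("allow", None, "from WAF but client IP unresolvable; log as anomaly")
    return ("allow", client, "ok")


# Constructed sample connections: (TCP peer address, X-Forwarded-For header value).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", "203.0.113.5, 198.51.100.7"),  # client -> CDN -> WAF -> origin
    ("192.0.2.10", "203.0.113.5"),                # client -> WAF -> origin
    ("203.0.113.9", "10.0.0.1"),                  # direct to origin, forged header
    ("192.0.2.10", "203.0.113.5, garbage"),       # malformed header from the edge
    ("192.0.2.10", None),                         # WAF peer but no header at all
]

if __name__ == "__main__":
    for peer, xff in SAMPLE_CONNECTIONS:
        print(peer, repr(xff), "->", handle_request(peer, xff))
```

The same decision belongs in whatever actually terminates the connection on the origin (a web server ACL, a host firewall, or application middleware); the point of the example is the ordering: decide whether the peer is WAF first, and only then read any client-address header.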

In cloud load balancer access mode, you can connect your website to WAF in just a few clicks. For details, see Connecting a Website to WAF (Cloud Mode - Load Balancer Access).

When connecting a website to WAF in dedicated mode, refer to the process shown in Figure 2.

Figure 2 Process of connecting a website to a dedicated WAF instance

Impact on the System

If a non-standard port is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?

Fixing Inaccessible Websites

If a domain name fails to be connected to WAF, its access status is Inaccessible. To fix this issue, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?