Updated on 2024-04-17 GMT+08:00

Buying a Dedicated WAF Instance

If your service servers are deployed on Huawei Cloud, you can purchase dedicated WAF instances to protect important domain names or web services that have only IP addresses. To expand protection capacity and eliminate single points of failure (SPOFs), put an Elastic Load Balance (ELB) load balancer in front of your dedicated WAF instances.

Dedicated WAF instances are billed on a pay-per-use basis. You only pay for what you use.

You are advised to buy at least two WAF instances and use both of them to protect your services. When several WAF instances serve the same services and one of them becomes faulty, WAF automatically switches the traffic to the remaining running instances so that protection is not interrupted.

Prerequisites

  • The account used to log in to the WAF console must have the WAF Administrator or WAF FullAccess permission.
  • You are advised to use a parent account to purchase dedicated WAF instances. If you want to use an IAM user to purchase dedicated WAF instances, you need to assign the IAM management permission to the IAM user.
    • For first-time buyers, assign the IAM system role Security Administrator to the IAM user.
    • For non-first-time buyers, assign the IAM system policy IAM ReadOnlyAccess or a custom policy containing the following permissions to the IAM user:
      • iam:agencies:listAgencies
      • iam:agencies:getAgency
      • iam:permissions:listRolesForAgency
      • iam:permissions:listRolesForAgencyOnProject
      • iam:permissions:listRolesForAgencyOnDomain

    For details, see Creating a User Group and Granting Permissions.

  • A VPC has been created.
  • The Organizations service is in open beta test (OBT). To use organization rules, apply for OBT.
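A least-privilege check for the custom permission list above, added here as an example rather than Huawei Cloud's own tooling: the policy document is a constructed sample in the shape of a Huawei Cloud IAM custom policy (the "Version": "1.1" and "Statement"/"Effect"/"Action" layout, and Deny-over-Allow evaluation, are assumptions), and the checker reports which of the five listed actions a policy fails to grant and which Allow entries use wildcards broader than a WAF buyer needs.

```python
"""Check that an IAM user's policy grants the actions listed under
Prerequisites for non-first-time buyers of dedicated WAF instances.

Added example, not Huawei Cloud code. The policy below is a constructed
sample; the document layout ("Version": "1.1", "Statement" entries with
"Effect" and "Action") and Deny-beats-Allow evaluation are assumptions.
"""
from fnmatch import fnmatchcase

# The five actions named on the page.
REQUIRED_ACTIONS = (
    "iam:agencies:listAgencies",
    "iam:agencies:getAgency",
    "iam:permissions:listRolesForAgency",
    "iam:permissions:listRolesForAgencyOnProject",
    "iam:permissions:listRolesForAgencyOnDomain",
)

# Constructed sample: the narrowest custom policy that satisfies the page.
WAF_BUYER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS)},
    ],
}


def split_statements(policy):
    """Collect the Allow and Deny action patterns of a policy document."""
    allow, deny = set(), set()
    for stmt in policy.get("Statement", []):
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.update(stmt.get("Action", []))
    return allow, deny


def _matches(patterns, action):
    # Wildcards such as "iam:agencies:*" or "iam:*:*" match whole actions.
    return any(fnmatchcase(action, p) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant (an explicit Deny wins)."""
    allow, deny = split_statements(policy)
    return [a for a in required if _matches(deny, a) or not _matches(allow, a)]


def wildcard_grants(policy):
    """Allow entries containing wildcards: a least-privilege smell when the
    buyer only needs five list/get actions."""
    allow, _ = split_statements(policy)
    return sorted(a for a in allow if "*" in a)


if __name__ == "__main__":
    print("missing:", missing_actions(WAF_BUYER_POLICY))
    print("wildcards:", wildcard_grants(WAF_BUYER_POLICY))
```

Run the checker against the policy attached to the purchasing IAM user before the purchase; an empty `missing_actions` result with an empty `wildcard_grants` result is the least-privilege outcome, while a policy that passes only because of an `iam:*:*` grant should be tightened.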

Constraints

  • If the dedicated WAF instances and the origin servers they protect are not in the same VPC, you can use a VPC peering connection to connect the two VPCs. This method is not recommended, because VPC peering connections are not always stable enough.
    • For details about supported regions, see In Which Regions Is WAF Available?
    • Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.
  • If you enable Anti-affinity, a maximum of five dedicated WAF instances can be created.

Specification Limitations

The specifications of a dedicated WAF instance cannot be modified.

Application Scenarios

Dedicated WAF instances are a good choice if your service servers are deployed on Huawei Cloud and you plan to protect your website by adding its domain names or IP addresses to WAF.

This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  3. In the upper right corner of the page, click Buy WAF.
  4. (Optional) Select an enterprise project from the Enterprise Project drop-down list.

    This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members.

    • Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
    • The default option is available in the Enterprise Project drop-down list only after you purchase WAF under the logged-in account.

  5. On the Buy Web Application Firewall page, select Dedicated Mode for WAF Mode.
  6. Configure instance parameters by referring to Table 1.

    Figure 1 Configuring a dedicated WAF instance
    Table 1 Parameters of a dedicated WAF instance (each parameter is followed by its description)

    Region

    For details about supported regions, see In Which Regions Is WAF Available?

    Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster and reduce latency, select the region nearest to your services.

    Project

    Select a project in the target region.

    AZ

    Select an AZ in the selected region.

    NOTE:

    After an AZ is selected, it cannot be changed after the purchase.

    Instance Name Prefix

    Set a prefix for the dedicated WAF instance name. If you purchase multiple instances, every instance name starts with the same prefix.

    Quantity

    Set the number of WAF instances you want to buy.

    You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.

    Specifications

    Specifications WI-500 and WI-100 are available.

    • Specifications: WI-500. Referenced performance:
      • HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000.
      • HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000.
      • WebSocket service - Maximum concurrent connections: 5,000
      • Maximum WAF-to-server persistent connections: 60,000
    • Specifications: WI-100. Referenced performance:
      • HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000.
      • HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600.
      • WebSocket service - Maximum concurrent connections: 1,000
      • Maximum WAF-to-server persistent connections: 60,000

    WAF Instance Type

    Select a WAF instance type. Only Network interface is available now.

    The WAF instance will be connected to your network through a VPC network interface. Only dedicated load balancers can be used for this type of instance. For details, see Website Connection Process (Dedicated Mode).

    NOTE:

    WAF also provides the ECS type of WAF instance. This type of WAF instance is deployed on your own ECSs. You can view the ECSs housing your WAF instances on the ECS console. To use this type of WAF instance, submit a service ticket. Note that only some regions support this type of WAF instance.

    VPC

    Select the VPC to which the origin server belongs.

    Subnet

    Select a subnet configured in the VPC.

    Security Group

    Select a security group in the region or click Manage Security Group to go to the VPC console and create a security group. After you select a security group, the WAF instance will be protected by the access rules of the security group.

    NOTICE:
    • You can configure your security group as follows:
      • Inbound rules

        Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.

      • Outbound rules

        Retain the default settings. All outgoing network traffic is allowed by default.

      For more details, see Adding a Security Group Rule.

    • If your dedicated WAF instance and origin server are not in the same VPC, enable communications between the instance and the subnet of the origin server in the security group.

    Tag

    TMS's predefined tag function is recommended for adding the same tag to different cloud resources.

    If your organization has configured a tag policy for Web Application Firewall (WAF), you need to add tags to dedicated WAF instances based on the tag policy rules. If a tag does not comply with the policy, the dedicated WAF instance may fail to be created. Contact your organization administrator to learn more about tag policies.

    Authorization

    This parameter is available the first time you purchase a WAF instance. After you enable the authorization, WAF creates an agency in IAM on your behalf to grant itself the related permissions.

    Anti-affinity

    • If you enable this function, a maximum of five dedicated WAF instances can be created.
    • If you enable this function, dedicated instances will be deployed on different physical servers as much as possible to improve service reliability.

  7. Confirm the product details and click Buy Now in the lower right corner of the page.
  8. Confirm the order details and click Pay Now.
  9. On the payment page, select a payment method and pay for your order.
  10. After the payment is successful, click Back to Dedicated Engine List. On the Dedicated Engine page, view the instance status.

Verification

It takes about 5 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created successfully.

Related Operations

Managing Dedicated WAF Engines

This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.

Authorizing WAF to Access Data in the VPC Your Website Resides

If you expect to use a dedicated WAF instance, authorize WAF to directly access data in the VPC by enabling certain security rules.

By purchasing a WAF dedicated instance, you agree to authorize WAF to enable such security rules. Currently, the security group rules listed in Table 2 will be automatically enabled for a dedicated WAF instance.

Table 2 Security group rules for WAF to access the VPC your website resides

Inbound rules

  Protocol & Port   Type   Source Address    Description
  TCP: 22           IPv4   100.64.0.0/10     WAF remote O&M

Outbound rules

  Protocol & Port   Type   Source Address    Description
  TCP: 9011         IPv4   100.125.0.0/16    WAF event logs reporting
  TCP: 9012         IPv4   100.125.0.0/16    WAF event logs reporting
  TCP: 9013         IPv4   100.125.0.0/16    WAF event logs reporting
  TCP: 9018         IPv4   100.125.0.0/16    WAF policy synchronization
  TCP: 9019         IPv4   100.125.0.0/16    WAF heartbeat logs reporting
  TCP: 4505         IPv4   100.125.0.0/16    WAF policy synchronization
  TCP: 4506         IPv4   100.125.0.0/16    WAF policy synchronization
  TCP: 50051        IPv4   100.125.0.0/16    WAF performance logs reporting
  TCP: 443          IPv4   100.125.0.0/16    WAF policy synchronization
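An audit of a dedicated instance's security group against the rules in Table 2 and the inbound/outbound guidance given for the Security Group parameter in Table 1, added here as an example and not Huawei Cloud's own code. Security group rules are plain dicts constructed inline (direction, protocol, port range, remote CIDR); mapping rules exported from the VPC console or API into that shape is left to the reader. The checker reports which documented WAF rules are not covered and whether the remote O&M port (TCP 22) is reachable from more than the documented 100.64.0.0/10 range, which is the misconfiguration a reviewer most wants to catch when a port is opened "based on your service requirements".

```python
"""Audit a security group against the WAF rules documented on this page.

Added example, not Huawei Cloud code. Rule dicts are a constructed shape:
  direction  "inbound" | "outbound"
  protocol   "tcp" | "udp" | "any"
  port_range (low, high), omitted for all ports
  remote     CIDR of the source (inbound) or destination (outbound)
"""
import ipaddress

# Outbound rules of Table 2 (port, description); all go to 100.125.0.0/16.
_OUTBOUND = [
    (9011, "WAF event logs reporting"), (9012, "WAF event logs reporting"),
    (9013, "WAF event logs reporting"), (9018, "WAF policy synchronization"),
    (9019, "WAF heartbeat logs reporting"), (4505, "WAF policy synchronization"),
    (4506, "WAF policy synchronization"), (50051, "WAF performance logs reporting"),
    (443, "WAF policy synchronization"),
]
WAF_REQUIRED_RULES = [
    {"direction": "inbound", "protocol": "tcp", "port": 22,
     "remote": "100.64.0.0/10", "desc": "WAF remote O&M"},
] + [
    {"direction": "outbound", "protocol": "tcp", "port": p,
     "remote": "100.125.0.0/16", "desc": d}
    for p, d in _OUTBOUND
]

# Constructed sample security group with two findings built in.
SAMPLE_SECURITY_GROUP = [
    # O&M port opened to the whole Internet instead of 100.64.0.0/10
    {"direction": "inbound", "protocol": "tcp", "port_range": (22, 22), "remote": "0.0.0.0/0"},
    # service port 80, as in the Security Group parameter text
    {"direction": "inbound", "protocol": "tcp", "port_range": (80, 80), "remote": "0.0.0.0/0"},
    # an allow-all outbound rule that exists only for IPv6
    {"direction": "outbound", "protocol": "any", "remote": "::/0"},
    # explicit outbound rules for Table 2, with TCP 443 left out
    *[{"direction": "outbound", "protocol": "tcp", "port_range": (p, p), "remote": "100.125.0.0/16"}
      for p, _ in _OUTBOUND if p != 443],
]


def _port_covered(rule, port):
    low, high = rule.get("port_range", (1, 65535))
    return low <= port <= high


def _covers(rule, needed):
    """True if a security group rule allows the documented WAF rule."""
    if rule["direction"] != needed["direction"]:
        return False
    if rule["protocol"] not in ("any", needed["protocol"]):
        return False
    if not _port_covered(rule, needed["port"]):
        return False
    allowed = ipaddress.ip_network(rule["remote"], strict=False)
    wanted = ipaddress.ip_network(needed["remote"], strict=False)
    # An IPv6 allow-all rule says nothing about the IPv4 ranges WAF uses.
    return allowed.version == wanted.version and wanted.subnet_of(allowed)


def missing_rules(sg_rules, needed=WAF_REQUIRED_RULES):
    """Documented WAF rules that no rule in the security group covers."""
    return [n for n in needed if not any(_covers(r, n) for r in sg_rules)]


def broad_management_access(sg_rules, mgmt_port=22, expected="100.64.0.0/10"):
    """Inbound rules exposing the O&M port beyond the documented source range."""
    expected_net = ipaddress.ip_network(expected)
    findings = []
    for rule in sg_rules:
        if rule["direction"] != "inbound" or rule["protocol"] not in ("any", "tcp"):
            continue
        if not _port_covered(rule, mgmt_port):
            continue
        remote = ipaddress.ip_network(rule["remote"], strict=False)
        if remote.version != expected_net.version or not remote.subnet_of(expected_net):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for n in missing_rules(SAMPLE_SECURITY_GROUP):
        print(f"MISSING  {n['direction']:8} TCP {n['port']:<6} {n['remote']:16} {n['desc']}")
    for r in broad_management_access(SAMPLE_SECURITY_GROUP):
        print(f"BROAD    inbound port 22 from {r['remote']} (expected within 100.64.0.0/10)")
```

With the default outbound rule kept, as the page recommends, an IPv4 allow-all outbound rule covers every Table 2 outbound entry and `missing_rules` stays empty; the sample deliberately has only an IPv6 allow-all so that the absent TCP 443 rule is reported. The broad-access check is the one worth running after every rule change, since a port 22 rule from 0.0.0.0/0 also "covers" the documented rule and would not show up as missing.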