Integrating WAF with ELB to Protect Your Websites

Scenarios

If your service servers are deployed on Huawei Cloud, you can purchase dedicated WAF instances to protect important domain names or websites that only use IP addresses to provide services.

In this way, ELB routes HTTP or HTTPS requests first to dedicated WAF instances for filtering out malicious traffic and the latter then directs normal traffic to backend servers.

This document describes how you can add dedicated WAF instances to the backend server group of your load balancer to protect your websites.

Constraints

• The security group rules configured for backend servers must allow traffic from the backend subnet where the load balancer resides to the backend servers over the backend port. For details, see Configuring Security Group Rules for Backend Servers.
• The security group rules configured for WAF instances must allow traffic over the specified port. For details, see Adding a Security Group Rule.

Traffic Path

After WAF is integrated with ELB, the traffic flow is as illustrated in Figure 1.

Figure 1 Traffic path

Procedure

Figure 2 Process for associating a dedicated WAF instance with an application load balancer

Creating an Application Load Balancer

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
4. On the Load Balancers page, click Buy Elastic Load Balancer. For details, see Creating a Dedicated Load Balancer.

   Complete the basic configuration of the load balancer as prompted. For example, select Application load balancing (HTTP/HTTPS) for Specifications.

   Figure 3 Creating an application load balancer (Dedicated)
   
5. Configure the network as prompted.

   Choose Public IPv4 network for Network Type and select an existing EIP for or assign a new EIP to the load balancer to receive requests from public networks.

   Figure 4 Selecting an EIP for the load balancer
   
6. Confirm the information, click Next, and submit your request.

Adding an HTTP Listener and Creating a Backend Server Group

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
4. On the Load Balancers page, locate the created load balancer and click its name.
5. Under Listeners, click Add Listener. Add an HTTP listener and specify a frontend port for it.
   For details, see .

   Figure 5 Adding an HTTP listener
   
6. Click Next: Configure Request Routing Policy. On the Configure Routing Policy page, select Create new for Backend Server Group.
   Figure 6 Creating a backend server group
   
7. Click Next: Add Backend Server. Add backend servers and configure health check for the backend server group.
8. Click Next: Confirm, confirm the settings, and click Submit.

Translating Domain Names into the EIP of the Load Balancer

Use Huawei Cloud DNS to translate your domain name, such as www.example.com, into the EIP bound to your load balancer.

For details about how to configure DNS, see Routing Internet Traffic to a Website.

Buying a Dedicated WAF Instance

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
4. In the upper right corner of the page, click Buy WAF. Configure the parameters as prompted. Select Dedicated Mode for WAF Mode.
   For more details, see Buying a Dedicated WAF Instance.

   Figure 7 Buying a dedicated WAF instance
   
5. Confirm the settings and go through the subsequent steps to complete the purchase.

Adding Your Website to WAF

You can add your website (domain name: www.example.com) to WAF by following the below steps. For more details, see Adding a Website to WAF (Dedicated Mode).

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
4. In the navigation pane on the left, choose Website Settings.
5. In the upper left corner of the website list, click Add Website.
   In the displayed dialog box, select Dedicated mode and click OK.

   Figure 8 Adding a domain name to WAF
   
6. Confirm the advanced settings. Set Proxy Configured to Layer-7 proxy.
   Figure 9 Confirming advanced settings
   

Associating WAF with Your Load Balancer

You can add THE dedicated WAF instance to the backend server group. Ensure that the network ACL and the security group that contains the WAF instance allow traffic from IP address ranges where the WAF instance and load balancer are deployed.

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
5. Locate the WAF instance created in Buying a Dedicated WAF Instance and choose More > Add to ELB in the Operation column.
6. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group.
   Figure 10 Adding the WAF instance to a load balancer
   
7. Click Confirm. Set Backend Port to the one configured for Protected Port in Adding Your Website to WAF.
8. Click Confirm.

Whitelisting the Back-to-Source IP Addresses of Your Dedicated WAF Instance

In dedicated mode, website traffic is directed to the load balancer and then to dedicated WAF instances. The latter filters out malicious traffic and routes only normal traffic to the origin server.

In this way, the origin server only communicates with WAF back-to-source IP addresses. By doing so, WAF protects the origin server from being attacked. In dedicated mode, the WAF back-to-source IP addresses are the subnet IP addresses of the dedicated WAF instances.

The security software on the origin server may most likely regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server will deny all WAF requests. As a result, your website may become unavailable or respond very slowly. Therefore, ACL rules must be configured on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.

For details, see Pointing Traffic to a Load Balancer.