Updated on 2024-09-29 GMT+08:00

AAD and WAF Interworking

Scenarios

This topic describes how to configure DNS resolution to implement interworking between AAD and WAF.

After AAD and WAF interworking is enabled, traffic passes through AAD first (DDoS mitigation) and is then forwarded to WAF (web attack protection) before reaching the origin server, so the two services provide layered protection.

Figure 1 AAD and WAF interworking

Note that when multiple domain names are protected by the same AAD instance and port and each uses a WAF CNAME as its origin server, AAD forwards all of them to the same origin domain type. If the origin server IP addresses behind those WAF CNAMEs differ and WAF is bypassed for all of them, every domain name bound to that high-defense IP address and port becomes inaccessible.

Prerequisites

  • You have purchased an AAD instance.
  • You have purchased cloud WAF and properly configured the protected domain names.

Constraints

  • Joint protection with AAD and WAF is available only for domain names, not for IP addresses.

When configuring joint protection, the domain name must be added in WAF and in AAD separately: WAF protects it and provides the WAF CNAME, and AAD uses that CNAME as its origin server.

  • For a given high-defense IP address and port, you can configure only one type of origin server. Once an origin server domain name is set for that IP address and port, you cannot add an origin server IP address to it.

Procedure

  1. Obtain the WAF CNAME value.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    4. In the navigation pane, choose Website Settings.
    5. On the Domains page, click the target domain name whose CNAME value you want to obtain.
    6. In the Basic Information area, click the edit icon next to Use Layer-7 Proxy.
      Figure 2 Basic information
    7. In the dialog box that is displayed, select No and click OK.
    8. On the Basic Information page, copy the CNAME.
      Figure 3 Copying the CNAME value

  2. Add the obtained WAF CNAME value to an AAD instance.

    After interworking with WAF is configured, no certificate needs to be uploaded for website services.

    1. Click in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
    2. Choose AAD > Domain Name Access. The Domain Name Access configuration page is displayed.
    3. Select Chinese mainland or Other.
    4. Click Add Domain.
    5. Enter the domain name information and click Next.
      Figure 4 Configuring website domain
      Table 1 Parameter description

      Parameter

      Description

      Protected Domain Name

      Enter the domain name of the service to protect. Wildcard domain names are supported, for example, *.domain.com.

      Origin Server Type

      Set this parameter to Domain name and enter the copied WAF CNAME as the origin server domain name. Do not enter the origin server IP address; traffic must reach the origin only through WAF.

      Server Configuration

      Enter the forwarding protocol and port that AAD uses to reach the origin server (here, WAF).

    6. On the Select Instance and Line page, select the required instances and high-defense IP addresses and click Submit and Continue.
      Figure 5 Selecting an instance and a line

  3. Click Next.
  4. On the Modify DNS Resolution page, copy the CNAME of the AAD and click Finish.

    Figure 6 Copying AAD CNAME

  5. Modify DNS configuration.

    1. Click in the upper left corner of the page and choose Network > Domain Name Service. The Domain Name Service management console is displayed.
    2. Click Public Zones.
    3. Locate the row that contains the target domain name, and choose Manage Record Set.
    4. Click Add Record Set to add a CNAME record set.
      Figure 7 Adding a record set
      Table 2 Key parameters

      Parameter

      Description

      Name

      Set this parameter to the domain name configured in AAD.

      Record Type

      Select CNAME – Map one domain to another. A CNAME cannot coexist with other record types for the same name, so remove any existing A or AAAA record for the domain name before adding the CNAME record set.

      Line

      Select Default.

      TTL (s)

      TTL is short for time-to-live, which specifies the cache period of resource records on a local DNS server. If your service address is frequently changed, set TTL to a smaller value.

      DNS record

      Enter the copied AAD CNAME.

      DNS changes take time to propagate. In most cases the new record takes effect within 5 minutes, but resolvers that cached the previous record keep using it until its TTL expires.
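The checks below verify the DNS chain that the procedure above creates: protected domain, CNAME to the AAD CNAME, A record to the high-defense IP, while the WAF CNAME (AAD's origin server) resolves on its own but is never what the protected domain resolves to. This is an added example, not code from the original page or from the cloud provider. All names (example.com, abc123.aad.example-cloud.net, def456.waf.example-cloud.net), the RFC 5737 test addresses and the in-memory zone are constructed assumptions so the example runs offline.

```python
"""Verify the public DNS chain after the AAD and WAF interworking procedure.

Expected chain once the record set is added:
    protected domain --CNAME--> AAD CNAME --A--> high-defense IP(s)
The WAF CNAME is AAD's origin and is forwarded to server-side, so it must
resolve, but the protected domain must never resolve to WAF's IPs directly.
"""
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns (record_type, values) for a name, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[Tuple[str, List[str]]]]

MAX_CHAIN = 8  # hard stop for runaway or looping CNAME chains


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def follow_cname_chain(name: str, resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Follow CNAME records from `name` until A records are reached.

    Returns (cname_targets_in_order, sorted_ip_addresses). Raises ValueError
    on NXDOMAIN, on a CNAME loop, or when the chain exceeds MAX_CHAIN hops.
    """
    chain: List[str] = []
    seen = set()
    current = _norm(name)
    while True:
        if current in seen:
            raise ValueError(f"CNAME loop detected at {current}")
        seen.add(current)
        rr = resolve(current)
        if rr is None:
            raise ValueError(f"{current} does not resolve (NXDOMAIN)")
        rtype, values = rr
        if rtype == "A":
            return chain, sorted(values)
        if rtype != "CNAME":
            raise ValueError(f"unexpected {rtype} record at {current}")
        if len(chain) >= MAX_CHAIN:
            raise ValueError(f"CNAME chain from {name} exceeds {MAX_CHAIN} hops")
        current = _norm(values[0])
        chain.append(current)


def check_interworking(domain: str, aad_cname: str, waf_cname: str,
                       high_defense_ips: List[str], resolve: Resolver) -> Dict[str, bool]:
    """Run the post-change checks; every value should be True."""
    chain, public_ips = follow_cname_chain(domain, resolve)
    results = {
        # The record set added in step 5 must send the domain to the AAD CNAME first.
        "domain_points_to_aad": bool(chain) and chain[0] == _norm(aad_cname),
        # Public resolution must end only on high-defense IPs; anything else bypasses AAD.
        "resolves_to_high_defense_ips": bool(public_ips) and set(public_ips) <= set(high_defense_ips),
    }
    try:
        _, waf_ips = follow_cname_chain(waf_cname, resolve)
        # AAD can only forward to an origin domain name that actually resolves.
        results["waf_cname_resolves"] = bool(waf_ips)
        # WAF's own front IPs must not be reachable via the protected domain.
        results["waf_not_exposed_directly"] = not (set(public_ips) & set(waf_ips))
    except ValueError:
        results["waf_cname_resolves"] = False
        results["waf_not_exposed_directly"] = False
    return results


# Constructed in-memory zone (hypothetical names, RFC 5737 test addresses) so the
# example runs offline. Swap zone_resolver for a real DNS client in production.
CONSTRUCTED_ZONE: Dict[str, Tuple[str, List[str]]] = {
    "www.example.com": ("CNAME", ["abc123.aad.example-cloud.net."]),  # step 5 record set
    "abc123.aad.example-cloud.net": ("A", ["203.0.113.10"]),         # AAD high-defense IP
    "def456.waf.example-cloud.net": ("A", ["198.51.100.20"]),        # WAF CNAME (AAD origin)
    "stale.example.com": ("A", ["192.0.2.5"]),                       # never switched to CNAME
    "loop.example.com": ("CNAME", ["loop2.example.com"]),            # misconfigured loop
    "loop2.example.com": ("CNAME", ["loop.example.com"]),
}


def zone_resolver(name: str) -> Optional[Tuple[str, List[str]]]:
    return CONSTRUCTED_ZONE.get(_norm(name))


if __name__ == "__main__":
    for host in ("www.example.com", "stale.example.com"):
        print(host, check_interworking(host, "abc123.aad.example-cloud.net",
                                       "def456.waf.example-cloud.net",
                                       ["203.0.113.10"], zone_resolver))
```

To run this against live DNS, replace zone_resolver with a function that queries a public resolver (for example, with dnspython's dns.resolver.resolve for the CNAME and A types; that library is an assumption, not something the page uses) and compare the result from a resolver outside your own network, since a local cache can keep the old A record until its TTL expires.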