Buying Dedicated Mode WAF

Prerequisites

• IAM users used to log in to the WAF console must have the WAF Administrator or WAF FullAccess permission.
• You are advised to use a parent account to purchase dedicated WAF instances. If you want to use an IAM user to purchase dedicated WAF instances, you need to assign the IAM management permission to the IAM user.
  • For first-time buyers, you need to assign IAM system role Security Administrator to them.
  • For non-first-time buyers, you need to assign IAM system policy IAM ReadOnlyAccess or custom permissions to them. The permissions are as follows:
    • iam:agencies:listAgencies
    • iam:agencies:getAgency
    • iam:permissions:listRolesForAgency
    • iam:permissions:listRolesForAgencyOnProject
    • iam:permissions:listRolesForAgencyOnDomain

  For details, see Creating a User Group and Granting Permissions.

• A VPC has been created. For details, see Creating a VPC and Subnet.
• The Organizations service is under open beta test (OBT). To use organization rules, apply for OBT.

Constraints

• If dedicated WAF instances and origin servers they protect are not in the same VPC, you can use a VPC peering connection to connect two VPCs. This method is not recommended as VPC peering connections may be not stable enough sometimes.
• Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services. For details about supported regions, see In Which Regions Is WAF Available?

Specification Limitations

The specifications of a dedicated WAF instance cannot be modified.

Buying a Dedicated WAF Instance

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the upper right corner of the page, click Buy WAF.
5. On the Dashboard page, click Buy WAF.
6. On the Buy Web Application Firewall page, select Dedicated for WAF Mode.
7. On the Buy Web Application Firewall page, configure parameters according to Table 1.

   Table 1 Parameters of a dedicated WAF instance

   Parameter		Description	Example Value
   Basic Settings	WAF Mode	WAF mode you want to buy. If you select Dedicated Mode, Connecting Your Website to WAF with Dedicated Mode is supported.	Dedicated Mode
   	Billing Mode	Billing mode of WAF. Select Pay-per-use, which is a postpaid payment method. For details about pay-per-use billing, see Pay-per-Use Billing.	Pay-per-use
   	Region	Region where the WAF instance will be deployed. Select a region from the Region drop-down list. Only one WAF edition can be purchased in a region. Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.	-
   	General	Select an AZ in the selected region. An Availability Zone (AZ) is a physical area where resources use independent power supply and networks. AZs are physically isolated from one another but interconnected through an internal network. You can select an AZ when you buy a WAF instance. A region has multiple AZs. If one AZ becomes faulty, other AZs in the same region are not affected. Random: The cloud platform will assign an AZ based on the ECS you selected. ECSs of different specifications are located in different AZs. For example, the S6 ECSs are available only in AZ 1. S3 ECSs can be purchased in AZ 2 and AZ 3 and has been sold out in AZ 1. Specified: You can select AZ 1, AZ 2, AZ 3, or AZ 7. CAUTION: After an AZ is selected, it cannot be changed after the purchase.	-
   Edition	Edition	Specifications WI-500 and WI-100 are available. Specifications: WI-500. Estimated performance: HTTP services: 5,000 QPS (recommended) HTTPS services: 4,000 QPS (recommended) WebSocket service - Maximum concurrent connections: 5,000 Maximum WAF-to-server persistent connections: 60,000 Specifications: WI-100. Estimated performance: HTTP services: 1,000 QPS (recommended) HTTPS services: 800 QPS (recommended) WebSocket service - Maximum concurrent connections: 1,000 Maximum WAF-to-server persistent connections: 60,000	WI-500
   	WAF Instance Type	Select a WAF instance type. Only Network Interface is available now. The WAF instance will be connected to your network through a VPC network interface. Only the dedicated load balancer can be used. For details about how to connect the WAF instance, see Connecting Your Website to WAF with Dedicated Mode. NOTE: WAF also provides the ECS type of WAF instance. This type of WAF instance is deployed on your own ECSs. You can view the ECSs housing your WAF instances on the ECS console. To use this type of WAF instance, submit a service ticket. Note that only some regions support this type of WAF instance.	Network Interface
   Network Settings	Virtual Private Cloud	Select the VPC to which the origin server belongs.	-
   	Subnet	Select a subnet configured in the VPC.	-
   	Security Groups	Select a security group in the region, or click Create Security Group and create one. After you select a security group, the WAF instance will be protected by the access rules of the security group. WAF provides three types of security group templates. You can select one that best fits your need. General-purpose web server: allows all inbound ICMP traffic and inbound traffic on ports 22, 80, 443, and 3389. This template applies to scenarios where you need to remotely log in to an instance, run the ping command to verify the network connectivity of the instance, and provide website access services for external systems. All ports open: allows inbound and outbound traffic over any ports. This may introduce security risks. Exercise caution when selecting this option. Fast-add rule: You can select common protocols and ports to quickly add inbound rules. If you do not select any protocols and ports, no ports will be opened. You can add or modify security group rules as required after a security group is created. Click to Show Default Rule and view the inbound and outbound rules of the selected security group template. You can also create a security group on the VPC console and configure the following access rules: Inbound rules Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80. Outbound rules Retain the default settings. All outgoing network traffic is allowed by default. For details, see Adding a Security Group Rule. If your dedicated WAF instance and origin server are not in the same VPC, enable communications between the instance and the subnet of the origin server in the security group.	-
   (Optional) Advanced Settings	Instance Name Prefix	Set a prefix of the WAF instance name. If you expect to purchase multiple instances, the prefix to each instance name is the same.	WAF
   	Enterprise Project	This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members. Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project. The default option is available in the Enterprise Project drop-down list only after you purchase WAF under the logged-in account.	default
   	Tag	Tag of the instance you buy. The tag is used to mark the instance. Click Add tag and enter Tag key and Tag value. A maximum of 20 tags can be added. If your organization has configured tag policies for WAF, add tags to dedicated instances based on the policies. If a tag does not comply with the policies, dedicated WAF instance may fail to be created. Contact your organization administrator to learn more about tag policies. If you want to use the same tag to identify multiple cloud resources, that is, to select the same tag for all services, you are advised to create predefined tags on the Tag Management Service (TMS). For details, see Creating Predefined Tags.	-
   	Authorize WAF	This parameter is required first time you buy a WAF instance. After you enable the authorization, WAF will create an agency in IAM on behalf of you to grant itself related permissions.	-
   	Anti-affinity	If you enable this function, dedicated instances will be deployed on different physical servers as much as possible to improve service reliability.	-
   Usage Settings	Purchased Quantity	Set the number of WAF instances you want to purchase. You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.	2

8. Confirm the product details and click Buy Now in the lower right corner of the page.
   

   The specifications of a dedicated WAF instance cannot be modified after the purchase.

9. On the Confirm Configuration page, confirm the order details, check the boxes before "I have read and agree to the WAF Disclaimer." and "I agree to assign permissions of the following roles to WAF", and click Pay.
   • After the payment, click Back to Dedicated Engine List. On the Dedicated Engine page, view and manage the dedicated instances. For details, see Managing Dedicated WAF Engines.
   • After you buy a dedicated WAF instance, WAF is authorized to access data in the VPC your website resides by default. For more details, see Authorizing WAF to Access Data in the VPC Your Website Resides.
   • It takes about 5 minutes to create a dedicated instance. If the instance is in the Running status, the instance has been created successfully.

Follow-up Operations

1. Connecting a Website to WAF: Connect a website domain name or IP address to your dedicated WAF instances.
2. Viewing Protection Events: After a domain name or IP address is connected to WAF, by default, WAF enables General Check in Basic Web Protection, with Protective Action set to Log only and Protection Level to medium, and enables Scanner in Anti-Crawler, with Protective Action set to Log only. You can view and handle protection events on the Events page.
3. Configuring Protection Policies: If default protection rules cannot meet your website security requirements, you can configure custom protection rules.
4. Querying a Protection Event: View website protection details.