Help Center/ API Gateway/ Best Practices/ Interconnecting a Dedicated Gateway with WAF
Updated on 2024-10-10 GMT+08:00
View PDF
Share

Interconnecting a Dedicated Gateway with WAF

To protect API Gateway and your backend servers from malicious attacks, deploy Web Application Firewall (WAF) between API Gateway and the external network.

Figure 1 Access to a backend server

(Recommended) Solution 1: Register API Group Debugging Domain Name on WAF and Use the Domain Name to Access the Backend Service

API groups provide services using domain names for high scalability.

  1. Create an API group in a gateway, record the domain name, and create an API in the group.

    1. Log in to the APIG console, and choose API Management > API Groups.
    2. Click Create API Group > Create Directly and enter the group name.
    3. Click the name of the created group. The group details page is displayed.
    4. On the Group Information tab, view and record the debugging domain name. It is unique and cannot be changed. It can be accessed up to 1,000 times a day.
    5. On the APIs tab, click Create API > Create API to add an API.

  1. Add a domain name to WAF. Log in to the WAF console and choose Website Settings > Add Website. When configuring the Server Address, you need to enter the domain name of the API group and add a certificate. After adding a domain name, you need to whitelist the back-to-origin IP addresses, test WAF locally, and modify the DNS resolution settings of the domain name. For details, see Connection Process (Cloud Mode).

    You can use a public network client to access WAF with its domain name. WAF then uses the same domain name to forward your requests to API Gateway. There is no limit on the number of requests that API Gateway can receive for the domain name.

  2. On the gateway details page, bind the domain name to the API group.

    1. Go to the APIG console, and choose API Management > API Groups.
    2. Click the name of a created group.
    3. On the Group Information tab, click Bind Independent Domain Name.
    4. In the dialog box that is displayed, add the domain name.

  3. Enable real_ip_from_xff and set the parameter value to 1.

    1. In the navigation pane of the APIG console, choose Gateways.
    2. On the Parameters tab, configure real_ip_from_xff.

      When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. API Gateway resolves the actual IP address of the user based on the header.

Solution 2: Forward Requests Through the DEFAULT Group and Use Gateway Inbound Access Address to Access the Backend Service from WAF

  1. View the inbound access addresses of your gateway. There is no limit on the number of times the API gateway can be accessed using an IP address.

    1. Log in to the APIG console, and choose Gateways in the navigation pane.
    2. Click the gateway name or Access Console.
    3. On the Basic Information tab, view the inbound access.
      • VPC Access Address: VPC private access address
      • EIP: public network access address

  1. Create an API in the DEFAULT group.

    1. Go to the APIG console, and choose API Management > API Groups.
    2. Click the name of the DEFAULT group.
    3. Click Create API > Create API to add an API.

  1. Add a domain name to WAF. Log in to the WAF console and choose Website Settings > Add Website. Set the Server Address to the inbound access of the gateway and add a certificate. After adding a domain name, you need to whitelist the back-to-origin IP addresses, test WAF locally, and modify the DNS resolution settings of the domain name. For details, see Connection Process (Cloud Mode).

    • If WAF and your gateway are in the same VPC, set Server Address to the VPC access address.
    • If your gateway is bound with an EIP, set Server Address to the EIP.

  2. On the gateway details page, bind the domain name to the DEFAULT group.

    1. Go to the APIG console, and choose API Management > API Groups.
    2. Click the name of the DEFAULT group.
    3. On the Group Information tab, click Bind Independent Domain Name.
    4. In the dialog box that is displayed, add the domain name.

  3. Enable real_ip_from_xff and set the parameter value to 1.

    1. In the navigation pane of the APIG console, choose Gateways.
    2. On the Parameters tab, configure real_ip_from_xff.

      When a user accesses WAF using a public network client, WAF records the actual IP address of the user in the HTTP header X-Forwarded-For. APIG resolves the actual IP address of the user based on the header.