Updated on 2024-09-29 GMT+08:00

AAD + Cloud WAF (ELB Access)

CNAD Advanced protection improves the anti-DDoS capability of cloud services on HUAWEI CLOUD, such as Elastic Cloud Server (ECS), Elastic Load Balance (ELB), Web Application Firewall (WAF), and Elastic IP (EIP). WAF keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

Application Scenarios

To deploy CNAD Advanced and WAF together for your website, your website workloads must be hosted on Huawei Cloud ECSs. After you connect a website to a cloud WAF (ELB access) instance, add the EIP bound to the load balancer configured for the cloud WAF instance to the CNAD Advanced instance. This gives your website two layers of protection and defends against layer-4 DDoS attacks, layer-7 web application attacks, and CC attacks, greatly improving the security and stability of your website workloads.

With a CNAD Advanced instance and a cloud WAF instance in place, the WAF engine inspects all incoming traffic. It filters out malicious activities such as DDoS, web, and CC attacks, ensuring that only legitimate traffic reaches your origin server.

Figure 1 CNAD Advanced collaborates with WAF

Constraints

CNAD Advanced protection is only available for EIPs purchased in your region.

Prerequisites

The website has been connected to cloud WAF (ELB access).

Procedure

  1. Obtain the EIP of the load balancer.

    1. Log in to the management console.
    2. Click the icon in the upper left corner of the management console and select a region or project.
    3. Click the icon in the upper left corner of the page and choose Elastic Load Balance under Network to go to the ELB console.
    4. Locate the row that contains the load balancer bound to the WAF instance, and obtain the EIP of the load balancer.
      Figure 2 Copying the EIP

  2. Buy a CNAD Advanced instance in the region where the EIP bound to the load balancer resides.
  3. Add the EIP of the ELB to CNAD Advanced.

    1. Click the icon in the upper left corner of the page and choose Security & Compliance > DDoS Mitigation.
    2. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.
    3. In the upper right corner of the target instance box, click Add Protected Object.
    4. Search for the EIP of the load balancer obtained in step 1, set it as a protected object, and click Next.
      Figure 3 Adding a protected object
    5. Select a protection policy for the added IP address and click OK.
      Figure 4 Policy

      After adding a protected object, you can configure a protection policy for it. For details, see Adding a Protection Policy.