Help Center/ Web Application Firewall/ User Guide/ Buying WAF/ Buying a Dedicated WAF Instance
Updated on 2024-11-19 GMT+08:00

Buying a Dedicated WAF Instance

If your service servers are deployed on Huawei Cloud, you can purchase dedicated WAF instances to protect important domain names or web services that have only IP addresses. To expand the protection capacities and eliminate single points of failure (SPOFs), buy an Elastic Load Balance (ELB) load balancer for your dedicated WAF instances.

Dedicated WAF instances are billed on a pay-per-use basis. You only pay for what you use.

Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.

You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.

Prerequisites

  • The account used to log in to the WAF console must have the WAF Administrator or WAF FullAccess permission.
  • You are advised to use a parent account to purchase dedicated WAF instances. If you want to use an IAM user to purchase dedicated WAF instances, you need to assign the IAM management permission to the IAM user.
    • For first-time buyers, you need to assign IAM system role Security Administrator to them.
    • For non-first-time buyers, you need to assign IAM system policy IAM ReadOnlyAccess or custom permissions to them. The permissions are as follows:
      • iam:agencies:listAgencies
      • iam:agencies:getAgency
      • iam:permissions:listRolesForAgency
      • iam:permissions:listRolesForAgencyOnProject
      • iam:permissions:listRolesForAgencyOnDomain

    For details, see Creating a User Group and Granting Permissions.

  • A VPC has been created. For details, see Creating a VPC.
  • The Organizations service is in open beta test (OBT). To use organization rules, apply for OBT.

Constraints

  • If dedicated WAF instances and origin servers they protect are not in the same VPC, you can use a VPC peering connection to connect two VPCs. This method is not recommended as VPC peering connections may be not stable enough sometimes.
  • Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services. For details about supported regions, see In Which Regions Is WAF Available?
  • If you enable Anti-affinity, a maximum of five dedicated WAF instances can be created.

Specification Limitations

The specifications of a dedicated WAF instance cannot be modified.

Application Scenarios

Dedicated WAF instances are good choice if your service servers are deployed on Huawei Cloud and you plan to protect your website by adding its domain names or IP addresses to WAF.

This mode is suitable for large enterprise websites that have a large service scale and have customized security requirements.

Buying a Dedicated WAF Instance

  1. Log in to the management console.
  2. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  3. In the upper right corner of the page, click Buy WAF.
  4. On the Buy Web Application Firewall page, select Dedicated Mode for WAF Mode.
  5. Configure instance parameters by referring to Table 1.

    Table 1 Parameters of a dedicated WAF instance

    Parameter

    Description

    Example Value

    Basic settings

    Billing mode

    Only the pay-per-use billing mode is supported.

    Pay-per-use billing

    Region

    For details about supported regions, see In Which Regions Is WAF Available?

    Generally, a WAF instance purchased in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster and reduce latency, select the region nearest to your services.

    -

    General AZ

    Select an AZ in the selected region.

    NOTE:

    After an AZ is selected, it cannot be changed after the purchase.

    -

    Edition and specifications

    Edition selection

    Specifications WI-500 and WI-100 are available.

    • Specifications: WI-500. Estimated performance:
      • HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000
      • HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000
      • WebSocket service - Maximum concurrent connections: 5,000
      • Maximum WAF-to-server persistent connections: 60,000
    • Specifications: WI-100. Estimated performance:
      • HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000
      • HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600
      • WebSocket service - Maximum concurrent connections: 1,000
      • Maximum WAF-to-server persistent connections: 60,000

    WI-500

    WAF Instance Type

    Select a WAF instance type. Only Network interface is available now.

    The WAF instance will be connected to your network through a VPC network interface. Only dedicated load balancers can be used for this type of instance. For details, see Website Connection Process (Dedicated Mode).

    NOTE:

    WAF also provides the ECS type of WAF instance. This type of WAF instance is deployed on your own ECSs. You can view the ECSs housing your WAF instances on the ECS console. To use this type of WAF instance, submit a service ticket. Note that only some regions support this type of WAF instance.

    Network Interface

    Network settings

    VPC

    Select the VPC to which the origin server belongs.

    -

    Subnet

    Select a subnet configured in the VPC.

    -

    Security Group

    Select a security group in the region or click Manage Security Group to go to the VPC console and create a security group. After you select a security group, the WAF instance will be protected by the access rules of the security group.

    NOTICE:
    • You can configure your security group as follows:
      • Inbound rules

        Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.

      • Outbound rules

        Retain the default settings. All outgoing network traffic is allowed by default.

      For more details, see Adding a Security Group Rule.

    • If your dedicated WAF instance and origin server are not in the same VPC, enable communications between the instance and the subnet of the origin server in the security group.

    -

    Usage Settings

    Quantity

    Set the number of WAF instances you want to purchase.

    You are advised to buy at least two WAF instances and use both of them to protect your services. With multiple WAF instances being used for your services, if one of them becomes faulty, WAF automatically switches the traffic to other running WAF instances to ensure continuous protection.

    2

    (Optional) Advanced Settings

    Instance Name Prefix

    Set a prefix of the WAF instance name. If you expect to purchase multiple instances, the prefix to each instance name is the same.

    WAF

    Enterprise Project

    This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. To learn more, see Enabling the Enterprise Center. You can use enterprise projects to more efficiently manage cloud resources and project members.

    NOTE:
    • Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
    • The default option is available in the Enterprise Project drop-down list only after you purchase WAF under the logged-in account.

    default

    Tag

    TMS's predefined tag function is recommended for adding the same tag to different cloud resources.

    If your organization has configured a tag policy for Web Application Firewall (WAF), you need to add tags to dedicated WAF instances based on the tag policy rules. If a tag does not comply with the policies, dedicated WAF instance may fail to be created. Contact your organization administrator to learn more about tag policies.

    -

    Authorization

    This parameter is available first time you purchase a WAF instance. After you enable the authorization, WAF will create an agency in IAM on behalf of you to grant itself related permissions.

    -

    Anti-affinity

    • If you enable this function, a maximum of five dedicated WAF instances can be created.
    • If you enable this function, dedicated instances will be deployed on different physical servers as much as possible to improve service reliability.

    -

  6. Confirm the product details and click Buy Now in the lower right corner of the page.

    If you want to use the content moderation check service, click Buy Now to go to the purchase page.

  7. Check the order details and read the Huawei Cloud WAF Disclaimer. Then, check the box next to "I have read and agree to the WAF Disclaimer" and click Pay Now.
  1. On the payment page, select a payment method and pay for your order.
  2. After the payment is successful, click Back to Dedicated Engine List. On the Dedicated Engine page, view the instance status.

Verification

It takes about 5 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created successfully.

Related Operations

Managing Dedicated WAF Engines

This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.

Authorizing WAF to Access Data in the VPC Your Website Resides

If you expect to use a dedicated WAF instance, authorize WAF to directly access data in the VPC by enabling certain security rules.

By purchasing a WAF dedicated instance, you agree to authorize WAF to enable such security rules. Currently, the security group rules listed in Table 2 will be automatically enabled for a dedicated WAF instance.

Table 2 Security group rules for WAF to access the VPC your website resides

Protocol & Port

Type

Source Address

Description

Inbound rules

TCP: 22

IPv4

100.64.0.0/10

WAF remote O&M

Outbound rules

TCP: 9011

IPv4

100.125.0.0/16

WAF event logs reporting

TCP: 9012

IPv4

100.125.0.0/16

WAF event logs reporting

TCP: 9013

IPv4

100.125.0.0/16

WAF event logs reporting

TCP: 9018

IPv4

100.125.0.0/16

WAF policy synchronization

TCP: 9019

IPv4

100.125.0.0/16

WAF heartbeat logs reporting

TCP: 4505

IPv4

100.125.0.0/16

WAF policy synchronization

TCP: 4506

IPv4

100.125.0.0/16

WAF policy synchronization

TCP: 50051

IPv4

100.125.0.0/16

WAF performance logs reporting

TCP: 443

IPv4

100.125.0.0/16

WAF policy synchronization