What Is WAF?
Web Application Firewall (WAF) helps users inside and outside Tencent Cloud defend websites and web businesses against web attacks, intrusions, vulnerability exploitation, trojans, tampering, backdoors, crawlers, and similar threats. By deploying the Tencent Cloud WAF service, enterprises divert web attack traffic to Tencent Cloud WAF protection cluster nodes, obtain Tencent's web protection capabilities in minutes, and keep their websites and web businesses running securely.
SaaS-based WAF and CLB-based WAF are both supported, and both support access protection. The following table compares the two WAF types.
| Item | CLB-based WAF | SaaS-based WAF |
| --- | --- | --- |
| Whether gateway console operations are required | Yes. | No. |
| Access method | Domain name protection and object protection are supported and can be used simultaneously. | |
| Traffic path from WAF to the gateway | Bypass integration: traffic first goes to the gateway and then to WAF, which reviews it in bypass mode. | Traffic first goes to WAF and then to the gateway. |
| Type of traffic from WAF to the gateway | Private network. | Public network. |
| How to select the WAF type | Bypass integration separates business traffic forwarding from security protection, minimizing the impact of protection on businesses. Private network integration reduces traffic costs. | Only one public IP address of the public load balancer can be bound. If webpage tampering prevention and data leakage prevention are needed, only SaaS-based WAF can be used. |
For Cloud Native API Gateway, CLB-based WAF is recommended. It mirrors the HTTP/HTTPS traffic received by the gateway to the WAF cluster. The WAF performs threat detection and scrubbing in bypass mode, then synchronizes the trust status of each user request back to the Cloud Native API Gateway, which blocks or allows the request accordingly, thereby protecting your business. The bypass integration approach offers the following advantages:
1. Seamless domain name access to WAF without adjusting the existing network architecture.
2. Separation of website business traffic forwarding from security protection, keeping website businesses secure, stable, and reliable.
CLB-based WAF Access Methods
CLB-based WAF supports the following two access methods:
Method 1: Domain Name Access
Bind gateway resources to WAF by adding domain names, so that HTTP or HTTPS traffic passing through the gateway is detected and intercepted. You need to perform the following operations on the gateway:
1. Add an access domain name.
2. Configure resources to be protected.
Method 2: Object Access
Associate a WAF instance with a gateway instance through the Instance Management module in the WAF asset center to implement object access. All traffic of the gateway instance is then protected.
Cloud-native object access provides access protection at the Cloud Native API Gateway instance level. It mirrors the web business traffic of the gateway instance and forwards it to the WAF cluster for access protection. After access, a protection collection keyed by the gateway instance ID is generated automatically; it starts protecting web traffic without any domain name access configuration, and you can modify its protection policy rules.
Comparison of Two Access Methods
| Item | Domain name access | Object access |
| --- | --- | --- |
| Whether a domain name needs to be configured | Required | Not required |
| Protection granularity | Resource-level (route-level and service-level supported) | Instance-level |
| Access complexity | Relatively complex | Simple |
| Traffic method between the gateway and WAF | Bypass integration | Bypass integration |
Effective Sequence of the Two Access Protection Methods
Object access performs security protection at the gateway instance level. If you need more refined protection, use domain name access: by configuring WAF-protected domain names, you can protect resources precisely. You can also configure both protection policies. They take effect in the following order:
1. Precise domain name access protection: This has the highest priority. Once a request matches a protected domain name, this security protection policy takes effect first.
2. Object access protection: For traffic that does not match any domain name protection policy, the default object access protection policy is executed.
Note:
Object access: WAF object access is supported only in the Enterprise Edition and later editions.
Scenarios
Scenario 1: Instance Protection
Scenario description: WAF protection is performed for all access requests to a gateway instance. WAF protection does not need to be independently configured for existing routes and newly added routes. It applies to production scenarios with extremely high security requirements.
Usage method: Enable object access protection.
Scenario 2: Protection of Some Services
Scenario description: Only access requests to specific backend services are protected, and other requests do not require access protection. It applies to test scenarios or production scenarios with high security requirements.
Usage method: Enable domain name protection for services to be protected.
Scenario 3: Protection of Some Routes
Scenario description: Only access requests to some specific routes need to be protected, and other requests do not require access protection. It applies to test scenarios or production scenarios with low security requirements.
Usage method: Enable domain name protection for routes to be protected.
Scenario 4: Service-Level Protection Enabled with Access Protection Disabled for Some Routes Under the Service
Scenario description: Service-level protection is enabled, test routes are added under the service for testing, and access protection needs to be disabled for those routes.
Usage method: Disable protection for the routes to be tested. In this case, the status of service-level protection changes from All enabled to Partially enabled. After the test is completed, enable access protection for these routes again to change the status of service-level protection from Partially enabled back to All enabled.
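The policy order described under "Effective Sequence of the Two Access Protection Methods" and the Partially enabled status from Scenario 4 can be modelled in a few lines. This is an added illustration, not Tencent Cloud WAF's code; the domain, service and route names are constructed, and it assumes that a route-level setting overrides its service-level setting and that a request whose resource has domain protection disabled falls back to the object access policy when that is enabled.

```python
"""Simplified model of how domain name access and object access combine.
Hypothetical illustration; not Tencent Cloud WAF's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DomainProtection:
    """Domain name access: resource-level protection for one protected domain."""
    services: Dict[str, bool] = field(default_factory=dict)         # service -> protected?
    route_overrides: Dict[str, bool] = field(default_factory=dict)  # route -> explicit on/off


@dataclass
class GatewayInstance:
    object_access: bool = False                                      # instance-level protection
    domains: Dict[str, DomainProtection] = field(default_factory=dict)
    route_service: Dict[str, str] = field(default_factory=dict)      # route -> owning service

    def resource_protected(self, dp: DomainProtection, route: str) -> bool:
        # Assumption: an explicit route-level setting wins over the service-level one.
        if route in dp.route_overrides:
            return dp.route_overrides[route]
        return dp.services.get(self.route_service.get(route, ""), False)

    def effective_policy(self, host: str, route: str) -> str:
        """Which policy handles a request: 'domain' first, then 'object', else 'none'."""
        dp = self.domains.get(host)
        if dp is not None and self.resource_protected(dp, route):
            return "domain"   # precise domain name protection has the highest priority
        if self.object_access:
            return "object"   # default instance-level policy for everything else
        return "none"

    def service_status(self, host: str, service: str) -> Optional[str]:
        """'All enabled' or 'Partially enabled' as in Scenario 4; None if not enabled."""
        dp = self.domains[host]
        if not dp.services.get(service, False):
            return None
        routes = [r for r, s in self.route_service.items() if s == service]
        disabled = [r for r in routes if dp.route_overrides.get(r, True) is False]
        return "Partially enabled" if disabled else "All enabled"


def demo() -> GatewayInstance:
    """Constructed sample: object access on, one protected service with a test route disabled."""
    gw = GatewayInstance(object_access=True, route_service={
        "/api/orders": "order-svc", "/api/orders/test": "order-svc", "/health": "ops-svc"})
    gw.domains["shop.example.com"] = DomainProtection(
        services={"order-svc": True}, route_overrides={"/api/orders/test": False})
    return gw
```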