{"id":51,"date":"2026-04-12T16:01:59","date_gmt":"2026-04-12T16:01:59","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-web-application-firewall-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T16:01:59","modified_gmt":"2026-04-12T16:01:59","slug":"alibaba-cloud-web-application-firewall-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-web-application-firewall-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Web Application Firewall (WAF) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Security<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Alibaba Cloud Web Application Firewall (WAF)<\/strong> is a managed Security<\/strong> service designed to protect websites and APIs from common web-layer attacks and abusive traffic. It sits in front of your application (typically as a reverse proxy), inspects inbound HTTP\/HTTPS traffic, and blocks malicious requests before they reach your origin servers.<\/p>\n\n\n\n

In simple terms: you point your domain to Alibaba Cloud WAF, and WAF becomes the \u201csecurity gate\u201d for your web app. Legitimate users pass through; suspicious or clearly malicious requests are blocked or challenged.<\/p>\n\n\n\n

Technically, Web Application Firewall (WAF) applies a combination of managed rule sets<\/strong> (for vulnerabilities like SQL injection and XSS), custom rules<\/strong>, bot\/automation controls<\/strong>, and rate limiting \/ CC protection<\/strong>. It also provides visibility via dashboards and (depending on configuration and edition) integration with Alibaba Cloud logging and monitoring services.<\/p>\n\n\n\n

Web Application Firewall (WAF) solves a specific problem: your application code and perimeter controls alone are not enough<\/strong> to defend against web attacks, credential stuffing, scanners, exploit attempts, and traffic spikes targeting your application endpoints. WAF adds a specialized, continuously updated protection layer so teams can reduce risk and operational load without building and maintaining a custom WAF stack.<\/p>\n\n\n\n

\n

Service name note: The official service is currently offered as Web Application Firewall (WAF)<\/strong> on Alibaba Cloud. Alibaba Cloud may offer multiple editions\/versions and purchasing options; always verify the latest console terminology and purchase models in official documentation before production rollout.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Web Application Firewall (WAF)?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

Alibaba Cloud Web Application Firewall (WAF)<\/strong> is a managed web security gateway that helps protect websites and APIs<\/strong> from web application attacks, malicious bots, and abusive traffic patterns by inspecting and filtering HTTP\/HTTPS traffic.<\/p>\n\n\n\n

Core capabilities (what it generally does)<\/h3>\n\n\n\n

Web Application Firewall (WAF) typically provides:<\/p>\n\n\n\n

    \n
  • Protection against common web attacks<\/strong> (for example, SQL injection, XSS, command injection, path traversal, malicious file uploads).<\/li>\n
  • Virtual patching<\/strong> behavior: blocking exploit attempts even before your application is patched (coverage depends on rule sets and your traffic).<\/li>\n
  • Bot management \/ anti-automation<\/strong> controls (capability and naming vary by edition\u2014verify in official docs for your plan).<\/li>\n
  • Rate limiting \/ CC protection<\/strong> (challenge\/blacklist\/allowlist patterns for burst traffic).<\/li>\n
  • Access control policies<\/strong> (IP allow\/deny lists, geo or header-based policies, URL-based controls).<\/li>\n
  • TLS termination and certificate management<\/strong> (for HTTPS protected domains).<\/li>\n
  • Observability<\/strong> through event\/attack dashboards and optional log export.<\/li>\n<\/ul>\n\n\n\n

    Major components (how you\u2019ll interact with it)<\/h3>\n\n\n\n

    While exact names can vary by console version and edition, you typically work with:<\/p>\n\n\n\n

      \n
    • WAF instance\/edition<\/strong>: the purchased protection capacity and feature set.<\/li>\n
    • Protected objects<\/strong>: domains (websites) and\/or API endpoints that you onboard.<\/li>\n
    • Back-to-origin configuration<\/strong>: origin IPs\/ports, origin protocol, health behavior.<\/li>\n
    • Protection policies<\/strong>:<\/li>\n
    • Managed protection rules (often enabled\/tuned per domain)<\/li>\n
    • Custom protection rules (matching URL, headers, args, cookies, method, etc.)<\/li>\n
    • Bot\/rate limit rules (if available in your edition)<\/li>\n
    • Certificates<\/strong>: uploaded\/imported TLS certificates (for HTTPS).<\/li>\n
    • Logs and reports<\/strong>: security events, access details, and exports.<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Type<\/strong>: Managed security service (WAF), commonly deployed as a reverse proxy<\/strong> in front of origins.<\/li>\n
      • Operational model<\/strong>: You configure protection via the Alibaba Cloud console and\/or APIs. Alibaba Cloud operates and updates the detection engines and infrastructure.<\/li>\n<\/ul>\n\n\n\n

        Scope (regional\/global\/account-scoped)<\/h3>\n\n\n\n
          \n
        • Account scope<\/strong>: Web Application Firewall (WAF) is purchased and managed at the Alibaba Cloud account level, with access controlled by RAM (Resource Access Management).<\/li>\n
        • Traffic scope<\/strong>: WAF protection is applied to the domains\/endpoints you onboard<\/strong> and the traffic that you route through WAF (typically via DNS CNAME or other supported access modes).<\/li>\n
        • Region model<\/strong>: WAF is a cloud service with global presence, but availability, billing region, and supported traffic access modes can vary<\/strong>. Verify the latest region\/availability notes in the official documentation for your account and target audience location.<\/li>\n<\/ul>\n\n\n\n

          How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n

          Web Application Firewall (WAF) is one layer in a broader Alibaba Cloud Security stack:<\/p>\n\n\n\n

            \n
          • It complements network-layer protections<\/strong> (e.g., Anti-DDoS products) by focusing on Layer 7 (HTTP\/S) threats<\/strong>.<\/li>\n
          • It integrates naturally with Alibaba Cloud hosting patterns:<\/li>\n
          • Origins on ECS, containers, or PaaS<\/li>\n
          • Traffic via SLB\/ALB, API gateways, CDN (integration patterns vary\u2014verify supported architectures)<\/li>\n
          • It supports operational needs via logs, alerts, and API-driven configuration in DevSecOps workflows.<\/li>\n<\/ul>\n\n\n\n
            \n\n\n\n

            3. Why use Web Application Firewall (WAF)?<\/h2>\n\n\n\n

            Business reasons<\/h3>\n\n\n\n
              \n
            • Reduce breach risk and downtime<\/strong> from common web exploits and automated abuse.<\/li>\n
            • Lower incident response cost<\/strong> by blocking known bad patterns upstream.<\/li>\n
            • Improve time-to-remediate<\/strong>: WAF can reduce exposure windows while application patches are being tested and deployed.<\/li>\n
            • Meet customer and partner security expectations<\/strong> (many enterprise questionnaires expect a WAF in front of public web apps\/APIs).<\/li>\n<\/ul>\n\n\n\n

              Technical reasons<\/h3>\n\n\n\n
                \n
              • Layer 7 inspection<\/strong>: Your security groups and NACLs don\u2019t understand HTTP payloads; WAF does.<\/li>\n
              • Rule updates without app changes<\/strong>: Managed rules evolve without redeploying your app.<\/li>\n
              • Granular controls<\/strong>: Block by URL patterns, query args, headers, methods, cookies, referrer, user-agent, etc. (availability depends on WAF feature set; verify exact match fields supported in your edition).<\/li>\n<\/ul>\n\n\n\n

                Operational reasons<\/h3>\n\n\n\n
                  \n
                • Centralized control<\/strong> across many apps\/domains.<\/li>\n
                • Visibility<\/strong> into attack patterns, top targeted endpoints, and suspicious clients.<\/li>\n
                • Safer changes<\/strong>: You can test tuning by running in monitor\/alert mode first (if supported).<\/li>\n<\/ul>\n\n\n\n

                  Security\/compliance reasons<\/h3>\n\n\n\n
                    \n
                  • Helps implement defense-in-depth controls often mapped to:<\/li>\n
                  • OWASP Top 10 mitigation patterns (as a compensating control, not a replacement for secure coding)<\/li>\n
                  • Security baseline requirements for internet-facing services<\/li>\n
                  • Provides evidence and audit trails via logs and reports (export options vary by configuration).<\/li>\n<\/ul>\n\n\n\n

                    Scalability\/performance reasons<\/h3>\n\n\n\n
                      \n
                    • WAF infrastructure can absorb and filter large volumes of HTTP\/S requests before they hit your origins.<\/li>\n
                    • Offloads some security processing from application servers.<\/li>\n<\/ul>\n\n\n\n

                      When teams should choose it<\/h3>\n\n\n\n

                      Choose Alibaba Cloud Web Application Firewall (WAF) when you have:<\/p>\n\n\n\n

                        \n
                      • Public-facing websites and APIs<\/li>\n
                      • Compliance requirements or customer expectations for web security controls<\/li>\n
                      • High risk of scanning, credential stuffing, bot scraping, or frequent exploit attempts<\/li>\n
                      • A need for managed rules and rapid response without building custom ModSecurity stacks<\/li>\n<\/ul>\n\n\n\n

                        When teams should not choose it<\/h3>\n\n\n\n

                        WAF is not a universal solution. Avoid or defer if:<\/p>\n\n\n\n

                          \n
                        • Your system is not HTTP\/S<\/strong> (WAF is not a generic TCP firewall).<\/li>\n
                        • Your application is internal-only<\/strong> and not reachable from untrusted networks (you may still want it, but risk profile is different).<\/li>\n
                        • You cannot change DNS\/traffic routing to place WAF in the path.<\/li>\n
                        • You require extremely specialized request handling that conflicts with proxy inspection (rare, but can happen with unusual protocols over HTTP, strict mutual TLS patterns, or custom clients\u2014test first).<\/li>\n
                        • You want to stop volumetric DDoS at L3\/L4 only: you\u2019ll need Anti-DDoS products in addition to (or instead of) WAF.<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          4. Where is Web Application Firewall (WAF) used?<\/h2>\n\n\n\n

                          Industries<\/h3>\n\n\n\n
                            \n
                          • E-commerce and retail (checkout, login, catalog scraping)<\/li>\n
                          • FinTech and payments (API abuse, credential stuffing, fraud automation)<\/li>\n
                          • SaaS platforms (tenant portals, admin consoles)<\/li>\n
                          • Media and gaming (bots, scraping, abusive sign-ups)<\/li>\n
                          • Healthcare and education (sensitive data exposure risk, compliance controls)<\/li>\n
                          • Public sector (high scanning rates, strict security requirements)<\/li>\n<\/ul>\n\n\n\n

                            Team types<\/h3>\n\n\n\n
                              \n
                            • Platform engineering teams managing shared ingress\/security<\/li>\n
                            • DevOps\/SRE teams responsible for availability and incident response<\/li>\n
                            • Security engineering teams enforcing web security policies and monitoring attacks<\/li>\n
                            • Application teams needing fast mitigation without code changes<\/li>\n<\/ul>\n\n\n\n

                              Workloads<\/h3>\n\n\n\n
                                \n
                              • Traditional web apps (server-rendered sites)<\/li>\n
                              • Modern SPAs with API backends<\/li>\n
                              • Microservices fronted by API gateways or ingress controllers<\/li>\n
                              • B2B portals and admin dashboards<\/li>\n
                              • Mobile app backends and public API endpoints<\/li>\n<\/ul>\n\n\n\n

                                Architectures<\/h3>\n\n\n\n
                                  \n
                                • Single-region web apps behind SLB\/ALB<\/li>\n
                                • Multi-region active-active deployments with DNS-based routing (WAF placement must be designed carefully)<\/li>\n
                                • CDN in front of WAF or WAF in front of CDN depending on supported patterns (verify the recommended pattern in official Alibaba Cloud docs for your CDN\/WAF combination)<\/li>\n<\/ul>\n\n\n\n

                                  Real-world deployment contexts<\/h3>\n\n\n\n
                                    \n
                                  • Production: always recommended for internet-facing apps with real users and business impact.<\/li>\n
                                  • Dev\/test: useful for validating rule impact and tuning, but ensure you don\u2019t pay for unused capacity; isolate test domains and be explicit about logging to avoid noise and cost.<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n

                                    5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                    Below are realistic scenarios where Alibaba Cloud Web Application Firewall (WAF) is commonly used.<\/p>\n\n\n\n

                                    1) Block SQL injection attempts against login and search endpoints<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: Attackers inject SQL payloads into query parameters or POST bodies.<\/li>\n
                                    • Why WAF fits<\/strong>: Managed rules detect common injection signatures and patterns.<\/li>\n
                                    • Example<\/strong>: \/login?user=admin'--<\/code> or payloads in JSON body to \/api\/auth<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                      2) Stop reflected and stored XSS probes<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Automated scanners test inputs for script injection.<\/li>\n
                                      • Why WAF fits<\/strong>: XSS detection rules and configurable blocking actions reduce exploit attempts reaching your app.<\/li>\n
                                      • Example<\/strong>: Requests containing <script>alert(1)<\/script><\/code> in comment fields.<\/li>\n<\/ul>\n\n\n\n

                                        3) Protect REST APIs from abusive clients and brute-force login<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: Attackers brute-force passwords or enumerate tokens.<\/li>\n
                                        • Why WAF fits<\/strong>: Rate limiting \/ CC protection and custom rules for sensitive endpoints.<\/li>\n
                                        • Example<\/strong>: Limit requests to \/api\/login<\/code> per IP\/user-agent and block abnormal bursts.<\/li>\n<\/ul>\n\n\n\n

                                          4) Virtual patching for newly disclosed vulnerabilities<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: A CVE is announced; patching takes days due to testing\/change control.<\/li>\n
                                          • Why WAF fits<\/strong>: Rule updates can mitigate exploitation attempts while you patch.<\/li>\n
                                          • Example<\/strong>: Exploit attempts targeting common frameworks or misconfigurations (exact coverage varies\u2014verify rule coverage).<\/li>\n<\/ul>\n\n\n\n

                                            5) Reduce bot scraping of product pages and content<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Scrapers overwhelm pages or steal pricing\/content.<\/li>\n
                                            • Why WAF fits<\/strong>: Bot controls, behavior analysis, and challenge mechanisms (feature availability depends on edition).<\/li>\n
                                            • Example<\/strong>: Block headless browser user-agents hitting \/products\/*<\/code> at high rates.<\/li>\n<\/ul>\n\n\n\n

                                              6) Enforce access control for admin portals<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Admin endpoints are exposed to the internet.<\/li>\n
                                              • Why WAF fits<\/strong>: IP allowlist, header-based rules, geo restrictions, and MFA gateway patterns.<\/li>\n
                                              • Example<\/strong>: Allow \/admin\/*<\/code> only from corporate IP ranges and block others.<\/li>\n<\/ul>\n\n\n\n

                                                7) Protect file upload endpoints from malicious payloads<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: Attackers attempt to upload web shells or dangerous files.<\/li>\n
                                                • Why WAF fits<\/strong>: File upload inspection controls may help (exact capability depends on WAF features\u2014verify).<\/li>\n
                                                • Example<\/strong>: Block suspicious multipart payloads to \/api\/upload<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                                  8) Prevent HTTP protocol abuse and evasion<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: Attackers use malformed requests to bypass application parsing.<\/li>\n
                                                  • Why WAF fits<\/strong>: Normalization and protocol validation at the edge can detect anomalies.<\/li>\n
                                                  • Example<\/strong>: Unusual encodings, header smuggling patterns (coverage varies).<\/li>\n<\/ul>\n\n\n\n

                                                    9) Create custom allow\/deny rules during an incident<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Ongoing attack from specific ASN\/IP ranges or malicious referrers.<\/li>\n
                                                    • Why WAF fits<\/strong>: Rapid policy changes without redeploying apps.<\/li>\n
                                                    • Example<\/strong>: Deny a list of IPs or block requests missing expected headers.<\/li>\n<\/ul>\n\n\n\n

                                                      10) Protect multi-tenant SaaS APIs with tenant-aware rules<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem<\/strong>: One tenant\u2019s API key is abused, causing noisy neighbor effects.<\/li>\n
                                                      • Why WAF fits<\/strong>: Rate limiting by path and request attributes; block patterns quickly.<\/li>\n
                                                      • Example<\/strong>: Apply stricter limits to \/api\/v1\/export<\/code> across all tenants.<\/li>\n<\/ul>\n\n\n\n

                                                        11) Reduce origin exposure by allowing only WAF egress IPs<\/h3>\n\n\n\n
                                                          \n
                                                        • Problem<\/strong>: Attackers bypass WAF by hitting origin IP directly.<\/li>\n
                                                        • Why WAF fits<\/strong>: With correct origin firewall rules, only WAF can reach origin.<\/li>\n
                                                        • Example<\/strong>: Security group only allows inbound from WAF published IP ranges (verify the official IP list publication method).<\/li>\n<\/ul>\n\n\n\n

                                                          12) Centralize security monitoring for many domains<\/h3>\n\n\n\n
                                                            \n
                                                          • Problem<\/strong>: Each app team has different logging and inconsistent alerting.<\/li>\n
                                                          • Why WAF fits<\/strong>: Consolidated attack reporting and consistent enforcement across domains.<\/li>\n
                                                          • Example<\/strong>: A platform team onboards 50 marketing domains and applies baseline rules.<\/li>\n<\/ul>\n\n\n\n
                                                            \n\n\n\n

                                                            6. Core Features<\/h2>\n\n\n\n

                                                            Feature availability can vary by edition\/region and by the access mode you use. Verify your plan\u2019s feature list in the official Alibaba Cloud WAF documentation and console.<\/p>\n\n\n\n

                                                            6.1 Managed protection rules (OWASP-style protections)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Inspects HTTP\/S requests and blocks known malicious patterns (SQLi, XSS, command injection, path traversal, etc.).<\/li>\n
                                                            • Why it matters<\/strong>: Stops high-volume commodity attacks and reduces risk of unpatched vulnerabilities.<\/li>\n
                                                            • Practical benefit<\/strong>: You get baseline web security without writing rules from scratch.<\/li>\n
                                                            • Caveats<\/strong>: False positives can occur; tune rules and use monitoring mode when available.<\/li>\n<\/ul>\n\n\n\n

                                                              6.2 Custom rules (fine-grained policy)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Lets you define match conditions (URL, headers, args, cookies, method, UA, etc.) and actions (block\/allow\/monitor\/challenge depending on capabilities).<\/li>\n
                                                              • Why it matters<\/strong>: Every app has unique endpoints and risk profiles.<\/li>\n
                                                              • Practical benefit<\/strong>: Protects sensitive routes like \/login<\/code>, \/admin<\/code>, \/checkout<\/code>, \/api\/*<\/code>.<\/li>\n
                                                              • Caveats<\/strong>: Overly broad patterns can break legitimate traffic; change-control and testing are important.<\/li>\n<\/ul>\n\n\n\n

                                                                6.3 IP allowlists and blocklists<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Allow or deny traffic by source IP\/CIDR.<\/li>\n
                                                                • Why it matters<\/strong>: Quick containment for active attacks; restrict admin endpoints.<\/li>\n
                                                                • Practical benefit<\/strong>: Simple control with immediate effect.<\/li>\n
                                                                • Caveats<\/strong>: NAT and shared IPs can cause collateral damage; prefer combining with authentication where possible.<\/li>\n<\/ul>\n\n\n\n

                                                                  6.4 Rate limiting \/ CC protection (HTTP flood controls)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Detects and mitigates bursts of HTTP requests that aim to exhaust application capacity.<\/li>\n
                                                                  • Why it matters<\/strong>: Many outages are caused by L7 floods and aggressive bots, not just L3\/L4 DDoS.<\/li>\n
                                                                  • Practical benefit<\/strong>: Preserves origin capacity by throttling abusive patterns.<\/li>\n
                                                                  • Caveats<\/strong>: Requires careful thresholds; if you set too low, you will block real users behind NAT\/mobile carriers.<\/li>\n<\/ul>\n\n\n\n

                                                                    6.5 Bot management \/ anti-automation (edition-dependent)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does<\/strong>: Identifies and mitigates bots (scrapers, credential stuffing, headless browsers) using signatures and behavior signals.<\/li>\n
                                                                    • Why it matters<\/strong>: Bots can cause fraud, content theft, and performance issues.<\/li>\n
                                                                    • Practical benefit<\/strong>: Fewer fake sign-ups, reduced scraping load, better conversion.<\/li>\n
                                                                    • Caveats<\/strong>: Bot defenses can impact accessibility and legitimate automation; test and provide allow paths for trusted partners.<\/li>\n<\/ul>\n\n\n\n

                                                                      6.6 Website and API protection onboarding (domain-based)<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does<\/strong>: Lets you add domains and specify origin servers, ports, protocols, and certificate configuration.<\/li>\n
                                                                      • Why it matters<\/strong>: Domain onboarding is how traffic starts flowing through WAF.<\/li>\n
                                                                      • Practical benefit<\/strong>: Central place to manage security policies per domain.<\/li>\n
                                                                      • Caveats<\/strong>: Requires DNS changes and coordination with certificate\/HTTPS settings.<\/li>\n<\/ul>\n\n\n\n

                                                                        6.7 HTTPS\/TLS termination and certificate handling<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does<\/strong>: WAF can terminate HTTPS connections and forward traffic to origin (HTTP or HTTPS).<\/li>\n
                                                                        • Why it matters<\/strong>: Enables inspection of encrypted traffic and consistent security controls.<\/li>\n
                                                                        • Practical benefit<\/strong>: Centralized TLS policy; easier certificate rotation (depending on tooling).<\/li>\n
                                                                        • Caveats<\/strong>: You must upload\/import the correct certificate; ensure cipher\/TLS requirements align with clients. Mutual TLS (mTLS) requirements may need careful design\u2014verify support.<\/li>\n<\/ul>\n\n\n\n

                                                                          6.8 Origin protection and anti-bypass patterns<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does<\/strong>: Supports designs where origin only accepts traffic from WAF (by IP allowlist or private networking patterns).<\/li>\n
                                                                          • Why it matters<\/strong>: If attackers can reach origin directly, they can bypass WAF.<\/li>\n
                                                                          • Practical benefit<\/strong>: Stronger security posture; fewer direct-to-origin attacks.<\/li>\n
                                                                          • Caveats<\/strong>: Requires strict network controls and careful handling of health checks and admin access.<\/li>\n<\/ul>\n\n\n\n

                                                                            6.9 Monitoring, dashboards, and reporting<\/h3>\n\n\n\n
                                                                              \n
                                                                            • What it does<\/strong>: Provides visibility into blocked\/allowed events, attack types, and top targeted URLs.<\/li>\n
                                                                            • Why it matters<\/strong>: Without telemetry, you can\u2019t tune or prove value.<\/li>\n
                                                                            • Practical benefit<\/strong>: Faster incident triage; evidence for security reviews.<\/li>\n
                                                                            • Caveats<\/strong>: Retention and detail may depend on edition; exporting logs can add cost.<\/li>\n<\/ul>\n\n\n\n

                                                                              6.10 Log export \/ integration (edition-dependent)<\/h3>\n\n\n\n
                                                                                \n
                                                                              • What it does<\/strong>: Exports access\/security logs to log platforms (often Alibaba Cloud Log Service \/ SLS) for search, alerting, and retention.<\/li>\n
                                                                              • Why it matters<\/strong>: Production security requires long-term logs and correlation with app\/infra logs.<\/li>\n
                                                                              • Practical benefit<\/strong>: Centralized detection engineering (SIEM-like workflows).<\/li>\n
                                                                              • Caveats<\/strong>: Additional service cost (SLS ingestion\/storage); ensure PII handling and retention policies.<\/li>\n<\/ul>\n\n\n\n

                                                                                6.11 API\/automation support<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • What it does<\/strong>: Provides APIs to manage configurations and retrieve information (exact API coverage varies).<\/li>\n
                                                                                • Why it matters<\/strong>: Enables Infrastructure as Code and CI\/CD changes with approvals.<\/li>\n
                                                                                • Practical benefit<\/strong>: Repeatable onboarding of many domains; consistent baseline policies.<\/li>\n
                                                                                • Caveats<\/strong>: API permissions must be tightly controlled; test changes in staging first.<\/li>\n<\/ul>\n\n\n\n
                                                                                  \n\n\n\n

                                                                                  7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                                  High-level service architecture<\/h3>\n\n\n\n

                                                                                  At a high level, Alibaba Cloud Web Application Firewall (WAF) acts as a reverse proxy<\/strong>:<\/p>\n\n\n\n

                                                                                    \n
                                                                                  1. A client requests https:\/\/www.example.com<\/code>.<\/li>\n
                                                                                  2. DNS resolves www.example.com<\/code> to a WAF-provided CNAME\/endpoint (or another supported access mode).<\/li>\n
                                                                                  3. WAF terminates TLS (for HTTPS), parses the HTTP request, and evaluates it against:\n – managed rules\n – custom policies\n – rate\/bot controls (if enabled)<\/li>\n
                                                                                  4. If allowed, WAF forwards the request to the configured origin (ECS\/SLB\/ALB\/ingress, etc.).<\/li>\n
                                                                                  5. Origin responds to WAF, and WAF returns the response to the client.<\/li>\n<\/ol>\n\n\n\n

                                                                                    Request\/data\/control flow<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Data plane<\/strong>: Actual HTTP\/S requests and responses between clients \u2192 WAF \u2192 origin.<\/li>\n
                                                                                    • Control plane<\/strong>: Console\/API changes for onboarding domains, rules, certificates, and export settings.<\/li>\n
                                                                                    • Telemetry plane<\/strong>: Event dashboards and logs; optional export to log platforms for long-term retention and alerting.<\/li>\n<\/ul>\n\n\n\n

                                                                                      Integrations with related Alibaba Cloud services (common patterns)<\/h3>\n\n\n\n

                                                                                      Integration patterns depend on your environment and edition:<\/p>\n\n\n\n

                                                                                        \n
                                                                                      • ECS (Elastic Compute Service)<\/strong>: WAF protects NGINX\/Apache apps running on ECS.<\/li>\n
                                                                                      • SLB\/ALB<\/strong>: WAF forwards to a load balancer origin for multi-instance apps.<\/li>\n
                                                                                      • Alibaba Cloud DNS<\/strong>: used to change records (CNAME) to direct traffic to WAF.<\/li>\n
                                                                                      • Certificate Management Service<\/strong>: often used to manage TLS certificates (exact integration flow can vary\u2014verify).<\/li>\n
                                                                                      • Log Service (SLS)<\/strong>: used for centralized logs and alerting (if supported in your edition).<\/li>\n
                                                                                      • ActionTrail<\/strong>: records API actions in Alibaba Cloud for auditing (recommended to enable).<\/li>\n<\/ul>\n\n\n\n

                                                                                        Dependency services<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • A domain name<\/strong> you control and can modify DNS for.<\/li>\n
                                                                                        • An origin<\/strong> that serves your website\/API and is reachable from WAF.<\/li>\n
                                                                                        • TLS certificate material for HTTPS.<\/li>\n<\/ul>\n\n\n\n

                                                                                          Security\/authentication model<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Managed via RAM (Resource Access Management)<\/strong>:<\/li>\n
                                                                                          • Users\/roles with least privilege can administer WAF.<\/li>\n
                                                                                          • Read-only roles for audit\/monitoring teams.<\/li>\n
                                                                                          • Actions should be audited using Alibaba Cloud logging\/audit services (for example, ActionTrail\u2014verify configuration steps in official docs).<\/li>\n<\/ul>\n\n\n\n

                                                                                            Networking model<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • WAF typically requires that your domain resolves to WAF and WAF forwards traffic to origin over the public network or private connectivity (depending on your design and supported modes).<\/li>\n
                                                                                            • For anti-bypass<\/strong>, configure origin firewall rules so only WAF can reach origin.<\/li>\n
                                                                                            • This often requires referencing the official published list of WAF egress IP ranges (availability and method vary\u2014verify in official docs).<\/li>\n<\/ul>\n\n\n\n

                                                                                              Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Define ownership: who can change rules, who can onboard domains, who reviews blocked traffic.<\/li>\n
                                                                                              • Maintain rule change records (ticketing + IaC where possible).<\/li>\n
                                                                                              • Export WAF logs for correlation with:<\/li>\n
                                                                                              • application logs (login failures, errors)<\/li>\n
                                                                                              • infrastructure logs (load balancer, ECS)<\/li>\n
                                                                                              • identity logs (RAM\/ActionTrail)<\/li>\n<\/ul>\n\n\n\n

                                                                                                Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                                flowchart LR\n  U[Users \/ Clients] -->|HTTPS| DNS[Public DNS]\n  DNS -->|CNAME to WAF| WAF[Alibaba Cloud Web Application Firewall (WAF)]\n  WAF -->|Allowed requests| ORIGIN[Origin: ECS \/ SLB \/ ALB]\n  ORIGIN -->|Responses| WAF --> U\n<\/code><\/pre>\n\n\n\n
                                                                                                Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                                flowchart TB\n  subgraph Internet\n    U[Users]\n    BOT[Automated bots\/attackers]\n  end\n\n  subgraph Alibaba_Cloud\n    DNS[Alibaba Cloud DNS]\n    WAF[Web Application Firewall (WAF)]\n    SLS[Log Service (SLS)\\n(optional export)]\n    AT[ActionTrail\\n(audit)]\n    subgraph App_VPC[VPC]\n      ALB[ALB\/SLB (optional)]\n      ECS1[ECS \/ App Instance 1]\n      ECS2[ECS \/ App Instance 2]\n      DB[(Database)]\n    end\n  end\n\n  U --> DNS\n  BOT --> DNS\n  DNS -->|CNAME| WAF\n  WAF -->|Allow| ALB\n  ALB --> ECS1\n  ALB --> ECS2\n  ECS1 --> DB\n  ECS2 --> DB\n\n  WAF -->|Security events| SLS\n  WAF -.config\/audit.-> AT\n<\/code><\/pre>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                8. Prerequisites<\/h2>\n\n\n\n
                                                                                                Before you start, confirm you have the following.<\/p>\n\n\n\n
                                                                                                Account and billing<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • An Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n
                                                                                                • Ability to purchase\/activate Web Application Firewall (WAF)<\/strong> in your account.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Permissions \/ IAM (RAM)<\/h3>\n\n\n\n
                                                                                                  You need RAM permissions to:\n– Purchase\/activate WAF\n– Add and manage protected domains\n– Upload\/manage certificates\n– Configure logging\/export (if used)<\/p>\n\n\n\n
                                                                                                  If you operate in a multi-team setup:\n– Create a RAM role for WAF admins (write)\n– Create a RAM role for security auditors (read-only)\n– Use Resource Groups for scoping where appropriate (verify how WAF resources map to resource groups in your account)<\/p>\n\n\n\n
                                                                                                  DNS and domain ownership<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • A domain you control, with ability to create\/modify DNS records.<\/li>\n
                                                                                                  • Ideally a test subdomain<\/strong> like waf-lab.example.com<\/code> for this tutorial.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Origin application<\/h3>\n\n\n\n
                                                                                                    One of the following:\n– A website\/API reachable from the internet (for example, NGINX on ECS), or\n– A load balancer (SLB\/ALB) fronting your app instances<\/p>\n\n\n\n
                                                                                                    Tools (optional but helpful)<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • curl<\/code> for testing<\/li>\n
                                                                                                    • Ability to SSH into ECS if you build a demo origin<\/li>\n
                                                                                                    • A text editor for notes and rule definitions<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Region availability<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • WAF availability depends on your Alibaba Cloud account and region offerings.<\/li>\n
                                                                                                      • Verify region support in official docs: https:\/\/www.alibabacloud.com\/help\/en\/waf<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Quotas\/limits (must verify for your edition)<\/h3>\n\n\n\n
                                                                                                        Typical limits include:\n– number of protected domains\n– QPS\/requests capacity\n– number of custom rules\n– log retention\/export limits<\/p>\n\n\n\n
                                                                                                        Because these vary by edition and purchase model, verify your limits in the console and official docs<\/strong>.<\/p>\n\n\n\n
                                                                                                        Prerequisite services (for this lab)<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • ECS (optional) if you want to create a demo origin<\/li>\n
                                                                                                        • Alibaba Cloud DNS (or another DNS provider) to update CNAME records<\/li>\n
                                                                                                        • A TLS certificate (optional if you test HTTP only; recommended to test HTTPS)<\/li>\n<\/ul>\n\n\n\n
                                                                                                          \n\n\n\n
                                                                                                          9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                          Alibaba Cloud Web Application Firewall (WAF) pricing is not a single flat number; it depends on your edition<\/strong>, billing mode<\/strong>, and usage\/scale<\/strong>. Do not estimate cost until you confirm the pricing model for your region and selected edition.<\/p>\n\n\n\n
                                                                                                          Official pricing sources<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Product page (contains pricing entry points): https:\/\/www.alibabacloud.com\/product\/waf<\/li>\n
                                                                                                          • Help center (pricing\/how-to-buy topics may be linked): https:\/\/www.alibabacloud.com\/help\/en\/waf<\/li>\n
                                                                                                          • Alibaba Cloud Pricing Calculator: https:\/\/www.alibabacloud.com\/pricing-calculator<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Common pricing dimensions (verify exact dimensions for your plan)<\/h3>\n\n\n\n
                                                                                                            Depending on the current offering in your region, WAF pricing may consider:<\/p>\n\n\n\n
                                                                                                              \n
                                                                                                            • Edition\/plan<\/strong> (feature set and included capacity)<\/li>\n
                                                                                                            • Protected assets<\/strong> (number of domains, apps, or protected objects)<\/li>\n
                                                                                                            • Traffic\/request volume<\/strong> (for example, QPS, requests, or clean traffic; model varies)<\/li>\n
                                                                                                            • Advanced features<\/strong> (bot management, API protection, log export, etc.)<\/li>\n
                                                                                                            • Log export costs<\/strong> (if exporting to Log Service \/ SLS, you pay for ingestion, storage, indexing depending on SLS settings)<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Because Alibaba Cloud can offer both subscription-style and usage-based models for various security services, confirm whether your purchase is subscription, pay-as-you-go, or a hybrid<\/strong> in the \u201cBuy\/Activate\u201d flow and pricing documentation.<\/p>\n\n\n\n
                                                                                                              Free tier<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • A permanent free tier is not guaranteed for WAF.<\/li>\n
                                                                                                              • Sometimes trials\/promotions exist. Verify in the WAF purchase page<\/strong> for your region\/account.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Primary cost drivers<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Traffic volume<\/strong>: More requests and larger traffic footprints generally increase cost.<\/li>\n
                                                                                                                • Number of protected domains<\/strong>: More domains usually require higher editions or add-ons.<\/li>\n
                                                                                                                • Advanced bot\/rate features<\/strong>: Can add to cost.<\/li>\n
                                                                                                                • Logging<\/strong>:<\/li>\n
                                                                                                                • Exporting high-volume logs to SLS can become a major cost component if you index everything and retain for long periods.<\/li>\n
                                                                                                                • Storing unindexed archives is cheaper than full-text indexed retention (SLS pricing specifics vary\u2014verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Hidden\/indirect costs<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Origin scaling<\/strong>: WAF reduces malicious traffic, but legitimate traffic still reaches your app; you may still need capacity planning.<\/li>\n
                                                                                                                  • Certificate operations<\/strong>: managing\/renewing certs and ensuring no downtime.<\/li>\n
                                                                                                                  • Engineering time<\/strong>: rule tuning, false positive handling, incident runbooks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • WAF changes the traffic path. You may see:<\/li>\n
                                                                                                                    • Different source IP addresses at your origin (often WAF egress IPs).<\/li>\n
                                                                                                                    • Need to rely on X-Forwarded-For<\/code> or similar headers for real client IP.<\/li>\n
                                                                                                                    • Data transfer fees depend on how your origin is hosted and billed; verify your ECS\/SLB\/ALB and bandwidth billing.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Cost optimization tips<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Start with a small number of domains and baseline protections.<\/li>\n
                                                                                                                      • Export logs selectively:<\/li>\n
                                                                                                                      • Keep high-value security events indexed<\/li>\n
                                                                                                                      • Reduce retention for noisy data<\/li>\n
                                                                                                                      • Use staged rollout:<\/li>\n
                                                                                                                      • Enable protections in monitor mode (if supported) \u2192 tune \u2192 enforce<\/li>\n
                                                                                                                      • Avoid protecting unused domains or test environments beyond what you need.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Example low-cost starter estimate (non-numeric)<\/h3>\n\n\n\n
                                                                                                                        A low-cost starter setup usually looks like:\n– 1 test domain\n– baseline managed protection enabled\n– minimal custom rules\n– limited or no log export (or short retention)<\/p>\n\n\n\n
                                                                                                                        Exact monthly cost varies significantly by region\/edition. Use the official pricing page and calculator to estimate<\/strong>.<\/p>\n\n\n\n
                                                                                                                        Example production cost considerations (non-numeric)<\/h3>\n\n\n\n
                                                                                                                        For production, plan for:\n– multiple domains\/environments\n– higher traffic capacity\n– bot management and CC controls\n– log export to SLS with retention aligned to compliance (30\/90\/180+ days)\n– operational overhead (tuning and reviews)<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                                        This lab onboards a real domain to Alibaba Cloud Web Application Firewall (WAF) using a typical DNS (CNAME) cutover pattern, validates protection with safe test requests, and then cleans up.<\/p>\n\n\n\n
                                                                                                                        Because Alibaba Cloud console flows can change, always cross-check UI labels with the official \u201cgetting started\u201d documentation for WAF in your region: https:\/\/www.alibabacloud.com\/help\/en\/waf<\/p>\n\n\n\n
                                                                                                                        Objective<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Deploy (or use) a simple origin website.<\/li>\n
                                                                                                                        • Add a domain to Web Application Firewall (WAF)<\/strong>.<\/li>\n
                                                                                                                        • Update DNS to route traffic through WAF.<\/li>\n
                                                                                                                        • Validate that:<\/li>\n
                                                                                                                        • the site works through WAF<\/li>\n
                                                                                                                        • WAF blocks at least one obvious attack pattern<\/li>\n
                                                                                                                        • Clean up resources to avoid unexpected charges.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Lab Overview<\/h3>\n\n\n\n
                                                                                                                          You will:\n1. Create a small NGINX origin on ECS (optional if you already have an origin).\n2. Activate\/purchase Alibaba Cloud Web Application Firewall (WAF).\n3. Add a protected domain and configure origin settings.\n4. Point DNS (CNAME) to WAF.\n5. Validate normal traffic and a blocked request.\n6. (Optional) Enable log export if available.\n7. Remove the protected domain and delete lab resources.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 1: Create a simple origin website on ECS (optional but recommended)<\/h3>\n\n\n\n
                                                                                                                          If you already have a test website\/API endpoint, you can skip to Step 2.<\/p>\n\n\n\n
                                                                                                                          1.1 Create an ECS instance<\/h4>\n\n\n\n
                                                                                                                          Create a small ECS instance in a region that makes sense for your testing. Ensure:\n– You can SSH to it.\n– Security group allows inbound:\n  – TCP 80 from your IP (for initial setup)\n  – TCP 80 from the internet temporarily (for WAF forwarding), or<\/strong> restrict later to WAF egress IPs (recommended for production; for lab you can keep it open but understand the risk).<\/p>\n\n\n\n
                                                                                                                          \n
                                                                                                                          Cost note: ECS is billed separately from WAF.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                          1.2 Install NGINX and publish a test page<\/h4>\n\n\n\n
                                                                                                                          SSH to the instance and run:<\/p>\n\n\n\n
                                                                                                                          # Debian\/Ubuntu\nsudo apt-get update\nsudo apt-get install -y nginx\n\n# Make a simple page\necho \"Hello from origin $(hostname) - $(date)\" | sudo tee \/var\/www\/html\/index.html\n\n# Start and enable nginx\nsudo systemctl enable nginx\nsudo systemctl restart nginx\n<\/code><\/pre>\n\n\n\n
                                                                                                                          For RHEL\/CentOS-like images:<\/p>\n\n\n\n
                                                                                                                          sudo yum install -y nginx\nsudo systemctl enable nginx\nsudo systemctl start nginx\necho \"Hello from origin $(hostname) - $(date)\" | sudo tee \/usr\/share\/nginx\/html\/index.html\n<\/code><\/pre>\n\n\n\n
                                                                                                                          1.3 Verify the origin directly<\/h4>\n\n\n\n
                                                                                                                          From your laptop:<\/p>\n\n\n\n
                                                                                                                          curl -i http:\/\/<ECS_PUBLIC_IP>\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>: HTTP 200 with your \u201cHello from origin \u2026\u201d body.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 2: Prepare your domain and DNS<\/h3>\n\n\n\n
                                                                                                                          You need a domain\/subdomain to route through WAF.<\/p>\n\n\n\n
                                                                                                                          2.1 Choose a test hostname<\/h4>\n\n\n\n
                                                                                                                          Example: waf-lab.example.com<\/code><\/p>\n\n\n\n
                                                                                                                          2.2 Confirm you can change DNS records<\/h4>\n\n\n\n
                                                                                                                          In your DNS provider (Alibaba Cloud DNS or external):\n– You must be able to create\/modify a CNAME record for waf-lab.example.com<\/code>.<\/p>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>: You\u2019re ready to apply a DNS cutover when WAF provides the CNAME target.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 3: Activate\/purchase Alibaba Cloud Web Application Firewall (WAF)<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. Go to the Alibaba Cloud console and locate Web Application Firewall (WAF)<\/strong>.<\/li>\n
                                                                                                                          2. Follow the \u201cBuy\/Activate\u201d flow.<\/li>\n
                                                                                                                          3. Select the edition<\/strong> and billing mode that fits a small lab.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            Because editions and purchase options evolve, verify the exact edition names and features in your console<\/strong> and on the product page:\n– https:\/\/www.alibabacloud.com\/product\/waf<\/p>\n\n\n\n
                                                                                                                            Expected outcome<\/strong>: Your account has an active WAF instance and you can open the WAF console.<\/p>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Step 4: Add a protected domain (website) to WAF<\/h3>\n\n\n\n
                                                                                                                            In the WAF console, find the onboarding flow typically labeled similar to:\n– \u201cWebsite access\u201d, \u201cAdd domain\u201d, or \u201cProtected object\u201d (naming may vary)<\/p>\n\n\n\n
                                                                                                                            Provide the following (exact fields vary):<\/p>\n\n\n\n
                                                                                                                            4.1 Domain information<\/h4>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Domain<\/strong>: waf-lab.example.com<\/code><\/li>\n
                                                                                                                            • Protocol<\/strong>:<\/li>\n
                                                                                                                            • Start with HTTP<\/strong> for simplicity, or<\/li>\n
                                                                                                                            • Configure HTTPS<\/strong> if you have a certificate ready<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              4.2 Origin configuration<\/h4>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Origin type<\/strong>:<\/li>\n
                                                                                                                              • ECS public IP (for this lab), or<\/li>\n
                                                                                                                              • SLB\/ALB domain, or<\/li>\n
                                                                                                                              • Another reachable origin<\/li>\n
                                                                                                                              • Origin address<\/strong>: your ECS public IP (example: 203.0.113.10<\/code>)<\/li>\n
                                                                                                                              • Origin port<\/strong>: 80<\/code><\/li>\n
                                                                                                                              • Back-to-origin protocol<\/strong>: HTTP<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                4.3 (Optional) Configure HTTPS on WAF<\/h4>\n\n\n\n
                                                                                                                                If you want https:\/\/waf-lab.example.com<\/code>:\n– Upload\/import the TLS certificate for waf-lab.example.com<\/code>\n– Ensure certificate chain is correct\n– Select TLS settings as needed (defaults are usually fine for a lab)<\/p>\n\n\n\n
                                                                                                                                Expected outcome<\/strong>: WAF creates a protected domain entry and provides you with a CNAME target<\/strong> (a WAF endpoint hostname) to use in DNS.<\/p>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                Step 5: Update DNS to point your domain to WAF (CNAME cutover)<\/h3>\n\n\n\n
                                                                                                                                In your DNS provider:<\/p>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                1. \n
                                                                                                                                  Create or update a record:\n   – Type: CNAME<\/code>\n   – Name\/Host: waf-lab<\/code> (or full waf-lab.example.com<\/code> depending on UI)\n   – Value\/Target: the WAF-provided CNAME target from Step 4<\/p>\n<\/li>\n
                                                                                                                                2. \n
                                                                                                                                  Set a low TTL (e.g., 60\u2013300 seconds) for faster propagation during the lab.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                  Important: If your DNS provider requires an A record at apex\/root domain, use a subdomain for this lab. Root\/apex CNAME restrictions vary by DNS provider.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                  Expected outcome<\/strong>: After DNS propagates, waf-lab.example.com<\/code> resolves to WAF, not directly to your origin.<\/p>\n\n\n\n
                                                                                                                                  To confirm:<\/p>\n\n\n\n
                                                                                                                                  # Linux\/macOS\ndig waf-lab.example.com CNAME +short\n\n# Or\nnslookup -type=CNAME waf-lab.example.com\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  You should see the WAF CNAME target.<\/p>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Step 6: Verify your site works through WAF<\/h3>\n\n\n\n
                                                                                                                                  Now request the site via your domain:<\/p>\n\n\n\n
                                                                                                                                  curl -i http:\/\/waf-lab.example.com\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  Expected outcome<\/strong>:\n– HTTP 200\n– Response body matches your origin page\n– Headers may include WAF-related headers (not guaranteed; do not rely on them for validation)<\/p>\n\n\n\n
                                                                                                                                  If you configured HTTPS:<\/p>\n\n\n\n
                                                                                                                                  curl -i https:\/\/waf-lab.example.com\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  If you get a certificate error, fix the WAF certificate configuration and ensure DNS points to WAF.<\/p>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Step 7: Enable baseline protections and test a safe \u201cattack-like\u201d request<\/h3>\n\n\n\n
                                                                                                                                  You want to confirm WAF is actually inspecting traffic.<\/p>\n\n\n\n
                                                                                                                                  7.1 Confirm baseline protection is enabled<\/h4>\n\n\n\n
                                                                                                                                  In the WAF console, locate protection settings for the domain and ensure managed protections are enabled (terminology varies).<\/p>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                  If the console offers \u201cMonitor\u201d vs \u201cBlock\u201d mode, start with Monitor in production. For a lab, blocking is fine as long as you only test your own domain.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                  7.2 Send a test request that often triggers WAF rules<\/h4>\n\n\n\n
                                                                                                                                  Use a benign request with a classic SQLi pattern in a query parameter:<\/p>\n\n\n\n
                                                                                                                                  curl -i \"http:\/\/waf-lab.example.com\/?id=1%27%20OR%20%271%27%3D%271\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  Expected outcome<\/strong>:\n– WAF may return a 403<\/strong> or a block page depending on configuration.\n– If it is only logging\/monitoring, you may still get 200, but the event should appear in WAF logs\/events.<\/p>\n\n\n\n
                                                                                                                                  Also try a simple XSS pattern:<\/p>\n\n\n\n
                                                                                                                                  curl -i \"http:\/\/waf-lab.example.com\/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                  Note: Detection varies by rule set and mode. If nothing is blocked, check:\n– Is protection mode set to block?\n– Are managed rules enabled for this domain?\n– Are you testing the exact protected hostname?<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Step 8 (Optional): Export logs to Log Service (SLS) for deeper visibility<\/h3>\n\n\n\n
                                                                                                                                  If your WAF edition supports log export:<\/p>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  1. In WAF console, locate logging settings (often \u201cLog Service\u201d, \u201cSLS integration\u201d, or \u201cLog configuration\u201d).<\/li>\n
                                                                                                                                  2. Choose or create:\n   – An SLS Project\n   – A Logstore<\/li>\n
                                                                                                                                  3. Enable export for access\/security events.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                    Expected outcome<\/strong>:\n– Within a few minutes, you can search WAF logs in SLS and find your test requests and block events.<\/p>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                    Cost note: SLS ingestion, indexing, and retention cost money. For a lab, keep retention short and indexing minimal.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                    \n\n\n\n
                                                                                                                                    Validation<\/h3>\n\n\n\n
                                                                                                                                    Use this checklist:<\/p>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    1. \n
                                                                                                                                      DNS points to WAF<\/strong>\n   – dig<\/code>\/nslookup<\/code> shows the WAF CNAME target.<\/p>\n<\/li>\n
                                                                                                                                    2. \n
                                                                                                                                      Normal request succeeds<\/strong>\n   – curl -i http:\/\/waf-lab.example.com\/<\/code> returns 200 and your origin content.<\/p>\n<\/li>\n
                                                                                                                                    3. \n
                                                                                                                                      Attack-like request is blocked or logged<\/strong>\n   – SQLi\/XSS test returns 403\/block page or<\/strong> appears in WAF event logs.<\/p>\n<\/li>\n
                                                                                                                                    4. \n
                                                                                                                                      Origin still works directly (optional check)<\/strong>\n   – curl -i http:\/\/<ECS_PUBLIC_IP>\/<\/code> returns 200.\n   – In production, you typically want to prevent direct origin access<\/strong> (anti-bypass).<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      Troubleshooting<\/h3>\n\n\n\n
                                                                                                                                      Problem: DNS changed but traffic still goes to origin<\/h4>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Cause<\/strong>: DNS propagation delay or local caching.<\/li>\n
                                                                                                                                      • Fix<\/strong>:<\/li>\n
                                                                                                                                      • Lower TTL and wait.<\/li>\n
                                                                                                                                      • Check using a public resolver:\n    bash\n    dig @8.8.8.8 waf-lab.example.com CNAME +short\n    dig @1.1.1.1 waf-lab.example.com CNAME +short<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Problem: WAF returns 502\/504 or origin unreachable<\/h4>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Cause<\/strong>: Incorrect origin IP\/port, origin security group blocks WAF, origin health issues.<\/li>\n
                                                                                                                                        • Fix<\/strong>:<\/li>\n
                                                                                                                                        • Confirm origin is reachable from the internet on the configured port.<\/li>\n
                                                                                                                                        • Check NGINX is running.<\/li>\n
                                                                                                                                        • Ensure security group allows inbound on origin port.<\/li>\n
                                                                                                                                        • If you restricted origin to WAF IPs, ensure you used the correct official IP ranges (verify in official docs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Problem: HTTPS fails with certificate errors<\/h4>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Cause<\/strong>: Wrong certificate, missing intermediate chain, mismatched hostname.<\/li>\n
                                                                                                                                          • Fix<\/strong>:<\/li>\n
                                                                                                                                          • Upload correct certificate for waf-lab.example.com<\/code>.<\/li>\n
                                                                                                                                          • Include full chain if required.<\/li>\n
                                                                                                                                          • Ensure you are requesting the exact hostname covered by the cert.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Problem: Test \u201cattack\u201d requests are not blocked<\/h4>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Cause<\/strong>: Domain not in blocking mode, managed rules disabled, or rules tuned permissively.<\/li>\n
                                                                                                                                            • Fix<\/strong>:<\/li>\n
                                                                                                                                            • Confirm WAF policy is applied to the correct domain.<\/li>\n
                                                                                                                                            • Switch to blocking mode for the lab (if supported).<\/li>\n
                                                                                                                                            • Check event logs\u2014some setups log but do not block.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Problem: Your app sees WAF IP addresses instead of client IP<\/h4>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Cause<\/strong>: Reverse proxy behavior.<\/li>\n
                                                                                                                                              • Fix<\/strong>:<\/li>\n
                                                                                                                                              • Configure your app\/server (NGINX) to use X-Forwarded-For<\/code> \/ X-Real-IP<\/code> as client IP (verify WAF header behavior in official docs).<\/li>\n
                                                                                                                                              • Example for NGINX (conceptual; validate for your environment):\n    nginx\n    real_ip_header X-Forwarded-For;\n    set_real_ip_from 0.0.0.0\/0;  # Do NOT use this in production; use trusted proxy IP ranges\n    real_ip_recursive on;<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                Cleanup<\/h3>\n\n\n\n
                                                                                                                                                To avoid ongoing charges and reduce exposure:<\/p>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                1. \n
                                                                                                                                                  Remove the protected domain from WAF<\/strong>\n   – In WAF console, delete waf-lab.example.com<\/code> from protected objects.<\/p>\n<\/li>\n
                                                                                                                                                2. \n
                                                                                                                                                  Revert DNS<\/strong>\n   – Remove the CNAME record or point it back to your original endpoint.<\/p>\n<\/li>\n
                                                                                                                                                3. \n
                                                                                                                                                  Delete optional logging resources<\/strong>\n   – If you created SLS Project\/Logstore specifically for this lab, delete them or reduce retention.<\/p>\n<\/li>\n
                                                                                                                                                4. \n
                                                                                                                                                  Terminate ECS instance<\/strong>\n   – If you created an ECS instance only for this lab, stop and release it.<\/p>\n<\/li>\n
                                                                                                                                                5. \n
                                                                                                                                                  Review billing<\/strong>\n   – Check Alibaba Cloud Billing Management for any remaining running resources.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                  \n\n\n\n
                                                                                                                                                  11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                                  Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Put WAF in front of every internet-facing app and API<\/strong> that handles authentication, PII, or revenue-critical traffic.<\/li>\n
                                                                                                                                                  • Use a load balancer as the origin<\/strong> (SLB\/ALB) for multi-instance apps to avoid single points of failure.<\/li>\n
                                                                                                                                                  • Design for anti-bypass<\/strong>:<\/li>\n
                                                                                                                                                  • Restrict origin inbound to WAF egress IP ranges (preferred).<\/li>\n
                                                                                                                                                  • Or place origin in private networks accessible only through approved ingress paths (pattern depends on your environment).<\/li>\n
                                                                                                                                                  • Use separate domains\/subdomains for environments<\/strong>:<\/li>\n
                                                                                                                                                  • app.example.com<\/code> (prod)<\/li>\n
                                                                                                                                                  • app-staging.example.com<\/code> (staging)<\/li>\n
                                                                                                                                                  • Apply different policies and logging.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Least privilege<\/strong> with RAM:<\/li>\n
                                                                                                                                                    • Separate roles for \u201cWAF Admin\u201d vs \u201cWAF Viewer\/Auditor\u201d.<\/li>\n
                                                                                                                                                    • Protect certificate management permissions carefully.<\/li>\n
                                                                                                                                                    • Change control<\/strong>:<\/li>\n
                                                                                                                                                    • Require approvals for rule changes that can block traffic.<\/li>\n
                                                                                                                                                    • Log all changes using ActionTrail or equivalent audit.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Cost best practices<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Right-size your edition\/capacity<\/strong> for actual traffic.<\/li>\n
                                                                                                                                                      • Log smart<\/strong>:<\/li>\n
                                                                                                                                                      • Export only what you need for detection and compliance.<\/li>\n
                                                                                                                                                      • Tune retention (hot searchable vs archived).<\/li>\n
                                                                                                                                                      • Avoid onboarding unused domains<\/strong> and stale test environments.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Performance best practices<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Minimize false positives<\/strong> by tuning rules for high-traffic endpoints.<\/li>\n
                                                                                                                                                        • Use targeted policies<\/strong>:<\/li>\n
                                                                                                                                                        • stricter rules on \/login<\/code>, \/api\/auth<\/code>, \/admin<\/code><\/li>\n
                                                                                                                                                        • more permissive rules on static content routes if needed<\/li>\n
                                                                                                                                                        • Validate latency impact<\/strong> in your region and for your client base.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Have a rollback plan<\/strong>:<\/li>\n
                                                                                                                                                          • DNS rollback procedure<\/li>\n
                                                                                                                                                          • Temporary bypass method (careful: bypass increases risk)<\/li>\n
                                                                                                                                                          • Document emergency rules<\/strong>:<\/li>\n
                                                                                                                                                          • IP blocks for active incidents<\/li>\n
                                                                                                                                                          • Rate-limit templates for common floods<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Dashboards and alerting<\/strong>:<\/li>\n
                                                                                                                                                            • Monitor spikes in blocked requests, top targeted endpoints, and unusual geographies.<\/li>\n
                                                                                                                                                            • Runbook-driven response<\/strong>:<\/li>\n
                                                                                                                                                            • Triage \u2192 containment rule \u2192 confirm \u2192 longer-term fix (patch\/app change)<\/li>\n
                                                                                                                                                            • Regular reviews<\/strong>:<\/li>\n
                                                                                                                                                            • Monthly rule tuning<\/li>\n
                                                                                                                                                            • Quarterly access reviews for RAM permissions<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Use consistent naming for:<\/li>\n
                                                                                                                                                              • domains: team-app-env.example.com<\/code><\/li>\n
                                                                                                                                                              • rules: ENV-App-Endpoint-Intent<\/code> (e.g., Prod-Checkout-RateLimit-Strict<\/code>)<\/li>\n
                                                                                                                                                              • Use resource groups\/tags where supported to map ownership and cost centers.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                \n\n\n\n
                                                                                                                                                                12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                                Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Use RAM<\/strong> to control who can:<\/li>\n
                                                                                                                                                                • add\/remove protected domains<\/li>\n
                                                                                                                                                                • modify rules<\/li>\n
                                                                                                                                                                • view logs\/events<\/li>\n
                                                                                                                                                                • manage certificates<\/li>\n
                                                                                                                                                                • Prefer role-based access:<\/li>\n
                                                                                                                                                                • Security team: approve policies<\/li>\n
                                                                                                                                                                • Platform team: implement baseline and integrations<\/li>\n
                                                                                                                                                                • App team: request exceptions with evidence<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Encryption<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • In transit<\/strong>:<\/li>\n
                                                                                                                                                                  • Clients \u2192 WAF: HTTPS recommended.<\/li>\n
                                                                                                                                                                  • WAF \u2192 origin: use HTTPS where feasible to avoid plaintext inside the path.<\/li>\n
                                                                                                                                                                  • At rest<\/strong>:<\/li>\n
                                                                                                                                                                  • Logs exported to SLS must be treated as sensitive; apply retention and access controls.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                    Verify exact TLS configuration options supported by your WAF edition in official docs.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                                                    Network exposure<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Avoid direct-to-origin access:<\/li>\n
                                                                                                                                                                    • Restrict origin inbound rules to known WAF egress IPs or approved load balancers.<\/li>\n
                                                                                                                                                                    • Carefully handle admin endpoints:<\/li>\n
                                                                                                                                                                    • IP allowlist + strong authentication<\/li>\n
                                                                                                                                                                    • Do not rely on WAF alone for admin security<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Certificates and private keys used on WAF are high sensitivity:<\/li>\n
                                                                                                                                                                      • Limit who can upload\/export<\/li>\n
                                                                                                                                                                      • Rotate certificates before expiry<\/li>\n
                                                                                                                                                                      • Maintain inventory of cert owners and renewal process<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Enable audit trails for WAF configuration changes (for example via ActionTrail).<\/li>\n
                                                                                                                                                                        • Export WAF logs to SLS for:<\/li>\n
                                                                                                                                                                        • incident investigation<\/li>\n
                                                                                                                                                                        • compliance evidence<\/li>\n
                                                                                                                                                                        • detections and alerting<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                                          WAF can support compliance, but it is not a compliance certificate by itself. For compliance mapping:\n– Document WAF placement and enforced controls.\n– Define log retention policy aligned to your requirements.\n– Ensure PII in logs is handled appropriately (masking\/tokenization may be needed; verify whether WAF supports masking in logs\u2014if uncertain, implement at log pipeline level).<\/p>\n\n\n\n
                                                                                                                                                                          Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Not restricting origin access<\/strong>, enabling easy bypass.<\/li>\n
                                                                                                                                                                          • Blocking too aggressively without monitoring, causing outages.<\/li>\n
                                                                                                                                                                          • Treating WAF as a replacement for secure coding and patching.<\/li>\n
                                                                                                                                                                          • Over-sharing WAF admin rights (certificate theft risk).<\/li>\n
                                                                                                                                                                          • Logging everything without access control (PII leakage risk).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • Start in staging with representative traffic.<\/li>\n
                                                                                                                                                                            • Roll out to production with:<\/li>\n
                                                                                                                                                                            • monitor-only (if supported) \u2192 tune \u2192 enforce<\/li>\n
                                                                                                                                                                            • careful allowlists for known legitimate automation<\/li>\n
                                                                                                                                                                            • Maintain a break-glass procedure with limited, audited access.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              \n\n\n\n
                                                                                                                                                                              13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                              These are common WAF realities; confirm specifics for Alibaba Cloud WAF in your edition and region.<\/p>\n\n\n\n
                                                                                                                                                                              Known limitations (general WAF class)<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • False positives\/negatives<\/strong>: No WAF is perfect; tuning is required.<\/li>\n
                                                                                                                                                                              • Encrypted traffic inspection requires TLS termination<\/strong> at WAF, which changes certificate handling.<\/li>\n
                                                                                                                                                                              • Some protocols over HTTP<\/strong> (custom binary payloads) can cause parsing issues.<\/li>\n
                                                                                                                                                                              • Large request bodies \/ file uploads<\/strong> may have inspection limits (size thresholds vary\u2014verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Quotas<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • Protected domains count<\/li>\n
                                                                                                                                                                                • Custom rules count<\/li>\n
                                                                                                                                                                                • QPS\/request capacity<\/li>\n
                                                                                                                                                                                • Log export limits\nAll can be edition-dependent. Verify in official docs and console.<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  Regional constraints<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Availability and PoP behavior may vary.<\/li>\n
                                                                                                                                                                                  • Certain features may be limited to particular regions\/editions. Verify before committing.<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • Log export (SLS) can become expensive with:<\/li>\n
                                                                                                                                                                                    • high traffic<\/li>\n
                                                                                                                                                                                    • long retention<\/li>\n
                                                                                                                                                                                    • full indexing<\/li>\n
                                                                                                                                                                                    • Higher editions may be required for:<\/li>\n
                                                                                                                                                                                    • many protected domains<\/li>\n
                                                                                                                                                                                    • advanced bot features<\/li>\n
                                                                                                                                                                                    • higher traffic capacity<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      • If your origin expects the original client IP at TCP level, you must adapt to reverse proxy headers.<\/li>\n
                                                                                                                                                                                      • Some authentication flows can be affected if WAF challenges or blocks endpoints used by mobile apps or third parties.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                        Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        • DNS cutovers require careful TTL management and rollback planning.<\/li>\n
                                                                                                                                                                                        • If you block a shared NAT IP (mobile carriers, enterprise proxies), you may affect many legitimate users.<\/li>\n
                                                                                                                                                                                        • Staging policies must not accidentally be applied to production domains.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          • Moving from another WAF vendor requires:<\/li>\n
                                                                                                                                                                                          • rule migration and retesting<\/li>\n
                                                                                                                                                                                          • logging pipeline updates<\/li>\n
                                                                                                                                                                                          • certificate handling changes<\/li>\n
                                                                                                                                                                                          • client IP and header behavior validation<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                            Vendor-specific nuances (verify)<\/h3>\n\n\n\n
                                                                                                                                                                                              \n
                                                                                                                                                                                            • Access mode options and exact onboarding steps can differ (CNAME vs other supported access patterns).<\/li>\n
                                                                                                                                                                                            • Published WAF egress IP range handling is essential for anti-bypass; confirm the official method<\/strong> Alibaba Cloud provides for obtaining those IPs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                              \n\n\n\n
                                                                                                                                                                                              14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                                              WAF is one part of the security toolbox. Here\u2019s how Alibaba Cloud Web Application Firewall (WAF) compares to common alternatives.<\/p>\n\n\n\n
                                                                                                                                                                                              In Alibaba Cloud (same cloud)<\/h3>\n\n\n\n
                                                                                                                                                                                                \n
                                                                                                                                                                                              • Cloud Firewall<\/strong>: Network-level firewalling and access control (not a full HTTP payload inspection WAF).<\/li>\n
                                                                                                                                                                                              • Anti-DDoS<\/strong> products: Focus on volumetric attacks and network-layer mitigation; WAF focuses on L7 threats and app-layer abuse.<\/li>\n
                                                                                                                                                                                              • Security Center<\/strong>: Host security posture, vulnerability scanning, malware detection\u2014complements WAF but does not replace it.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                Other cloud providers<\/h3>\n\n\n\n
                                                                                                                                                                                                  \n
                                                                                                                                                                                                • AWS WAF<\/strong>, Azure Web Application Firewall<\/strong>, Google Cloud Armor<\/strong>: Similar concept, different integrations and pricing models.<\/li>\n
                                                                                                                                                                                                • Choose based on where your workloads run and how your traffic is routed.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                  Open-source\/self-managed<\/h3>\n\n\n\n
                                                                                                                                                                                                    \n
                                                                                                                                                                                                  • ModSecurity + OWASP CRS<\/strong> on NGINX\/Apache, or WAF features in ingress controllers:<\/li>\n
                                                                                                                                                                                                  • Maximum control<\/li>\n
                                                                                                                                                                                                  • Higher operational burden<\/li>\n
                                                                                                                                                                                                  • Harder to keep rule sets tuned and infrastructure resilient<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                    Comparison table<\/h4>\n\n\n\n
                                                                                                                                                                                                    \n\n\n\n\n\n\n\n\n
                                                                                                                                                                                                    Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                                    Alibaba Cloud Web Application Firewall (WAF)<\/strong><\/td>\nAlibaba Cloud-hosted apps needing managed L7 protection<\/td>\nManaged rules, centralized policies, fast mitigation, console + API control<\/td>\nNeeds tuning; adds proxy layer; edition-based feature differences<\/td>\nYou need managed web\/app\/API protection on Alibaba Cloud with operational efficiency<\/td>\n<\/tr>\n
                                                                                                                                                                                                    Alibaba Cloud Cloud Firewall<\/td>\nNetwork boundary control and segmentation<\/td>\nStrong L3\/L4 and access control posture<\/td>\nNot a full HTTP payload WAF<\/td>\nYou need network firewall governance; use alongside WAF for defense-in-depth<\/td>\n<\/tr>\n
                                                                                                                                                                                                    Alibaba Cloud Anti-DDoS (product variants)<\/td>\nVolumetric DDoS and large-scale floods<\/td>\nStrong DDoS mitigation upstream<\/td>\nDoesn\u2019t replace WAF for SQLi\/XSS\/bots<\/td>\nYou have DDoS risk; combine with WAF for full coverage<\/td>\n<\/tr>\n
                                                                                                                                                                                                    Self-managed ModSecurity\/OWASP CRS<\/td>\nDeep customization, special needs<\/td>\nFull control, portable, no vendor lock-in<\/td>\nHigh ops burden, tuning complexity, scaling\/logging responsibility<\/td>\nYou have strong in-house expertise and need custom behavior<\/td>\n<\/tr>\n
                                                                                                                                                                                                    Cloudflare \/ third-party edge WAF<\/td>\nMulti-cloud\/edge use cases<\/td>\nGlobal edge, fast rollout, bot ecosystem<\/td>\nDifferent governance model; data residency concerns<\/td>\nYou want vendor-neutral edge security in front of multiple clouds<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                                    15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                                                    Enterprise example: Multi-brand e-commerce platform<\/h3>\n\n\n\n
                                                                                                                                                                                                      \n
                                                                                                                                                                                                    • Problem<\/strong>: The company operates multiple storefronts and APIs. They face constant scanning, credential stuffing on login, and occasional L7 floods during promotions. App teams patch quickly but still experience exposure windows.<\/li>\n
                                                                                                                                                                                                    • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                                                                                    • Alibaba Cloud DNS routes storefront domains to Web Application Firewall (WAF)<\/strong>.<\/li>\n
                                                                                                                                                                                                    • WAF forwards to ALB\/SLB, then to ECS\/containers in a VPC.<\/li>\n
                                                                                                                                                                                                    • Origin security groups only allow inbound from WAF egress IP ranges (anti-bypass).<\/li>\n
                                                                                                                                                                                                    • Logs exported to SLS; alerts configured for spikes in blocks, login abuse, and new attack signatures.<\/li>\n
                                                                                                                                                                                                    • Why WAF was chosen<\/strong>:<\/li>\n
                                                                                                                                                                                                    • Centralized protection across many domains with consistent baseline policies.<\/li>\n
                                                                                                                                                                                                    • Faster incident response via custom rules and rate limiting.<\/li>\n
                                                                                                                                                                                                    • Managed rules reduce dependency on each app team to implement bespoke filters.<\/li>\n
                                                                                                                                                                                                    • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                                                                                    • Reduced successful exploitation attempts<\/li>\n
                                                                                                                                                                                                    • Better visibility into attack campaigns<\/li>\n
                                                                                                                                                                                                    • More stable origin performance during abusive traffic<\/li>\n
                                                                                                                                                                                                    • Improved audit posture through centralized logs and change tracking<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                      Startup\/small-team example: SaaS dashboard + public API<\/h3>\n\n\n\n
                                                                                                                                                                                                        \n
                                                                                                                                                                                                      • Problem<\/strong>: A small team has a SaaS dashboard and a public API. They see bot sign-ups, endpoint probing, and occasional brute-force attempts. They can\u2019t afford 24\/7 manual monitoring.<\/li>\n
                                                                                                                                                                                                      • Proposed architecture<\/strong>:<\/li>\n
                                                                                                                                                                                                      • One WAF-protected domain for the dashboard and one for the API.<\/li>\n
                                                                                                                                                                                                      • Strict policies on \/api\/auth<\/code> and \/login<\/code> endpoints, more relaxed on marketing pages.<\/li>\n
                                                                                                                                                                                                      • Basic rate limiting and IP blocklists for obvious abusive sources.<\/li>\n
                                                                                                                                                                                                      • Minimal log export (short retention) to control costs.<\/li>\n
                                                                                                                                                                                                      • Why WAF was chosen<\/strong>:<\/li>\n
                                                                                                                                                                                                      • Managed protection with minimal operational overhead.<\/li>\n
                                                                                                                                                                                                      • Quick onboarding and ability to block common attacks without building custom infrastructure.<\/li>\n
                                                                                                                                                                                                      • Expected outcomes<\/strong>:<\/li>\n
                                                                                                                                                                                                      • Reduced noise from scanners\/bots<\/li>\n
                                                                                                                                                                                                      • Fewer brute-force attempts hitting the origin<\/li>\n
                                                                                                                                                                                                      • Clearer visibility into suspicious traffic patterns with manageable cost<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                                        1) Is Alibaba Cloud Web Application Firewall (WAF) a network firewall?<\/strong>\nNo. It is a Layer 7 (HTTP\/HTTPS) protection service focused on web application attacks and abusive web traffic. Use network firewalls\/security groups for L3\/L4 controls and segmentation.<\/p>\n\n\n\n
                                                                                                                                                                                                        2) Does WAF replace secure coding and patching?<\/strong>\nNo. WAF is a compensating control. You still must patch vulnerabilities, validate inputs, and follow secure SDLC.<\/p>\n\n\n\n
                                                                                                                                                                                                        3) Will WAF add latency?<\/strong>\nYes, any reverse proxy can add some latency. In practice it is often small, but measure it for your user regions and endpoints, especially for latency-sensitive APIs.<\/p>\n\n\n\n
                                                                                                                                                                                                        4) Can attackers bypass WAF and hit my origin directly?<\/strong>\nYes, if your origin is publicly reachable. Prevent bypass by restricting origin inbound traffic to WAF egress IPs (verify official IP range publication) or by using a private origin design.<\/p>\n\n\n\n
                                                                                                                                                                                                        5) Do I need to change application code to use WAF?<\/strong>\nUsually no. You mainly change DNS\/routing and configure WAF. You may need to adjust logging of client IP and trust proxy headers.<\/p>\n\n\n\n
                                                                                                                                                                                                        6) How do I see the real client IP at my origin?<\/strong>\nTypically via X-Forwarded-For<\/code> and\/or related headers. Configure your web server\/framework to treat WAF as a trusted proxy. Verify Alibaba Cloud WAF header behavior in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                                        7) Can I protect APIs (JSON\/REST) with WAF?<\/strong>\nYes, WAF commonly protects API endpoints over HTTP\/HTTPS. Confirm your edition supports the policy types you need (rate limiting, bot controls, schema validation if desired).<\/p>\n\n\n\n
                                                                                                                                                                                                        8) Does WAF support WebSockets or gRPC?<\/strong>\nSupport varies by vendor and edition. For Alibaba Cloud WAF, verify in official docs<\/strong> for your access mode and region before adopting for WebSockets\/gRPC.<\/p>\n\n\n\n
                                                                                                                                                                                                        9) How do I avoid false positives?<\/strong>\nStart in monitoring mode (if available), analyze logs, create exclusions for known safe patterns, and apply stricter rules only on high-risk endpoints.<\/p>\n\n\n\n
                                                                                                                                                                                                        10) Can I use WAF with a CDN?<\/strong>\nOften yes, but the recommended architecture (CDN \u2192 WAF \u2192 origin or WAF \u2192 CDN \u2192 origin) depends on product support and your requirements. Verify the supported integration pattern<\/strong> in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                                        11) Do I need a separate WAF for staging vs production?<\/strong>\nYou typically protect different domains for staging\/prod and apply different policies. Whether you need separate instances depends on how Alibaba Cloud packages capacity and quotas\u2014verify.<\/p>\n\n\n\n
                                                                                                                                                                                                        12) What happens if I misconfigure WAF and block real users?<\/strong>\nYou can roll back by:\n– adjusting or disabling the problematic rule\n– switching to monitor mode (if supported)\n– reverting DNS to bypass WAF (emergency only, increases risk)<\/p>\n\n\n\n
                                                                                                                                                                                                        13) Can I automate WAF configuration?<\/strong>\nAlibaba Cloud provides APIs for many services. For WAF, API coverage exists but varies\u2014verify the official API reference and test in non-production first.<\/p>\n\n\n\n
                                                                                                                                                                                                        14) What logs should I retain for security investigations?<\/strong>\nAt minimum:\n– timestamp, client IP (original), request path, response status, rule matched, action taken\nRetention depends on compliance and incident response needs. Export to SLS if you need longer retention and querying.<\/p>\n\n\n\n
                                                                                                                                                                                                        15) Is WAF enough to stop DDoS?<\/strong>\nWAF helps with application-layer floods and abusive patterns, but volumetric DDoS protection usually requires Anti-DDoS services. Use both for full coverage.<\/p>\n\n\n\n
                                                                                                                                                                                                        16) How do I protect multiple subdomains?<\/strong>\nTypically by onboarding each subdomain or using wildcard\/domain group features if supported. Exact capability depends on WAF edition\u2014verify.<\/p>\n\n\n\n
                                                                                                                                                                                                        17) Do I need to upload certificates to WAF for HTTPS?<\/strong>\nIf WAF terminates HTTPS for your domain, yes. Plan certificate lifecycle management carefully.<\/p>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        17. Top Online Resources to Learn Web Application Firewall (WAF)<\/h2>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                                        Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                                        Official product page<\/td>\nAlibaba Cloud Web Application Firewall (WAF)<\/td>\nOverview, core benefits, entry points for buying and documentation: https:\/\/www.alibabacloud.com\/product\/waf<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Official documentation<\/td>\nAlibaba Cloud WAF Help Center<\/td>\nPrimary source for onboarding, configuration, rules, and FAQs: https:\/\/www.alibabacloud.com\/help\/en\/waf<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Official pricing entry<\/td>\nWAF pricing (via product page)<\/td>\nPricing varies by edition\/region; start here and follow the \u201cPricing\u201d links: https:\/\/www.alibabacloud.com\/product\/waf<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Pricing calculator<\/td>\nAlibaba Cloud Pricing Calculator<\/td>\nBuild estimates across services (WAF + ECS + SLS): https:\/\/www.alibabacloud.com\/pricing-calculator<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Security best practices (general)<\/td>\nAlibaba Cloud Security resources<\/td>\nBroader security architecture context; find WAF references within Alibaba Cloud security guidance: https:\/\/www.alibabacloud.com\/solutions\/security<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Logging service docs<\/td>\nAlibaba Cloud Log Service (SLS) documentation<\/td>\nNeeded for exporting\/analyzing WAF logs (cost\/retention\/search): https:\/\/www.alibabacloud.com\/help\/en\/sls<\/td>\n<\/tr>\n
                                                                                                                                                                                                        IAM docs<\/td>\nResource Access Management (RAM) documentation<\/td>\nLeast-privilege and operational governance: https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Audit logging docs<\/td>\nActionTrail documentation<\/td>\nAudit who changed WAF configurations and when: https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n
                                                                                                                                                                                                        Community learning<\/td>\nAlibaba Cloud community\/blog<\/td>\nPractical articles and patterns; validate against official docs: https:\/\/www.alibabacloud.com\/blog<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                                        The following training providers may offer courses related to Alibaba Cloud, cloud security fundamentals, WAF operations, and DevSecOps. Verify current course availability, outlines, and delivery modes on each website.<\/p>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n\n\n\n\n\n
                                                                                                                                                                                                        Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                                        DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nDevSecOps practices, cloud security operations, WAF concepts<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nDevOps tooling, CI\/CD security basics, operational foundations<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        CLoudOpsNow.in<\/td>\nCloud ops engineers, administrators<\/td>\nCloud operations, reliability practices, security basics<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        SreSchool.com<\/td>\nSREs, reliability-focused engineers<\/td>\nSRE practices, incident response, monitoring and governance<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        AiOpsSchool.com<\/td>\nOps\/SRE teams exploring automation<\/td>\nAIOps fundamentals, operational analytics, incident automation<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                                        These sites are presented as training resources\/platforms. Verify trainer profiles, course syllabi, and Alibaba Cloud relevance directly on each site.<\/p>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n\n\n\n\n
                                                                                                                                                                                                        Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                                        RajeshKumar.xyz<\/td>\nCloud\/DevOps training content (verify offerings)<\/td>\nEngineers seeking guided learning<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        devopstrainer.in<\/td>\nDevOps training (verify cloud\/security modules)<\/td>\nDevOps engineers, students<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        devopsfreelancer.com<\/td>\nConsulting\/training style resources (verify focus)<\/td>\nTeams seeking practical implementation guidance<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        devopssupport.in<\/td>\nSupport\/training resources (verify scope)<\/td>\nOps teams needing hands-on support<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                                        These organizations may provide consulting services. Confirm service scope, Alibaba Cloud experience, and references directly with the vendor.<\/p>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n\n\n\n
                                                                                                                                                                                                        Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                                        cotocus.com<\/td>\nCloud\/DevOps consulting (verify offerings)<\/td>\nArchitecture, delivery, managed services<\/td>\nWAF onboarding, secure ingress design, logging\/alerting setup<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        DevOpsSchool.com<\/td>\nDevOps\/Cloud consulting and training<\/td>\nDevSecOps transformation, platform engineering<\/td>\nStandard WAF rollout patterns, policy governance, CI\/CD guardrails<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                                        DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify service catalog)<\/td>\nAutomation, operations, security hardening<\/td>\nWAF rule tuning runbooks, incident response improvements<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                                        21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                                        What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                                                                        To use Alibaba Cloud Web Application Firewall (WAF) effectively, learn:<\/p>\n\n\n\n
                                                                                                                                                                                                          \n
                                                                                                                                                                                                        • HTTP\/HTTPS fundamentals (methods, headers, cookies, status codes)<\/li>\n
                                                                                                                                                                                                        • TLS basics (certificates, chains, SNI)<\/li>\n
                                                                                                                                                                                                        • DNS fundamentals (A\/AAAA\/CNAME, TTL, propagation)<\/li>\n
                                                                                                                                                                                                        • Web security basics:<\/li>\n
                                                                                                                                                                                                        • OWASP Top 10<\/li>\n
                                                                                                                                                                                                        • authentication and session management<\/li>\n
                                                                                                                                                                                                        • common exploit patterns (SQLi, XSS, SSRF\u2014WAF can help but not guarantee prevention)<\/li>\n
                                                                                                                                                                                                        • Alibaba Cloud basics:<\/li>\n
                                                                                                                                                                                                        • ECS, VPC, security groups<\/li>\n
                                                                                                                                                                                                        • RAM permissions and policies<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                          What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                                                                            \n
                                                                                                                                                                                                          • Centralized logging and detection engineering with Log Service (SLS)<\/strong><\/li>\n
                                                                                                                                                                                                          • Incident response and forensic workflows<\/li>\n
                                                                                                                                                                                                          • Infrastructure as Code (Terraform or other tooling) for repeatable WAF onboarding (verify official\/provider support for WAF resources)<\/li>\n
                                                                                                                                                                                                          • Advanced bot management strategies and fraud controls (where applicable)<\/li>\n
                                                                                                                                                                                                          • Zero Trust and segmented architectures (WAF as one layer)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                            Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                                              \n
                                                                                                                                                                                                            • Cloud\/Platform Engineer<\/li>\n
                                                                                                                                                                                                            • DevOps Engineer<\/li>\n
                                                                                                                                                                                                            • SRE<\/li>\n
                                                                                                                                                                                                            • Security Engineer (AppSec \/ CloudSec)<\/li>\n
                                                                                                                                                                                                            • Security Analyst (monitoring and response)<\/li>\n
                                                                                                                                                                                                            • Solutions Architect<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                              Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                                                              Alibaba Cloud certifications and security tracks change over time. If you want certification alignment:\n– Start with Alibaba Cloud fundamentals\n– Add security-focused learning paths\n– Look for WAF coverage in the current Alibaba Cloud certification outlines (verify on Alibaba Cloud official certification pages)<\/p>\n\n\n\n
                                                                                                                                                                                                              Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                                                \n
                                                                                                                                                                                                              1. \n
                                                                                                                                                                                                                Staging-to-production WAF rollout<\/strong>\n   – Onboard staging domain, tune false positives, then migrate policy to production.<\/p>\n<\/li>\n
                                                                                                                                                                                                              2. \n
                                                                                                                                                                                                                Anti-bypass implementation<\/strong>\n   – Restrict origin security group to WAF IP ranges (verify official IP range source).\n   – Validate that direct origin access fails.<\/p>\n<\/li>\n
                                                                                                                                                                                                              3. \n
                                                                                                                                                                                                                WAF + SLS detection dashboard<\/strong>\n   – Export logs to SLS.\n   – Build saved searches for top blocked IPs, targeted URLs, and attack categories.<\/p>\n<\/li>\n
                                                                                                                                                                                                              4. \n
                                                                                                                                                                                                                Rate limiting playbook<\/strong>\n   – Define endpoint-specific thresholds for \/login<\/code> and \/api\/auth<\/code>.\n   – Create a documented runbook for incident activation.<\/p>\n<\/li>\n
                                                                                                                                                                                                              5. \n
                                                                                                                                                                                                                Certificate rotation drill<\/strong>\n   – Rotate WAF TLS certificate before expiration without downtime.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                                                22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                                                  \n
                                                                                                                                                                                                                • WAF (Web Application Firewall)<\/strong>: A security control that inspects HTTP\/HTTPS traffic to detect and block web attacks.<\/li>\n
                                                                                                                                                                                                                • Reverse proxy<\/strong>: An intermediary that receives client requests and forwards them to origin servers.<\/li>\n
                                                                                                                                                                                                                • Origin<\/strong>: The backend server\/service that actually hosts your application (ECS, SLB\/ALB, containers, etc.).<\/li>\n
                                                                                                                                                                                                                • CNAME<\/strong>: A DNS record type that maps one name to another hostname (commonly used to point a domain to a WAF endpoint).<\/li>\n
                                                                                                                                                                                                                • TLS termination<\/strong>: Decrypting HTTPS traffic at a proxy (WAF) so it can inspect requests, then forwarding to origin.<\/li>\n
                                                                                                                                                                                                                • OWASP Top 10<\/strong>: A widely used list of common web application security risks.<\/li>\n
                                                                                                                                                                                                                • SQL Injection (SQLi)<\/strong>: An attack where SQL code is injected into queries via user input.<\/li>\n
                                                                                                                                                                                                                • Cross-Site Scripting (XSS)<\/strong>: An attack that injects malicious scripts into web pages viewed by users.<\/li>\n
                                                                                                                                                                                                                • CC attack (Challenge Collapsar \/ HTTP flood)<\/strong>: Application-layer traffic flooding intended to exhaust web server resources (terminology varies by region\/vendor).<\/li>\n
                                                                                                                                                                                                                • False positive<\/strong>: Legitimate traffic incorrectly blocked by security rules.<\/li>\n
                                                                                                                                                                                                                • False negative<\/strong>: Malicious traffic not detected\/blocked.<\/li>\n
                                                                                                                                                                                                                • RAM<\/strong>: Alibaba Cloud Resource Access Management, used for IAM users\/roles\/policies.<\/li>\n
                                                                                                                                                                                                                • SLS (Log Service)<\/strong>: Alibaba Cloud logging platform for collecting, searching, and analyzing logs.<\/li>\n
                                                                                                                                                                                                                • ActionTrail<\/strong>: Alibaba Cloud service for auditing API calls and configuration changes.<\/li>\n
                                                                                                                                                                                                                • Anti-bypass<\/strong>: Preventing attackers from reaching origin directly, ensuring all traffic passes through WAF.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                                                  23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                                                  Alibaba Cloud Web Application Firewall (WAF)<\/strong> is a managed Security<\/strong> service that protects websites and APIs by inspecting HTTP\/HTTPS traffic, applying managed and custom rules, and blocking common attacks and abusive patterns. It fits into Alibaba Cloud architectures as a reverse proxy in front of ECS\/SLB\/ALB origins, with DNS-based onboarding commonly used to route domains through WAF.<\/p>\n\n\n\n
                                                                                                                                                                                                                  Cost depends on edition, protected assets, traffic volume, and especially logging\/export choices\u2014use the official pricing page and the Alibaba Cloud pricing calculator to estimate accurately. From a security standpoint, the biggest success factors are anti-bypass origin controls, least-privilege RAM access, careful rule tuning to avoid false positives, and exporting logs for incident response.<\/p>\n\n\n\n
                                                                                                                                                                                                                  Use Web Application Firewall (WAF) when you run internet-facing web apps\/APIs and need practical, operationally manageable protection at Layer 7. Next, deepen your skills by integrating WAF logs into Log Service (SLS)<\/strong>, building alerting dashboards, and implementing repeatable onboarding via automation with strict change control.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                                                  Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/51\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}