tencent cloud

Web Application Firewall

Custom Application Gateway Connection

Download
포커스 모드
폰트 크기
마지막 업데이트 시간: 2026-06-26 17:53:22
If your business is deployed on third-party public clouds, private clouds, or on-premises IDC data centers, you can utilize the hybrid cloud WAF connection method to centrally manage and perform Ops for your web services across cloud and on-premises environments through Web Application Firewall (WAF). Hybrid cloud WAF connection extends cloud-based protection capabilities to other cloud platforms or local IDC regions, delivering an integrated web application security management solution that combines local and cloud resources.

Use Cases

Hybrid cloud business, with services simultaneously deployed on Tencent Cloud, other public clouds, private clouds, on-premises IDC, and VPC private networks, requires a unified Web service protection solution.
For special businesses where traffic cannot be routed to public cloud WAF protection for local-specific Web services, yet requiring the use of Tencent Cloud's public cloud WAF protection capabilities.

Feature Strengths

Unified security operations and maintenance management for cloud and on-premises assets and protection policies, reducing the complexity and workload of security operations.
Localized deployment solutions provide localized protection for customer services while supporting Web protection services in diverse and complex environments, minimizing risks associated with business transformation.
Cloud-based protection rules and threat intelligence capabilities are synchronized in real time, reducing Ops costs.
Support custom application gateway SDK access, off-path detection, and manual bypass (bypass) capabilities to enhance business operational stability.
Supporting cluster object access protection, with cluster-level default protection policies taking effect by default, reducing the risk of missed blocking and comprehensively converging the risk exposure surface.

Activation conditions

Activate a WAF instance with a yearly/monthly subscription for Enterprise Edition or Flagship Edition, and retain at least 2 hybrid cloud nodes.
Confirm that the required node deployment resources are prepared. For resource recommendations, see Hybrid Cloud Cluster Resource Preparation.

Hybrid Cloud WAF Cluster Management and Traffic Access Configuration

Step 1: Create a hybrid cloud cluster

1. Log in to the WAF console, choose Service Settings > Hybrid Cloud Management in the left sidebar.
2. On the Hybrid Cloud Cluster Management page, click Configure Now to automatically create a hybrid cloud cluster.

Step 2: Local protection node deployment

Contact Tencent Cloud after-sales support experts to obtain the deployment scripts and images for this protection node, supporting on-premises deployment.
Automated installation is suitable for scenarios with relatively relaxed R&D environments, mainly including: importing db data, installing helm applications, requiring kubectl access permissions. After modifying the files, run ./install.sh.


Step 3: Onboard Domains and Cluster Objects

1. Log in to the WAF console, choose Connection Management > Domain Onboarding in the left sidebar.
2. On the Domain names page, click Add domain, fill in the relevant configuration parameters, and click OK to complete the process.
Field Description
Associated instance: Select Cloud-Native and Cluster Object Name.
Domain name: Add the domain name to be protected, such as test.com, in the domain name input box.
Traffic source: Select other application gateways.
Use proxy: Select whether Anti-DDoS, CDN, Cloud Acceleration, or other proxies have been used based on the actual situation.
Note:
Selecting "Yes" allows WAF to obtain the client's real IP address from the XFF field as the source address, which may pose a risk of source IP address spoofing.
Cluster name: Custom cluster name.
Remarks: Enter remarks as needed.
3. After the OK button is clicked, you will return to the Domain Access page where information such as the domain name protected by SaaS WAF, Gateway Instance ID, and Name can be viewed.

Step 4: Install the SDK and enable traffic routing

The SDK integration requires deploying an SDK plugin on the Unified Access Gateway. The SDK plugin replicates a copy of the gateway's service traffic to the WAF protection cluster. In this mode, the hybrid cloud WAF protection cluster does not participate in traffic forwarding, achieving decoupling of service traffic forwarding and detection.

Step 5: Verification testing

Enter the URL http://<gateway domain name or IP address>/?test=alert(123) in the browser and access it. If the browser returns the block page, it indicates that the WAF protection feature is functioning properly.



도움말 및 지원

문제 해결에 도움이 되었나요?

피드백