The content of this page has been automatically translated by AI. If you encounter any problems while reading, you can view the corresponding content in Chinese.
Tencent Cloud offers two types of cloud-based WAFs: SaaS-type WAF and CLB-type WAF. Both WAFs have similar security protection capabilities but differ in connection methods and use cases. You can choose the type of WAF based on your actual deployment requirements.
Category
SaaS-type
CLB-Based
Applicable Scenario
Suitable for all users (Tencent Cloud users or local IDC users), domain access is achieved through DNS resolution scheduling.
Users on Tencent Cloud who are using or planning to use Layer 7 CLB.
Core Strength
The wide application scope covers both Tencent Cloud users and non-Tencent Cloud users.
Seamless access with millisecond latency; domain access to WAF requires no changes to the existing network architecture.
Website traffic forwarding and security protection are separated; one-click bypass ensures website business security, stable and reliable.
Supports multi-region access.
How to Choose
If the user has websites on both Tencent Cloud and locally that need protection, or if layer-7 CLB is not used on Tencent Cloud, we recommend using SaaS-type WAF.
If you need to use the web page tamper proofing and data leakage prevention features, only the SaaS-type WAF can support them.
For users on Tencent Cloud who are using or planning to use layer-7 CLB, and have web security protection, BOT traffic management, Cybersecurity Classified Protection Compliance Service protection, or website security operation needs, we recommend using CLB type WAF.
Selecting Region
When purchasing the SaaS-type WAF, you need to select the corresponding region.
Purchasing a CLB-based WAF does not require selecting a region; after purchase, you can associate it with the supported region of the CLB when configuring in the console.
SaaS-based WAF
After a user adds a protected domain and sets the origin information on WAF, WAF allocates a unique CNAME address for the protected domain. The user can modify DNS resolution, changing the original A Record to a CNAME Record, and direct the protected domain traffic to the WAF Cluster. The WAF Cluster carries out malicious traffic detection and protection for the protected domain and routes the normal traffic back to the origin server, ensuring website security.
Cloud Load Balancer (CLB) WAF
WAF integrates with the domain and Tencent Cloud Layer-7 CLB (Listener) Cluster to perform bypass threat detection and cleansing on HTTP/HTTPS traffic processed by the CLB, achieving business forwarding and security separation. This minimizes the impact of security protection on website operations, ensuring stable website performance.
The CLB-based WAF provides two traffic processing modes:
Mirror mode: Associated via domain, CLB mirrors traffic to the WAF Cluster, which performs bypass detection and alarm but does not return the trusted request status.
Cleaning mode: Associated via domain, CLB mirrors traffic to the WAF Cluster, which performs bypass detection and alarm while synchronizing the trusted request status. The CLB Cluster intercepts or bypasses requests based on this status.