The OCI WAF: the Web Application Firewall
I first configured a WAF a couple of years ago, and I thought it was a splendid product offering all the features and counter measures you might want to help protect and enhance your web site against Layer 7 threats. The idea is that you set up your web servers on a private subnet behind an internet facing load balancer on a public subnet, as usual. However, instead of deploying your digital certificate to the load balancer and creating DNS records pointing your FQDN to the load balancer, you create a WAF and deploy the cert to that and point the DNS to it. The WAF then forwards all the traffic to the load balancer.
This delivers two major facilities. First, multiple edge servers. OCI has WAF listeners dotted around the world, and all requests will be directed to ones that are geographically close to the user. Of course there is load balancing and fault tolerance. For me, based in England, requests to a WAF protected domain usually go either to the London or to the Zurich data centres, each having many addresses; people in North America will usually go to either Ashburn or Phoenix for the same domain. Pretty cool: very fault tolerant, and should help performance too. Second, you get the security. WAF can do the obvious: blocking requests by source names, IP, or location. And cleverer stuff: blocking SQL or PHP injection, cross site scripting attacks, DDOS and bot management. Lots more, but that will do for now.
However, when I set up a WAF the other day I found that it has all changed. You can still configure a WAF through the wizard as above, but you have to click on a link for “legacy workflow” to do so. That creates what we now have to call an Edge WAF (aka WAF v1). If you don’t do that, then the default workflow goes through a similar process for setting up all the access control rules, but at the end you select an “enforcement point”: this is your load balancer. This creates a Regional WAF (or WAF v2).
So when would you use the new version or the old version? The Edge WAF is going to enhance performance if you are expecting traffic from anywhere in the world. It can be used in front of any website: not just OCI environments, also on-prem systems or third party clouds. The Regional WAF is directly attatched to a load balancer: it extends the load balancer’s capabilities. Propagating config changes is significantly faster because they happen in the load balancer, rather than having to be deployed to multiple servers around the world. Unlike an Edge WAF, a regional WAF can be deployed to a private load balancer: it can therefore protect systems from internal threats.
They are completely different architectures. Moving forward, I shall apply a general rule: if the site is expecting incoming traffic from anywhere, use Edge WAF; if users are likely to be in the same OCI region as the web site, use Regional WAF. There will be more to it than that, but as a general principle that is a good start.
John Watson is an Oracle Certified Master DBA and Certified Oracle Cloud Infrastructure (OCI) Professional. Learn more about John’s Oracle DBA Services and OCI Services (page coming soon).