Solution skill for using WAF to protect web applications on ECS. Used for quickly deploying network environments including VPC, security groups, and ECS instances, and integrating WAF for web application protection.
Trigger words: "WAF protection", "ECS web protection", "Web Application Firewall", "website security"
With this skill, you can quickly deploy a complete web application protection solution, including network environment setup, ECS instance creation, sample application deployment, and WAF integration.
Prerequisites
Pre-check: Aliyun CLI >= 3.3.3 required
Run aliyun version to verify >= 3.3.3. If not installed or version too low,
run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update,
or see references/cli-installation-guide.md for installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.
[MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.
[MUST] AI-Mode Configuration — Must configure AI-Mode before executing CLI commands:
[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
Supported Scenarios
This skill supports two usage scenarios:
Quick WAF Protection Experience: Create VPC, ECS, and WAF from scratch for a complete protection experience
Existing WAF Protection Experience: User already has WAF, create new VPC and ECS to integrate with existing WAF
Prohibited Scenario:
Existing ECS Integration: Does not support integrating user's existing ECS into WAF
If the user indicates they have existing ECS and want to integrate it into WAF, respond:
"This skill is designed for experiencing the complete WAF protection workflow and requires creating new ECS instances. If you want to integrate your existing ECS into WAF, please refer to the Cloud Product Integration feature in the WAF console."
CRITICAL: Scenario 1 Resource Creation Rules
If the user requests "Quick Experience" (Scenario 1):
VPC: Create new if quota is sufficient; use existing VPC if quota is full
Must Create New: VSwitch, Security Group, ECS
WAF Reusable: If WAF already exists, skip creation and use existing WAF to integrate ECS
If creation fails, must stop and inform the user
MUST: Scenario 1 Must Check for Existing WAF Instance
After authentication confirmation and before parameter confirmation, must execute:
CRITICAL: Handling Process When User Already Has WAF
When the user indicates they have a WAF instance:
Ask for WAF Instance ID: Must first ask for the user's existing WAF instance ID
Skip WAF Creation: Prohibit executing create-postpaid-instance, directly use the WAF instance ID provided by the user
Create New Network and ECS: Still need to create VPC, VSwitch, Security Group, ECS
Integrate Existing WAF: Use the user's WAF instance ID to execute sync-product-instance and create-cloud-resource
Inquiry Prompt:
"You already have a WAF instance. Please provide your WAF instance ID (format: waf-cn-xxx), and I will create a new ECS for you and integrate it with your existing WAF for experience."
Pre-flight Checks (Must Remind Users Before Each Run)
IMPORTANT: Must proactively ask and help users complete the following checks before running
CLI Version: Run aliyun version to confirm version >= 3.3.3. If not installed or version too low, run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to install/update.
Then [MUST] run aliyun plugin update to ensure that any existing plugins on your local machine are always up-to-date.
Authentication Configuration: Run aliyun configure list to confirm authentication status is Valid
Auto Plugin: Run aliyun configure set --auto-plugin-install true
⚠️ Integration Reminder: When integrating WAF, web services may experience brief second-level connection interruptions. It is recommended to perform operations during off-peak business hours.
4.1 Create WAF Pay-as-you-go Instance
bash
# Create WAF 3.0 Pay-as-you-go Instance (Idempotent Operation)
aliyun waf-openapi create-postpaid-instance \
--region cn-hangzhou \
--connect-timeout 10 --read-timeout 60 \
--client-token $(uuidgen) \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
# The response result contains InstanceId, please save it
Idempotency Protection: Use --client-token parameter to ensure multiple executions won't create duplicate resources.
Concurrent Scenario Handling: If creation fails and the error indicates "WAF instance already exists", execute describe-instance to query existing instance and use it directly.
Authorization Failure Handling:
If HTTP 500 is returned or authorization is required → Prompt user to go to console for authorization
Prompt: "First-time use of WAF requires completing service linked role authorization in the console. Please visit https://yundun.console.aliyun.com/?p=waf and click 'Create Service Linked Role' to complete authorization."
MUST: Wait for user to reply "Authorization completed" before retrying creation
Prohibit: Repeatedly attempting creation before user confirmation
Note: When creating a WAF instance for the first time, you need to complete the service linked role authorization in the console.
If CLI reports an error indicating authorization is required, please visit WAF Console and click "Create Service Linked Role" to complete authorization before trying again.
4.2 Query WAF Instance Information
bash
# Query WAF Instance Details
aliyun waf-openapi describe-instance \
--region cn-hangzhou \
--connect-timeout 5 --read-timeout 30 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
# Save the returned InstanceId
4.3 Sync ECS Assets to WAF
bash
# Sync ECS, CLB, NLB Assets to WAF
# Note: WAF instance may need to wait about 10 seconds after creation before it can be called normally
aliyun waf-openapi sync-product-instance \
--instance-id <WAF-InstanceId> \
--region cn-hangzhou \
--connect-timeout 10 --read-timeout 60 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
# If 503 error is returned, please wait 10 seconds and retry
4.4 Integrate ECS into WAF Protection
bash
# Integrate ECS Instance into WAF, Configure HTTP 80 Port Protection
# Note: Must provide --redirect parameter with ReadTimeout and WriteTimeout
aliyun waf-openapi create-cloud-resource \
--instance-id <WAF-InstanceId> \
--biz-region-id cn-hangzhou \
--listen '{"ResourceProduct":"ecs","ResourceInstanceId":"<ECS-InstanceId>","Port":80,"Protocol":"http"}' \
--redirect '{"ReadTimeout":120,"WriteTimeout":120}' \
--connect-timeout 10 --read-timeout 60 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
4.5 Verify ECS Has Been Integrated into WAF
bash
# Query Cloud Products List That Have Been Integrated into WAF
aliyun waf-openapi describe-cloud-resources \
--instance-id <WAF-InstanceId> \
--resource-product ecs \
--page-number 1 \
--page-size 10 \
--region cn-hangzhou \
--connect-timeout 5 --read-timeout 30 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-quick-showcase
Completion Prompt
IMPORTANT: Must prompt users for next steps after WAF integration is complete
Prompt:
"WAF has been successfully integrated with ECS! You can proceed with the following operations:
Deploy Web Application: Log in to ECS to deploy your web application, or use sample application for testing
Verify Protection Effectiveness: Access ECS public IP to test normal access and attack interception