Web Application Firewall


Product Category

Last updated: 2025-07-07 17:39:10

Type Overview

Tencent Cloud provides two types of cloud WAF, namely, SaaS WAF and CLB WAF. They have basically the same security protection capabilities but different connection methods and use cases. You can select an appropriate WAF type based on your actual deployment.
| Type | SaaS WAF | CLB WAF |
| --- | --- | --- |
| Use case | It is suitable for all users (Tencent Cloud users and local IDC users) and can be connected through domain names by means of DNS resolution and scheduling. | It is suitable for Tencent Cloud users who have already used or plan to use Layer-7 CLB, API Gateway, or Serverless Cloud Function (SCF), as well as for those who want to combine WAF protection capabilities with APISIX or custom application gateway services. |
| Strength | It is widely applicable to users in and outside Tencent Cloud. | Imperceptible connection to WAF with millisecond-level latency is implemented, which does not require adjustment of your existing network architecture. Website business forwarding and security protection are isolated from each other, and quick bypass is supported, ensuring that your website business is secure, stable, and reliable. Multi-region connection is supported. |
| How to choose | If you need to protect both Tencent Cloud-hosted and local websites, or Layer-7 CLB is not used for your Tencent Cloud resources, SaaS WAF is recommended. | If you are using or plan to use Layer-7 CLB, API Gateway, or Serverless Cloud Function (SCF) on Tencent Cloud, and have requirements for web security protection, bot traffic management, CCPC compliance, or website security operations, CLB WAF is recommended. |
| Region | You need to select a region when purchasing SaaS WAF. | You need to select a region in the console after purchasing CLB WAF. |

SaaS WAF

After you add a protected domain name and set the origin-pull information on WAF, WAF assigns a unique CNAME address to the protected domain name. You then modify the DNS resolution, changing the original A record to the CNAME record, so that traffic to the protected domain name is scheduled to the WAF cluster. The cluster detects and blocks malicious traffic and forwards normal traffic to the real server, protecting your website.
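A post-cutover check for the DNS change described above, as an added example that is not part of the Tencent Cloud documentation: it audits zone records to confirm each protected domain name reaches its WAF-assigned CNAME and flags names that still resolve around WAF. The zone data, domain names and CNAME targets are constructed placeholders, and `audit` is a hypothetical helper.

```python
# Constructed sample zone records (name, type, value); all values are placeholders.
ZONE = [
    ("www.example.com", "CNAME", "aaa.waf-cname-placeholder.example.net"),
    ("shop.example.com", "A", "203.0.113.10"),           # A record never changed
    ("api.example.com", "CNAME", "edge.example.com"),     # indirect chain
    ("edge.example.com", "CNAME", "bbb.waf-cname-placeholder.example.net"),
    ("old.example.com", "CNAME", "lb.example.org"),       # points elsewhere
]

# Hypothetical CNAME address assigned by WAF to each protected domain name.
WAF_CNAME = {
    "www.example.com": "aaa.waf-cname-placeholder.example.net",
    "shop.example.com": "ccc.waf-cname-placeholder.example.net",
    "api.example.com": "bbb.waf-cname-placeholder.example.net",
    "old.example.com": "ddd.waf-cname-placeholder.example.net",
    "new.example.com": "eee.waf-cname-placeholder.example.net",
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def audit(zone, waf_cname, max_hops=8):
    """Return {domain: status}; only 'via-waf' means traffic is scheduled to WAF."""
    records = {}
    for name, rtype, value in zone:
        rtype = rtype.upper()
        value = norm(value) if rtype == "CNAME" else value
        records.setdefault(norm(name), []).append((rtype, value))
    result = {}
    for domain, target in waf_cname.items():
        current, target, seen, status = norm(domain), norm(target), set(), None
        while status is None:
            rrset = records.get(current, [])
            cnames = [v for t, v in rrset if t == "CNAME"]
            if current in seen or len(seen) >= max_hops:
                status = "cname-loop"
            elif cnames and cnames[0] == target:
                status = "via-waf"
            elif cnames:                      # follow the chain one hop
                seen.add(current)
                current = cnames[0]
            elif any(t in ("A", "AAAA") for t, _ in rrset):
                status = "bypass-address-record"
            elif current == norm(domain):
                status = "no-record"
            else:                             # chain ends outside WAF
                status = "bypass-other-target"
        result[domain] = status
    return result
```

Any status other than `via-waf` means the name is not being scheduled to the WAF cluster and its traffic is not inspected.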


CLB WAF

Connect Method Overview

| Connect Type | Connect Steps |
| --- | --- |
| CLB Domain Onboarding | Configure the domain and Layer-7 Load Balancer (CLB) resources (listeners) in the WAF console. This enables bypass threat detection and cleansing of HTTP/HTTPS traffic passing through the load balancer listener, separating business forwarding from security protection. |
| CLB Instance Object Onboarding | Enable the connection of the Layer-7 Load Balancer (CLB) instance to WAF in the WAF console. This enables bypass threat detection and cleansing of HTTP/HTTPS traffic passing through the load balancer instance, separating business forwarding from security protection. |
| API Gateway and Serverless Cloud Function Domain Onboarding | Enable WAF protection through the API Gateway console (refer to the API Gateway product documentation) and the SCF console, then configure the domain in the WAF console. This enables bypass threat detection and cleansing of HTTP/HTTPS traffic passing through the API Gateway and SCF, separating business forwarding from security protection. |
| API Gateway Instance Object Onboarding | Enable WAF protection in the API Gateway console (refer to the API Gateway product documentation), then enable the connection of the API Gateway (instance) to WAF in the WAF console. This enables bypass threat detection and cleansing of HTTP/HTTPS traffic passing through the API Gateway instance, separating business forwarding from security protection. |


Traffic Processing Mode

CLB WAF provides two traffic processing modes:

Protection mode

Through the domain association, CLB, API Gateway, and SCF forward business traffic to the WAF cluster. WAF performs bypass detection and alerting and synchronizes the request's trusted status; the gateway cluster then intercepts or allows the request based on that status.


Mirror mode

Through the domain association, CLB mirrors traffic to the WAF cluster, where WAF performs bypass detection and alerting without returning the request's trusted status.


