alibabacloud-waf-quick-showcase
Using WAF to Protect Web Applications on ECS
With this skill, you can quickly deploy a complete web application protection solution, including network environment setup, ECS instance creation, sample application deployment, and WAF integration.
Supported Scenarios
This skill supports two usage scenarios:
- Quick WAF Protection Experience: Create VPC, ECS, and WAF from scratch for a complete protection experience
- Existing WAF Protection Experience: User already has WAF, create new VPC and ECS to integrate with existing WAF
Prohibited Scenario:
- Existing ECS Integration: Does not support integrating user's existing ECS into WAF
If the user indicates they have existing ECS and want to integrate it into WAF, respond: "This skill is designed for experiencing the complete WAF protection workflow and requires creating new ECS instances. If you want to integrate your existing ECS into WAF, please refer to the Cloud Product Integration feature in the WAF console."
CRITICAL: Scenario 1 Resource Creation Rules
If the user requests "Quick Experience" (Scenario 1):
- VPC: Create new if quota is sufficient; use existing VPC if quota is full
- Must Create New: VSwitch, Security Group, ECS
- WAF Reusable: If WAF already exists, skip creation and use existing WAF to integrate ECS
- If creation fails, must stop and inform the user
MUST: Scenario 1 Must Check for Existing WAF Instance
After authentication confirmation and before parameter confirmation, must execute:
```bash
aliyun waf-openapi describe-instance --region cn-hangzhou --user-agent AlibabaCloud-Agent-Skills
```
- If valid InstanceId is returned: Skip WAF creation steps and use this WAF directly to integrate ECS
- Prompt: "Detected that your account already has a WAF instance (InstanceId: [xxx]), will use this instance for protection experience."
- If no WAF instance: Execute Step 4 to create new WAF
Scenario 2: Existing WAF Protection Experience (Detailed)
CRITICAL: Handling Process When User Already Has WAF
When the user indicates they have a WAF instance:
- Ask for WAF Instance ID: Must first ask for the user's existing WAF instance ID
- Skip WAF Creation: Prohibit executing `create-postpaid-instance`; directly use the WAF instance ID provided by the user
- Create New Network and ECS: Still need to create VPC, VSwitch, Security Group, ECS
- Integrate Existing WAF: Use the user's WAF instance ID to execute `sync-product-instance` and `create-cloud-resource`
Inquiry Prompt: "You already have a WAF instance. Please provide your WAF instance ID (format: waf-cn-xxx), and I will create a new ECS for you and integrate it with your existing WAF for experience."
Pre-flight Checks (Must Remind Users Before Each Run)
IMPORTANT: Must proactively ask and help users complete the following checks before running
- CLI Version: Run `aliyun version` to confirm version >= 3.3.1
- Authentication Configuration: Run `aliyun configure list` to confirm authentication status is Valid
- Auto Plugin: Run `aliyun configure set --auto-plugin-install true`
- Account Balance: Confirm Alibaba Cloud account balance >= 100 CNY
Authentication Configuration Check (Must Execute)
```bash
aliyun configure list
```
Reminder when authentication is valid: "Detected that your current CLI authentication configuration is valid:
- Authentication Mode: [OAuth/AK/StsToken] | Account: [Profile Name] | Region: [Region]
Please confirm whether to use the current account for operations? Operations will incur charges."
MUST: Wait for user confirmation before continuing
- Prohibit: Executing any resource creation operations before user confirmation
- Prohibit: Continuing under any authentication mode (including StsToken) without user confirmation
When authentication is invalid: Run `aliyun configure --mode OAuth` to complete configuration
Security Reminder: Explicitly handling AK/SK credentials is strictly prohibited. This skill only supports OAuth authentication mode.
Solution Architecture
Architecture Components: VPC + VSwitch + Security Group + ECS + WAF 3.0 (Pay-as-you-go)
Traffic Path: User Request → WAF 3.0 (Traffic Filtering and Cleaning) → ECS (Web Application)
Installation and Configuration
For detailed installation steps, see references/cli-installation-guide.md
Quick Start:
```bash
# macOS (Homebrew)
brew install aliyun-cli

# Authentication Configuration (OAuth Mode)
aliyun configure --mode OAuth

# Verify Version (must be >= 3.3.1)
aliyun version
```
> **Security Reminder**: Explicitly handling AK/SK credentials is strictly prohibited. This skill only supports OAuth authentication mode.
Parameter Confirmation
MUST: Must confirm parameters before execution
Prohibit: Directly using default values to execute commands; must confirm parameters with the user first.
MUST: Input Validation Rules (Must verify the following formats)
- RegionId: Must match `^[a-z]{2}-[a-z]+-[a-z]\d*$` format (e.g., cn-hangzhou-j)
- CidrBlock: Must be valid CIDR format and within RFC1918 private network segments (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- ZoneId: Must have RegionId as prefix (e.g., cn-hangzhou-j corresponds to cn-hangzhou)
- InstanceType: Must comply with Alibaba Cloud ECS specification naming convention (ecs.[series]-[spec])
- InstancePassword: 8-30 characters, must contain uppercase letters, lowercase letters, and numbers
- Security Requirement: All parameters are prohibited from containing special characters (such as ; | & $ ` \ etc.)
Parameter Confirmation Prompt (Must Execute)
After authentication confirmation and before executing any commands, must confirm the following parameters with the user:
Confirmation Prompt: "Before starting deployment, please confirm the following parameters:
- Region: cn-hangzhou (or other regions you prefer, such as cn-shanghai, cn-beijing)
- VPC CIDR Block: 192.168.0.0/16
- Zone: cn-hangzhou-j
- ECS Specification: ecs.e-c1m2.large
- ECS Password: Please provide your ECS login password (8-30 characters, containing uppercase letters, lowercase letters, and numbers)
Do you want to use the above parameters? Or tell me which ones you want to modify."
MUST: Wait for user confirmation or modification before continuing
- Expected user responses: "Confirm", "Yes", "OK", or provide modifications
- Prohibit: Executing any resource creation operations before user confirms parameters
- Prohibit: Auto-generating ECS passwords; passwords must be provided by the user
- If the user does not provide a password, must ask again and cannot continue
- If the user wants to modify parameters, record the modifications and confirm again
MUST: Must reject execution if parameter validation fails
- If user-provided parameters do not meet the format requirements, must clearly inform the user and provide correct examples
- Prohibit: Using invalid parameters to execute commands
- Prohibit: Escaping dangerous characters and continuing execution (should directly reject and require user to provide legal parameters)
MUST: Return Value and Output Desensitization
- In any scenario, the `--password` parameter value in commands, logs, and error messages displayed to users must be shown as `***` or `[REDACTED]`
- CLI Execution Echo: If CLI output contains plaintext passwords, must replace and desensitize before displaying to users
- Error Message Handling: If error messages may contain passwords, must desensitize before displaying
- Prohibited Behaviors:
  - Printing complete commands containing plaintext passwords in terminal
  - Saving plaintext passwords in history records
  - Leaking plaintext passwords in error logs
- Correct Example:
```bash
# Actually executed command (internal)
aliyun ecs run-instances --password MyPass@2024 ...
# Command displayed to user (desensitized)
aliyun ecs run-instances --password *** ...
```
MUST: Must use user-confirmed parameters when executing commands
- The `192.168.0.0/16`, `cn-hangzhou`, etc. in the command examples below are reference values only
- Prohibit: Directly copying example commands for execution; must replace with actual values confirmed by the user
- If the user changes the region to cn-shanghai, then all subsequent commands' `--zone-id`, `--biz-region-id`, and `--region` must be modified accordingly
Parameter Description and Validation Rules
| Parameter | Description | Reference Value | Validation Rule |
|---|---|---|---|
| `RegionId` | Region ID | cn-hangzhou | Format: `^[a-z]{2}-[a-z]+-[a-z]\d*$` |
| `CidrBlock` | VPC CIDR Block | 192.168.0.0/16 | Must be RFC1918 private network segment (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), mask range /8-/24 |
| `ZoneId` | Zone ID | cn-hangzhou-j | Must have RegionId as prefix (e.g., cn-hangzhou-j corresponds to cn-hangzhou) |
| `InstanceType` | ECS Specification | ecs.e-c1m2.large | Format: ecs.[series]-[spec] |
| `ImageId` | Image ID | aliyun_3_x64_20G_alibase_20240819.vhd | Must end with |
| `InstancePassword` | ECS Login Password | User Provided | 8-30 characters, must contain uppercase letters, lowercase letters, and numbers simultaneously |
SHOULD: Special Character Filtering
- All parameters are prohibited from containing: " ' < > ( ) { } [ ] ! # ~ ` ; | & $ \
- If the above characters are detected, must reject execution and prompt the user to re-enter
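An added example (not the skill's own code) implementing the Input Validation Rules and Special Character Filtering above as one validator that an agent can run before any `aliyun` command. Assumptions: the page's RegionId pattern only matches zone-shaped ids (its own example is cn-hangzhou-j), so it is applied to the zone and the region is checked as the zone's prefix with an assumed region pattern; the instance-type character set is also assumed.

```python
import ipaddress
import re

# Added example, not the skill's own code. The pattern below is the one the page
# gives for RegionId; it matches zone-shaped ids such as cn-hangzhou-j, so it is
# applied to the zone here and the region is checked as the zone's prefix.
ZONE_PATTERN = r"^[a-z]{2}-[a-z]+-[a-z]\d*$"
ZONE_RE = re.compile(ZONE_PATTERN)
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+$")                   # assumed region shape
INSTANCE_TYPE_RE = re.compile(r"^ecs\.[a-z0-9]+-[a-z0-9.]+$")  # ecs.[series]-[spec]
# Characters the skill rejects outright (reject and re-prompt, never escape and continue).
FORBIDDEN = set('"\'<>(){}[]!#~`;|&$\\')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def forbidden_chars(value):
    """Return the forbidden characters present in value, in a stable order."""
    return "".join(sorted(FORBIDDEN & set(value)))


def validate_cidr(cidr):
    """Valid IPv4 CIDR (no host bits set), inside an RFC1918 block, mask between /8 and /24."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    if net.version != 4 or not 8 <= net.prefixlen <= 24:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def validate_password(pw):
    """8-30 characters with uppercase, lowercase and a digit; forbidden characters rejected."""
    if not 8 <= len(pw) <= 30 or forbidden_chars(pw):
        return False
    return all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def validate_params(params):
    """Check region/zone/cidr/instance_type/password; return a list of errors (empty = OK)."""
    errors = []
    for name in ("region", "zone", "cidr", "instance_type"):
        bad = forbidden_chars(params.get(name, ""))
        if bad:
            errors.append(f"{name}: contains forbidden characters {bad}; re-enter without them")
    region, zone = params.get("region", ""), params.get("zone", "")
    if not REGION_RE.match(region):
        errors.append(f"region: '{region}' is not a region id (e.g. cn-hangzhou)")
    if not ZONE_RE.match(zone):
        errors.append(f"zone: '{zone}' does not match {ZONE_PATTERN} (e.g. cn-hangzhou-j)")
    elif not zone.startswith(region + "-"):
        errors.append(f"zone: '{zone}' is not in region '{region}'")
    if not validate_cidr(params.get("cidr", "")):
        errors.append("cidr: must be an RFC1918 block (10/8, 172.16/12, 192.168/16) with mask /8-/24")
    if not INSTANCE_TYPE_RE.match(params.get("instance_type", "")):
        errors.append("instance_type: must be ecs.[series]-[spec], e.g. ecs.e-c1m2.large")
    if not validate_password(params.get("password", "")):
        errors.append("password: 8-30 characters with uppercase, lowercase and digits, no forbidden characters")
    return errors
```

A non-empty result means the skill must refuse to run and show the offending rule with a correct example, rather than escaping the input.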
Core Workflow
Step 0: Check VPC Quota
CRITICAL: Must check quota before creating VPC (Each account has a maximum of 10 VPCs per region by default)
```bash
aliyun vpc describe-vpcs --biz-region-id cn-hangzhou --page-size 50 --connect-timeout 5 --read-timeout 30 --user-agent AlibabaCloud-Agent-Skills
```
Check TotalCount in the response
> **Idempotency Protection**: Use `--client-token` parameter to ensure multiple executions won't create duplicate resources.
>
> **Quota Check Result Handling**:
>
> - **TotalCount < 10**: Quota is sufficient, create new VPC
> - **TotalCount >= 10**: Quota is full, use existing VPC
>
> **Handling Process When Quota is Full**:
>
> 1. Select an existing VPC from the response results (prioritize those with names containing "waf" or "test")
> 2. Prompt the user: "Your VPC quota is full, will use existing VPC (VpcId: [xxx]) to continue deployment."
> 3. Create new VSwitch, Security Group, and ECS under this VPC
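An added example (not the skill's own code) applying the Step 0 quota rule to a DescribeVpcs response: create when TotalCount is below the limit, otherwise reuse a VPC whose name contains "waf" or "test", and stop with an error when the quota is full but nothing is returned to reuse. The field names follow the VPC API's JSON shape; the sample response and its ids are constructed.

```python
import json

# Added example, not the skill's own code. Response keys (TotalCount, Vpcs.Vpc[].VpcId,
# VpcName) follow the DescribeVpcs JSON shape; the sample at the bottom is constructed.
VPC_QUOTA = 10  # default per-account, per-region limit stated by the skill


def choose_vpc(describe_vpcs_json, quota=VPC_QUOTA):
    """Return ("create", None) if a new VPC may be created, else ("reuse", VpcId).

    When the quota is full, a VPC whose name contains "waf" or "test" is preferred,
    as the skill says; otherwise the first VPC returned is used.
    """
    resp = json.loads(describe_vpcs_json)
    total = int(resp.get("TotalCount", 0))
    if total < quota:
        return ("create", None)
    vpcs = resp.get("Vpcs", {}).get("Vpc", [])
    if not vpcs:
        # Quota reported full but nothing to reuse: the skill's rule is to stop and inform the user.
        raise RuntimeError("VPC quota is full but DescribeVpcs returned no VPC to reuse")

    def preferred(vpc):
        name = (vpc.get("VpcName") or "").lower()
        return 0 if ("waf" in name or "test" in name) else 1

    pick = min(vpcs, key=preferred)  # min() keeps the first best-ranked entry
    return ("reuse", pick["VpcId"])


def quota_message(decision):
    """The prompt the skill shows for each outcome."""
    action, vpc_id = decision
    if action == "create":
        return "VPC quota is sufficient, creating a new VPC."
    return f"Your VPC quota is full, will use existing VPC (VpcId: {vpc_id}) to continue deployment."


# Constructed sample response; the ids are placeholders, not real resources.
SAMPLE_FULL = json.dumps({
    "TotalCount": 10,
    "Vpcs": {"Vpc": [
        {"VpcId": "vpc-example-prod01", "VpcName": "prod-core", "Status": "Available"},
        {"VpcId": "vpc-example-test01", "VpcName": "waf-test", "Status": "Available"},
    ]},
})
```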
Step 1: Create VPC and VSwitch
CRITICAL: Failure Handling and Rollback Mechanism
If any resource creation fails:
- Stop Immediately: Must not continue executing subsequent steps
- Inform User: Clearly explain the failure reason (such as insufficient resources, insufficient permissions, insufficient quota, etc.)
- Prohibit Substitution: Must not use existing resources instead
Failure Prompt: "Sorry, [VPC/ECS/WAF] creation failed, reason: [error message]. Please check and try again."
```bash
# 1.1 Create VPC (Idempotent Operation)
aliyun vpc create-vpc \
  --biz-region-id cn-hangzhou \
  --cidr-block 192.168.0.0/16 \
  --vpc-name VPC_HZ \
  --description "WAF Protection Solution VPC" \
  --connect-timeout 10 --read-timeout 60 \
  --client-token $(uuidgen) \
  --user-agent AlibabaCloud-Agent-Skills
# Save the returned VpcId, e.g., vpc-bp1234567890abcdef

# 1.2 Query VPC Status, Wait Until Status Becomes Available
aliyun vpc describe-vpcs \
  --biz-region-id cn-hangzhou \
  --vpc-id <VpcId> \
  --connect-timeout 5 --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills

# 1.3 Create VSwitch (Idempotent Operation)
aliyun vpc create-vswitch \
  --zone-id cn-hangzhou-j \
  --cidr-block 192.168.1.0/24 \
  --vpc-id <VpcId> \
  --vswitch-name vsw_001 \
  --connect-timeout 10 --read-timeout 60 \
  --client-token $(uuidgen) \
  --user-agent AlibabaCloud-Agent-Skills
# Save the returned VSwitchId
```
Step 2: Create Security Group and Configure Rules
```bash
# 2.1 Create Security Group (Idempotent Operation)
aliyun ecs create-security-group \
  --biz-region-id cn-hangzhou \
  --vpc-id <VpcId> \
  --security-group-name SecurityGroup_1 \
  --security-group-type normal \
  --description "WAF Protection Solution Security Group" \
  --connect-timeout 10 --read-timeout 60 \
  --client-token $(uuidgen) \
  --user-agent AlibabaCloud-Agent-Skills
# Save the returned SecurityGroupId

# 2.2 Add Inbound Rule - Open Port 80
aliyun ecs authorize-security-group \
  --biz-region-id cn-hangzhou \
  --security-group-id <SecurityGroupId> \
  --permissions '[{"Policy":"Accept","Priority":"1","IpProtocol":"TCP","PortRange":"80/80","SourceCidrIp":"0.0.0.0/0"}]' \
  --connect-timeout 10 --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills
```
Step 3: Create ECS Instance
CRITICAL: ABSOLUTELY PROHIBITED - Using Existing ECS Instances
- MUST CREATE NEW: Always create a new ECS instance using `RunInstances`
- PROHIBITED: Discovering and reusing existing ECS instances (e.g., 'Found multiple existing ECS instances... Selected i-bp1xxx')
- PROHIBITED: Saying "I found an existing ECS instance named 'web-server-waf-demo', will use it"
- Security Policy: Even if user has existing ECS instances, the skill MUST create a new one for the WAF protection experience
- Correct Behavior:
  - ✅ Always execute `aliyun ecs run-instances` to create a new instance
  - ✅ Use user-provided password for the new instance
  - ✅ If user asks to use existing ECS, explain: "This skill creates new resources for a complete WAF protection experience"
Recommended Image IDs (Avoid Blind Queries):
- Alibaba Cloud Linux 3: `aliyun_3_x64_20G_alibase_20240819.vhd`
- Alternative: `aliyun_3_x64_20G_alibase_20221102.vhd`
Directly use the above ImageId, no need to call DescribeImages query.
MUST: Password Desensitization Processing
- Prohibit: Displaying plaintext passwords in terminal output, log printing, or commands shown to users
- Must: Replace `--password` parameter value with `***` or `[REDACTED]` before displaying
- Example: `--password ***` instead of `--password MyPass@2024`
- Security Requirement: Password is only used in original form when passing to CLI commands; any echo must be desensitized
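An added example (not the skill's own code) serving both the Return Value and Output Desensitization rules earlier on the page and the Password Desensitization Processing rules here: it masks the `--password` value in any command line, CLI echo or error text before display, and builds the run-instances command as an argv list so the plaintext password never passes through a shell string or shell history. The argv builder and the sample messages are constructed for this example.

```python
import re
import shlex

# Added example, not the skill's own code. Desensitize the --password value in
# anything shown to the user (command line, CLI echo, error messages).
MASK = "***"
# Matches "--password VALUE" and "--password=VALUE", VALUE bare or single/double quoted.
_PASSWORD_OPT = re.compile(r"""(--password)(\s+|=)("[^"]*"|'[^']*'|\S+)""")


def redact(text, mask=MASK):
    """Replace every --password value in text with the mask."""
    return _PASSWORD_OPT.sub(lambda m: m.group(1) + m.group(2) + mask, text)


def redact_secret(text, secret, mask=MASK):
    """Additionally scrub the literal secret, for errors that echo it without the flag."""
    out = redact(text, mask)
    return out.replace(secret, mask) if secret else out


def build_run_instances_argv(password, region="cn-hangzhou"):
    """argv for subprocess.run(argv): a list, never a shell string, so the password
    is neither expanded by a shell nor written to shell history. Constructed for
    this example; the skill's full command carries more parameters."""
    return ["aliyun", "ecs", "run-instances",
            "--biz-region-id", region,
            "--instance-type", "ecs.e-c1m2.large",
            "--password", password,
            "--amount", "1",
            "--user-agent", "AlibabaCloud-Agent-Skills"]


def display_command(argv):
    """The only form of the command that may be shown to the user or logged."""
    return redact(" ".join(shlex.quote(a) for a in argv))
```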
```bash
# 3.1 Create ECS Instance (Idempotent Operation)
aliyun ecs run-instances \
  --biz-region-id cn-hangzhou \
  --instance-type ecs.e-c1m2.large \
  --image-id aliyun_3_x64_20G_alibase_20240819.vhd \
  --security-group-id <SecurityGroupId> \
  --vswitch-id <VSwitchId> \
  --instance-name web-server \
  --host-name web-server \
  --internet-charge-type PayByTraffic \
  --internet-max-bandwidth-out 5 \
  --system-disk-size 40 \
  --system-disk-category cloud_essd_entry \
  --password <YourPassword> \
  --amount 1 \
  --connect-timeout 10 --read-timeout 120 \
  --client-token $(uuidgen) \
  --user-agent AlibabaCloud-Agent-Skills
# Save the returned InstanceId

# 3.2 Query ECS Status, Wait Until Status Becomes Running
aliyun ecs describe-instances \
  --biz-region-id cn-hangzhou \
  --instance-ids '["<InstanceId>"]' \
  --connect-timeout 5 --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills
```
Step 4: Enable WAF and Integrate ECS
⚠️ Integration Reminder: When integrating WAF, web services may experience brief second-level connection interruptions. It is recommended to perform operations during off-peak business hours.
4.1 Create WAF Pay-as-you-go Instance
```bash
# Create WAF 3.0 Pay-as-you-go Instance (Idempotent Operation)
aliyun waf-openapi create-postpaid-instance \
  --region cn-hangzhou \
  --connect-timeout 10 --read-timeout 60 \
  --client-token $(uuidgen) \
  --user-agent AlibabaCloud-Agent-Skills
# The response result contains InstanceId, please save it
```
> **Idempotency Protection**: Use `--client-token` parameter to ensure multiple executions won't create duplicate resources.
> **Concurrent Scenario Handling**: If creation fails and the error indicates "WAF instance already exists", execute `describe-instance` to query existing instance and use it directly.
> **Authorization Failure Handling**:
> - If HTTP 500 is returned or authorization is required → Prompt user to go to console for authorization
> - **Prompt**: "First-time use of WAF requires completing service linked role authorization in the console. Please visit https://yundun.console.aliyun.com/?p=waf and click 'Create Service Linked Role' to complete authorization."
> - **MUST**: Wait for user to reply "Authorization completed" before retrying creation
> - **Prohibit**: Repeatedly attempting creation before user confirmation
> **Note**: When creating a WAF instance for the first time, you need to complete the service linked role authorization in the console.
> If CLI reports an error indicating authorization is required, please visit [WAF Console](https://yundun.console.aliyun.com/?p=waf) and click "Create Service Linked Role" to complete authorization before trying again.
4.2 Query WAF Instance Information
```bash
# Query WAF Instance Details
aliyun waf-openapi describe-instance \
  --region cn-hangzhou \
  --connect-timeout 5 --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills
# Save the returned InstanceId
```
4.3 Sync ECS Assets to WAF
```bash
# Sync ECS, CLB, NLB Assets to WAF
# Note: WAF instance may need to wait about 10 seconds after creation before it can be called normally
aliyun waf-openapi sync-product-instance \
  --instance-id <WAF-InstanceId> \
  --region cn-hangzhou \
  --connect-timeout 10 --read-timeout 60 \
  --user-agent AlibabaCloud-Agent-Skills
# If 503 error is returned, please wait 10 seconds and retry
```
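An added example (not the skill's own code) for the Step 4 failure rules: the 4.1 notes (reuse via `describe-instance` on "WAF instance already exists"; prompt the user and wait on HTTP 500 or an authorization error, with no retry before the user confirms) and the 4.3 rule (wait 10 seconds and retry on 503). The retry and prompt caps are assumptions; the CLI call and the user dialogue are injected callables so the policy runs offline against constructed outputs.

```python
import re
import time

# Added example, not the skill's own code. Maps CLI outcomes of the WAF steps to the
# actions the skill prescribes; invoke() and ask_user() are injected for offline use.
AUTH_URL = "https://yundun.console.aliyun.com/?p=waf"
AUTH_PROMPT = ("First-time use of WAF requires completing service linked role authorization "
               f"in the console. Please visit {AUTH_URL} and click 'Create Service Linked Role' "
               "to complete authorization.")
RETRY_WAIT_S = 10
MAX_503_RETRIES = 6      # assumed cap; the skill only says "wait 10 seconds and retry"
MAX_AUTH_PROMPTS = 3     # assumed cap on how often the user is asked to authorize


def classify(step, returncode, output):
    """Map one CLI outcome to the action the skill prescribes for that step."""
    text = output.lower()
    if returncode == 0:
        return "done"
    if step == "create-postpaid-instance":
        if "already exists" in text:
            return "use_existing"        # concurrent creation: query and reuse
        if re.search(r"\b500\b", text) or "authoriz" in text or "service linked role" in text:
            return "await_authorization"
    if step == "sync-product-instance" and re.search(r"\b503\b", text):
        return "retry_after_wait"        # instance not callable yet
    return "abort"


def run_step(step, invoke, ask_user, sleep=time.sleep):
    """invoke() -> (returncode, output) runs the CLI once; ask_user(prompt) -> reply.

    Returns (status, detail) with status in {"done", "use_existing", "abort"}.
    """
    waits = prompts = 0
    while True:
        rc, out = invoke()
        action = classify(step, rc, out)
        if action == "done":
            return ("done", out)
        if action == "use_existing":
            return ("use_existing", "run describe-instance and use the returned InstanceId")
        if action == "retry_after_wait":
            waits += 1
            if waits > MAX_503_RETRIES:
                return ("abort", f"{step} still returned 503 after {MAX_503_RETRIES} retries")
            sleep(RETRY_WAIT_S)
            continue
        if action == "await_authorization":
            prompts += 1
            if prompts > MAX_AUTH_PROMPTS:
                return ("abort", "authorization still missing after repeated prompts")
            # No retry until the user explicitly confirms; any other reply stops the step.
            if ask_user(AUTH_PROMPT).strip().lower() == "authorization completed":
                continue
            return ("abort", "authorization not confirmed by the user")
        return ("abort", f"Sorry, WAF step {step} failed, reason: {out.strip()}. Please check and try again.")
```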
4.4 Integrate ECS into WAF Protection
```bash
# Integrate ECS Instance into WAF, Configure HTTP 80 Port Protection
# Note: Must provide --redirect parameter with ReadTimeout and WriteTimeout
aliyun waf-openapi create-cloud-resource \
  --instance-id <WAF-InstanceId> \
  --biz-region-id cn-hangzhou \
  --listen '{"ResourceProduct":"ecs","ResourceInstanceId":"<ECS-InstanceId>","Port":80,"Protocol":"http"}' \
  --redirect '{"ReadTimeout":120,"WriteTimeout":120}' \
  --connect-timeout 10 --read-timeout 60 \
  --user-agent AlibabaCloud-Agent-Skills
```
4.5 Verify ECS Has Been Integrated into WAF
```bash
# Query Cloud Products List That Have Been Integrated into WAF
aliyun waf-openapi describe-cloud-resources \
  --instance-id <WAF-InstanceId> \
  --resource-product ecs \
  --page-number 1 \
  --page-size 10 \
  --region cn-hangzhou \
  --connect-timeout 5 --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills
```
Completion Prompt
IMPORTANT: Must prompt users for next steps after WAF integration is complete
Prompt: "WAF has been successfully integrated with ECS! You can proceed with the following operations:
- Deploy Web Application: Log in to ECS to deploy your web application, or use sample application for testing
- Verify Protection Effectiveness: Access ECS public IP to test normal access and attack interception
For detailed verification methods, see references/verification-method.md"
RAM Permission Requirements
For detailed permission list, see references/ram-policies.md
CLI Support Status
All cloud service operations involved in this skill (VPC, ECS, WAF) support CLI implementation.
Console Operation Required: When using WAF for the first time, need to click "Create Service Linked Role" in the console to complete authorization.
For detailed API and CLI command list, see references/related-apis.md
References
- CLI Installation Guide | RAM Policies | Related APIs
- Verification Methods | Acceptance Criteria | Official Solution Document