Announcing Oracle Cloud Infrastructure WAF Protection on Flexible Load Balancers

October 28, 2021 | 5 minute read
Gopi Gopalakrishnan
Sr. Principal Product Manager
Text Size 100%:


Secure application delivery is as critical as good application architecture and performance. It is vital to not just optimize for performance and user experience, but to protect your web application against the increasingly sophisticated cyberattacks. Web applications are often targets of malicious attacks that exploit vulnerabilities and misconfigurations in the application. In the cloud era the size and sophistication of these attacks has grown exponentially. At Oracle as a cloud service provider, we share roles for security with our customers. We are committed to being a reliable partner by providing a highly secure platform and native security services to help protect your applications. Oracle Cloud Infrastructure Web Application Firewall (WAF) is one such critical service and an important part of the broader security posture of your application. OCI WAF is a cloud-based security service that helps protect your web applications from malicious and unwanted internet traffic. It uses a multilayered approach to help protect web applications from a host of cyber threats including malicious bots, application layer (L7) DDOS attacks, cross-site scripting, SQL injection, and other vulnerabilities defined by the Open Web Application Security Project (OWASP). It can protect any internet-facing endpoint, providing consistent rule enforcement across applications and can filter out malicious requests to your web application or API.

WAF protection on Flexible Load Balancers

Modern web applications are built using a set of building blocks and microservices, that work together to deliver rich digital experiences. As the gateway between users and your application, your flexible load balancers and WAF are an important part of that application stack. Oracle Cloud Infrastructure Flexible Load Balancer offers application delivery capabilities including SSL offloading, cookie-based session persistence, multi-site hosting, URL path and advanced layer 7 header based routing. It provides SSL policy control and end to end SSL encryption to provide better application security hardening.

Today, we are excited to announce the general availability of OCI WAF enforcement on Flexible Load Balancer service. With this enhancement, you can now directly apply and enforce OCI WAF protection on your Flexible Load Balancer (both Public and Private) instances in addition to WAF edge enforcement on your web applications. WAF enforcement on the Flexible Load Balancer further strengthens the security posture of your applications by protecting them from the common web vulnerabilities, as identified by OWASP top 10 vulnerabilities. This allows you to secure both your internet-facing as well as your internal application workloads. In addition to help protect your internet facing applications, WAF on Flexible Load Balancers can also help protect your internal applications against insider threats and provide enhanced WAF security for your “in-region” application workloads. These attacks are mitigated in-region before they reach your application backend servers. 

Comprehensive WAF security enforcement 

Let's walk through a sample 3-tier application of an e-commerce retailer and the different components that are protected from layer 7 attacks using WAF service. In this example, the customer has their e-commerce website, shopping cart and shipping services hosted in Oracle Cloud Infrastructure. The shopping cart web-tier is fronted by a public flexible load balancer, while the application and database tiers are hosted behind a private flexible load balancer. They also have some workloads such as their CRM service hosted outside OCI. 

Just as legitimate users interact with the e-commerce site, hackers can conduct malicious interactions pretending to be legitimate users as well. These attacks predominantly occur as layer 7 DoS/DDoS attacks, SQL injections, cross-site scripting and malicious file executions. These requests are filtered using WAF rules and threat intelligence feeds to help ensure only good traffic is allowed. WAF accomplishes this by intercepting and analyzing each and every HTTP request against the set of WAF policy security rules. These rules protect against OWASP Top 10 vulnerabilities, rate-limit or block layer-7 DDoS attacks like HTTP flood, SYN flood. Additionally, WAF policy at the edge can also secure internet-facing workloads hosted outside Oracle Cloud Infrastructure such as the CRM service, in this example. 

When a dynamic content request to the shopping cart service reaches the public load balancer, WAF protects against man-in-the middle attacks like IP or HTTPS spoofing. The shopping cart web tier might route request to a number of internal endpoints such as the data base backends. WAF is designed to protect against these east-west traffic in the private network from insider threats such as a data breach due to a compromised vendor computer or a data breach due to a malicious insider. WAF is also designed to protect the application from zero-day attacks due to software/hardware vulnerabilities and malware. 

In summary, OCI WAF service provides you the flexibility to enforce WAF protection at the edge closest to your users as well as on flexible load balancers closest to your applications. WAF protects your application infrastructure and workloads no matter where they reside: in Oracle Cloud Infrastructure, on-premises, multi-cloud, and anywhere in between.

Simplified and Flexible Pricing

With this release, we are also introducing a new flexible and simplified pricing for OCI WAF. The new pricing is comprised of two components – WAF Instance and WAF Requests. The WAF instances charge is based on the number of active WAF policy enforcements and the requests charge is based on the volume of traffic processed by WAF. Oracle Cloud Infrastructure customers (excluding Government customers) will not be charged for the first WAF instance and usage up to 10 million requests per month. 

Next steps

For more information, on how to set up OCI WAF on Flexible Load Balancers, see the OCI WAF documentation. We want you to experience these new features and all the enterprise-grade capabilities that Oracle Cloud Infrastructure offers. It’s easy to try them out with a US$300 free credit.

Don’t miss to join our announcement webcast for all the new Oracle security services, sign up for either the North America event on November 9th or the Europe and Middle East event on November 10th.

Additional resources

Gopi Gopalakrishnan

Sr. Principal Product Manager

Gopi Gopalakrishnan is a Sr. Principal Product Manager in the Oracle Cloud Infrastructure team. Gopi leads product management for OCI Load Balancing and Web Application Firewall products.

Previous Post

Tune in to our “Innovate with Business-First AI” webcast

Mark De Visser | 3 min read

Next Post

Cost Advantages to Consider when Choosing a Cloud Platform - Part 2: Performance & Automation

Justin Smith | 3 min read