Web Application Firewall

Liferay Cloud provides built-in Web Application Firewall (WAF) capabilities, protecting applications against sophisticated Layer 7 attacks that might otherwise lead to loss of sensitive data, systems being hijacked by attackers, and downtime.

Here, you’ll learn how Liferay Cloud’s features form the WAF that protects against common attacks.

Figure 1: The Web Application Firewall protects against common attacks.


Custom firewall rules are not available with shared cluster subscriptions.

Private Network

Liferay Cloud’s services are not exposed publicly to the internet. Every environment in Liferay Cloud has its own private network, which allows services from the same environment to communicate through a secure communication protocol without interacting with the public internet. For information on configuring this private network, see Private Network.

Public Load Balancer

The Liferay Cloud Public Load Balancer (Layer 7) provides internet access to the environment’s services through proxied HTTP(S) connections that use the TLS protocol (1.0 to 1.2). Each load balancer has a static IP address that can be used to set up custom domains. HTTP(S) load balancing can absorb and protect against IP spoofing and large SYN flood attacks. This functionality is built into Liferay Cloud and does not require user configuration.

CDN Offload

Liferay Cloud’s CDN acts as a proxy between clients and origin servers. The CDN caches cacheable content and serves it from points-of-presence (POPs) closer to users, instead of sending those requests to backend servers (instances).

In the event of a DDoS attack against cacheable content, requests are sent to POPs around the globe instead of the origin servers, which provides a larger set of locations to absorb the attack.

IP Allow and Deny Lists

The Webserver (Nginx) service that Liferay Cloud provides can permit or block incoming traffic based on IP addresses or ranges, using allow lists and deny lists.
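Nginx checks allow and deny rules in the order they are written and applies the first one that matches, so the position of a catch-all deny decides the outcome. The Python sketch below is an added example, not part of Liferay's documentation or of Nginx; parse_rules, decide and the sample rule sets are hypothetical names and constructed data that model this ordering for the rules of a single block.

```python
import ipaddress

# Constructed rule sets. PAGE_ORDER copies the two access directives from the page's sample.
PAGE_ORDER = "allow  2001:0db8::/32;\ndeny   all;"
REVERSED = "deny   all;\nallow  2001:0db8::/32;"
NO_CATCH_ALL = "deny 198.51.100.0/24;  # constructed documentation range"


def parse_rules(conf_text):
    """Return (action, network-or-None) pairs for allow/deny lines, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue  # listen, braces and other directives are not access rules
        action, target = parts
        if target == "all":
            rules.append((action, None))  # None stands for "every client"
        elif not target.startswith("unix:"):  # UNIX sockets are out of scope here
            # strict=False tolerates host bits in a CIDR such as 192.0.2.10/24
            rules.append((action, ipaddress.ip_network(target, strict=False)))
    return rules


def decide(rules, client_ip):
    """Apply first-match-wins ordering and return 'allow' or 'deny'."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # nothing matched: access is permitted by default


if __name__ == "__main__":
    for name, conf in (("page order", PAGE_ORDER), ("reversed", REVERSED),
                       ("no catch-all", NO_CATCH_ALL)):
        rules = parse_rules(conf)
        for ip in ("2001:db8::1", "203.0.113.7", "198.51.100.9"):
            print(f"{name:13} {ip:14} -> {decide(rules, ip)}")
```

With the reversed rule set every client is denied, and with no catch-all rule any address outside the denied range is admitted, which is why an allow list should end with deny all.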

Users can leverage the allow and deny directives inside the stream context or server block in the nginx.conf file:

stream {
    server {
        listen 12345;
        allow  2001:0db8::/32;
        deny   all;