WAF provides virtual exclusive clusters to enable custom application protection. An exclusive cluster allows you to add domains with non-standard ports for protection.

Background information

A website runs both internal and external workloads, which can be intricately designed to meet different business needs. The implementation of a website may involve different web development tools and use non-standard ports. An exclusive cluster allows you to add websites with non-standard ports to enable comprehensive application protection.

After you buy an Exclusive edition WAF instance, you can customize the configuration of the exclusive cluster. The supported parameters include:

  • Cluster region: You can select a region for the cluster.
  • Cluster ports: An exclusive cluster supports more non-standard ports than a shared cluster does. You can use HTTP ports, HTTPS ports, and HTTP/2 ports as the back-to-origin ports.
    Note: The following system ports are not supported: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987.
  • SNI support: You can upload a certificate to allow clients that do not support Server Name Indication (SNI) to access your website.
  • Response page: You can specify a static URL that has been uploaded to Alibaba Cloud CDN as the response page that appears when a request is blocked. This helps you improve user experience.
  • TLS security policy: You can specify the TLS versions and cipher suites.
  • Persistent connection timeout: You can specify the connection timeout, read timeout, and write timeout.

Create an exclusive cluster

After you buy an Exclusive edition WAF instance or upgrade your WAF instance to Exclusive edition, you can use a virtual exclusive cluster and a shared cluster to protect your website. To use the features provided by an exclusive cluster, create an exclusive cluster based on your workloads.

  1. Log on to the WAF console.
  2. In the left-side navigation pane, choose Setting > Exclusive Cluster. At the top of the page, set the region of your WAF instance to Mainland China or International.
  3. On the Exclusive Cluster Settings page, configure the following parameters:
    • Set Region.
      Note: After an exclusive cluster is created, you cannot modify Region.
    • Set Destination Server Port. Select a protocol, and click Customize. Enter the ports to be protected, and click Save. When you add a domain to the exclusive cluster for protection, you can select a server port specified for this cluster.
    • Set URL of Blocking Response Page. Enter the static URL that you have uploaded to Alibaba Cloud CDN. WAF uses this URL as the response page that appears when a request to your website is blocked.
    • Enter the content of Certificate File and Private Key File to allow clients that do not support SNI to access your website.
    • Configure HTTPS settings.
      • TLS Versions: The default value is TLS 1.0 and Later (High Compatibility and Low Security). You can select TLS 1.1 or TLS 1.2 and later versions based on your needs.
      • Cipher Suites:
        • If you select Strong Cipher Suites (Low Compatibility and High Security), the following strong cipher suites are supported:
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        • If you select All Cipher Suites (High Compatibility and Low Security), all the preceding strong cipher suites and the following weak cipher suites are supported:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_GCM_SHA384
          • TLS_RSA_WITH_AES_128_CBC_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA256
          • TLS_RSA_WITH_AES_128_CBC_SHA
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • Set the persistent connection timeout.
      • Connection Timeout: Set the connection timeout to a value between 5 and 3,600 seconds.
      • Read Timeout: Set the read timeout to a value between 120 and 3,600 seconds.
      • Write Timeout: Set the write timeout to a value between 120 and 3,600 seconds.
  4. Click Save Settings.
    After these operations, WAF creates an exclusive cluster. It takes around 20 minutes to create a cluster.
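
The two cipher suite lists in step 3 can be audited mechanically. The following is an added example, not Alibaba Cloud code: it parses each suite name into key exchange, certificate key type and cipher mode, then lists which suites remain negotiable for a client capped at an older TLS version. The function names `parse`, `usable` and `report` are hypothetical, and the minimum-version rule comes from the TLS specifications, not from this page.

```python
import re

# Suite names copied from the two lists on this page.
STRONG = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
""".split()
WEAK_EXTRA = """
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
""".split()

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*)$")

def parse(name):
    """Split an IANA-style suite name into its security-relevant properties."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kx, cipher, digest = m["kx"], m["cipher"], m["hash"]
    aead = cipher.endswith("_GCM")
    return {
        "name": name,
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")),  # ephemeral key exchange
        "cert": kx.split("_")[-1],          # certificate key type: RSA or ECDSA
        "aead": aead,                       # GCM; otherwise CBC with an HMAC
        "legacy_cipher": "3DES" in cipher,  # 64-bit block cipher
        # GCM and SHA256/SHA384 suites are defined for TLS 1.2 only.
        "min_tls": 1.2 if aead or digest != "SHA" else 1.0,
    }

def usable(suites, client_max_tls, cert):
    """Names a client capped at client_max_tls can negotiate with a `cert`-type key."""
    return [p["name"] for p in map(parse, suites)
            if p["min_tls"] <= client_max_tls and p["cert"] == cert]

def report(suites):
    """Count suites lacking forward secrecy, lacking AEAD, or using 3DES."""
    parsed = [parse(s) for s in suites]
    return {
        "no_forward_secrecy": sum(not p["forward_secrecy"] for p in parsed),
        "non_aead": sum(not p["aead"] for p in parsed),
        "legacy_cipher": sum(p["legacy_cipher"] for p in parsed),
    }
```

By this analysis, every suite in the strong list offers forward secrecy, while seven of the nine suites added by All Cipher Suites use static RSA key exchange and one uses 3DES. `usable(STRONG, 1.0, "RSA")` is empty, so under Strong Cipher Suites a TLS 1.0 or 1.1 client has nothing to negotiate against an RSA certificate even when the TLS Versions setting allows those versions.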

What to do next

After an exclusive cluster is created, you can add websites to this exclusive cluster for custom protection.

Note: After an exclusive cluster is created, you can modify the cluster settings on the Exclusive Cluster Settings page.
  • You can add a website to WAF and use the exclusive cluster to protect this website. For more information, see Website configuration.
  • If you have already added a website to WAF, perform the following operation to enable exclusive cluster protection for this website: Enter the Website Configuration page in the WAF console, and set Protection Resource of the website to Exclusive Cluster.
    Note: You can also change the protection resource of a website from an exclusive cluster to a shared cluster. The ports supported by WAF vary with the cluster type. Before you change the protection cluster type for a website, make sure that the target cluster supports the ports of your website.