Web Application Firewall (WAF) Exclusive Edition provides virtual exclusive clusters. These exclusive clusters allow you to customize domain name settings and protection settings in WAF based on your business requirements.

Background information

If your websites have special requirements, you can create an exclusive cluster and add your website to the exclusive cluster for comprehensive protection.

After you purchase a WAF instance that runs Exclusive Edition, you can create an exclusive cluster and customize the following settings for the exclusive cluster:

  • Cluster region: You can select a region for the cluster.
  • Cluster ports: An exclusive cluster supports more non-standard ports than a shared cluster does. You can use HTTP ports, HTTPS ports, and HTTP/2 ports as the back-to-origin ports.
    Note The following system ports are not supported: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987.
  • SNI support: You can upload a certificate to allow clients that do not support the Server Name Indication (SNI) protocol to access your website.
  • Response page: You can specify a static URL that is uploaded to Alibaba Cloud CDN. If a request is blocked, the page that is specified by the URL is displayed.
  • TLS security policy: You can specify the TLS versions and cipher suites.
  • Persistent connection timeout: You can specify the connection timeout period, request timeout period, and response timeout period.

Create an exclusive cluster

After you purchase a WAF instance that runs Exclusive Edition or upgrade your WAF instance to Exclusive Edition, you can use an exclusive cluster or a shared cluster to protect your website. Before you can use the features of an exclusive cluster, you must create an exclusive cluster based on your business requirements.

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose System Management > Exclusive Settings.
  4. On the Exclusive Settings page, configure the following parameters:
    • Select a region for Region.
      Note After you create an exclusive cluster, you cannot change the value of Region.
    • Configure Destination Server Port. Select a protocol and click Customize. Enter the ports that you want to protect and click Save. If you add a domain name to the exclusive cluster, you can select a server port that is specified for this cluster.
    • Configure URL of Blocking Response Page. Enter the static URL that is uploaded to Alibaba Cloud CDN. If a request is blocked, the page that is specified by the URL is displayed.
    • Enter the content of Certificate file and Private key file to allow clients that do not support the SNI protocol to access your website.
    • Configure HTTPS settings.
      • TLS Versions: The default value is Support TLS 1.0 and Later (High Compatibility and Low Security). You can select Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security) or Support TLS 1.2 and Later (Moderate Compatibility and High Security) based on your business requirements.
      • Cipher Suites:
        • If you select the Select cipher suites based on the protocol version. Proceed with caution option, you can customize the TLS versions and cipher suites for each domain name. For example, you can customize only the TLS version, or you can customize a combination of strong cipher suites, weak cipher suites, or both.
        • If you select Strong Cipher Suites (Low Compatibility and High Security), the following strong cipher suites are supported:
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        • If you select All Cipher Suites (High Compatibility and Low Security), all the preceding strong cipher suites and the following weak cipher suites are supported:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_GCM_SHA384
          • TLS_RSA_WITH_AES_128_CBC_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA256
          • TLS_RSA_WITH_AES_128_CBC_SHA
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • Specify the persistent connection timeout.
      • Connection Timeout: Set the connection timeout period to a value between 5 and 3,600 seconds.
      • Read Timeout: Set the read timeout period to a value between 120 and 3,600 seconds.
      • Write Timeout: Set the write timeout period to a value between 120 and 3,600 seconds.
    (Figure: Exclusive cluster settings)
  5. Click Create.
    After you click Create, WAF starts to create the exclusive cluster. The cluster is created in about 20 minutes. You can view and modify the settings of the exclusive cluster that you created on the Exclusive Settings page.
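The port, cipher-suite and timeout limits documented in the steps above are easy to get wrong when typed into the console by hand. The following script is an added example, not Alibaba Cloud's code, of a pre-flight check an operator can run on a planned configuration before clicking Create: it rejects the reserved system ports and out-of-range timeouts, and it parses the IANA cipher-suite names of the Strong Cipher Suites and All Cipher Suites options to report, per suite, whether it lacks forward secrecy, uses 3DES, or pairs CBC with a SHA-1 MAC. The suite lists are copied from the page; the classification reports cryptographic properties of each suite rather than the console's own strong/weak labels, and the 1-65535 port bound is a generic sanity check, since the page does not give the full list of ports the cluster supports.

```python
"""Hypothetical pre-flight check for an Exclusive Edition cluster configuration
(not Alibaba Cloud code): validates ports and timeouts against the documented
limits and parses IANA cipher-suite names to report suite weaknesses."""
from __future__ import annotations
import re
from dataclasses import dataclass

# System ports the page lists as unsupported.
RESERVED_PORTS = {22, 53, 9100, 4431, 4646, 8301, 6060, 8600,
                  56688, 15001, 4985, 4986, 4987}
# Persistent connection timeout ranges in seconds, as documented.
TIMEOUT_RANGES = {"connection": (5, 3600), "read": (120, 3600), "write": (120, 3600)}

STRONG_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
]
WEAK_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
# The two fixed cipher-suite options offered on the Exclusive Settings page.
CIPHER_POLICIES = {"Strong Cipher Suites": STRONG_SUITES,
                   "All Cipher Suites": STRONG_SUITES + WEAK_SUITES}

# IANA naming: <proto>_<kx>[_<auth>]_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>ECDHE|RSA)(?:_(?P<auth>RSA|ECDSA))?"
                      r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA\d*)$")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    kx: str      # key exchange: ECDHE (ephemeral) or RSA (static)
    auth: str    # certificate key type: RSA or ECDSA
    cipher: str  # bulk cipher, e.g. AES_128_GCM
    mac: str     # SHA (SHA-1), SHA256 or SHA384

    @property
    def forward_secrecy(self) -> bool:
        return self.kx == "ECDHE"

    @property
    def aead(self) -> bool:
        return "GCM" in self.cipher

    def weaknesses(self) -> list[str]:
        found = []
        if not self.forward_secrecy:
            found.append("static RSA key exchange (no forward secrecy)")
        if self.cipher.startswith("3DES"):
            found.append("3DES bulk cipher (64-bit block size)")
        if "CBC" in self.cipher and self.mac == "SHA":
            found.append("CBC mode with SHA-1 MAC")
        return found


def parse_suite(name: str) -> CipherSuite:
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    # With static RSA key exchange the certificate key is RSA as well.
    return CipherSuite(name, m["kx"], m["auth"] or m["kx"], m["cipher"], m["mac"])


def audit_cipher_policy(option: str) -> dict[str, list[str]]:
    """Map each suite enabled by the chosen option to its weaknesses (if any)."""
    report = {}
    for name in CIPHER_POLICIES[option]:
        weak = parse_suite(name).weaknesses()
        if weak:
            report[name] = weak
    return report


def validate_ports(ports) -> list[str]:
    errors = []
    for p in ports:
        if not 1 <= p <= 65535:  # generic TCP bound; the console's own port list is not on the page
            errors.append(f"port {p} is out of range")
        elif p in RESERVED_PORTS:
            errors.append(f"port {p} is a reserved system port")
    return errors


def validate_timeouts(connection: int, read: int, write: int) -> list[str]:
    errors = []
    for label, value in (("connection", connection), ("read", read), ("write", write)):
        lo, hi = TIMEOUT_RANGES[label]
        if not lo <= value <= hi:
            errors.append(f"{label} timeout {value}s must be between {lo} and {hi}")
    return errors
```

Running `audit_cipher_policy("All Cipher Suites")` shows what the high-compatibility option adds over the strong option: every suite in the second list either uses static RSA key exchange, so a later compromise of the certificate's private key exposes recorded sessions, or pairs CBC with SHA-1; the 3DES suite does both. The same audit also shows that the Strong option still includes two CBC/SHA-1 suites (the ECDSA ones), which is worth knowing before choosing it for a site that must meet a stricter TLS baseline.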

What to do next

After an exclusive cluster is created, you can add websites that have special requirements to the exclusive cluster for custom protection. The following scenarios are supported:
  • You can add a website to the exclusive cluster for protection. For more information, see Add a website.
  • If a website is added to WAF, perform the following operations to enable exclusive cluster protection for the website: Go to the Website Access page in the WAF console and set Protection Resource to Exclusive Cluster for the website.
    You can also change the protection resource of a website from an exclusive cluster to a shared cluster.
    Notice The ports supported by WAF vary based on the cluster type. Before you change the protection cluster type for a website, make sure that the cluster supports the ports of your website.