Web Application Firewall (WAF) Exclusive edition provides virtual exclusive clusters. An exclusive cluster lets you customize domain name settings and protection settings in WAF, such as protected ports and the TLS policy, based on your business requirements.

Background information

A website may serve both internal and external workloads, be built with different web frameworks, and listen on non-standard ports. A shared cluster protects only a fixed set of ports; an exclusive cluster allows you to add websites that use non-standard ports to WAF so that they are protected as well.

After you buy a WAF instance of the Exclusive edition, you can customize the configuration of an exclusive cluster. The following parameters are supported:

  • Cluster region: You can select a region for the cluster.
  • Cluster ports: An exclusive cluster supports more non-standard ports than a shared cluster does. You can use HTTP ports, HTTPS ports, and HTTP/2 ports as the back-to-origin ports.
    Note The following system ports are not supported: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987.
  • SNI support: You can upload a certificate that WAF presents to clients that do not send the TLS Server Name Indication (SNI) extension. Without SNI, WAF cannot tell which website a client wants, so legacy clients receive this default certificate instead of failing the handshake.
  • Response page: You can specify the URL of a static page hosted on Alibaba Cloud CDN. If a request is blocked, the page at this URL is returned.
  • TLS security policy: You can specify the TLS versions and cipher suites.
  • Persistent connection timeout: You can specify the connection timeout period, read timeout period, and write timeout period.

Create an exclusive cluster

After you buy a WAF instance of the Exclusive edition or upgrade your WAF instance to the Exclusive edition, you can protect a website with either the shared cluster or a virtual exclusive cluster. To use the features provided by an exclusive cluster, first create an exclusive cluster based on your workloads.

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose System Management > Exclusive Cluster Settings.
  4. On the Exclusive Cluster Settings page, configure the following parameters:
    • Select Region.
      Note After an exclusive cluster is created, you cannot modify Region.
    • Set Destination Server Port. Select a protocol and click Customize. Enter the ports to be protected and click Save. When you add a domain name to the exclusive cluster for protection, you can select a server port specified for this cluster.
    • Set URL of Blocking Response Page. Enter the URL of a static page hosted on Alibaba Cloud CDN. If a request is blocked, the page at this URL is returned.
    • Enter the content of Certificate file and Private key file. WAF presents this certificate to clients that do not send SNI, so that they can still access your website. The private key must match the certificate.
    • Configure HTTPS settings.
      • TLS Versions: The default value is Support TLS 1.0 and Later (High Compatibility and Low Security). You can select Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security) or Support TLS 1.2 and Later (Moderate Compatibility and High Security) based on your needs. TLS 1.0 and TLS 1.1 are deprecated by RFC 8996; select Support TLS 1.2 and Later unless you must serve clients that cannot negotiate TLS 1.2.
      • Cipher Suites:
        • If you select Strong Cipher Suites (Low Compatibility and High Security), the following strong cipher suites are supported:
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        • If you select All Cipher Suites (High Compatibility and Low Security), all the preceding strong cipher suites and the following weak cipher suites are supported. The weak set includes suites with static RSA key exchange (no forward secrecy: a leaked server key decrypts recorded traffic) and SSL_RSA_WITH_3DES_EDE_CBC_SHA, whose 64-bit block cipher is affected by the Sweet32 attack. Select it only if you must support legacy clients:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_GCM_SHA384
          • TLS_RSA_WITH_AES_128_CBC_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA256
          • TLS_RSA_WITH_AES_128_CBC_SHA
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • Set the persistent connection timeout.
      • Connection Timeout: Set the connection timeout period to a value between 5 and 3,600 seconds.
      • Read Timeout: Set the read timeout period to a value between 120 and 3,600 seconds.
      • Write Timeout: Set the write timeout period to a value between 120 and 3,600 seconds.
  5. Click Create.
    WAF then creates the exclusive cluster, which takes about 20 minutes. After the cluster is created, you can view and modify its settings on this page, except Region.
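The following script is added here as an example; it is not part of the Alibaba Cloud WAF product or its documentation. It checks from the outside that the TLS policy configured in step 4 is actually enforced: it attempts TLS 1.0 and TLS 1.1 handshakes (which a Support TLS 1.2 and Later cluster should refuse), forces static-RSA and 3DES suites (which Strong Cipher Suites should refuse), confirms that a client without SNI still completes a handshake against the uploaded default certificate, and rates IANA cipher-suite names such as those listed above. The cluster address, protected domain name and port are placeholders that you supply; only Python's standard ssl module is used.

```python
"""Audit an exclusive cluster's TLS policy from the outside and rate cipher suites.

Added example; not part of the Alibaba Cloud WAF product or documentation.
Run only against clusters you own.
"""
import argparse
import socket
import ssl

# Key-exchange prefixes that give forward secrecy (ephemeral ECDH / DH).
FS_KEY_EXCHANGES = ("ECDHE_", "DHE_")


def classify_suite(name):
    """Return the weaknesses of an IANA cipher-suite name, in a fixed order.

    'TLS_RSA_WITH_AES_128_CBC_SHA' -> ['no-forward-secrecy', 'cbc-mode', 'sha1-mac']
    An empty list means an AEAD suite with an ephemeral key exchange.
    """
    issues = []
    kx, _, rest = name.partition("_WITH_")
    kx = kx.split("_", 1)[1]  # drop the TLS_ / SSL_ prefix
    if not kx.startswith(FS_KEY_EXCHANGES):
        issues.append("no-forward-secrecy")  # static RSA: a leaked key decrypts recorded traffic
    if "3DES" in rest:
        issues.append("3des")                # 64-bit block cipher (Sweet32)
    if "RC4" in rest or "NULL" in rest or "EXPORT" in kx:
        issues.append("broken-cipher")
    if "CBC" in rest:
        issues.append("cbc-mode")            # not AEAD; MAC-then-encrypt padding oracles
    if rest.endswith("_SHA"):
        issues.append("sha1-mac")            # bare _SHA suffix means HMAC-SHA1
    return issues


def probe(address, port, sni_name, min_version, max_version, ciphers=None, timeout=5.0):
    """Attempt one handshake and return (protocol, cipher, DER cert), or None if it fails.

    sni_name=None sends no SNI, which is how a legacy client reaches the default
    certificate. Certificate verification is disabled on purpose: we are testing
    the cluster's policy, not trusting its identity here.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
        if ciphers:
            ctx.set_ciphers(ciphers)  # OpenSSL cipher string, e.g. 'kRSA' or '3DES'
        with socket.create_connection((address, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return tls.version(), tls.cipher()[0], tls.getpeercert(binary_form=True)
    except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
        return None


def audit_cluster(address, port, sni_name):
    """Run the handshakes that 'Support TLS 1.2 and Later' plus 'Strong Cipher Suites'
    should reject, plus the two that should succeed, and return the findings.

    Caveat: a None from the TLS 1.0/1.1 probes only proves rejection if the local
    OpenSSL is still willing to offer those versions at its security level.
    """
    T = ssl.TLSVersion
    f = {}
    f["tls1.0_rejected"] = probe(address, port, sni_name, T.TLSv1, T.TLSv1) is None
    f["tls1.1_rejected"] = probe(address, port, sni_name, T.TLSv1_1, T.TLSv1_1) is None
    f["static_rsa_rejected"] = probe(address, port, sni_name, T.TLSv1_2, T.TLSv1_2, "kRSA") is None
    f["3des_rejected"] = probe(address, port, sni_name, T.TLSv1_2, T.TLSv1_2, "3DES") is None
    with_sni = probe(address, port, sni_name, T.TLSv1_2, T.TLSv1_3)
    without_sni = probe(address, port, None, T.TLSv1_2, T.TLSv1_3)
    f["tls1.2+_negotiated"] = with_sni[:2] if with_sni else None
    f["non_sni_handshake_ok"] = without_sni is not None
    # True when the default certificate differs from the per-domain certificate.
    f["non_sni_uses_default_cert"] = bool(with_sni and without_sni and with_sni[2] != without_sni[2])
    return f


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("address", help="CNAME or IP of the exclusive cluster (placeholder)")
    ap.add_argument("sni_name", help="protected domain name to send in SNI (placeholder)")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--rate", nargs="*", default=[], metavar="SUITE",
                    help="also rate these IANA cipher-suite names")
    args = ap.parse_args()
    for key, value in audit_cluster(args.address, args.port, args.sni_name).items():
        print(f"{key:26} {value}")
    for suite in args.rate:
        print(f"{suite:44} {classify_suite(suite) or 'ok'}")
```

Example invocation: python3 audit_tls.py waf-cname.example.com www.example.com --port 8443 --rate TLS_RSA_WITH_AES_128_CBC_SHA. Note that the rating function flags the two TLS_ECDHE_ECDSA_WITH_AES_*_CBC_SHA entries of the Strong Cipher Suites set as cbc-mode and sha1-mac: they still have forward secrecy, but they are not AEAD suites, which is worth knowing when you compare the console's labels with your own policy.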

What to do next

After an exclusive cluster is created, you can add websites to this exclusive cluster for custom protection. The following scenarios are supported:
  • You can add a website to WAF and use the exclusive cluster to protect this website. For more information, see Add websites.
  • If you have added a website to WAF, perform the following operations to enable exclusive cluster protection for this website: Go to the Website Access page in the WAF console and set Protection Resource to Exclusive Cluster for the website.
    You can also change the protection resource of a website from an exclusive cluster to a shared cluster.
    Notice The ports supported by WAF vary with the cluster type. Before you change the protection cluster type for a website, make sure that the cluster supports the ports of your website.