Web Application Firewall (WAF) exclusive clusters support protection services that are provided by WAF shared clusters. WAF exclusive clusters also support custom services to better protect your workloads. For example, exclusive clusters support non-standard ports, Server Name Indication (SNI), custom error pages, flexible HTTPS encryption settings, and custom persistent connection settings. If your workloads require these protection services, we recommend that you create an exclusive WAF cluster and associate your workloads with the cluster for protection.

Differences between exclusive and shared clusters

Supported regions
  • WAF shared cluster: Shared clusters are supported by 14 nodes deployed in the following regions: China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), US (Virginia), US (Silicon Valley), Australia (Sydney), Germany (Frankfurt), India (Mumbai), Indonesia (Jakarta), and UAE (Dubai).
    After you associate your workloads with a shared cluster, WAF automatically allocates protection resources from the region that is closest to the location of the origin server IP address.
  • WAF exclusive cluster: Exclusive clusters include primary and secondary clusters. You can specify a region for a primary cluster. However, you cannot specify a region for a secondary cluster.
    Note: After the region of a primary cluster is specified, you can no longer change the region.
    After workloads are associated with exclusive clusters, WAF allocates protection resources from the region where primary clusters are deployed to protect your workloads. Secondary clusters serve as redundant backups. If errors occur on primary clusters, your workloads are switched to secondary clusters. When your workloads are under attack, the secondary clusters are used to reinforce protection.

Cluster ports
  If your workloads use non-standard ports, you must specify the ports when you add your website to WAF.
  • WAF shared cluster: Shared clusters only support a limited number of non-standard ports. For more information, see Supported non-standard ports.
  • WAF exclusive cluster: Exclusive clusters support more non-standard ports, excluding the following system ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987.
    To use custom ports in exclusive clusters, you must open a server port and select the server port when you associate a website with an exclusive cluster for protection.
    Note: An exclusive cluster supports up to 50 custom ports. By default, only the 80 and 443 ports are open.

SNI
  After your workloads are associated with exclusive clusters, HTTP requests initiated from clients that do not support SNI may experience errors. For more information, see HTTPS access exceptions arising from SNI compatibility. When you configure an exclusive cluster, you can upload the default SNI certificate. In this case, HTTP requests initiated from clients that do not support SNI can be forwarded to websites that are protected by exclusive clusters.

Error pages
  • WAF shared cluster: WAF shared clusters return the default error page to visitors when their requests are blocked.
  • WAF exclusive cluster: If you want to return a custom error page, you can use exclusive clusters and specify an error page.
    You can upload a custom static page to Alibaba Cloud CDN, and specify the URL of the page in WAF. This improves user experience.

HTTPS encryption settings
  • WAF shared cluster: WAF shared clusters do not support custom HTTPS encryption settings.
  • WAF exclusive cluster: When you configure an exclusive cluster, you can select a TLS version and cipher suite to enable HTTPS encryption.

Persistent connection settings
  • WAF shared cluster: WAF shared clusters do not support custom persistent connections.
  • WAF exclusive cluster: When you configure an exclusive cluster, you can specify the maximum duration of a persistent connection to save network resources.

Associate workloads with an exclusive cluster

Prerequisites

You have purchased the WAF Exclusive edition, or upgraded WAF to the Exclusive edition. For more information, see Activate a WAF instance and Renewal and upgrade.

Procedure

The following procedure shows how to associate workloads with an exclusive cluster. In this example, the website uses port 90. This port is not supported by shared clusters.

  1. Configure an exclusive cluster.
    1. Log on to the WAF console.
    2. In the left-side navigation pane, choose Settings > Exclusive Cluster Settings.
    3. On the Exclusive Cluster Settings page, configure the cluster based on your workload requirements.
      In this example, add HTTP port 90 to Server Ports as follows:
      1. Click Customize next to Server Ports.
      2. Select HTTP, add port 90, and then click Save.
      3. Verify that port 90 is open.
      For more information, see Configure an exclusive cluster.
    4. Click Save Settings.
      The system configures the exclusive cluster based on these settings.
  2. Associate the workloads that have specific requirements, such as workloads on port 90, with an exclusive cluster.
    • Update settings of a website that is already added to WAF
      1. In the left-side navigation pane, choose Management > Website Configuration.
      2. Find the target website, and set Protection Resource to Exclusive Cluster.
        Note Before you change protection resources, make sure that the port used by the website has been added to the server ports of the exclusive cluster. For example, if your website uses HTTP port 80, you must add this port to the server ports of the exclusive cluster.
      3. Update the website settings as required. For example, change the server port to HTTP port 90. For more information, see Edit website configurations.
    • Add a website and configure settings
      1. In the left-side navigation pane, choose Management > Website Configuration.
      2. Click Add Domain and select Add other domains manually.
      3. The Add Domain wizard appears. On the Fill in the website information tab, set Protection Resource to Exclusive Cluster, and set other parameters according to your website settings. For example, set Server Port to HTTP 90.
        Note After you set Protection Resource to Exclusive Cluster, you can only set Server Port to a port that is open in the exclusive cluster. For more information, see Configure an exclusive cluster.

        For more information, see Add website configurations manually.

      4. Click Next, and follow the instructions to update the DNS settings of the website domain. The website workloads will be protected by WAF.

        For more information, see Configure DNS settings.

  3. If workloads protected by WAF exclusive clusters change, you must change the cluster configurations accordingly to make sure that the workloads are protected. Follow steps 1 and 2 to update the configurations.
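
The port rules and the pre-switch notes above can be checked before you touch the console. The following is an added example, not Alibaba Cloud code or a WAF API: the function names and sample websites are hypothetical, and it assumes that the default ports 80 and 443 do not count towards the 50-port limit.

```python
# Added example: port rules from the shared/exclusive comparison on this page.
# Function and variable names are hypothetical, not part of any WAF API.
RESERVED_PORTS = frozenset({22, 53, 9100, 4431, 4646, 8301, 6060, 8600,
                            56688, 15001, 4985, 4986, 4987})
DEFAULT_OPEN = frozenset({80, 443})   # open by default on an exclusive cluster
MAX_CUSTOM_PORTS = 50


def validate_cluster_ports(custom_ports):
    """Return the problems found in a planned list of custom server ports."""
    problems, accepted = [], set()
    for port in custom_ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{port!r}: not a valid TCP port")
        elif port in RESERVED_PORTS:
            problems.append(f"{port}: system port, cannot be opened")
        elif port in accepted:
            problems.append(f"{port}: listed more than once")
        else:
            accepted.add(port)
    # Assumption: the default ports 80 and 443 do not count towards the limit.
    custom = accepted - DEFAULT_OPEN
    if len(custom) > MAX_CUSTOM_PORTS:
        problems.append(
            f"{len(custom)} custom ports exceed the limit of {MAX_CUSTOM_PORTS}")
    return problems


def sites_blocking_switch(site_ports, custom_ports):
    """Map each website to the ports it uses that the cluster will not have open."""
    open_ports = DEFAULT_OPEN | (set(custom_ports) - RESERVED_PORTS)
    blocked = {}
    for site, ports in site_ports.items():
        missing = sorted(set(ports) - open_ports)
        if missing:
            blocked[site] = missing
    return blocked


if __name__ == "__main__":
    # Constructed sample data: planned cluster ports and per-site server ports.
    planned = [90, 8080, 9100]
    sites = {"shop.example.com": [90], "api.example.com": [443, 8443]}
    for problem in validate_cluster_ports(planned):
        print("cluster:", problem)
    for site, missing in sites_blocking_switch(sites, planned).items():
        print(f"{site}: open {missing} on the cluster before switching")
```

A website that appears in the second result should stay on its current protection resource until the listed ports are added to Server Ports.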