The access control and throttling whitelist provides access control and throttling policies for websites that are added to Web Application Firewall (WAF) based on the application layer. It also ensures the accessibility of the website. The access control and throttling whitelist supports HTTP flood protection, IP blacklist, scan protection, and custom protection polices. You can configure the access control and throttling whitelist. Requests that match specific conditions in the whitelist can skip specified detection modules.

Notice This topic uses the new version of the WAF console released in January 2020. If the WAF instance was created before this date, you cannot use the access control and the throttling whitelist.


  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.

Background information

For more information about detection modules supported by access control and throttling, see the following topics:


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.Switch Domain Name
  5. Click the Access Control/Throttling tab, find the Access Control/Throttling section, and then click Settings.
  6. Create the access control and throttling whitelist.
    1. On the Access Control/Throttling - Whitelisting page, click Create Rule.
    2. In the Add Rule dialogue box, set the following parameters.Add rules, access control and throttling, whitelist
      Parameter Description
      Rule name Specify a name for the rule.
      Matching Condition Specify the conditions that a whitelist request must match. Click Add rule to add more conditions. You can specify a maximum of five conditions. If you have set multiple conditions, the rule is matched only after all of them are met.

      For more information about match conditions, see Fields of match conditions.

      Modules Bypassing Check Specify the detection modules to be ignored after the match conditions of the rule have been matched. Detection modules include:
      • HTTP Flood Protection
      • Custom Rules
      • IP Blacklist
      • Anti-Scan
    3. Click Save.
    After you create rules for the access control and throttling whitelist, they are enabled automatically. You can view newly created rules in the rule list and disable, edit, or delete rules as needed.The access control and throttling whitelist