WAF uses specified back-to-origin CIDR blocks to forward normal traffic back to the origin server. To allow inbound traffic from the WAF back-to-origin CIDR blocks, you can configure security software or access control policies of the origin server when you add a website to the WAF console.
If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to the whitelist of the software. This prevents normal traffic forwarded by WAF to the origin server from being blocked by access control policies.
For security purposes, we recommend that you configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. This prevents attackers from bypassing WAF and directly attacking the origin server.
Back-to-origin CIDR blocks added on April 30, 2020
- Mainland China:
- Regions outside mainland China:
We recommend that you add the new back-to-origin CIDR blocks before May 15, 2020.
You can obtain the back-to-origin CIDR blocks from the following table based on the region of your WAF instance, or use the following steps to obtain the latest back-to-origin CIDR blocks from the WAF console.
|Region of the WAF instance|Back-to-origin CIDR block|
|---|---|
|Regions in mainland China||
|Regions outside mainland China||
Note If the origin server of the website is deployed in Japan, add the
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- At the lower part of the Product Information page, locate the WAF IP Segments section and click Copy All IPs.
The WAF IP Segments section displays the latest back-to-origin CIDR blocks.
After obtaining the WAF back-to-origin CIDR blocks, you can add them to the whitelist of your origin security software.
If the website traffic is routed to WAF, you can configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. For more information, see Configure protection for your origin server.
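Before restricting the origin server to the WAF back-to-origin CIDR blocks, it helps to check which sources currently reach it directly. The following added example (not part of the original page or the WAF product) parses a copied CIDR list and flags origin access-log entries whose connecting address is outside it. It assumes the copied list is comma- or whitespace-separated and that the first log field is the connecting address; the ranges shown are documentation placeholders, not real WAF blocks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: documentation-only ranges standing in for the real
# back-to-origin CIDR blocks copied from the WAF IP Segments section.
COPIED_SEGMENTS = "192.0.2.0/24,198.51.100.0/25, 198.51.100.128/25\n2001:db8:100::/48"

# Constructed origin access-log lines. The first field must be the TCP peer
# address, not a client-supplied header such as X-Forwarded-For.
SAMPLE_LOG = """\
192.0.2.17 - - [01/May/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.200 - - [01/May/2020:10:00:02 +0000] "GET /login HTTP/1.1" 200 734
203.0.113.9 - - [01/May/2020:10:00:03 +0000] "GET /admin HTTP/1.1" 403 120
2001:db8:100::5 - - [01/May/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2020:10:00:05 +0000] "POST /login HTTP/1.1" 401 98
not-an-ip - - [01/May/2020:10:00:06 +0000] "GET / HTTP/1.1" 400 0
"""

def parse_cidrs(text):
    """Parse a comma/whitespace separated CIDR list; raise ValueError on a bad entry."""
    nets = [ipaddress.ip_network(tok, strict=True)
            for tok in re.split(r"[,\s]+", text.strip()) if tok]
    # Merge adjacent or overlapping blocks so the allowlist stays minimal.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def from_waf(addr, nets):
    """True if addr falls inside any allowlisted block of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def audit(log_text, nets):
    """Return (Counter of sources outside the allowlist, count of unparsable lines)."""
    direct, bad = Counter(), 0
    for line in log_text.splitlines():
        field = line.split(" ", 1)[0]
        try:
            if not from_waf(field, nets):
                direct[field] += 1
        except ValueError:
            bad += 1
    return direct, bad

if __name__ == "__main__":
    nets = parse_cidrs(COPIED_SEGMENTS)
    direct, bad = audit(SAMPLE_LOG, nets)
    print("allowlist:", ", ".join(map(str, nets)))
    for src, n in direct.most_common():
        print(f"direct-to-origin source {src}: {n} request(s)")
    print("unparsable lines:", bad)
```

Sources reported as direct-to-origin are either legitimate systems that need their own allow rule (for example, monitoring) or traffic that bypasses WAF and will be dropped once the policy is enforced.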