Item | WAF shared cluster | WAF exclusive cluster |
--- | --- | --- |
Supported regions | Shared clusters are supported by 11 nodes deployed in the following regions: China (Beijing), China (Hangzhou), China (Shenzhen), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo). If you associate your workloads with a shared cluster, WAF automatically allocates protection resources from the region that is closest to the location of the origin server. This region is determined based on the IP address of the origin server. | An exclusive cluster includes primary and secondary clusters. You can specify a region for the primary cluster. However, you cannot specify a region for the secondary cluster. Important: After the region of the primary cluster is specified, you can no longer change the region. After you associate your workloads with an exclusive cluster, WAF allocates protection resources from the region where the primary cluster resides to protect your workloads. The secondary cluster serves as a backup. If errors occur on the primary cluster, your workloads are switched to the secondary cluster. If your workloads are under attack, the secondary cluster is used to reinforce protection. |
Supported cluster ports | If your workloads use non-standard ports, you must specify the ports when you add your website to WAF. Shared clusters support specific non-standard ports. For more information, see View the ports supported by WAF. | Exclusive clusters support more non-standard ports than shared clusters. However, exclusive clusters do not support the following system ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. If you want to use a non-standard port in an exclusive cluster, you must enable the port in the exclusive cluster and select the enabled port when you associate your workloads with the exclusive cluster. Note: An exclusive cluster supports up to 50 non-standard ports. By default, only ports 80 and 443 are enabled. |
SNI | If clients do not support SNI, HTTPS requests may fail after you associate your workloads with a shared cluster. For more information, see HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted"). | When you configure an exclusive cluster, you can upload a default certificate. This way, clients that do not support SNI can access the websites that are protected by the exclusive cluster as expected. |
Error pages | If you use a shared cluster, WAF returns the default error page when it blocks requests. | If you want WAF to return a custom error page, you can use an exclusive cluster and customize the error page. You can upload a custom static page to Alibaba Cloud CDN, and specify the URL of the page in WAF. This improves user experience. |
HTTPS encryption settings | When you configure a shared cluster, you can select Transport Layer Security (TLS) versions and cipher suites to enable HTTPS encryption based on your business requirements. | When you configure an exclusive cluster, you can select TLS versions and cipher suites to enable HTTPS encryption based on your business requirements. |
Settings for persistent connection timeout | Shared clusters do not support custom settings for persistent connection timeout. | When you configure an exclusive cluster, you can specify the maximum duration of a persistent connection to improve network resource usage. |
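
The port rules in the "Supported cluster ports" row can be checked before you enable ports on an exclusive cluster. The following Python script is an added example, not part of the WAF product or its API: it takes a constructed site-to-ports inventory, rejects the unsupported system ports listed above, and works out which non-standard ports must be enabled on the cluster. The function and class names are hypothetical, and the script assumes that ports 80 and 443 do not count toward the 50-port limit.

```python
"""Pre-flight check for the non-standard port rules of a WAF exclusive cluster."""
from dataclasses import dataclass, field

# Values taken from the "Supported cluster ports" row of the table above.
RESERVED_SYSTEM_PORTS = frozenset(
    {22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, 4987}
)
DEFAULT_ENABLED_PORTS = frozenset({80, 443})
MAX_NON_STANDARD_PORTS = 50


@dataclass
class PortPlan:
    to_enable: list = field(default_factory=list)  # non-standard ports to enable on the cluster
    rejected: dict = field(default_factory=dict)   # site -> ports that cannot be used
    over_limit_by: int = 0                         # > 0 when the cluster limit is exceeded

    @property
    def ok(self):
        return not self.rejected and self.over_limit_by == 0


def plan_exclusive_cluster_ports(sites):
    """sites maps a site name to the listener ports it needs (constructed inventory format)."""
    plan = PortPlan()
    needed = set()
    for site, ports in sites.items():
        for port in ports:
            valid = isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535
            if not valid or port in RESERVED_SYSTEM_PORTS:
                plan.rejected.setdefault(site, []).append(port)
            elif port not in DEFAULT_ENABLED_PORTS:
                needed.add(port)  # a port shared by several sites is enabled once
    plan.to_enable = sorted(needed)
    # Assumption: 80 and 443 do not count toward the 50-port limit.
    plan.over_limit_by = max(0, len(needed) - MAX_NON_STANDARD_PORTS)
    return plan


if __name__ == "__main__":
    # Constructed inventory; the host names are placeholders.
    inventory = {
        "shop.example.com": [443, 8443],
        "api.example.com": [443, 8443, 8080],
        "legacy.example.com": [80, 6060],  # 6060 is an unsupported system port
    }
    result = plan_exclusive_cluster_ports(inventory)
    print("enable on cluster:", result.to_enable)
    print("rejected:", result.rejected)
    print("ok:", result.ok)
```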