Best practices for WAF exclusive clusters

0.0.201

The exclusive clusters of Web Application Firewall (WAF) support the protection capabilities that are provided by WAF shared clusters. WAF exclusive clusters also support custom configurations to better protect your workloads. For example, exclusive clusters support non-standard ports, Server Name Indication (SNI), custom error pages, flexible HTTPS encryption settings, and custom settings for persistent connection timeout.

If your workloads require these protection configurations, we recommend that you create a WAF exclusive cluster and associate your workloads with the cluster for protection.

Comparison between exclusive clusters and shared clusters

Item	WAF shared cluster	WAF exclusive cluster

Item	WAF shared cluster	WAF exclusive cluster
Supported regions	Shared clusters are supported by 11 nodes deployed in the following regions: China (Beijing), China (Hangzhou), China (Shenzhen), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo). If you associate your workloads with a shared cluster, WAF automatically allocates protection resources from the region that is closest to the location of the origin server. This region is determined based on the IP address of the origin server.	An exclusive cluster includes primary and secondary clusters. You can specify a region for the primary cluster. However, you cannot specify a region for the secondary cluster. Important After the region of the primary cluster is specified, you can no longer change the region. After you associate your workloads with an exclusive cluster, WAF allocates protection resources from the region where the primary cluster resides to protect your workloads. The secondary cluster serves as a backup. If errors occur on the primary cluster, your workloads are switched to the secondary cluster. If your workloads are under attack, the secondary cluster is used to reinforce protection.
Supported cluster ports	If your workloads use non-standard ports, you must specify the ports when you add your website to WAF. Shared clusters support specific non-standard ports. For more information, see View the ports supported by WAF.	Exclusive clusters support more non-standard ports than shared clusters. However, exclusive clusters do not support the following system ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. If you want to use a non-standard port in an exclusive cluster, you must enable the port in the exclusive cluster and select the enabled port when you associate your workloads with the exclusive cluster. Note An exclusive cluster supports up to 50 non-standard ports. By default, only the ports 80 and 443 are enabled.
SNI	If clients do not support SNI, HTTPS requests may fail after you associate your workloads with a shared cluster. For more information, see HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted").	When you configure an exclusive cluster, you can upload the default certificate. This way, clients that do not support SNI can normally access the websites that are protected by the exclusive cluster.
Error pages	If you use a shared cluster, WAF returns the default error page when it blocks requests.	If you want WAF to return a custom error page, you can use an exclusive cluster and customize the error page. You can upload a custom static page to Alibaba Cloud CDN, and specify the URL of the page in WAF. This improves user experience.
HTTPS encryption settings	When you configure a shared cluster, you can select Transport Layer Security (TLS) versions and cipher suites to enable HTTPS encryption based on your business requirements.	When you configure an exclusive cluster, you can select TLS versions and cipher suites to enable HTTPS encryption based on your business requirements.
Settings for persistent connection timeout	Shared clusters do not support custom settings for persistent connection timeout.	When you configure an exclusive cluster, you can specify the maximum duration of a persistent connection to improve network resource usage.

Associate workloads with an exclusive cluster

Prerequisites

A WAF instance of the Exclusive edition is purchased, or a WAF instance is upgraded to the Exclusive edition. For more information, see Renew a WAF instance.

Procedure

The following procedure describes how to associate workloads with an exclusive cluster. In the following procedure, the port 90 is used. This port is not within the range of non-standard ports supported by shared clusters. If you want to use WAF to protect the workloads over this port, you must associate the workloads to an exclusive cluster.

Create an exclusive cluster.
1. Log on to the WAF console. In the top navigation bar, select the resource group and region of your WAF instance. The region can be Chinese Mainland or Outside Chinese Mainland.
2. In the top navigation bar, select the resource group to which the instance belongs and the region, Chinese Mainland or Outside Chinese Mainland, in which the instance resides.
3. In the left-side navigation pane, choose Systems > Exclusive Cluster Configurations.
4. On the Exclusive Cluster Configurations page, create an exclusive cluster based on your workloads.
  In this example, you must select HTTP and enter 90 in the Destination Server Port section. For more information, see Create an exclusive cluster.
5. Click Save Settings.
  WAF creates the exclusive cluster based on your settings.
Associate the workloads over the HTTP port 90 with the created exclusive cluster.
- A website is added to WAF.
  1. In the left-side navigation pane, choose Asset Center > Website Access.
  2. Find the domain name of the website that you want to add to the exclusive cluster. Then, set Protection Resource in the Quick Access column to Exclusive Cluster.
    Note
    Protection Resource appears only when your WAF instance runs the Exclusive edition.
  3. Optional:Update the website settings based on your business requirements. For example, change the server port to the HTTP port 90. For more information, see Add a domain name to WAF.
- Add a website to WAF.
  1. In the left-side navigation pane, choose Asset Center > Website Access.
  2. On the Domain Names tab, click Website Access.
  3. Optional:On the Add Domain Name page, set Access Mode to CNAME Record.
    If CNAME Record is automatically selected, skip this step.
  4. In the Enter Your Website Information step, set Protection Resource to Exclusive Cluster and enter the server port. In this example, add the HTTP port 90 in the Destination Server Port section.
    Note
    After you select Exclusive Cluster, you can select the server port only from the ports enabled for the exclusive cluster in the Destination Server Port section. For more information, see Create an exclusive cluster.
    For more information about the settings, see Add a domain name to WAF.
  5. Click Next. Then, follow the instructions to change the DNS records of the website. After you change the DNS records, WAF can protect your workloads.
    For more information, see Modify a DNS record.
If the characteristics of the workloads change and the exclusive cluster is affected, update the cluster and website settings. For more information, see Step 1 and Step 2.

Feedback

Previous: Create an exclusive clusterNext: Monitoring and Alarm

On this page （1）

Comparison between exclusive clusters and shared clusters

Associate workloads with an exclusive cluster

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

Comparison between exclusive clusters and shared clusters

Associate workloads with an exclusive cluster

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)