
Web Application Firewall: Configure an exclusive cluster

Last Updated: Sep 05, 2025

To better protect custom services, Web Application Firewall (WAF) offers an Exclusive edition. This edition uses virtual exclusive clusters and lets you customize access and protection capabilities based on your business needs.

Background information

If your website has special requirements, it may use non-standard designs. Exclusive clusters allow you to add business systems with custom requirements to WAF for complete application-layer attack protection.

After you purchase the WAF Exclusive edition, you can customize the service configuration of an exclusive cluster based on your business needs. You can configure the following settings:

  • Cluster region: Select a region for the cluster.

  • Cluster port settings: Protect a wider range of non-standard ports. You can configure custom back-to-origin ports for the HTTP, HTTPS, and HTTP 2.0 protocols.

    Note

    The following system ports are not supported: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, or 4987.

  • SNI authentication: Upload a default SNI certificate. This allows client devices that do not support the standard SNI protocol to access your website.

  • Protection response page: You can configure the URL of a static page that is uploaded to a Content Delivery Network (CDN). WAF uses this page as the protection response page to improve the user experience.

  • TLS security policy: You can select the TLS version and cipher suite.

  • Persistent connection timeout configuration: You can customize the timeout periods for establishing connections, requests, and responses.

Create an exclusive cluster

After you purchase or upgrade to the WAF Exclusive edition, you can use virtual exclusive clusters or shared clusters to protect your website. Before you can use an exclusive cluster, you must create one based on your business needs.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Systems > Exclusive Settings.

  3. On the Exclusive Cluster Configurations page, configure the cluster based on your business needs.

    • Select a Region.

      Note

      After an exclusive cluster is created, the Region cannot be changed.

    • To set the Server Port range, select a Protocol Type, click Customize, enter the server port range, and then click Save. This lets you quickly select a port from the saved range when you add a domain name configuration to an exclusive cluster.

    • Set the Response Page. Enter the URL of a static page that is uploaded to a CDN. Websites protected by the exclusive cluster use this page as the WAF protection response page.

    • Upload a default SNI certificate by entering the content in the Certificate file and Private key file fields.

    • Configure HTTPS protocol encryption settings.

      • TLS Version: The default value is TLS 1.0 and Later (Best Compatibility and Low Security). Based on your security requirements, you can instead choose to support only TLS 1.1 or TLS 1.2 and later.

      • Cipher Suite:

        • Select Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.). This option lets you customize the TLS version and cipher suite for each domain. You can customize the TLS version separately. For the cipher suite, you can select strong encryption, weak encryption, or individual algorithms.

        • Select Strong Cipher Suites (Low Compatibility and High Security). Only the following strong cipher suites are supported:

          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

        • Select All Cipher Suites (High Compatibility and Low Security). In addition to the strong cipher suites listed above, the following weak cipher suites are also supported:

          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

          • TLS_RSA_WITH_AES_128_GCM_SHA256

          • TLS_RSA_WITH_AES_256_GCM_SHA384

          • TLS_RSA_WITH_AES_128_CBC_SHA256

          • TLS_RSA_WITH_AES_256_CBC_SHA256

          • TLS_RSA_WITH_AES_128_CBC_SHA

          • TLS_RSA_WITH_AES_256_CBC_SHA

          • SSL_RSA_WITH_3DES_EDE_CBC_SHA

    • Set the persistent connection timeout.

      • Connection Timeout: The timeout period for establishing a connection. You can set a value from 5 to 3600 seconds.

      • Read Timeout: The timeout period for read connections. You can set a value from 120 to 3600 seconds.

      • Write Timeout: The timeout period for write connections. You can set a value from 120 to 3600 seconds.

  4. Click Create Now.

    The system creates an exclusive cluster based on the specified configurations. The creation process takes about 20 minutes. After the exclusive cluster is created, you can view and modify its settings on the Exclusive Cluster Configurations page.
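To confirm that the Cipher Suite option chosen in step 3 is what the cluster actually enforces, compare the suites a TLS scanner reports for your protected domain against the two lists above. The following is an added example, not code from the product documentation: the `openssl_name` and `audit` helpers are hypothetical names, and the scan result is constructed sample data. Scanners built on OpenSSL report suites under OpenSSL names, so the script first derives those names from the names listed on this page.

```python
import re

# Tiers exactly as listed on this page.
STRONG = """TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA""".split()
WEAK = """TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA""".split()

def openssl_name(listed):
    """Convert a suite name as listed on this page to the name OpenSSL-based tools report."""
    kx, rest = re.sub(r"^(TLS|SSL)_", "", listed).split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    if cipher == "3DES_EDE_CBC":
        cipher = "DES-CBC3"
    else:  # AES_128_GCM -> AES128-GCM; AES_128_CBC -> AES128 (CBC is implicit)
        _, bits, mode = cipher.split("_")
        cipher = f"AES{bits}" + ("-GCM" if mode == "GCM" else "")
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    return f"{prefix}{cipher}-{mac}"

TIER = {openssl_name(s): ("strong", s) for s in STRONG}
TIER.update({openssl_name(s): ("weak", s) for s in WEAK})

def audit(accepted, policy):
    """Return (suite, tier) pairs the endpoint accepted but the policy should not allow.
    policy: "strong" for Strong Cipher Suites, "all" for All Cipher Suites."""
    allowed = {"strong"} if policy == "strong" else {"strong", "weak"}
    findings = []
    for name in accepted:
        # A suite on neither list is reported as "unlisted" for manual review.
        tier, listed = TIER.get(name, ("unlisted", name))
        if tier not in allowed:
            findings.append((listed, tier))
    return findings

# Constructed scan result: suites a scanner reported as accepted by your own domain.
SAMPLE_ACCEPTED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA384",
                   "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-CHACHA20-POLY1305"]

if __name__ == "__main__":
    for suite, tier in audit(SAMPLE_ACCEPTED, "strong"):
        print(f"not permitted by Strong Cipher Suites: {suite} ({tier})")
```

Any finding under the `strong` policy means the domain is still negotiating a suite outside the strong list, for example because a per-domain Custom Cipher Suite setting is in effect.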

What to do next

After the exclusive cluster is created, you can add services with custom requirements to the cluster for protection. The following scenarios are supported:

  • You can add a service to the exclusive cluster for protection when you add a new website domain name. For more information, see Add a domain name.

    Important

    After you enable the exclusive cluster, the generated IP address is used only to listen for requests to services in the exclusive cluster. However, this IP address is not fixed. To ensure service stability, you must follow the steps in Add a domain name to modify the DNS resolution settings for your domain name.

  • For an existing domain name, you can go to the Website Access page and change the Protection Resource for the domain name to Exclusive Cluster. This adds the domain name to the exclusive cluster for protection.

    You can also use this method to switch a domain name from an exclusive cluster to a shared cluster.

    Important

    The custom port ranges for exclusive clusters and shared clusters are different. When you switch clusters, make sure that the custom port configuration of the domain name is compatible.