IPv6 traffic protection extends WAF coverage to IPv6 clients, so attacks from both IPv4 and IPv6 sources are detected and blocked before reaching your origin servers.
Prerequisites
Before you begin, confirm that all of the following conditions are met:
| Requirement | Supported values |
|---|---|
| WAF instance edition (subscription) | Business, Enterprise, Exclusive |
| WAF instance region | Chinese mainland only |
| Website access mode | CNAME record mode only |
IPv6 traffic protection is not available for WAF instances outside the Chinese mainland, or for websites added in transparent proxy mode.
You have activated a subscription Business, Enterprise, or Exclusive instance.
How it works
When IPv6 traffic protection is enabled, the CNAME that WAF generates resolves over two separate channels:
IPv4 client requests go to an IPv4 protection cluster.
IPv6 client requests go to an IPv6 protection cluster.
Each cluster inspects traffic independently and forwards only clean requests to your origin server.
Forwarding to origin servers over IPv6 (optional)
If your origin server supports IPv6, you can configure WAF to forward each request using the same protocol as the incoming request:
Configure both back-to-origin IPv4 and IPv6 addresses for your domain.
Select Use the Same Protocol when adding the domain.
For configuration steps, see Add a domain name to WAF.
Enable IPv6 traffic protection
Log on to the WAF console. In the top navigation bar, select the resource group and region for your WAF instance, then select Chinese Mainland. If Chinese Mainland is already displayed, you do not need to switch the region.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Domain Names tab, find the domain name for which you want to enable IPv6 protection and turn on IPV6 in the Quick Access column.
In the Tips dialog, click Confirm.
After IPv6 protection is enabled, the IPV6 toggle in the Quick Access column shows Enabled.
What's next
After you enable IPv6 protection, WAF uses new back-to-origin CIDR blocks to forward requests from IPv6 clients to your origin server. If your origin server has access control configured, add these CIDR blocks to the allowlist — otherwise, IPv6 client requests will fail with connection errors.
To find the new CIDR blocks and update your allowlist: