Dear Alibaba Cloud users:
Web Application Firewall (WAF) plans to add the following new back-to-origin CIDR blocks for CNAME access starting from 00:00:00 on May 28, 2026.
Chinese Mainland:
47.109.121.0/24, 8.137.30.0/24, 2408:4006:1281:2100::/56
Outside Chinese Mainland:
8.221.179.0/24, 8.209.48.128/25, 8.213.181.0/24, 240b:4009:219:2100::/56, 240b:4001:2b6:f200::/56, 240b:400e:163:d00::/56, 240b:400b:60:a800::/56, 240b:4000:14:3200::/56, 240b:4005:19b:9300::/56, 240b:4004:cc:2a00::/56
Impact scope
WAF 3.0: Applies to users who have accessed their domain names via CNAME and configured WAF back-to-origin IP allow rules on their origin servers (for example, ECS instance security groups). Users using the Cloud Product Access mode are not affected.
WAF 2.0: Applies to users who have accessed their domain names via CNAME and configured WAF back-to-origin IP allow rules on their origin servers (for example, ECS instance security groups). Users using the Transparent Access mode are not affected.
Action required
Since this change adds new back-to-origin IP CIDR blocks, to ensure your business access is not affected, configure your origin server to allow the latest back-to-origin IP CIDR blocks by following these steps:
WAF 3.0
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland, Outside Chinese Mainland).
In the left-side navigation pane, click Onboarding. On the CNAME Record tab, click Back-to-origin CIDR Blocks on the right side.
In the Back-to-origin CIDR Block dialog box, click Copy to copy all WAF back-to-origin IP CIDR blocks to the clipboard.
Note: The copied back-to-origin CIDR blocks are separated by commas (,). Addresses similar to 2408:400a:3c:xxxx::/56 are IPv6 CIDR blocks.
Allow the preceding IP CIDR blocks in your server firewall or other locations. For example, if the origin server is an Alibaba Cloud ECS instance, you must allow them in the ECS security group. For more operations, see Add a security group rule.
WAF 2.0
Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Service Information page, click Copy All IP Addresses in the Back-to-origin CIDR Block section in the lower-right corner.
Note: The copied back-to-origin CIDR blocks are separated by commas (,). Addresses similar to 2408:400a:3c:xxxx::/56 are IPv6 CIDR blocks.
Allow the preceding IP CIDR blocks in your server firewall or other locations. For example, if the origin server is an Alibaba Cloud ECS instance, you must allow them in the ECS security group. For more operations, see Add a security group rule.
FAQ
If the security group of the origin server already has an inbound allow rule for 0.0.0.0/0, is it affected by this change?
No. The inbound 0.0.0.0/0 allow rule allows access to the origin server from any source. Therefore, no additional configuration is required for the new back-to-origin IP CIDR blocks.
Are assets using Cloud Product Access or Transparent Access affected by this change?
No. Cloud Product Access and Transparent Access use transparent proxy or SDK integration architectures, which do not rely on the traditional back-to-origin IP mechanism. Therefore, no update to related policies is required.
How do I view and configure ECS instance security group rules?
Go to the Security Groups page of the ECS console and click the ID of the target security group to open its details page.
On the details page of the target security group, select the Inbound tab to view the configured rules. To add a rule, click Add Rule.
Security group rules cannot contain both IPv4 and IPv6 addresses in a single rule. You need to perform the following two steps:
Add an IPv4 rule: In the Source section of the Create Security Group Rule panel, paste the copied IP CIDR blocks and manually remove the IPv6 addresses. Set Destination (This Instance) to the back-to-origin port that you configured when performing CNAME Access in the WAF console. Keep the other parameters at their default values, and click OK.
Add an IPv6 rule: Click Add Rule again. Add the IPv6 CIDR blocks as described in the previous step, and select IPv6 in the Source section.
How do I configure OpenAPI to automatically obtain back-to-origin CIDR blocks and add them to the allowlist?
Update the configuration based on your actual business architecture:
Manually trigger an update: Before the change takes effect, call the OpenAPI operation to obtain back-to-origin IP CIDR blocks once, and synchronize the returned latest CIDR blocks to your security group or firewall policies.
Check automated scripts or scheduled tasks: If you have deployed a scheduled task to automatically fetch and update the allowlist, confirm the execution cycle and status of the task to ensure that the latest CIDR blocks are synchronized before the change takes effect.
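The two tasks above, splitting the copied list into separate IPv4 and IPv6 rules and checking which of the latest blocks a security group does not yet allow, can be scripted. The following Python is an added example, not Alibaba Cloud's own tooling: it uses the Chinese Mainland blocks from this announcement as input, and CURRENT_RULES is a constructed allowlist standing in for whatever a real security group or OpenAPI response would return.

```python
import ipaddress

# New back-to-origin CIDR blocks from this announcement, exactly as the
# WAF console's Copy button hands them over (comma-separated, mixed v4/v6).
NEW_BLOCKS_MAINLAND = "47.109.121.0/24, 8.137.30.0/24, 2408:4006:1281:2100::/56"

# Constructed example of an origin server's current inbound allow rules;
# not taken from any real account. 10.0.0.0/8 is an unrelated rule.
CURRENT_RULES = ["8.137.30.0/24", "10.0.0.0/8"]


def split_by_family(copied: str):
    """Split the copied string into IPv4 and IPv6 networks.

    Security group rules cannot mix address families, so the two lists feed
    two separate Add Rule operations. A malformed entry raises ValueError
    rather than being silently dropped from the allowlist.
    """
    v4, v6 = [], []
    for item in copied.split(","):
        item = item.strip()
        if item:
            net = ipaddress.ip_network(item, strict=True)
            (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def blocks_to_add(new_blocks, current_rules):
    """Return the new blocks not already covered by an existing rule of the
    same address family. A rule such as 0.0.0.0/0 covers every IPv4 block,
    which is why an existing 0.0.0.0/0 allow rule needs no change."""
    current = [ipaddress.ip_network(r, strict=True) for r in current_rules]
    return [n for n in new_blocks
            if not any(n.version == c.version and n.subnet_of(c) for c in current)]


def paste_strings(copied: str, current_rules):
    """Produce the two comma-separated Source values to paste into the IPv4
    and IPv6 Add Rule panels, containing only blocks that are still missing."""
    v4, v6 = split_by_family(copied)
    return (", ".join(str(n) for n in blocks_to_add(v4, current_rules)),
            ", ".join(str(n) for n in blocks_to_add(v6, current_rules)))


if __name__ == "__main__":
    ipv4_source, ipv6_source = paste_strings(NEW_BLOCKS_MAINLAND, CURRENT_RULES)
    print("IPv4 rule Source:", ipv4_source or "(nothing to add)")
    print("IPv6 rule Source:", ipv6_source or "(nothing to add)")
```

Run it against the Outside Chinese Mainland list the same way; for a scheduled task, replace CURRENT_RULES with the rules read back from the security group so the script reports only what is still missing.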