Web Application Firewall (WAF) exclusive clusters provide all of the protection capabilities of WAF shared clusters, and additionally support custom configurations that let you tailor protection to your workloads. For example, exclusive clusters support a wider range of non-standard ports, a default certificate for clients that do not send Server Name Indication (SNI), custom error pages, configurable HTTPS encryption settings (TLS versions and cipher suites), and custom persistent connection timeouts.
If your workloads require any of these configurations, we recommend that you create a WAF exclusive cluster and associate your workloads with it.
Comparison between exclusive clusters and shared clusters
Item | WAF shared cluster | WAF exclusive cluster |
---|---|---|
Supported regions | Shared clusters consist of 14 nodes deployed in the following regions: China (Beijing), China (Shanghai), China (Hangzhou), China (Shenzhen), China (Hong Kong), Singapore (Singapore), Malaysia (Kuala Lumpur), US (Virginia), Australia (Sydney), Germany (Frankfurt), India (Mumbai), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo). If you associate your workloads with a shared cluster, WAF automatically allocates protection resources from the region closest to the origin server, as determined by the IP address of the origin server. | An exclusive cluster consists of a primary cluster and a secondary cluster. You can specify the region of the primary cluster, but not the region of the secondary cluster. Notice: After the region of the primary cluster is specified, it cannot be changed. After you associate your workloads with an exclusive cluster, WAF allocates protection resources from the region of the primary cluster. The secondary cluster serves as a backup: if the primary cluster fails, your workloads are switched to the secondary cluster, and if your workloads are under attack, the secondary cluster is used to reinforce protection. |
Supported cluster ports | If your workloads use non-standard ports, you must specify the ports when you add your website to WAF. Shared clusters support only a fixed set of non-standard ports. For more information, see View the allowed port range. | Exclusive clusters support more non-standard ports than shared clusters, but not the following system ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. To use a non-standard port in an exclusive cluster, first enable the port in the cluster, then select the enabled port when you associate your workloads with the cluster. Note: An exclusive cluster supports up to 50 non-standard ports. By default, only ports 80 and 443 are enabled. |
SNI | If clients do not support SNI, HTTPS requests may fail after you associate your workloads with a shared cluster, because WAF cannot tell which certificate to present. For more information, see HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted"). | When you configure an exclusive cluster, you can upload a default certificate. WAF presents this certificate to clients that do not send SNI, so those clients can access the websites protected by the exclusive cluster. Because every non-SNI client receives the default certificate, it must be valid for the hostnames those clients request. |
Error pages | If you use a shared cluster, WAF returns its default error page when it blocks a request. | If you want WAF to return a custom error page when it blocks a request, use an exclusive cluster and customize the error page. You can upload a custom static page to Alibaba Cloud CDN and specify the URL of the page in WAF, which improves the user experience. |
HTTPS encryption settings | Shared clusters do not support custom HTTPS encryption settings. | When you configure an exclusive cluster, you can select the TLS versions and cipher suites that WAF accepts for HTTPS, based on your business requirements. Enable only the versions and suites your clients need, and avoid legacy TLS versions and weak cipher suites unless legacy clients require them. |
Settings for persistent connection timeout | Shared clusters do not support custom settings for persistent connection timeout. | When you configure an exclusive cluster, you can specify the maximum duration of a persistent connection to improve network resource usage. |
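To make the SNI row concrete, the following added example (not Alibaba Cloud code and not part of this page) shows what a TLS terminator such as a WAF cluster has to do on every HTTPS connection: parse the ClientHello, read the server_name extension if the client sent one, and pick a certificate. With a default certificate configured (the exclusive-cluster case) a client that omits SNI still gets a certificate; without one (the shared-cluster case) there is nothing to present and the handshake fails. The ClientHello bytes are constructed inline by `build_client_hello`, and the certificate names are hypothetical labels.

```python
import struct

SNI_EXT = 0  # server_name extension type (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2/1.3-style ClientHello record (sample input,
    not a real capture). server_name=None models a client without SNI support."""
    client_random = bytes(32)  # zeroed: this is a constructed sample
    cipher_suites = b"\x13\x01\x13\x02"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    supported_versions = b"\x02\x03\x04"  # advertise TLS 1.3 so the hello looks realistic
    extensions += struct.pack("!HH", 43, len(supported_versions)) + supported_versions
    body = (b"\x03\x03" + client_random + b"\x00"  # legacy_version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from the server_name extension, or None if absent.
    Raises ValueError on anything that is not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # legacy hello with no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len and q + 3 <= len(edata):
            name_type = edata[q]
            name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + name_len]
            q += name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii")
    return None


def select_certificate(record, certs_by_host, default_cert=None):
    """Pick the certificate to present for this ClientHello.
    certs_by_host maps hostname -> certificate label (hypothetical labels).
    default_cert is the exclusive-cluster default certificate; None models a
    shared cluster, where a non-SNI client cannot be served."""
    host = parse_sni(record)
    if host is not None and host in certs_by_host:
        return certs_by_host[host]
    return default_cert  # no SNI, or an unknown name: fall back to the default, if any
```

`select_certificate` returning `None` is the point at which a real terminator would abort the handshake, which is what a non-SNI client experiences against a cluster without a default certificate.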
Associate workloads with an exclusive cluster
Prerequisites
A WAF instance of the Exclusive edition is purchased, or the WAF instance is upgraded to the Exclusive edition. For more information, see Purchase a WAF instance and Renewal and upgrade.
Procedure
The following procedure describes how to associate workloads with an exclusive cluster. In this procedure, port 90 is used. This port is not within the range of non-standard ports supported by shared clusters, so if you want WAF to protect workloads on this port, you must associate the workloads with an exclusive cluster.
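The port rules from the comparison table and the two-step flow in this procedure (enable the port on the cluster first, then select it when associating a workload) can be checked before you touch the console. The following added example is not Alibaba Cloud code and calls no Alibaba Cloud API; it is a local model of the documented constraints. It assumes that ports 80 and 443 do not count toward the limit of 50 non-standard ports, and the `ExclusiveCluster` class, `check_port`, `enable_port` and `associate` are hypothetical names.

```python
# System ports that an exclusive cluster cannot expose (listed on this page).
RESERVED_SYSTEM_PORTS = frozenset(
    {22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, 4987}
)
STANDARD_PORTS = frozenset({80, 443})   # enabled by default on every exclusive cluster
MAX_NON_STANDARD_PORTS = 50             # assumption: 80 and 443 are not counted


class ExclusiveCluster:
    """Local model (hypothetical) of the port state of one exclusive cluster."""

    def __init__(self):
        self.enabled_ports = set(STANDARD_PORTS)
        self.bindings = []  # (domain, port) pairs of associated workloads

    def check_port(self, port):
        """Return None if the port can be enabled, otherwise the reason it cannot."""
        if not isinstance(port, int) or not 1 <= port <= 65535:
            return "port must be an integer in 1-65535"
        if port in RESERVED_SYSTEM_PORTS:
            return "port %d is a reserved system port" % port
        if port in self.enabled_ports:
            return "port %d is already enabled" % port
        non_standard = self.enabled_ports - STANDARD_PORTS
        if len(non_standard) >= MAX_NON_STANDARD_PORTS:
            return "cluster already has %d non-standard ports" % MAX_NON_STANDARD_PORTS
        return None

    def enable_port(self, port):
        """Step 1 of the procedure: enable a non-standard port on the cluster."""
        reason = self.check_port(port)
        if reason is not None:
            raise ValueError(reason)
        self.enabled_ports.add(port)
        return port

    def associate(self, domain, port):
        """Step 2: bind a workload to the cluster on an already enabled port."""
        if port not in self.enabled_ports:
            raise ValueError("port %d is not enabled on this cluster" % port)
        binding = (domain, port)
        self.bindings.append(binding)
        return binding


def plan_port_90(domain="www.example.com"):
    """Walk the page's own scenario: protect a workload on port 90.
    Returns the resulting binding."""
    cluster = ExclusiveCluster()
    cluster.enable_port(90)           # port 90 is neither reserved nor already enabled
    return cluster.associate(domain, 90)
```

`check_port` is deliberately separate from `enable_port` so that a configuration script can report every problem in a batch of ports before changing anything.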