All Products
Search
Document Center

Web Application Firewall:Enable WAF protection for a CLB instance

Last Updated:Jul 15, 2026

To protect your public-facing Classic Load Balancer (CLB) instances from web attacks, you can enable Web Application Firewall (WAF) protection. This mode does not require changes to your existing network architecture or DNS configuration. You only need to configure a traffic routing port. The system then automatically redirects public traffic from that port on your CLB instance to WAF for security inspection and filtering. This provides efficient and transparent protection.

How it worksimage

  • How it works: Web Application Firewall (WAF) integrates with your CLB instance by using a transparent proxy. You only need to configure a traffic routing port for your CLB instance. The system automatically adjusts the underlying network routing policies to divert all HTTP/HTTPS traffic from that port to WAF for security inspection. After WAF blocks malicious requests, it forwards legitimate requests to the origin CLB instance.

  • Scope of protection: This mode protects all domains on the specified traffic routing port, including services that are accessed only by a public IP address without a domain name.

  • Supported listener protocols: WAF can protect CLB instances with HTTP, HTTPS, or TCP listeners. For a TCP listener, WAF inspects only the HTTP/HTTPS traffic on that port. It does not forward or protect non-HTTP/HTTPS traffic, such as FTP, SMTP, or database traffic.

Applicability

If your CLB instance does not meet the following requirements, use the CNAME record mode.

Instance requirements:

  • The instance must be public-facing, or be a private instance with an Elastic IP address (EIP) bound to it.

  • You must add an HTTP, HTTPS, or TCP listener to the CLB instance before you add the instance to WAF.

  • The IP version must be IPv4.

  • Shared CLB instances are not supported because they do not support TLS security policy configuration.

Instance region requirements:

  • WAF in the Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao).

  • WAF Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Singapore.

Important

Adding an instance to WAF may cause a brief connection interruption lasting a few seconds. Perform this during off-peak hours and monitor your service afterward. Clients with automatic reconnection recover without business impact.

Quick start

  1. Open the console

    Log on to the Web Application Firewall console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance. In the left-side navigation pane, click Onboarding. Click the Cloud Native tab, and then select Classic Load Balancer (CLB) from the cloud service type list.

  2. Authorize WAF (first-time setup only)

    Follow the on-screen instructions to click Authorize Now and grant the required permissions. You can view the created service-linked role AliyunServiceRoleForWAF on the Roles page in the RAM console.

  3. Add the CLB instance

    1. In the instance list, find the target CLB instance. Click the image.png icon to expand its details, select the port that you want to protect, and then click Add Now in the Actions column.

      • If the target instance is not in the list, click Synchronize Assets in the upper-right corner. If the instance still does not appear, it does not meet the requirements specified in Applicability.

      • If the Add Now button is unavailable or the status is Protection Exception, see FAQ.

        On the Cloud Service Access page, select Classic Load Balancer CLB from the left-side list, find the target instance, expand its listener list, and click Add Now next to the target listener (for example, HTTP port 80) to enable WAF protection.

    2. Configure the settings based on the listener protocol of the port.

      HTTP and HTTPS listeners

      On the Configure Instance page, to customize settings for Layer 7 proxy settings (such as CDN), X-Forwarded-Proto header settings, or Traffic Tagging, see Obtain real client information. To customize settings for back-to-origin timeout or back-to-origin keep-alive, see Optimize back-to-origin link quality. Otherwise, click OK to apply the default settings.

      Note

      If the protocol is HTTPS, certificates are configured in the CLB console. You do not need to configure certificates in the WAF console.

      TCP listeners

      On the Configure Instance page, select a Protocol Type based on the traffic that the port handles.

      HTTP

      To customize settings for Layer 7 proxy settings (such as CDN), X-Forwarded-Proto header settings, or Traffic Tagging, see Obtain real client information. To customize settings for back-to-origin timeout or back-to-origin keep-alive, see Optimize back-to-origin link quality. Otherwise, click OK to apply the default settings.

      HTTPS

      1. To customize settings for HTTP/2, TLS version, cipher suite, or additional certificates, see Enhance HTTPS security. Otherwise, use the default settings.

      2. In the Default Certificate section, select a method to upload the certificate:

        • Upload: Use this option if your certificate is not in Certificate Management Service (Original SSL Certificate).

        • Select Existing Certificate: Select a certificate that is issued by or uploaded to Certificate Management Service (Original SSL Certificate).

          Upload
          • Certificate Name: Enter a unique name for the certificate. The name cannot be the same as that of an existing certificate.

          • Certificate File: Open the certificate file in a text editor and paste the full content of the certificate in PEM, CER, or CRT format.

            Format example: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

            • Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.

            • Certificate chain: If an intermediate certificate is included, paste the server certificate followed by the intermediate certificate.

          • Private Key: Open the private key file in a text editor and paste the full content of the private key in PEM format.

            Format example: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

          Select existing certificate

          From the certificate drop-down list, select the certificate that you want to upload to WAF.

          Note

          If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain has an issue. Verify that your certificate content is correct and complete, then re-upload it on the Certificate Management Service console. Upload, sync, and share SSL certificates.

      3. To customize settings for Layer 7 proxy settings (such as CDN), X-Forwarded-Proto header settings, or Traffic Tagging, see Obtain real client information. To customize settings for back-to-origin timeout or back-to-origin keep-alive, see Optimize back-to-origin link quality. Otherwise, click OK to apply the default settings.

  4. Verify protection

    After you add the instance, verify the protection by visiting a website hosted on the CLB instance in a browser and appending a web attack test payload to the URL. For example, use http://yourdomain.com/alert(xss). If WAF returns a 405 block page, the attack was successfully intercepted and WAF protection is active.

  5. Review and configure protection rules

    After the instance is added, WAF automatically creates a protected object named instance-id-port-asset-type and enables default protection rules for it, such as web core protection rules. You can view the object on the Protection Config > Protected Objects page. If the default rules do not meet your business needs (for example, you need to add a specific IP address to a whitelist to allow all its requests), you can create or edit protection rules. For more information, see Overview.

Important
  • Certificate and instance status: After you add the instance, ensure that the certificate is valid and the instance status is normal. WAF protection becomes invalid if the certificate expires or the EIP of the instance changes. For more information, see Update the certificate bound to a traffic routing port and Re-add the instance to WAF after changes.

  • Multiple domains on a single CLB instance: If multiple domains resolve to the same CLB instance and you need to configure different protection rules for each, you must manually add each domain as a protected object. For more information, see Add a protected object.

Enhance HTTPS security

Note

These settings are available only if the listener protocol of the port is TCP and the traffic it handles is HTTPS.

Parameter

Description

HTTP/2

Enables the HTTP/2 protocol to improve page load speed, reduce latency, and enhance user experience. You can enable this feature if your website supports HTTP/2. After you enable it, HTTP/2 and HTTPS use the same port, and both the listener and back-to-origin protocols are HTTP/2. If your website does not support HTTP/2, do not enable this feature. Otherwise, your website will be inaccessible.

TLS version

Defines the TLS versions allowed for connections between clients and WAF. Higher versions offer stronger security but lower compatibility with older clients. For high-security scenarios, we recommend that you select TLS 1.2 or later.

Cipher suite

Defines the encryption algorithms allowed for connections between clients and WAF. Strong cipher suites provide high security but low compatibility with older clients. For high-security scenarios, we recommend that you select strong cipher suites.

Additional certificates

If a CLB instance hosts HTTPS websites for multiple domains and a single certificate cannot cover all of them, you need to upload a certificate for each domain.

  • HTTP/2

    On the Configure Instance page, select HTTP/2 to enable this feature.

  • TLS version

    On the Configure Instance page, select an option in the TLS Version section.

    • TLS 1.0 and Later (Best Compatibility and Low Security): Allows access from all older clients.

    • TLS 1.1 and Later (High Compatibility and High Security): Prevents older clients that use TLS 1.0 from accessing the website.

    • TLS 1.2 and Later (High Compatibility and Best Security): Meets the latest security compliance requirements but prevents older clients that use TLS 1.0 or TLS 1.1 from accessing the website.

    • Support TLS 1.3: If your website supports TLS 1.3, select this checkbox. By default, WAF does not listen for client requests that use TLS 1.3.

  • Cipher suite

    On the Configure Instance page, select an option in the Cipher Suite section.

    • All Cipher Suites (High Compatibility and Low Security)

    • Custom Cipher Suite (Select It based on protocol version. Proceed with caution.): If your website supports only specific cipher suites, select this option and choose the supported suites from the list.

      Strong cipher suites

      Weak cipher suites

      • ECDHE-ECDSA-AES128-GCM-SHA256

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • ECDHE-ECDSA-AES128-SHA256

      • ECDHE-ECDSA-AES256-SHA384

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES256-GCM-SHA384

      • ECDHE-RSA-AES128-SHA256

      • ECDHE-RSA-AES256-SHA384

      • ECDHE-ECDSA-AES128-SHA

      • ECDHE-ECDSA-AES256-SHA

      • AES128-GCM-SHA256

      • AES256-GCM-SHA384

      • AES128-SHA256

      • AES256-SHA256

      • ECDHE-RSA-AES128-SHA

      • ECDHE-RSA-AES256-SHA

      • AES128-SHA

      • AES256-SHA

      • DES-CBC3-SHA

      Note
      • Cipher suite security note: ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 cipher suites use ECDHE for key exchange, RSA for authentication, and AES-CBC encryption. Compared with cipher suites that use authenticated encryption modes such as AES-GCM, these have lower security and performance. Some security scanning tools may flag them as weak cipher suites. If this occurs, use a custom cipher suite and manually exclude these two suites.

      • Cipher suite naming conventions: WAF displays cipher suites in OpenSSL format, but some scanning tools may use IANA naming conventions. For example, ECDHE-ECDSA-AES256-SHA384 in OpenSSL corresponds to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in IANA. To look up the mapping, visit ciphersuite.info or use another TLS cipher suite lookup tool.

  • Additional certificates

    On the Configure Instance page, upload certificates in the Additional Certificate section. The upload method is the same as for the default certificate. For details, see Default certificate.

    Note

    When you add multiple additional certificates, all certificates must be valid. If any certificate is expired, the operation fails.

Obtain real client information

Parameter

Description

Is a Layer-7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF?

If a Layer-7 proxy such as a CDN is deployed in front of WAF, you must configure the Obtain Actual IP Address of Client. This ensures that WAF can obtain real client IP addresses for security analysis, such as identifying the Attacker IP Address in Security Reports.

Enable traffic tagging

Allows your origin server to distinguish requests that have passed through WAF and obtain the real client source IP or port.

Obtain the WAF listener protocol by using the X-Forwarded-Proto header

By default, WAF inserts the X-Forwarded-Proto header into the HTTP requests it processes. This header indicates the original protocol (HTTP or HTTPS) that the client used to connect to WAF. You can configure this setting if your web application needs to process this header.

  • Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF

    On the Configure Instance page, configure this setting in the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF section. The options are:

    No other proxy

    Indicates that requests are sent directly from clients to WAF.

    Other proxies

    Indicates that requests are forwarded to WAF from another layer 7 proxy. You must also specify the Obtain Actual IP Address of Client.

    • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

      If you select this option, WAF obtains the source IP in the following order of precedence:

      1. The value of the X-Real-IP request header.

      2. If the X-Real-IP header does not exist, the first IP address in the X-Forwarded-For (XFF) header.

    • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

      Note

      We recommend that you configure the upstream proxy service to write the source IP address to a specified header field, such as X-Real-IP or X-Client-IP. Using a specified header prevents attackers from bypassing WAF by spoofing the XFF header.

      In the Header Field box, enter one or more header fields. Press Enter after each field. WAF obtains the source IP in the following order of precedence:

      1. The specified Header Field, in the order entered.

      2. If none of the specified headers exist, the value of the X-Real-IP header.

      3. If the X-Real-IP header also does not exist, the first IP address in the XFF header.

    • Use the Client IP from the Proxy Protocol header as the client's source IP.: If an upstream proxy has Proxy Protocol enabled, you can select this option to extract the original client IP. This method transmits the source IP at the transport layer, so it cannot be spoofed at the HTTP layer. This method is ideal for scenarios that require a high degree of trust in the source IP. If the Proxy Protocol does not contain the client IP, WAF uses the IP address of the upstream proxy as the source IP.

  • Enable Traffic Tagging

    On the Configure Instance page, expand Advanced Settings, select Enable Traffic Tagging, and then configure the following types of marking headers:

    • Custom Header: By configuring a Header Name and Header Value, WAF adds this header information to back-to-origin requests to identify requests that have passed through WAF. For example, you can configure the tag WAF-TAG: Yes, where WAF-TAG is the header name and Yes is the header value. After configuration, the server can establish validation or access control policies based on this header to enhance security and request identification.

      Important

      Do not enter standard HTTP header names (such as User-Agent). Otherwise, the content of the standard header will be overwritten by the custom value.

    • Originating IP Address: By configuring the header name where the real client source IP is located, WAF can record this header and pass it to the origin server. For specific rules on how WAF determines the real client source IP, see the description of the Is a Layer-7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF? parameter.

    • Source Port: By configuring the header name where the real client source port is located, WAF can record this header and pass it to the origin server.

  • Retrieve client protocol from the X-Forwarded-Proto header

    On the Configure Instance page, expand Advanced Settings and select Retrieve client protocol from the X-Forwarded-Proto header as needed.

Optimize back-to-origin link quality

Parameter

Description

Set read and write connection timeouts

If your origin server takes a long time to process requests, which may cause timeouts, you can adjust the read and write connection timeout settings in WAF.

Back-to-origin keep-alive

Maintains persistent connections between WAF and your origin server. If you encounter occasional 502 errors after adding the instance, check the origin server's related parameters. We recommend setting the WAF keep-alive parameters to be less than or equal to the corresponding server-side parameters.

  • Set read and write connection timeouts

    On the Configure Instance page, expand Advanced Settings and configure the following items:

    • Read Timeout: The timeout period for waiting for a response from the origin server. For interfaces with long response times, such as report exports or batch data processing, you need to increase this parameter. The default value is 120s, and the configurable range is 1s to 3600s.

    • Write Timeout: The timeout period for WAF to send a request to the origin server. This does not usually require adjustment. Increase this value only when the origin server load is high and processes requests slowly. The default value is 120s, and the configurable range is 1s to 3600s.

  • Origin Keep-alive

    Important

    If this feature is disabled, back-to-origin keep-alive connections will not support the WebSocket protocol.

    On the Configure Instance page, expand Advanced Settings, enable the feature in the Origin Keep-alive section, and configure the following settings:

    • Max Requests per Connection: The default value is 1,000, and the configurable range is 60 to 1,000. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx parameter keepalive_requests. For more information, see the Nginx documentation.

    • Idle Timeout: The default value is 3600s, and the configurable range is 10s to 3600s. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx parameter keepalive_timeout.

Control file upload size

Max Body Size (Available in Ultimate Edition only)

  • Description: By default, WAF supports a maximum file upload size of 2 GB. The Ultimate Edition of WAF allows you to increase this limit to accommodate large file uploads.

  • Procedure: On the Add Now page, expand Advanced Settings and configure the Max Body Size. The default value is 2 GB, and the maximum is 10 GB. After you configure this setting, you must also increase the Read Timeout and Write Timeout values. If the listener protocol of the port is HTTP/HTTPS, contact the Alibaba Cloud CLB backend team to coordinate an adjustment of the CLB's read connection timeout and write connection timeout parameters.

Improve resource management

Resource Group

  • Description: Use resource groups to simplify resource and permission management. If no resource group is specified, the instance is added to the Default resource group. For more information, see Resource groups.

  • Procedure: On the Configure Instance page, in the Resource Group section, select the resource group for the instance from the drop-down list.

Daily O&M

Update traffic routing port certificates

You must update the certificate for a traffic routing port when the certificate is about to expire or has been changed (for example, revoked).

Step 1: Prepare a new certificate

Purchase new certificate

Renew your SSL certificate in the Certificate Management Service (Original SSL Certificate) console. For more information, see Renew an SSL certificate.

Upload external certificate

  1. Download the certificate file from the original purchasing platform.

  2. Go to the Upload Certificate page and click Additional Certificate to upload the certificate in PEM format. For more information, see Upload a local certificate.

Step 2: Replace the old certificate

Original listener: HTTP and HTTPS

  1. In the CLB console, create a certificate and select Purchase Certificate as the certificate source. Do not select Upload. For more information, see Create a certificate.

  2. In the CLB console, modify the listener configuration to replace the server certificate with the newly uploaded certificate. For more information, see Step 2: Configure an SSL certificate.

Original listener: TCP

  1. On the Cloud Native tab, select the Classic Load Balancer (CLB) page. Locate the target instance, click the image.png icon, and in the Actions column for the target port, click Modify.

  2. In the Default Certificate section, select Select Existing Certificate and re-select the replacement certificate.

Note
  • If a certificate expires in less than 30 days, WAF displays an image.png icon in the list of domains to indicate that it is about to expire. Update the certificate promptly to avoid service disruptions.

  • You can set up notifications for SSL certificates to receive expiration alerts by email, SMS, and other methods. For more information, see Set up message notifications for SSL certificates.

  • To prevent service disruptions from an expired certificate, enable the certificate hosting service in Alibaba Cloud's Certificate Management Service (Original SSL Certificate). This service automatically applies for certificates before they expire. For more information, see What is Certificate Hosting Service?.

Remove an instance

  • Temporarily disable WAF protection: If you encounter issues after adding the instance, such as a large number of false positives, and need to temporarily disable WAF protection, you can turn off the WAF Protection Status switch on the Protected Objects page in the WAF console. For more information, see Disable WAF protection with one click.

  • Remove an instance: If you no longer want to use WAF to protect the CLB instance, you can follow these steps to remove it.

    On the Cloud Native tab, select the Classic Load Balancer (CLB) page, locate the target instance, click the image.png icon, click Remove, and in the Remove dialog box, click OK.

Important
  • Service impact: Removing an instance from WAF may cause a brief connection interruption lasting a few seconds. Perform this during off-peak hours. Clients with automatic reconnection recover without business impact.

  • Re-adding protection: After removal, traffic is no longer protected. Click Add Now to reconfigure the traffic forwarding port.

  • Billing reminder: For pay-as-you-go WAF instances, charges include the instance, protection rules, and request processing fees. To stop billing, Disable WAF.

Re-add instance after changes

WAF protects business traffic through the traffic routing ports of a CLB instance. When the CLB instance is changed by any of the following operations, the original traffic routing port configuration becomes invalid, causing traffic to bypass WAF, leaving it exposed to public network risks:

  • Releasing the CLB instance.

  • Deleting the listener port that was added to WAF.

  • Replacing the EIP bound to the CLB instance.

To restore security protection, you must re-add the CLB instance in the WAF console.

Production deployment

To ensure security and stability in a production environment, we recommend that you follow these best practices when you add a production CLB instance.

  • HTTPS configuration: We recommend that you configure a HTTPS: traffic routing port and note the following configurations to manage certificates efficiently.

    • Upload the certificate file to Certificate Management Service (Original SSL Certificate).

    • We recommend that you configure the TLS version to TLS 1.2 or later.

    • Set up message notifications for SSL certificates to update them in a timely manner before they expire.

  • Canary release strategy: Prioritize adding a non-production CLB instance during off-peak hours. After a trial period to verify that services are operating normally, add the production CLB instance.

  • Check business health: After adding the instance, you can verify that your services are operating normally in the following ways.

    • Check logs: Check whether the proportion of status code 200 in the logs has fluctuated significantly, or if there are any sudden spikes or drops in QPS. If the WAF log service is enabled, you can inspect the WAF logs.

    • Business monitoring: Check whether business functions, such as user access and transactions, are operating normally.

  • Ongoing maintenance: After the production environment is connected, continuous maintenance is required to monitor for attacks and false positives.

    • Event handling: We recommend that you monitor Security reports and configure CloudMonitor notifications to stay informed about attack and security events in a timely manner.

    • Rule adjustment: Continuously monitor attack logs, analyze logs for false positives where legitimate requests are blocked, and optimize protection rules accordingly.

Quotas and limitations

  • Number of ports: The total number of configured traffic routing ports must not exceed the limit of your WAF instance edition.

    • WAF subscription instances: Basic edition supports up to 300 ports; Pro edition up to 600 ports; Enterprise edition up to 2,500 ports; Ultimate edition up to 10,000 ports.

    • WAF pay-as-you-go instances: Up to 10,000 ports.

  • Requirements for CLB instances with HTTPS listeners:

    • The certificate must not be expired.

    • Only the built-in TLS security policies of CLB are supported.

    • Certificates manually uploaded to the CLB console are not supported.

    • Mutual authentication cannot be enabled.

  • Certificate requirements: SM certificates are not supported.

FAQ

Why is "Add Now" disabled or showing an exception?

TCP listeners

Locate the target CLB instance, click the image.png icon to expand the details, and then add the instance. You cannot click Add Now without expanding the details.image

HTTPS listeners

  • Possible causes

    • The certificate has expired.

    • Mutual authentication is enabled.

    • The certificate was only manually uploaded to the CLB console.

  • Solutions

    • If the certificate has expired, update it as described in Update the certificate bound to a traffic routing port.

    • If mutual authentication is enabled, disable it before adding the instance. For more information, see Configure mutual authentication.

    • If the certificate was only manually uploaded to the CLB console, perform the following operations:

      1. Upload the certificate to Certificate Management Service (Original SSL Certificate). For more information, see Upload an SSL certificate.

      2. In the CLB console, create a certificate and select Purchase Certificate as the certificate source. For more information, see Create a certificate.

      3. In the CLB console, configure the listener to replace the server certificate with the newly uploaded certificate. For more information, see Step 2: Configure an SSL certificate.

      Note

      When you manually upload a certificate to the CLB console, the certificate information is not automatically synchronized to Certificate Management Service. Since WAF retrieves certificate information only from Certificate Management Service, this issue occurs.

Why can't I find my CLB instance?

First, click Synchronize Assets in the upper-right corner of the Onboarding page.

In the Web Application Firewall 3.0 console, choose Access Management from the left-side navigation pane. The Asset Access Status section displays the following statistics:

  • Number of connected domain assets

  • Number of connected cloud service assets

  • Application Load Balancer ALB (connected/total)

  • Elastic Compute Service ECS (connected/total)

  • Classic Load Balancer CLB (connected/total)

  • Network Load Balancer NLB (connected/total)

An Add Now link is displayed next to unconnected assets. You can click Synchronize Assets to refresh the asset list.

If the instance still does not appear, it does not meet the requirements specified in Applicability. For example, a CLB instance in a region Outside the Chinese mainland must be added to a WAF instance purchased for a region Outside the Chinese mainland in cloud native mode. Alternatively, use the CNAME record mode.

How to protect a domain with multiple CLB instances?

  • Use the cloud native mode: You need to add each of these CLB instances one by one to ensure that WAF directs traffic to all target instances.

  • Use the CNAME record mode: Add the domain in CNAME record mode and configure the public IP addresses of the multiple CLB instances as the origin addresses.

How to protect multiple domains on one CLB instance?

  • Use the cloud native mode: After you add this CLB instance, all domains on the instance are protected by the default WAF protection policy. However, if you need to configure different protection rules for each of these domains, you must manually add it as a protected object. For more information, see Manually add a protected object.

  • Use the CNAME record mode: Add each domain one by one.