When you add a domain name to Web Application Firewall (WAF) using the CNAME connection type, you can assign an exclusive IP address to monitor service requests for that domain name. This ensures that the domain name is not affected if other domain names that use the same shared WAF IP address are under a volumetric DDoS attack.
Shared and exclusive IP addresses
By default, all domain names added to the same WAF instance using the CNAME Record type share a single WAF IP address to monitor their service requests. This is known as the shared IP address. Each WAF instance is assigned one shared IP address by default.
WAF instances that are purchased by different users are isolated from each other and have different shared IP addresses.
An exclusive IP address is a WAF IP address that is assigned to a specific domain name to monitor its service requests. Each exclusive IP address can be bound to only one domain name that is protected by WAF.
However, an exclusive IP address is not fixed. To ensure maximum service stability, you must follow the steps in CNAME connection to modify your domain name's DNS settings. For more information, see Can I change the DNS resolution to point to a WAF IP address?
Benefits of an exclusive IP address
An exclusive IP address prevents your domain name from becoming inaccessible if another domain name that shares the same WAF IP address is under a volumetric DDoS attack.
With the CNAME connection type, if one domain name is under a volumetric DDoS attack, the shared WAF IP address may be subject to blackhole filtering. This makes all domain names that use the shared IP address on the WAF instance inaccessible. You can enable an exclusive IP address for an important domain name to keep it accessible even if blackhole filtering is triggered for the shared IP address.
Billing
The exclusive IP address is a paid feature. You are billed based on the number of domain names for which this feature is enabled.
If you use the CNAME Record type, you can enable an exclusive IP address for each domain name that you add to WAF. You are charged a fee for each domain name that uses an exclusive IP address. For more information about billing, see Billing.
Enable an exclusive IP address
You can enable an exclusive IP address for a domain name protected by WAF only if you use the CNAME Record type.
To enable an exclusive IP address, perform the following steps:
1. On the Provisioning page of the Web Application Firewall 3.0 console, click Add on the CNAME Record tab. The Add Domain Name configuration wizard opens.
2. In the Configure Listener step, click More Settings and turn on the Exclusive IP Address switch for the domain name, as shown in the following figure.
For more information, see Add a website to WAF using a CNAME record.
After you enable an exclusive IP address, the CNAME record that WAF generates for the domain name is automatically resolved to a new exclusive WAF IP address. You can ping the CNAME record of the domain name to verify the configuration.
If you disable the exclusive IP address, the domain name switches to a shared IP address.
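The verification step above can be scripted. The following is an added example, not code from the WAF documentation: it checks that the domain name resolves through its WAF CNAME record and that the resulting address is not one that a shared CNAME record on the same instance also returns. The host names, addresses, and finding codes are constructed placeholders.

```python
import socket


def resolve_ipv4(name):
    """Return the set of IPv4 addresses that a host name resolves to right now."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_exclusive_ip(domain, domain_cname, shared_cname, resolve=resolve_ipv4):
    """Return a list of (code, detail) findings; an empty list means the check passed.

    domain        protected domain name
    domain_cname  CNAME record that WAF generated for that domain name
    shared_cname  CNAME record of another domain name on the same WAF
                  instance that still uses the shared IP address
    """
    domain_ips = resolve(domain)
    cname_ips = resolve(domain_cname)
    shared_ips = resolve(shared_cname)
    findings = []
    if not cname_ips:
        findings.append(("cname-unresolved", domain_cname))
    # The domain must follow the CNAME record; an A record pinned to an
    # address goes stale because the exclusive IP address is not fixed.
    elif not domain_ips or not domain_ips <= cname_ips:
        findings.append(("domain-not-via-cname", sorted(domain_ips)))
    # An exclusive address must not be one the shared CNAME also returns.
    overlap = cname_ips & shared_ips
    if overlap:
        findings.append(("shares-ip", sorted(overlap)))
    return findings


if __name__ == "__main__":
    # Constructed DNS answers (documentation address ranges) so this runs
    # offline. Drop the resolve= argument to query live DNS instead.
    sample = {
        "www.example.com": {"203.0.113.10"},
        "exclusive-cname.example.net": {"203.0.113.10"},
        "shared-cname.example.net": {"198.51.100.7"},
    }
    results = check_exclusive_ip(*sample, resolve=lambda n: sample.get(n, set()))
    for code, detail in results:
        print(f"FAIL {code}: {detail}")
    print("OK" if not results else f"{len(results)} problem(s)")
```

Run the same check again after you disable the feature: a `shares-ip` finding is then the expected result, because the domain name has switched back to the shared IP address.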