This feature protects your website against attacks that originate from IPv6 sources. This topic describes how to enable IPv6 traffic protection.

Background information

After IPv6 traffic protection is enabled, the Canonical Name (CNAME) that is automatically generated by WAF resolves in two channels based on the following rules:
  • Resolution requests from IPv4 clients are resolved to a protection cluster for IPv4 addresses.
  • Resolution requests from IPv6 clients are resolved to a protection cluster for IPv6 addresses.

Two-channel resolution allows WAF to detect and block threats that originate from IPv4 and IPv6 sources. Only secure traffic is forwarded to origin servers.

In addition, you can enable request forwarding to origin servers over IPv6. To enable this feature, you must configure back-to-origin IPv4 and IPv6 addresses and select Use the Same Protocol. This way, WAF forwards requests to origin servers based on the protocol that is specified in the requests. For more information, see Add a domain name.


  • A subscription WAF instance is purchased. The WAF instance runs the Business, Enterprise, or Exclusive edition. For more information, see Purchase a subscription WAF instance.
  • The region of the WAF instance is the Chinese mainland.
    Note IPv6 traffic protection is not supported by WAF instances that reside outside the Chinese mainland.
  • The website that you want to protect is added to WAF in CNAME record mode. For more information, see Add a domain name.
    Note IPv6 traffic protection is not supported for websites that are added to WAF in transparent proxy mode.


  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Domain Names tab, find the domain name that you want to manage, and turn on the IPV6 switch in the Quick Access column. IPv6 switch
  4. In the Tips message, click Confirm.
    After IPv6 protection is enabled, the status of the IPv6 switch in the Quick Access column changes to Enabled.

What to do next

After IPv6 protection is enabled, WAF uses new back-to-origin CIDR blocks to forward the requests from the IPv6 clients to origin servers.

To ensure that origin servers can receive the requests forwarded by WAF, you must configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF, especially when you have configured access control for the origin servers. Otherwise, access from IPv6 clients may encounter errors or failures. For more information, see Allow access from the back-to-origin CIDR blocks of WAF and Configure protection for an origin server.