Enabling WAF IPv6 Protection

You can enable IPv6 protection if needed. If IPv6 protection is enabled, WAF assigns an IPv6 access address to your domain name. WAF adds IPv6 address resolution to CNAME record sets by default. All IPv6 access requests are first forwarded to WAF. WAF detects and filters out malicious traffic and returns legitimate traffic to the origin server. This can keep origin servers secure, stable, and available.

If the origin server address of the protected website is an IPv6 address, IPv6 protection is enabled by default. WAF uses the IPv6 back-to-source address to establish a connection to the origin server.
Figure 1 Only IPv6 addresses set for origin server addresses
If the origin server address of the protected website is set to an IPv4 address, after you manually enable IPv6 protection, WAF uses the NAT64 mechanism to translate the external IPv6 traffic to internal IPv4 traffic. NAT64 is a network address translation (NAT) mechanism that enables communications between IPv6 and IPv4 servers. WAF uses the IPv4 back-to-source address to establish a connection to the origin server.
Figure 2 Only IPv4 addresses set for origin server addresses

Prerequisites

You have connected the website you want to protect to WAF.

Enabling WAF IPv6 Protection

Log in to the WAF console.
Click in the upper left corner and select a region or project.
(Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
In the navigation pane on the left, click Website Settings.
On the Website Settings page, click the target website domain name.
In the IPv6 Protection row, click . In the dialog box displayed, select Enable and click OK.

If the above configuration works, the website is accessible using an IPv6 address.