Connecting a Domain Name to WAF
This section describes how to connect a domain name to WAF so that website traffic passes through WAF.
To ensure that WAF works properly, you are advised to test WAF by following the instructions in Testing WAF before performing this operation.
How WAF Works
- No proxy used
DNS resolves your domain name to the origin server IP address before the site is moved to WAF. DNS resolves your domain name to the CNAME of WAF after the site is connected to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.
- A proxy (such as AAD) used
DNS resolves the domain name to the AAD IP address before your site is moved to WAF. In this case, the traffic passes through AAD and then AAD routes the traffic back to the origin server. After your site is moved to WAF, change the AAD back-to-source IP address to the access address of WAF and add a subdomain name and TXT record to the DNS records of your DNS provider for WAF to take effect. In this way, AAD forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.
Prerequisites
- Login credentials have been obtained.
- A domain name has been created but not connected to WAF.
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click Service List at the top of the page. Choose . In the navigation pane on the left, choose Domains.
- In the Name column, click the target domain name. Its information is displayed.
- Without a proxy
- In the CNAME row, click to copy the CNAME value.
- Go to your DNS provider and configure the CNAME record. For details, contact your DNS provider.
The high availability of our system, which is based on multi-AZ deployments to support both active-active and disaster recovery, relies on the WAF CNAME record. Do not use a fixed IP address to access services. Otherwise, service disaster recovery reliability will be affected.
- Do not modify the hosts file. Add the CNAME record directly to the DNS records of your DNS provider.
- Do not use the A record to replace the CNAME record.
The CNAME binding method of some common DNS providers is listed for your reference. If the following configuration is inconsistent with the actual configuration, rely on information provided by the DNS providers.
- Log in to the management console of the DNS provider.
- Go to the domain resolution record page.
- Set the CNAME resolution record.
- Set the record type to CNAME.
- Generally, enter the domain name prefix in the host record. For example, if the protected domain name is admin.demo.com, enter admin in the host record.
- The record value is the CNAME generated by WAF.
- Resolution line: keep the default value TTL.
- Click Save.
The preceding resolution methods are provided by third parties. This document does not control or assume responsibility for any third party content, including but not limited to its accuracy, compatibility, reliability, availability, legitimacy, appropriateness, performance, non-infringement, or status update, unless otherwise specified in this document.
- Verify that the CNAME has been configured.
- With a proxy
- Click in the Access Address, Subdomain Name, and TXT Record rows to copy the required values, respectively.
- Change the back-to-source address of the proxy (such as AAD or CDN) to the copied access address. Add a subdomain name and TXT record to the DNS records of your DNS provider. Then, the domain name is connected to WAF and traffic passes through WAF.
The high availability of our system, which is based on multi-AZ deployments to support both active-active and disaster recovery, relies on the WAF CNAME record. Do not use a fixed IP address to access services. Otherwise, service disaster recovery reliability will be affected.
By default, WAF detects the DNS resolution status of each domain name to be protected on an hourly basis. If you have performed domain connection and DNS is Normal, the domain name is connected to WAF.
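For the step "Verify that the CNAME has been configured" in the no-proxy procedure, the following added example (not part of the vendor documentation) classifies `dig` answer lines to confirm that the protected name reaches WAF through a CNAME record rather than an A record. The WAF CNAME value, the sample answers, and the function name `check_waf_cname` are constructed for illustration; admin.demo.com is the example name used above.

```shell
#!/bin/sh
# Added example (not vendor code). Names and addresses are constructed samples.
# Live use: dig queries DNS directly and does not read the local hosts file:
#   dig +noall +answer admin.demo.com | check_waf_cname admin.demo.com "$WAF_CNAME"

WAF_CNAME='placeholder-id.waf-cname.example.'   # placeholder for the console value

# check_waf_cname DOMAIN EXPECTED_CNAME   (dig answer lines on stdin)
# Prints: OK | WRONG_CNAME | A_RECORD_ONLY | NO_ANSWER
check_waf_cname() {
    awk -v dom="$1" -v want="$2" '
        function norm(s) { sub(/\.$/, "", s); return tolower(s) }
        BEGIN { cur = norm(dom); want = norm(want) }
        # Follow the CNAME chain starting at the protected name.
        $4 == "CNAME" && norm($1) == cur { cur = norm($5); hops++
                                           if (cur == want) hit = 1 }
        # An address record owned by the protected name itself.
        ($4 == "A" || $4 == "AAAA") && norm($1) == norm(dom) { direct++ }
        END {
            if (hit)         print "OK"
            else if (hops)   print "WRONG_CNAME"
            else if (direct) print "A_RECORD_ONLY"
            else             print "NO_ANSWER"
        }'
}

# Constructed answer sections in the format printed by dig +noall +answer.
SAMPLE_OK='admin.demo.com. 600 IN CNAME placeholder-id.waf-cname.example.
placeholder-id.waf-cname.example. 60 IN A 192.0.2.10'
SAMPLE_A_ONLY='admin.demo.com. 600 IN A 192.0.2.10'
SAMPLE_OTHER='admin.demo.com. 600 IN CNAME cdn.other-provider.example.
cdn.other-provider.example. 60 IN A 192.0.2.20'

demo() {
    for s in "$SAMPLE_OK" "$SAMPLE_A_ONLY" "$SAMPLE_OTHER" ""; do
        printf '%s\n' "$s" | check_waf_cname admin.demo.com "$WAF_CNAME"
    done
}
demo
```

`A_RECORD_ONLY` corresponds to the configuration the page advises against (an A record in place of the CNAME), and `WRONG_CNAME` means the name is still aliased somewhere other than WAF.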