Web Application Firewall (WAF) uses specific back-to-origin CIDR blocks to forward normal traffic to an origin server. After you add your website to WAF, you must add the back-to-origin CIDR blocks to the IP address whitelist of security software on the origin server. This topic describes how to allow requests from the back-to-origin CIDR blocks of WAF.
Procedure
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the lower-right corner of the Service Information page, find the WAF IP Segments section and click Copy All IP Addresses.
The WAF IP Segments section displays the most recent back-to-origin CIDR blocks of WAF.
Add the back-to-origin CIDR blocks to the IP address whitelist of security software on the origin server.
Warning: If you do not add the back-to-origin CIDR blocks of WAF to the IP address whitelist of security software on the origin server, normal requests forwarded by WAF may be blocked. This may cause service interruptions.
What to do next
To ensure security, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server. For more information, see Configure protection for an origin server.
FAQ
What is a back-to-origin CIDR block of WAF?
A back-to-origin CIDR block of WAF is a CIDR block that WAF uses to forward requests from clients to the origin server. After a website is added to WAF, every request that reaches the origin server originates from one of the back-to-origin CIDR blocks of WAF. The actual IP address of the client is carried in the X-Forwarded-For (XFF) header field of the request.
Why do I need to add the back-to-origin CIDR blocks of WAF to the IP address whitelist of security software on the origin server?
After a website is added to WAF, the origin server receives requests from the back-to-origin CIDR blocks of WAF at a high rate. In this case, the firewall or security software on the origin server may consider the CIDR blocks as attack IP addresses and block them. If the IP addresses are blocked, WAF cannot receive normal responses from the origin server. Make sure that the back-to-origin CIDR blocks of WAF are added to the IP address whitelist of security software on the origin server after you add a website to WAF. Otherwise, the website may become slow or inaccessible.
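The origin-side checks described in "What to do next" and in the FAQ above, as an added example that is not part of this topic or of the WAF product: it accepts a connection only if the peer address lies in a WAF back-to-origin block, and it trusts the XFF header for the real client IP only in that case. The CIDR blocks and the sample connections are constructed placeholders; the real blocks must be copied from the Service Information page.

```python
import ipaddress
from typing import Optional

# Constructed placeholder blocks (RFC 5737 / RFC 3849 documentation ranges).
# Replace them with the blocks copied from the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "2001:db8:1::/48",
]
NETWORKS = [ipaddress.ip_network(c) for c in WAF_BACK_TO_ORIGIN_CIDRS]


def is_from_waf(peer_ip: str) -> bool:
    """Return True if the TCP peer address belongs to a WAF back-to-origin block."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in NETWORKS)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Resolve the real client IP for logging or rate limiting.

    XFF is trusted only when the peer is WAF; a request that bypasses WAF and
    reaches the origin directly can carry any value in that header.
    """
    if not is_from_waf(peer_ip) or not xff:
        return peer_ip
    # XFF is "client, proxy1, proxy2, ..."; the leftmost entry is the client.
    first_hop = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        # Malformed header: fall back to the peer address rather than trusting it.
        return peer_ip


def decide(peer_ip: str, xff: Optional[str]) -> dict:
    """Origin-side access decision: allow inbound traffic only from WAF."""
    if not is_from_waf(peer_ip):
        return {"action": "drop", "peer": peer_ip,
                "reason": "peer not in WAF back-to-origin blocks"}
    return {"action": "accept", "peer": peer_ip,
            "client": client_ip(peer_ip, xff)}


if __name__ == "__main__":
    # Constructed sample connections: one via WAF, one direct (bypass attempt).
    for peer, xff in [("203.0.113.7", "192.0.2.55, 203.0.113.7"),
                      ("192.0.2.9", "10.0.0.1")]:
        print(decide(peer, xff))
```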