WAF can be connected with servers in data centers outside Tencent Cloud. WAF protects servers in any public networks, including but not limited to Tencent Cloud, and clouds and IDCs from other vendors.
Domain names connected in Mainland China must be ICP licensed as required by MIIT.
WAF fully supports HTTPS services. You just need to upload the SSL certificate and private key as instructed, or select the Tencent Cloud hosting certificate to make WAF protect HTTPS traffic.
The QPS limit in WAF is for the entire instance. For example, if three domain names are under protection of the WAF, the total QPS of the three domains names cannot exceed the upper limit. If the QPS limit of the purchased instance is exceeded, speed limit is triggered, which will result in packet loss.
When adding a domain name to WAF, you must enter a public IP or domain name as real server address, including CVM public IP, CLB public IP, or Egress IP from other local IDCs, and cannot enter a CVM private IP.
Yes, you can empower WAF with high DDoS protection capability simply by selecting IPs specified in a WAF instance in the Anti-DDoS Pro console configuration page. For more information, please see Anti-DDoS Pro access practice.
You can set up to 20 ones for a WAF-protected domain name.
In case of multiple intermediate IPs, WAF will load balance access requests with Round Robin algorithm.
In WAF, health check is enabled by default. WAF will detect if any real server IP is inaccessible. If a real server IP does not respond, WAF will stop forwarding requests to this IP until it goes back to normal.
Session persistence is enabled in WAF by default.
In general, a configuration change takes effect within 10 seconds.
Will WAF automatically add an intermediate IP range to a security group?
No, WAF won’t automatically add an intermediate IP range to a security group. To add intermediate IPs to a security group, see Getting Started with WAF.
They won’t be blocked if WAF is disabled. However, if you enable block mode in WAF, it blocks malicious files uploaded with HTTP or HTTPS, but does not block any files uploaded with SFTP, a non-HTTP or -HTTPS protocol beyond protection of WAF.
CLB WAF supports SSL mutual authentication, while SaaS WAF does not.