When adding a domain name to WAF, the real server address must be a domain name or a public IP, such as CVM public IP, CLB public IP, or Egress IP of other local IDCs, while a CVM private IP is not supported.
A forwarding IP is automatically assigned after the protected domain name is configured in SaaS WAF. When forwarding traffic to the client’s real server, WAF will use the forwarding IP as source address. To achieve better protection, you need to add the forwarding IP to a trusted list on the server. It is recommended allowing only access traffic from the WAF forwarding IP to the real server.
Up to 20 real server IPs can be set for one protected domain name in WAF.
If multiple forwarding IPs are configured, WAF achieves load balancing for access requests by polling.
WAF does not automatically add a forwarding IP range to a security group. To do so, please see Getting Started.