Change to WAF-as-a-Service IP Addresses and Domain Routing

In our ongoing effort to optimize the performance, scalability, and reliability of WAF-as-a-Service, we are making some changes to the IP addressing of WAF-as-a-Service applications.

Starting in 30 days, we will begin migration of many existing WAF-as-a-Service applications to new IP addresses. Some of these IP addresses may be shared between multiple applications in your account. While this will not affect the security of your applications, it will have the following effects on traffic routing:

  • Only traffic addressed to the domain names defined in your Endpoints will be accepted by WAF-as-a-Service. (While this is already the case for many WAF-as-a-Service applications, in some cases, incorrect configurations may still work today.)

  • The IP addresses associated with some of your applications may change.

  • You will not be able to define non-standard protocol and port combinations; for example:

    • On ports 80 or 8080, which are typically associated with HTTP, you will not be able to define HTTPS endpoints.

    • On ports 443 or 4430, which are typically associated with HTTPS, you will not be able to define HTTP endpoints.

  • Only HTTPS traffic sent using SNI (Server Name Indication) will be accepted by WAF-as-a-Service. (While this is already the case, some old clients, e.g. mobile apps, do not use this TLS extension.)

Within the next 30 days, take the following steps to ensure these changes do not affect your applications:

  • Ensure all application Endpoints include all domain names that you are using to process traffic to your application.

  • Ensure you do not have more than one application with the same domain name. If multiple applications in your account have the same domain name, traffic for that domain may be sent intermittently to any of them.

  • If you have endpoints using non-standard ports, such as port 80 for HTTPS instead of HTTP, adjust them to use standard ports.

  • Ensure all your DNS records are updated as recommended on your Endpoints page. Specifically, do not use A records instead of CNAME records, as those will not be automatically updated to use the new IPs and will stop working starting in 30 days.

  • Ensure you are not using an old client (e.g. mobile app) that does not support SNI. If you do have such a client, please let us know so that we can discuss options for keeping a dedicated IP for the application.
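The first four checks above can be run over an inventory of your applications before the deadline. The script below is an added example, not Barracuda tooling: the inventory layout, finding codes and example.com names are assumptions, and the data would be copied by hand from your Endpoints pages and DNS zone. SNI support is a client-side property and is not covered.

```python
from collections import defaultdict

# Protocol the notice associates with each port it names.
EXPECTED_PROTO = {80: "HTTP", 8080: "HTTP", 443: "HTTPS", 4430: "HTTPS"}

def audit(apps, dns_records):
    """Return sorted (domain, code, detail) findings for the checks in the notice.

    apps:        {application: [(domain, port, protocol), ...]}  (hypothetical layout)
    dns_records: {domain: record type pointing it at the WAF, e.g. "CNAME" or "A"}
    """
    findings = set()
    owners = defaultdict(set)  # domain -> applications whose Endpoints list it
    for app, endpoints in apps.items():
        for domain, port, proto in endpoints:
            domain = domain.lower().rstrip(".")
            owners[domain].add(app)
            want = EXPECTED_PROTO.get(port)
            if want and proto.upper() != want:
                findings.add((domain, "PORT_PROTOCOL", f"{proto} on port {port}, expected {want}"))
    for domain, names in owners.items():
        if len(names) > 1:  # traffic may be sent intermittently to any of them
            findings.add((domain, "DUPLICATE_DOMAIN", ", ".join(sorted(names))))
    for domain, rtype in dns_records.items():
        domain = domain.lower().rstrip(".")
        if domain not in owners:  # traffic for this name would no longer be accepted
            findings.add((domain, "NO_ENDPOINT", "DNS points at the WAF but no Endpoint lists it"))
        if rtype.upper() == "A":  # will not follow the move to new IP addresses
            findings.add((domain, "A_RECORD", "replace with the CNAME from the Endpoints page"))
    return sorted(findings)

# Constructed sample inventory (not real customer data).
SAMPLE_APPS = {
    "shop": [("shop.example.com", 443, "HTTPS"), ("shop.example.com", 80, "HTTP")],
    "legacy": [("old.example.com", 80, "HTTPS")],
    "blog": [("blog.example.com", 443, "HTTPS"), ("shop.example.com", 443, "HTTPS")],
}
SAMPLE_DNS = {
    "shop.example.com": "CNAME",
    "old.example.com": "A",
    "blog.example.com": "CNAME",
    "api.example.com": "CNAME",
}

if __name__ == "__main__":
    for domain, code, detail in audit(SAMPLE_APPS, SAMPLE_DNS):
        print(f"{code:17} {domain:20} {detail}")
```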

Barracuda Technical Support will be proactively attempting to contact customers who we believe have not made these changes as we near the deadline. Ensure that your Technical Contact information at https://waas.barracudanetworks.com/resources/technical-contact is up to date so that we can reach you if necessary.

Note that the following applications will not be modified and the above does not apply to them:

  • Applications on the Application Protection Premium plan.

  • Applications in accounts configured in Isolated Mode (only for customers who purchased WAF-as-a-Service before April 2023).

As always, if you have any questions, feel free to contact us.