Barracuda WAF-as-a-Service accepts traffic for your application through Endpoints. An endpoint is a combination of an IP address and a TCP port. One application may have multiple endpoints. Each application must have at least one endpoint.
You might want an application to accept traffic on a number of endpoints if you want to accept:
- both HTTP (port 80) and HTTPS (port 443) traffic.
- traffic on a non-standard port, for example, port 8000 for HTTP traffic.
HTTPS Endpoints and SSL Certificates
When you configure an endpoint to use the HTTPS protocol, traffic between your users and Barracuda WAF-as-a-Service is encrypted with the SSL protocol. This requires WAF-as-a-Service to have an SSL certificate. By default, Barracuda uses the Let’s Encrypt certificate authority to retrieve SSL certificates for your application. For security purposes, Let’s Encrypt will only issue certificates if you have met the following two conditions:
- You modified the DNS records for all of your domains to point to the Barracuda-allocated endpoint address. Refer to Getting Started for information on how to modify the DNS records.
- You have an HTTP Endpoint on port 80. If you require different HTTP ports, you can add them as additional endpoints, but maintain the port 80 endpoint in addition.
In general, performance improves when locate protection in a region that is close to your application servers. For the best performance, Barracuda WAF-as-a-Service automatically chooses the region nearest the IP address for your application servers as its deployment location. It then chooses the next closest location as a backup. Most deployments do not require any changes to these settings. If you have special circumstances, like data residency requirements, you might need to change this setting. For background information, refer to Understanding Deployment Locations. For information on changing a location, refer to Moving an Application to Another Location.
Provisioning Your Application
When you first add an application, it must be provisioned. During this process, which can take up to one hour, a message appears on the Endpoints page. To avoid potential downtime, wait until your application is fully provisioned before changing your DNS records.