# How To: Redirect a Root Domain to a Subdomain Protected by WAF SaaS

### Overview:

Setup a Network Load Balancer (NLB) with two static IPs:

* Static\_IP\_1 (e.g., 192.0.2.10)
* Static\_IP\_2 (e.g., 192.0.2.20)

The NLB redirects the traffic to ALB

This guide will walk you through obtaining a certificate for your root domain, configuring an Application Load Balancer (ALB) rule for the redirect, and verifying the setup.

{% tabs %}
{% tab title="AWS" %}

### Step 1: Request a Certificate for the Root Domain

1. Navigate to AWS Certificate Manager (ACM).
2. **Request a new certificate** for your root domain (e.g., [example.com](http://example.com/)).
   1. Click on **"Request a certificate"**, then select **"Request a public certificate"** and follow the prompts.<br>

      <figure><img src="/files/gMaXJ2YXcwi3nqu0Aaeg" alt=""><figcaption></figcaption></figure>
   2. For **Domain name**, enter your root domain.
   3. Choose **DNS validation** for the validation method.<br>

      <figure><img src="/files/39uwrVAWQo5hciE8cRlm" alt=""><figcaption></figcaption></figure>
3. Find your Validation Challenge:\
   Add the DNS validation record provided by ACM to your DNS configuration to complete the validation process. (CNAME name and CNAME value). You can find this in ACM -> Certificates -> \<your certificate> :<br>

   <figure><img src="/files/ZAZFWt1gL5iCB3yQUUJw" alt=""><figcaption></figcaption></figure>
4. Wait until the Certificate is Validate\
   It may take some time for DNS changes to propagate and for ACM to validate the certificate. Monitor the certificate status in ACM.

### Step 2: Add a Rule in the ALB

1. Navigate to your ALB in the EC2 Management Console.
2. Select the listener that handles incoming requests for your domain.<br>

   <figure><img src="/files/WNXQtfhGV4Fglw1zTCen" alt=""><figcaption></figcaption></figure>
3. Add a new rule to redirect requests from the root domain to the subdomain.
   1. Condition: host header match to your root domain
   2. Action: Redirect to the subdomain with appropriate protocol (HTTP or HTTPS), port and path.<br>

      <figure><img src="/files/ytPTe8efwexUv1P5cQDZ" alt=""><figcaption></figcaption></figure>

      <figure><img src="/files/oBA39WX67blP7CQ1JWoM" alt=""><figcaption></figcaption></figure>

### Step 3: Add certificate

In the ALB screen click on certificates tab and then add certificate:

<figure><img src="/files/2FP9UTCdipxAa98DQysk" alt=""><figcaption></figcaption></figure>

Then find the certificate you have added in step 1.

### Step 4: Add Relevant Tags in Rule

* Tagging rules can help with organization and billing. Add any relevant tags as per your organization's tagging strategy.
* add the relevant tags as the other rules

### Step 5: Test

To test the redirect, use the following curl commands:

* curl --resolve example.com:443:Static\_IP\_1 <https://example.com> -v&#x20;
* curl --resolve example.com:443:Static\_IP\_2 <https://example.com> -v&#x20;

Replace example.com with your actual root domain and Static\_IP\_1 and Static\_IP\_2 with the static IP addresses of your Network Load Balancer (e.g., 192.0.2.10 and 192.0.2.20).

The expected result is a **301 redirect** response pointing to the subdomain.
{% endtab %}

{% tab title="Azure" %}

### Step 1: Create a sub-domain that will be protected by CloudGuard WAF

1. Navigate to Azure DNS Zones.
2. In the DNS zone, click on "**+ Record set**" to create a new record set.
   1. Set the name field to the desired sub-domain (in this example it is 'www'):<br>

      <figure><img src="/files/wn3ax7tO9FyvQQtdK851" alt=""><figcaption></figcaption></figure>
   2. Set the Type field to be CNAME
   3. Click **Add**.

### Step 2: Onboard the sub-domain to CloudGuard WAF as a Service

Follow the instructions on the Infinity Portal

### Step 3: Create an Alias Record for the root domain

1. In the DNS zone, click on "+ Record set" to create a new record set.&#x20;
2. Set the Name field to "@" to indicate the root domain. Set the Type to "A" or "CNAME" depending on your setup.&#x20;
3. In the Alias record set section, toggle the switch to "Yes".&#x20;
4. In the Alias type dropdown, select "Zone record set".&#x20;
5. In the zone record set dropdown, select the subdomain you have created and onboarded to CloudGuard WAF as a Service in stages 1 and 2.
6. Save the Record.<br>

   <figure><img src="/files/DhnvOJeJZW6HeS9sLmhU" alt=""><figcaption></figcaption></figure>

{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://waf-doc.inext.checkpoint.com/troubleshooting/waf-as-a-service/how-to-redirect-a-root-domain-to-a-subdomain-protected-by-waf-saas.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.