Imperva Cyber Community

Problem: When onboarding a (bare domain) website without a CNAME record and using multiple A records for Imperva, we tested an unexpected 50/50 traffic split between the two provided Imperva IP addresses, regardless of the client's geographical location. This results in approximately half of the traffic experiencing high latency due to being routed to a geographically distant IP.

Context/Observed Behaviour: A test domain was configured with two Imperva A records as per initial guidance. RIPE Atlas measurements using 150 probes was implemented, specifically from Germany (central Europe), show a consistent 50/50 split in traffic routing between the two A records. For example, probes expected to be routed to the EU-based IP are instead frequently routed to the non-EU IP, causing significant performance degradation.

Expected Behaviour vs. Current Behaviour: Based on discussions, it was initially explained that Imperva's routing mechanism would direct clients to the geographically closest Imperva IP. However, the current behaviour demonstrates a uniform distribution across the A records, leading to suboptimal performance. This indicates that Geo-IP based load balancing is not actively occurring with A records.

Documentation Update Request: We request that the Imperva documentation be updated to clearly address and elaborate on the following points related to non-CNAME onboarding:

• Explicitly state the performance limitations: Clearly document that onboarding a website without a CNAME record is an "expected performance limitation" and detail how this impacts traffic distribution (e.g., 50/50 split) and potential latency.

• Clarify lack of Geo-IP load balancing for A records: Improve clarity regarding the absence of Geo-IP based load balancing when multiple A records are used without a CNAME. The documentation should explicitly state that traffic distribution will not be optimized based on client geography in such configurations.

• Best practices for non-CNAME setups: Offer explicit recommendations or workarounds (e.g., Leveraging AWS Route53's geolocation-routing ) for customers who cannot or choose not to use CNAMEs, and the associated performance trade-offs.

Relevant Imperva Documentation Links:

• Imperva IP range: https://docs.imperva.com/bundle/z-kb-articles-knowledgebase-support/page/290228110.html

• Dedicated network: https://docs.imperva.com/bundle/cloud-application-security/page/more/dedicated-ip.htm

Hi Toby,

Thank you so much for this post. 

I checked internally with our team and one of our support managers suggested that the best way to ensure your feedback goes to the correct contact for actioning, is to use the feedback button on the docs article itself. I have highlighted the feedback button on the screenshot button in the image below: