By Leaf Ye, Alibaba Cloud Solution Architect
The rapid growth of innovative technologies has brought about new opportunities for online businesses around the world. People today are not only used to, but also rely on the internet to carry out their daily lives, including shopping, playing games, watching movies, and almost everything else. Globally, Internet traffic will grow 3.2-fold from 2016 to 2021, a compound annual growth rate of 26%. The growth of e-commerce in the US jumped by more than 30% in 2020, accelerating the shift to online shopping by nearly 2 years.
However, this has also introduced new challenges for enterprises when scaling up or out to meet the requirements. Online business owners closely monitor their websites because any degradation in page load time will impact the conversion rate. Improving website performance is an always-on task for the DevOps team.
As online businesses become more advanced, it is important to continually address the security threats that come with them. Here are the top 5 security threats to online business:
Managed security and faster performance are what online businesses are investing heavily in today to protect and drive more business success.
This article gives step-by-step instructions on how to use Alibaba Cloud Anti-DDoS Pro, Web Application Firewall (WAF), and Cloud Firewall together to protect your online business. We will also discuss how to use Alibaba Cloud CDN to improve website performance at the same time.
Alibaba Cloud has multiple security products that you can choose from to protect your online business. In this article, we will show you how to set up Anti-DDoS, WAF, and Cloud Firewall together while enabling CDN at the same time to accelerate the end-user experience of your online business.
Customers are sometimes unsure about the sequence of the setup. We recommend the multi-layer setup as shown in the solution diagram:
Let us start to build these multi-layer protections.
Firewall protection between your internal network and the internet is essential and is the first layer of protection for your origin server.
If you set up your origin server in Alibaba Cloud, you can configure a security group for the origin server to control its inbound and outbound ports. The best practices for security groups are described at https://www.alibabacloud.com/help/doc-detail/51170.htm
Cloud Firewall provides the Internet firewall to control the traffic at the Internet boundaries, VPC firewalls to control the traffic between VPCs, and internal firewalls to control the traffic between ECS instances. You can use Cloud Firewall to centrally manage security group policies and to visualize traffic between security groups.
1.1 Purchase Cloud Firewall.
1.2 Enable the Cloud Firewall service on the Firewalls page.
1.3 Click Create Policy in the upper-right corner of the Access Control page to configure access control policies.
1.4 Configure intrusion prevention policies on the Intrusion Prevention page.
1.5 View traffic analysis on the Traffic Analysis page. You can check traffic analysis on external connections, internet access, VPC access, intrusion detection, IPS analysis and all access activities.
2.1 Purchase WAF
There are four editions of WAF: Pro, Business, Enterprise and Exclusive. Capacity and features differ between editions.
The table below shows the capacity differences between the four editions.
For feature differences, refer to this document: https://www.alibabacloud.com/help/doc-detail/58487.htm
2.2 Add a website to WAF
To add a website to WAF, you must add the domain name of the website to the WAF console and change the DNS record to redirect the traffic destined for the website to WAF for protection.
Add your origin server IP or load balancer IP as the 'Destination Server'.
Select 'Yes' for the question 'Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF'. We will configure CDN and Anti-DDoS in the next steps.
2.3 Configure WAF protection policy
WAF provides multiple protection features to protect your websites against different types of attacks. Among the features, only RegEx Protection Engine and HTTP Flood Protection are enabled by default. The RegEx Protection Engine feature protects your websites against common web attacks, such as SQL injection, XSS, and webshell upload. The HTTP Flood Protection feature protects your websites against HTTP flood attacks. You need to manually enable other features and configure protection rules. For more information, see https://www.alibabacloud.com/help/doc-detail/173612.htm
2.4 Enable WAF for the website
Change the DNS record of the domain name to map the domain name to the CNAME address assigned by WAF.
You can make this DNS change to verify that WAF is working properly. Because we will configure CDN in the next step to connect to the WAF service, this DNS change is not needed after the WAF function has been verified.
In this guide, we configure CDN to improve website performance. CDN uses the WAF CNAME we configured in the last step as its origin.
3.1 Purchase CDN
You must complete real-name registration before using the CDN service.
3.2 Verify the ownership of a domain name
The first time a domain name is added to Alibaba Cloud Content Delivery Network (CDN), Alibaba Cloud CDN verifies the ownership of the domain name. If you pass the verification process, Alibaba Cloud CDN identifies you as the owner of the domain name. If you add the domain name to Alibaba Cloud CDN again or add its subdomain names to Alibaba Cloud CDN, the ownership verification process is not needed. You can use a Domain Name System (DNS) record or upload the verification file to prove the ownership. In the following example, a.com is used to demonstrate how to prove the ownership of a domain name.
3.3 Add domain name to CDN
For 'Origin Info', choose Site Domain and use the WAF CNAME we configured in the last step.
To accelerate in the regions 'Mainland China Only' and 'Global', your domain must have a valid ICP filing.
3.4 Enable CDN for the domain
After you add a domain name to Alibaba Cloud Content Delivery Network (CDN), Alibaba Cloud CDN assigns a canonical name (CNAME) to the domain name. To enable the Alibaba Cloud CDN service for the domain name, you must add a CNAME record to map the domain name to the CNAME. This way, requests that are sent to the domain name can be redirected to CDN nodes.
You can make this DNS change to verify that CDN is working properly. Because we will configure Anti-DDoS in the next step to connect to the Anti-DDoS service, this DNS change is not needed after the CDN function has been verified.
Alibaba Cloud offers multiple anti-DDoS products. In the table below, you can find the products and their major differences.
Anti-DDoS Origin is a cloud-native protection that you can enable without the effort of redirecting traffic to an outside scrubbing center. It is the most convenient and recommended protection. Anti-DDoS Origin BGP diversion is the most powerful tool when you are facing a volumetric attack and the in-place protection from Anti-DDoS Origin cannot protect against the attacking bandwidth. Customers can use BGP announcements to reroute traffic to the Alibaba Cloud scrubbing center.
The Anti-DDoS service is the regular service, which uses DNS redirection to reroute traffic to the Alibaba Cloud scrubbing center. There are two versions of the Anti-DDoS service: the service area for Anti-DDoS Pro is Mainland China, and the service area for Anti-DDoS Premium is outside of Mainland China. The Alibaba Cloud scrubbing center has 10 Tbps capacity.
In this guide, we choose the Anti-DDoS Pro service because our website origin is built in a VPC in Mainland China and the majority of end users are from Mainland China.
4.1 Purchase Anti-DDoS Pro
Log on to the Alibaba Cloud Console, search for 'Anti-DDoS Pro' under Products and Services, and go to the Anti-DDoS Pro console. Under Assets -> Instances, click Purchase Instances.
You need to choose the following to make the purchase:
4.2 Add your domains into protection
Go to the Anti-DDoS Pro console, click Website Config under Provisioning, and then click Add Domain.
You need to choose a function plan first, according to the table below.
Detailed instructions on how to add domains can be found at https://www.alibabacloud.com/help/doc-detail/143347.htm
Choose 'Origin Server Domain' as the Server IP and use the CDN CNAME we configured in the last step as the domain name.
4.3 (Optional) For non-web-based applications, create a port forwarding rule. https://www.alibabacloud.com/help/doc-detail/143349.htm
4.4 Configure protection policies, general policies and custom policies. https://www.alibabacloud.com/help/doc-detail/116704.htm
4.5 Reroute traffic to the Anti-DDoS scrubbing center. If you want to use the always-on mode of the Anti-DDoS service, change your domain's CNAME DNS record to the Anti-DDoS CNAME. You can also choose to make the change only when attacks occur, which is called standby mode.
If your origin server uses Alibaba Cloud services, like Elastic IP and CDN, you can use Sec-Traffic Manager to manage automatic Anti-DDoS protection when needed.
In this guide, we have CDN enabled and we choose to use watch mode. We use Sec-Traffic Manager to enable interactions between Anti-DDoS Pro and CDN. If no attacks occur, normal traffic is directly forwarded to the CDN service without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Pro for scrubbing and forwarding.
As shown in the screenshot below, Anti-DDoS can be triggered when the number of requests per second to the CDN service is over 1000.
Then we change the domain's DNS CNAME to the Sec-Traffic Manager CNAME, as shown in the screenshot below.
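The DNS record and the origin settings from steps 2.2, 3.3, 4.2 and 4.5 form one chain, and a DNS record left at its step 2.4 or 3.4 verification value skips the outer layers. The following Python check is an added example, not Alibaba Cloud code; it walks that chain and reports missing or misordered layers. Every hostname, the address and the LAYER_OF labels are constructed placeholders that stand in for the CNAMEs your consoles assign.

```python
# Added example: all hostnames and the address are constructed placeholders.
EXPECTED = ["anti-ddos", "cdn", "waf", "origin"]  # outermost layer first

# Public DNS record for the site (step 4.5).
DNS_CNAME = {"www.a.com": "stm.ddos.example"}
# Origin configured in each console (steps 4.2, 3.3 and 2.2).
BACK_TO_ORIGIN = {
    "stm.ddos.example": "a.cdn.example",  # Anti-DDoS Pro -> CDN CNAME
    "a.cdn.example": "a.waf.example",     # CDN -> WAF CNAME
    "a.waf.example": "192.0.2.10",        # WAF -> destination server
}
# Operator-maintained label for every hop you expect to see.
LAYER_OF = {"stm.ddos.example": "anti-ddos", "a.cdn.example": "cdn",
            "a.waf.example": "waf", "192.0.2.10": "origin"}

def trace(domain, dns_cname, back_to_origin, layer_of):
    """Follow the public CNAME, then each layer's configured origin."""
    path, seen = [], set()
    hop = dns_cname.get(domain)
    while hop is not None and hop not in seen:  # 'seen' stops config loops
        seen.add(hop)
        path.append(layer_of.get(hop, "unknown:" + hop))
        hop = back_to_origin.get(hop)
    return path

def findings(domain, dns_cname, back_to_origin, layer_of):
    """Return a list of problems; an empty list means the path is as designed."""
    path = trace(domain, dns_cname, back_to_origin, layer_of)
    if path == EXPECTED:
        return []
    out = [] if path else ["no CNAME record for " + domain]
    out += ["layer bypassed or missing: " + l for l in EXPECTED if l not in path]
    present = [l for l in path if l in EXPECTED]
    if present != [l for l in EXPECTED if l in present]:
        out.append("layers out of order: " + " -> ".join(path))
    out += ["unrecognised hop: " + l[8:] for l in path if l.startswith("unknown:")]
    return out

if __name__ == "__main__":
    print(findings("www.a.com", DNS_CNAME, BACK_TO_ORIGIN, LAYER_OF))
    # DNS left at its step 2.4 verification value: CDN and Anti-DDoS are skipped.
    stale = {"www.a.com": "a.waf.example"}
    print(findings("www.a.com", stale, BACK_TO_ORIGIN, LAYER_OF))
```

Running it against an export of your real DNS record and console origin settings after each change catches a layer that was configured but never put in the traffic path.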
This completes the configuration of the multi-layer protection solution, which uses Cloud Firewall, WAF, CDN and Anti-DDoS together. In your real project, you can choose to use all of the protections or only some of them. Please let us know if you have any comments on this step-by-step guide.