Configure bandwidth caps for domain names to limit bandwidth usage - CDN

You can configure bandwidth caps to prevent unexpected high bills that are caused by malicious attacks or fraudulent traffic.

Overview

A bandwidth cap specifies the maximum bandwidth value and limits the amount of bandwidth resources that can be consumed. If the average bandwidth value of a domain name in a statistical period (1 minute) reaches the specified bandwidth cap, the system suspends Alibaba Cloud CDN services for the domain name and resolves the domain name to offline.***.com, which is considered invalid. In this case, the domain name becomes inaccessible.

If the average bandwidth value that is measured during a statistical period is less than the specified bandwidth cap, the domain name can use Alibaba Cloud CDN services as expected.
If the bandwidth value of a domain name reaches the specified bandwidth cap due to traffic spikes, the domain name is automatically disabled and resolved to offline.***.com, which is considered invalid. In this case, the domain name becomes inaccessible.
The system does not automatically restore the suspended Alibaba Cloud CDN services even if the average bandwidth value drops below the specified bandwidth cap. To restore the suspended CDN services, you need to log on to the Alibaba Cloud CDN console and enable the domain name. For more information, see Restore Alibaba Cloud CDN services.

Usage notes

You cannot configure a bandwidth cap for a wildcard domain name. If you configure a bandwidth cap for a wildcard domain name, the bandwidth cap does not take effect.
After you configure a bandwidth cap for a domain name, the domain name is automatically disabled if the bandwidth value that is measured during a statistical period reaches the specified bandwidth cap. Before you configure a bandwidth cap for your domain name, we recommend that you estimate the maximum bandwidth value that is required by your workloads to ensure service availability.
The monitoring data of bandwidth values may be delayed by approximately 10 minutes. Therefore, Alibaba Cloud CDN takes approximately 10 minutes to disable a domain name after the bandwidth cap of the domain name is reached. You are charged for the traffic, bandwidth, and requests that are consumed before the domain name is disabled.
A RAM user can configure bandwidth caps only after you grant the RAM user the required permissions.
To grant the required permissions to a RAM user, log on to the RAM console, create the AliyunCDNFullAccess policy, and then attach the policy to the RAM user.
A bandwidth cap does not throttle bandwidth. If the average bandwidth value that is measured during a statistical period reaches the specified bandwidth cap, the domain name is automatically disabled. The bandwidth throttling feature throttles bandwidth for a domain name if the bandwidth value reaches the specified upper limit.
You can configure bandwidth caps for up to 20 domain names in the Alibaba Cloud CDN console. Each domain name can have only one bandwidth cap. If you configure bandwidth caps for more than 20 domain names after the bandwidth cap feature is enabled, the configuration results for the excess domain names are not displayed in the Alibaba Cloud CDN console. If you want to configure bandwidth caps for more domain names, you need to go to the Alibaba Cloud CloudMonitor console. For more information, see View or modify alert rules in CloudMonitor.
The bandwidth cap feature adopts 1-minute real-time monitoring data. The data source of real-time monitoring is the same as that in the Alibaba Cloud CDN console. In most cases, the peak bandwidth in 1 minute is higher than the peak bandwidth in 5 minutes that is collected by using the resource usage query or resource monitoring feature. To prevent the domain names from being disabled due to bandwidth usage spikes, we recommend that you specify a bandwidth cap based on the peak bandwidth that is collected by using the real-time monitoring feature. For more information, see Real-time monitoring, Resource monitoring, and Query resource usage.

Enable or disable the bandwidth cap feature

Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Traffic Throttling.
Optional. The first time that you enable the bandwidth cap feature, grant CloudMonitor access permissions on Alibaba Cloud CDN.
1. Click Authorize to the right of Role Authorization.
2. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
  Note
  If you cannot grant CloudMonitor access permissions on Alibaba Cloud CDN by using the Alibaba Cloud CDN console, you can grant permissions on Alibaba Cloud CDN by using the RAM console. For more information, see Grant permissions on Alibaba Cloud CDN by using the RAM console.
In the Bandwidth Cap section, click Modify.
Enable or disable the bandwidth cap feature based on your business requirements.
- Enable bandwidth cap: Turn on Bandwidth Cap and configure a bandwidth cap.
  Note
  The conversion between two neighboring data units is 1,000. For example, 1 Tbit/s is equal to 1,000 Gbit/s, and 1 Gbit/s is equal to 1,000 Mbit/s.
- Disable bandwidth cap: Turn off Bandwidth Cap.
Click OK.

View or modify alert rules in CloudMonitor

After you turn on Bandwidth Cap, Alibaba Cloud CDN uses the monitoring and alerting feature of CloudMonitor. An alert rule is created in CloudMonitor to monitor bandwidth values for Alibaba Cloud CDN. If the alert rule is triggered, notifications are sent to the contacts that are specified in CloudMonitor.

To change the contacts or view alerts, perform the following steps:

Log on to the CloudMonitor console.
In the left-side navigation pane, choose Alerts > Alert Rules.
Change the contacts or view alerts.
- Modify an alert contact or alert contact group
- View the alert history of a specific alert rule
View the alert rules of a specific domain name.
To query the alert rules of a specific domain name, enter the domain name that you want to query in the search box on the Alert Rules page and click the search icon.

Restore Alibaba Cloud CDN services

The system does not automatically restore the suspended Alibaba Cloud CDN services even if the average bandwidth value drops below the specified bandwidth cap. To restore the suspended Alibaba Cloud CDN services, you need to log on to the Alibaba Cloud CDN console and enable the domain name. Perform the following operations:

Log on to the Alibaba Cloud CDN console and navigate to the Domain Names page. Then, select the domain name that you want to enable and click Enable to enable the domain name.

Grant permissions on Alibaba Cloud CDN by using the RAM console

Log on to the RAM console.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
1. On the JSON tab, enter the following policy content:
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cdn:StopCdnDomain"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
2. Click Next to edit policy information, configure the following parameters, and then click OK.
  Name: AliyunCloudMonitorAccessingCDNRolePolicy.
  Description: The authorization policy for the CloudMonitor role, including the permission to call the operation for disabling an Alibaba Cloud CDN-accelerated domain.
In the left-side navigation pane, choose Identities > Roles.
1. On the Roles page, click Create Role.
2. In the Select Trusted Entity section, select Alibaba Cloud Account and click Next.
3. In the Configure Role step, enter the following information.
  RAM Role Name: AliyunCloudMonitorAccessingCDNRole.
  Note: By default, CloudMonitor uses this role to access resources in Alibaba Cloud CDN.
4. In the Select Trusted Alibaba Cloud Account section, select Current Alibaba Cloud Account and click OK.
After you create the role, click AliyunCloudMonitorAccessingCDNRole on the Roles page.
1. On the Trust Policy Management tab, click Edit Trust Policy, enter the following information, and then click OK.
```
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cloudmonitor.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
2. On the Permissions tab, click Grant Permission.
  In the Authorized Scope section, select Alibaba Cloud Account.
  In the Select Policy section, click the Custom Policy tab, select the AliyunCloudMonitorAccessingCDNRolePolicy policy that you created, and then click OK.
Go to the Traffic Throttling page in the Alibaba Cloud CDN console. You can see that the role is authorized to use the Bandwidth Cap feature.

Revoke permissions on Alibaba Cloud CDN

If you do not want CloudMonitor to have permissions on Alibaba Cloud CDN, you can revoke the permissions of the corresponding role in the RAM console.

Log on to the RAM console.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click AliyunCloudMonitorAccessingCDNRole.
On the Permissions tab, find the policy that you want to manage and click Revoke Permission in the Actions column.
Choose Identities > Roles, find AliyunCloudMonitorAccessingCDNRole and click Delete Role in the Actions column.
Enter AliyunCloudMonitorAccessingCDNRole and click Delete Role.

FAQ

Why is the actual bandwidth of a domain name higher than the bandwidth cap before you disable the domain name?

The monitoring data of bandwidth values may be delayed by approximately 10 minutes. Therefore, Alibaba Cloud CDN takes approximately 10 minutes to disable a domain name after the bandwidth cap of the domain name is reached. You are charged for the traffic, bandwidth, and requests that are consumed before the domain name is disabled. The following examples show how resources are billed before the domain name is disabled:

Example 1: pay-by-peak-bandwidth
Customer A selects the pay-by-peak-bandwidth metering method and adds only example.com to Alibaba Cloud CDN. The bandwidth cap of the domain name is set to 10 Gbit/s.
From 21:00:00 (UTC+8) to 21:01:00 (UTC+8) on February 1, 2021, the bandwidth value reached 10 Gbit/s. The domain name was disabled at 21:11:00 (UTC+8) on February 1, 2021 because the monitoring data of bandwidth values is delayed by 10 minutes. Before the domain name was disabled, the actual bandwidth value reached 25 Gbit/s. In this case, the bandwidth fees that are included in the bill for February 1, 2021 are calculated based on the actual peak bandwidth value of 25 Gbit/s.
Example 2: pay-by-data-transfer
Customer B selects the pay-by-data-transfer metering method and adds only example.com to Alibaba Cloud CDN. The bandwidth cap of the domain name is set to 10 Gbit/s.
From 21:00:00 (UTC+8) to 21:01:00 (UTC+8) on February 1, 2021, the bandwidth value reached 10 Gbit/s. During the 1 minute, 30 GB of data transfer was generated. The domain name was disabled at 21:11:00 (UTC+8) on February 1, 2021 because the monitoring data of bandwidth values is delayed by 10 minutes. Before the domain name was disabled, 400 GB of data transfer was generated. In this case, the data transfer fees are included in the bill for the billing cycle from 21:00:00 (UTC+8) to 22:00:00 (UTC+8) on February 1, 2021.

Does Alibaba Cloud CDN support traffic cap?

No.

If you want to prevent excessive traffic, you can use CloudMonitor to monitor the outbound traffic of Alibaba Cloud CDN. If the amount of traffic reaches the threshold that you specify, an alert is sent to the administrator by text message, email, and DingTalk. For more information, see Alert Service.

Does Alibaba Cloud CDN support a total bandwidth cap for all domain names?

No. A bandwidth cap is configured for only one domain name. You can configure a bandwidth cap separately for each domain name.

You can configure bandwidth caps for up to 20 domain names in the Alibaba Cloud CDN console. Each domain name can have only one bandwidth cap. If you configure bandwidth caps for more than 20 domain names after the bandwidth cap feature is enabled, the configuration results for the excess domain names are not displayed in the Alibaba Cloud CDN console. If you want to configure bandwidth caps for more domain names, you need to go to the Alibaba Cloud CloudMonitor console. For more information, see View or modify alert rules in CloudMonitor.

What do I do if I do not want a domain name to be disabled but want to limit the total bandwidth after the bandwidth of the domain name reaches its bandwidth cap?

After the bandwidth of the domain name reaches the bandwidth cap, the domain name is automatically disabled. If you do not want to disable the domain name, you can configure traffic throttling for individual requests to limit the overall peak bandwidth of domain names. For more information, see Configure traffic throttling for individual requests.

Does Alibaba Cloud CDN support traffic throttling for a specific IP address?

No. Bandwidth caps in Alibaba Cloud are configured for domain names and cannot be configured for specific IP addresses.

Related API operations

The bandwidth cap feature of Alibaba Cloud CDN relies on the bandwidth monitoring and alerting feature of CloudMonitor. For more information, see the following CloudMonitor API operations: