Anti-DDoS Pro and Anti-DDoS Premium both provide Sec-Traffic Manager for you to set rules on the interaction between them and the protected cloud resources. You can configure rules for Anti-DDoS Pro or Anti-DDoS Premium to take effect in specific scenarios. This feature helps ensure service continuity and protection against DDoS attacks. Sec-Traffic Manager provides features such as cloud service interaction, tiered protection, CDN interaction, DCDN interaction, and network acceleration. The network acceleration feature is available only for Anti-DDoS Premium instances. This topic describes the scenarios most suitable for these features and how to configure them.

Differences between Sec-Traffic Manager provided by Anti-DDoS Pro and that provided by Anti-DDoS Premium

Notice In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China and Outside Mainland China), and the system switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly for you to manage and configure Anti-DDoS Pro or Premium instances. Ensure that you switch to the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
The following table describes the feature differences of Sec-Traffic Manager provided by Anti-DDoS Pro and Anti-DDoS Premium.
Note The following table lists only the differentiated features.
Feature: Configuration for network acceleration
  Description: If you use Anti-DDoS Premium to protect your service, network acceleration provides an IP address that is used to accelerate access to your service for users in mainland China as long as no DDoS attacks are launched against your service. If DDoS attacks are launched against your service, Anti-DDoS Premium takes effect.
  Anti-DDoS Pro: Not supported
  Anti-DDoS Premium: Supported

Scenario

The following table describes the scenarios of these features.

Feature: Cloud service interaction
  Scenario: Anti-DDoS Pro or Anti-DDoS Premium takes effect only when your service is attacked.
  Description: If no DDoS attacks are launched against your service, Anti-DDoS Pro or Anti-DDoS Premium stays dormant so that it adds no latency. If DDoS attacks are launched, Anti-DDoS Pro or Anti-DDoS Premium automatically takes effect.
Feature: Tiered protection
  Scenario: Anti-DDoS Pro or Anti-DDoS Premium takes effect only when your service suffers volumetric DDoS attacks.
  Description: Anti-DDoS Origin protects your workloads so that no latency is added. If volumetric DDoS attacks are detected, Anti-DDoS Pro or Anti-DDoS Premium automatically takes effect.
Feature: CDN or DCDN interaction
  Scenario: Content Delivery Network (CDN) or Dynamic Content Delivery Network (DCDN) is used for network acceleration. If DDoS attacks are launched, user traffic is rerouted from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium.
  Description: If no DDoS attacks are launched against your service, the nearest CDN or DCDN nodes are used to accelerate access. If DDoS attacks are launched, the service traffic is rerouted from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium.
Feature: Network acceleration
  Note This feature is available only for Anti-DDoS Premium.
  Scenario: For an Anti-DDoS Premium instance, network acceleration provides an IP address that is used to accelerate access to your service for users in mainland China as long as no DDoS attacks are launched against your service. If DDoS attacks are launched, Anti-DDoS Premium takes effect.
  Description: The IP address that network acceleration provides is used when no DDoS attacks are launched against your service. If DDoS attacks are launched, Anti-DDoS Premium takes effect.

Limits

The following table describes the limits of the features provided by Sec-Traffic Manager.

Feature: Cloud service interaction
  Limit: Specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance
  Description: The specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance, such as the queries per second (QPS) and clean bandwidth, are sufficient to protect your service.
  Limit: Settings for Anti-DDoS Pro and Anti-DDoS Premium
  Description: You must complete the forwarding settings for an Anti-DDoS Pro or Anti-DDoS Premium instance before user traffic is rerouted to the instance.
Feature: Tiered protection
  Limit: Anti-DDoS Origin
  Description: You must purchase Anti-DDoS Origin Enterprise.
  Limit: Specifications of an Anti-DDoS Origin instance
  Description: The clean bandwidth of an Anti-DDoS Origin instance must meet protection requirements.
  Limit: Settings for Anti-DDoS Pro and Anti-DDoS Premium
  Description: You must complete the forwarding settings for an Anti-DDoS Pro or Anti-DDoS Premium instance before user traffic is rerouted to the instance.
  Limit: Settings for Anti-DDoS Origin
  Description: The protected cloud resource must be included in the objects protected by Anti-DDoS Origin Enterprise.
Feature: Network acceleration
  Note This feature is available only for Anti-DDoS Premium.
  Limit: Specifications of an Anti-DDoS Premium instance
  Description: The specifications of an Anti-DDoS Premium instance, such as the QPS and clean bandwidth, are sufficient to protect your service.
  Limit: Settings for Anti-DDoS Premium
  Description: You must complete the forwarding settings for an Anti-DDoS Premium instance before user traffic is rerouted to the instance.
Feature: CDN or DCDN interaction
  Limit: State of the domain name in CDN or DCDN
  Description: Domain names cannot be in a sandbox.
  Note If a domain name is added to a sandbox by CDN or DCDN, we recommend that you use Anti-DDoS Pro or Anti-DDoS Premium without CDN interaction enabled.
  Limit: Attack frequency
  Description: This feature does not apply to websites that are attacked more than three times per week.
  Limit: Response time of anti-DDoS protection
  Description: This feature does not apply to scenarios where anti-DDoS protection is required to take effect in a short time.
  Note After your service traffic is switched to an Anti-DDoS Pro or Anti-DDoS Premium instance, the time required for anti-DDoS protection to take effect depends on the time to live (TTL) of the DNS records on the protected websites.
  Limit: Service bandwidth
  Description: This feature does not apply to services with a high bandwidth or large QPS.
  Note If the service bandwidth exceeds 3 Gbit/s or the QPS exceeds 10,000, submit a ticket to request an analysis on whether the feature is suitable for this website.
  Limit: Service type
  Description: This feature applies to HTTP and HTTPS requests only. Video live streaming is not supported.
  Limit: Function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance
  Description: The Anti-DDoS Pro or Anti-DDoS Premium instance must use the enhanced function plan.

Switch between CDN or DCDN and Anti-DDoS Pro, or between CDN or DCDN and Anti-DDoS Premium

To enable CDN or DCDN interaction, you must set the QPS threshold that triggers the traffic switchover between CDN or DCDN and Anti-DDoS Pro, or between CDN or DCDN and Anti-DDoS Premium. The traffic switchover is subject to the following limits:
  • From CDN or DCDN to Anti-DDoS Pro, or to Anti-DDoS Premium
    • If the QPS exceeds the threshold three times within three minutes or more than six times within 10 minutes and the bandwidth of the service on CDN or DCDN is at most 10 Gbit/s, a switchover is triggered.
      Note The maximum bandwidth that an Anti-DDoS Pro or Anti-DDoS Premium instance can protect is lower than 10 Gbit/s.
    • If a domain name is added to a sandbox and the bandwidth of the service on CDN or DCDN is at most 10 Gbit/s, a switchover is triggered.
  • From Anti-DDoS Pro or Anti-DDoS Premium to CDN, or to DCDN
    • If the QPS remains less than 80% of the threshold and the protection success rate for HTTP flood attacks remains less than 10% for more than 12 consecutive hours, the traffic is switched from Anti-DDoS Pro or Anti-DDoS Premium to CDN, or to DCDN.
    • The IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance cannot be in a black hole, the configured domain name is not in the sandbox, and no traffic is scrubbed or routed to a black hole in the last 60 minutes.
    • Switchovers can be triggered only from 08:00 to 23:00.
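As an added illustration (not Alibaba Cloud's code), the following Python models the switchover conditions listed above so that you can replay a QPS history against a candidate threshold before you configure it. The per-minute QPS samples, the hourly aggregation, the parameter names and the sample data are all assumptions constructed for the example.

```python
from datetime import datetime, time, timedelta

GBIT = 1_000_000_000           # bits per second
MAX_CDN_BANDWIDTH = 10 * GBIT  # switchovers happen only while CDN/DCDN bandwidth <= 10 Gbit/s

def should_switch_to_antiddos(qps_samples, threshold, cdn_bandwidth_bps, in_sandbox=False):
    """CDN/DCDN -> Anti-DDoS. qps_samples: (timestamp, qps) pairs, oldest first,
    one per minute (assumed granularity). Triggers when QPS exceeds the threshold
    three times within 3 minutes or more than six times within 10 minutes, or
    when the domain is sandboxed; in both cases only if CDN bandwidth <= 10 Gbit/s."""
    if cdn_bandwidth_bps > MAX_CDN_BANDWIDTH:
        return False
    if in_sandbox:
        return True
    if not qps_samples:
        return False
    now = qps_samples[-1][0]

    def breaches(window_minutes):
        return sum(1 for ts, qps in qps_samples
                   if now - ts < timedelta(minutes=window_minutes) and qps > threshold)

    return breaches(3) >= 3 or breaches(10) > 6

def should_switch_back(hourly_stats, threshold, now, blackholed=False, in_sandbox=False,
                       minutes_since_last_scrub=None):
    """Anti-DDoS -> CDN/DCDN. hourly_stats: (peak_qps, http_flood_success_rate) per
    hour, oldest first (assumed hourly aggregation). Every condition must hold:
    QPS < 80% of threshold and HTTP flood protection success rate < 10% for 12
    consecutive hours, instance not black-holed, domain not sandboxed, no scrubbing
    or black hole in the last 60 minutes, and the current time within 08:00-23:00."""
    if blackholed or in_sandbox:
        return False
    if minutes_since_last_scrub is not None and minutes_since_last_scrub < 60:
        return False
    if not time(8, 0) <= now.time() <= time(23, 0):
        return False
    last_12h = hourly_stats[-12:]
    if len(last_12h) < 12:
        return False
    return all(qps < 0.8 * threshold and rate < 0.10 for qps, rate in last_12h)

def demo_cases():
    """Constructed scenarios (not real traffic); returns {case: decision}."""
    base = datetime(2024, 1, 1, 10, 0)
    calm = [(base + timedelta(minutes=i), 300) for i in range(8)]
    burst = [(base + timedelta(minutes=8 + i), 2500) for i in range(3)]  # 3 breaches in 3 min
    quiet_12h = [(500, 0.02)] * 12
    afternoon, night = datetime(2024, 1, 2, 15, 0), datetime(2024, 1, 2, 2, 0)
    return {
        "calm_stays_on_cdn": should_switch_to_antiddos(calm, 1000, 2 * GBIT),
        "burst_moves_to_antiddos": should_switch_to_antiddos(calm + burst, 1000, 2 * GBIT),
        "burst_over_10g_stays": should_switch_to_antiddos(calm + burst, 1000, 12 * GBIT),
        "quiet_12h_switches_back": should_switch_back(quiet_12h, 1000, afternoon, minutes_since_last_scrub=120),
        "quiet_12h_at_night_stays": should_switch_back(quiet_12h, 1000, night, minutes_since_last_scrub=120),
        "one_busy_hour_stays": should_switch_back(quiet_12h[:-1] + [(900, 0.02)], 1000, afternoon, minutes_since_last_scrub=120),
    }
```

Call demo_cases() to see each constructed scenario's decision; replace the constructed series with your own per-minute QPS export to check how often a given threshold would have triggered a switchover.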

Configure Sec-Traffic Manager

Feature Description
Cloud service interaction Cloud service interaction switches service traffic between an Anti-DDoS Pro or Anti-DDoS Premium instance and one or more protected cloud resources. The configuration procedure is as follows:
  1. Configure traffic forwarding for Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  2. Verify that the Anti-DDoS Pro or Anti-DDoS Premium instance can forward traffic to the origin server. For more information, see Verify the forwarding configuration on your local machine.
  3. Configure Sec-Traffic Manager.
    • To switch service traffic between an Anti-DDoS Pro or Anti-DDoS Premium instance and a protected resource, see Create general scheduling rules.
    • To switch service traffic between an Anti-DDoS Pro or Anti-DDoS Premium instance and multiple protected resources, use one of the following modes:
      • Service traffic is rerouted to Anti-DDoS Pro or Anti-DDoS Premium only if all protected cloud resources are overwhelmed by inbound traffic. To use this interaction mode, create a scheduling rule in the same way as you switch service traffic between an Anti-DDoS Pro or Anti-DDoS Premium instance and a protected cloud resource but specify multiple protected resources for interaction.
      • Protected cloud resources share the inbound traffic of a service. If a protected resource is attacked, the traffic on the protected cloud resource is switched to an Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Configure protected resources to share the inbound traffic of a service.
  4. Change the DNS record to reroute traffic to Sec-Traffic Manager. Change the CNAME record to resolve domain names to the CNAME record assigned by Sec-Traffic Manager.
    Note For information about how to change the CNAME record of DNS, see Modify the CNAME record to reroute traffic by using Sec-Traffic Manager.
Tiered protection Tiered protection switches service traffic between an Anti-DDoS Pro or Anti-DDoS Premium instance and one or more cloud resources protected by Anti-DDoS Origin. The procedure for configuring tiered protection is the same as that for cloud service interaction.
Network acceleration
Note This feature is available only for Anti-DDoS Premium.
The configuration procedure is as follows:
  1. Configure traffic forwarding for Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  2. Verify that the Anti-DDoS Pro or Anti-DDoS Premium instance can forward traffic to the origin server. For more information, see Verify the forwarding configuration on your local machine.
  3. Configure Sec-Traffic Manager. For more information, see Create general scheduling rules.
  4. Change the DNS record to reroute traffic to Sec-Traffic Manager. Change the CNAME record to resolve domain names to the CNAME record assigned by Sec-Traffic Manager.
    Note For information about how to change the CNAME record of DNS, see Modify the CNAME record to reroute traffic by using Sec-Traffic Manager.
CDN or DCDN interaction The configuration procedure is as follows:
  1. Configure CDN or DCDN and add the protected domain name to CDN or DCDN. Make sure that the settings take effect. For more information, see Add a domain.
    Note If a security group is configured for the origin server, you must add the back-to-origin IP addresses of CDN or DCDN to the whitelist of the origin server.
  2. Configure traffic forwarding for Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  3. Verify that the Anti-DDoS Pro or Anti-DDoS Premium instance can forward traffic to the origin server. For more information, see Verify the forwarding configuration on your local machine.
  4. Configure Sec-Traffic Manager. For more information, see Create a CDN or DCDN interaction rule.
  5. Change the DNS record to reroute traffic to Sec-Traffic Manager. Change the CNAME record to resolve domain names to the CNAME record assigned by Sec-Traffic Manager.
    Note For information about how to change the CNAME record of DNS, see Modify the CNAME record to reroute traffic by using Sec-Traffic Manager.

Create general scheduling rules

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the General tab, click Create Rule.
  5. In the Create Rule dialog box, set the parameters and click Next.
    Figure 1. An example on how to configure a cloud service interaction rule in the Anti-DDoS Pro console
    Figure 2. An example on how to configure network acceleration in the Anti-DDoS Premium console
    Parameter Description
    Interaction Scenario The scenario where the rule is applied. Valid values:
    • Network Acceleration
      Note This option is available only for Anti-DDoS Premium.
    • Tiered Protection
      Note Only cloud resources protected by Anti-DDoS Origin are supported, such as ECS, EIP, SLB, and WAF instances.
    • Cloud Service Interaction
    Name The name of the rule that you want to create. The rule name can be up to 128 characters in length and can contain letters, digits, and underscores (_).
    Anti-DDoS Instance IP The IP address of the target Anti-DDoS Pro or Anti-DDoS Premium instance.
    Mainland China Acceleration IP The IP address that you use to accelerate user access in the Network Acceleration interaction scenario.
    Note This parameter is available only for Anti-DDoS Premium.
    Cloud Resource The cloud resources for which you want to create an interaction in the Cloud Service Interaction and Tiered Protection scenarios. You must select the region where the target cloud resources are deployed and enter the IP addresses of cloud resources. You can click Add Cloud Resource IP to add more cloud resources as required. You can add a maximum of 20 resources.
    The waiting time of switching back The waiting time to switch service traffic back to cloud resources after service traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.

    To allow the black hole status of a cloud resource to be deactivated and to avoid frequent switchovers, the minimum value of this parameter is 30 minutes. We recommend that you set this parameter to 60 minutes.

    After a scheduling rule is created, Sec-Traffic Manager assigns a CNAME record to the scheduling rule. To apply the scheduling rule, you must go to the DNS provider of the cloud resource to change the CNAME record and configure it to resolve the domain name to the CNAME record assigned by Sec-Traffic Manager. Scheduling rules and their CNAME records are displayed in the list.

Manually switch traffic from Anti-DDoS Pro or Anti-DDoS Premium to cloud resources

After a scheduling rule takes effect, if the traffic on cloud resources is switched to Anti-DDoS Pro or Anti-DDoS Premium, you can switch the traffic back to the cloud resources as required.

The following exceptions may occur when you perform this operation:
  • If all the cloud resources are in the black hole state, this operation will fail.
  • If some of the cloud resources are in the black hole state, traffic is switched to the cloud resources that are not in the black hole state. After the black hole state of a cloud resource is deactivated, traffic can be switched to the cloud resource.
  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the General tab, find the target scheduling rule, click Switch back in the Actions column, and click OK in the message that appears.
    Note The Switch back action is available only if the duration that traffic has been switched to Anti-DDoS Pro or Anti-DDoS Premium is greater than the value of The waiting time of switching back.

Create a CDN or DCDN interaction rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. Click the CDN/DCDN Interaction tab.
    The CDN/DCDN Interaction tab displays all the websites added to Anti-DDoS Pro or Anti-DDoS Premium.
  5. Find the website for which you want to create a CDN or DCDN interaction rule and click Add Interaction.
  6. On the Add Interaction page, verify Domain and set Trigger Condition to the lowest request rate that triggers a switchover. Click Next.
    To create a CDN or DCDN interaction rule, Domain must meet the following requirements:
    • Anti-DDoS Instance: The instance uses the Enhanced function plan.
    • Cloud Service: Alibaba Cloud CDN or DCDN is configured for the domain.
    Note We recommend that you set Request per Second to at least twice the historical traffic peak to allow for traffic spikes, and to more than 500 for websites that have a low QPS.
    After a scheduling rule is created, Sec-Traffic Manager assigns a CNAME record to this rule. To apply the scheduling rule, you must go to the DNS provider of the cloud resource to change the DNS record. Change the CNAME record and configure it to resolve the domain name to the CNAME record assigned by Sec-Traffic Manager. Then, the state of CDN/DCDN Interaction that corresponds to the target website becomes Enabled. The CNAME record is also displayed on the tab.

Configure protected resources to share the inbound traffic of a service

The following example shows how to configure the traffic switchover between an Anti-DDoS Pro or Anti-DDoS Premium instance and multiple cloud resources protected by Anti-DDoS Origin. In this scenario, protected resources share the inbound traffic of a service. If any protected resource is attacked, the traffic on the resource is rerouted to an Anti-DDoS Pro or Anti-DDoS Premium instance.

  1. Configure Anti-DDoS Origin. Add multiple resources to Anti-DDoS Origin for protection. For example, three IP addresses are added. For more information, see Add a protection target.
  2. Configure Sec-Traffic Manager. Create a tiered protection rule for each of the added IP addresses and associate the three rules with the same Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Create general scheduling rules.
  3. Change DNS records. Add three CNAME records that use the same host record. Set the record values to the CNAME records of the three tiered protection rules created in step 2. For more information, see Modify the CNAME record to reroute traffic by using Sec-Traffic Manager.
  4. Verify the DNS records. At the DNS verification website, check whether the added CNAME records take effect.