Create forwarding rules - Anti-DDoS Pro & Premium User Guide| Alibaba Cloud Documentation Center

Notice In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China and Outside Mainland China), and the system switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly for you to manage and configure Anti-DDoS Pro or Premium instances. Ensure that you switch to the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase Anti-DDoS Pro and Anti-DDoS Premium instances.

Create a forwarding rule

Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region of your Anti-DDoS instance.
- Mainland China: Anti-DDoS Pro
- Outside Mainland China: Anti-DDoS Premium
In the left-side navigation pane, choose Provisioning > Port Config.
On the Port Config page, select an instance that you want to manage and click Create Rule.
Note
- If a rule is automatically generated after a website is added, the icon is next to the protocol of the rule. For more information, see Automatically generate forwarding rules when you add website configurations.
- You can also create multiple rules at a time. For more information, see Create multiple forwarding rules at a time.

In the Create Rule dialog box, set the parameters and click OK. Configure a rule


Parameter	Description
Forwarding Protocol	The protocol that you want to use to forward traffic. Valid values: TCP and UDP
Forwarding Port	The port that you want to use to forward traffic. Note We recommend that you set the same port for Forwarding Port and Origin Server Port. To prevent domain owners from creating their own DNS servers to protect services, Anti-DDoS Pro and Anti-DDoS Premium do not protect services that use port 53. You cannot specify a port that is in use. Forwarding rules for an instance that use the same protocol must use different forwarding ports. If you attempt to create a rule with a protocol and forwarding port that are already used by another rule, an error message indicating that these rules overlap appears. Do not create a rule that overlaps with forwarding rules that are automatically generated. For more information, see Automatically generate forwarding rules when you add website configurations.
Origin Server Port	The port of the origin server that you want to use to create the rule.
Origin Server IP	The IP address of the origin server that you want to use to create the rule. Note You can specify a maximum of 20 origin server IP addresses to implement load balancing. Separate multiple IP addresses with commas (,). You can add a maximum of 20 IP addresses.

You can view the created rule on the Port Config page.

Create multiple forwarding rules at a time

Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region of your Anti-DDoS instance.
- Mainland China: Anti-DDoS Pro
- Outside Mainland China: Anti-DDoS Premium
In the left-side navigation pane, choose Provisioning > Port Config.
On the Port Config page, select the instance that you want to manage, click Batch Operations below the rule list, and select Create Rule.
In the Create Rule dialog box, enter the required information as shown in the sample file and click OK.
The format is described as follows.
- Each line represents a rule.
- From left to right, the fields in each rule indicate the following parameters: forwarding protocol, forwarding port, origin server port, origin server IP address. Fields are separated with spaces. For more information about the parameters, see rule parameters.
Confirm the entered information, select the rules that you want to create, and click OK.
After the rules are uploaded, close the Create Rule dialog box.
You can view the created rules on the Port Config page.

What to do next

After you create forwarding rules, you need to perform the following operations to protect your non-website services.

Set back-to-origin IP addresses on the origin server to allow access from Anti-DDoS Pro and Anti-DDoS Premium. This ensures that the traffic from Anti-DDoS Pro or Anti-DDoS Premium is allowed by security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Verify that the forwarding rules have taken effect from the local computer to avoid service exceptions caused by incorrect forwarding rule configurations. For more information, see Verify the forwarding configuration on your local machine.

Warning If you redirect your service traffic to the Anti-DDoS Pro or Anti-DDoS Premium instance before the forwarding rules take effect, your services may be interrupted.
Redirect the traffic of your non-web services to the Anti-DDoS Pro or Anti-DDoS Premium instance. You can redirect the traffic using either one of the following methods:
- If your service is reachable over the IP address, replace the service IP address with the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance.
  
  Note The method to replace the IP address depends on your platform.
- If your service is also reachable over a domain name, for example, aliyundemo.com that functions as the server address or is added to a client program, change the A record at the DNS resolution service provider of the domain name to direct the traffic to the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see change the DNS record.

References

After you create forwarding rules, you can also perform the following operations on the Port Config page.

Configure Layer 4 anti-DDoS protection, such as session persistence, health checks, and anti-DDoS protection policies. For more information, see Configure port forwarding and anti-DDoS protection policies.
Edit or delete rules. For more information, see Edit forwarding rules and Delete forwarding rules.
Export multiple forwarding rules and Layer 4 anti-DDoS protection settings at a time. For more information, see Export multiple port configurations.

Automatically generate forwarding rules when you add website configurations

If you have added a domain name to an Anti-DDoS Pro or Anti-DDoS Premium instance, a forwarding rule is automatically generated to redirect traffic. For more information about how to add a domain name, see Add a website. You can view the rule that is automatically generated, with the Exclamation point icon next to the protocol of the rule, on the Port Config page.

If you specify port 80 of the origin server when you add a domain name to an instance, Anti-DDoS Pro or Anti-DDoS Premium generates a rule that forwards traffic to the origin server over port 80 by using TCP.
If you specify port 443 of the origin server when you add a domain name to an instance, Anti-DDoS Pro or Anti-DDoS Premium generates a rule that forwards traffic to the origin server over TCP port 443.
Anti-DDoS Pro and Anti-DDoS Premium do not generate rules that have already been generated for another website.

You cannot edit or delete rules that are automatically generated. To delete these rules, you need to disassociate all the websites that use these rules from the Anti-DDoS Pro or Anti-DDoS Premium instance.