To protect non-website services like client applications with Anti-DDoS Pro or Anti-DDoS Premium, you must configure port forwarding rules. These rules direct traffic through an Anti-DDoS instance for scrubbing before forwarding it to your origin server. This topic explains how to create these rules.
Precautions
You can batch configure rules only for Anti-DDoS Pro and Anti-DDoS Premium instances in the Chinese mainland. This feature is unavailable for instances outside the Chinese mainland.
The Application-layer Protection feature is available only for Anti-DDoS Pro and Anti-DDoS Premium instances in the Chinese mainland. It protects against application-layer attacks on non-HTTP/HTTPS protocols.
After all Anti-DDoS Proxy instances under your account are released for 30 days, the system automatically clears all associated domain and port forwarding rules. The 30-day countdown starts from the release of the last instance.
For instances on an Enhanced Function plan, creating a UDP port forwarding rule automatically blocks common ports used in UDP reflection attacks. This typically does not affect normal services. However, if your service requires one of these ports, you must manually unblock it. For more information, see Configure protection against UDP reflection attacks.
NoteIf you have customized the ports for protection against UDP reflection attacks, your custom settings prevail.
Prerequisites
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Add a port forwarding rule
Add a single port forwarding rule
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
In the left-side navigation pane, choose .
Select an Anti-DDoS Pro or Anti-DDoS Premium instance and click Create Port Forwarding Rule. After you configure the rule, click Confirm.
NoteRules marked with an
icon are automatically generated for website services and cannot be manually modified or deleted. These rules are removed automatically when the associated website configurations are no longer linked to the instance. For information about how to configure website services, see Add a website.If the server port in the website information is 80, a rule with Forwarding Protocol set to TCP and Forwarding Port set to 80 is automatically generated.
If the server port in the website information is 443, a rule with Forwarding Protocol set to TCP and Forwarding Port set to 443 is automatically generated.
Parameter
Description
Forwarding Protocol
Select the protocol for traffic forwarding. Valid values are TCP and UDP.
ImportantSecure Acceleration lines do not support UDP Port Config.
Forwarding Port
The port that is used by the Anti-DDoS Pro or Anti-DDoS Premium instance for forwarding.
NoteSet the Forwarding Port to be the same as the Origin Server Port for easier management.
To prevent the unauthorized setup of DNS protection servers, Anti-DDoS Pro and Anti-DDoS Premium do not support Port Config for port 53.
For the same Anti-DDoS Pro or Anti-DDoS Premium instance and forwarding protocol, the forwarding port of each rule must be unique. If you try to add a rule with the same protocol and forwarding port as an existing rule, the system reports a rule conflict.
Avoid conflicts with rules that are automatically generated by Website Config.
Origin Server Port
The port used by your Origin for services.
Back-to-origin Scheduling Algorithm
The default mode is Round-robin, which cannot be modified.
Application-layer Protection
This feature is available only for services that use the TCP protocol and are protected by an Anti-DDoS Pro or Anti-DDoS Premium instance of the Enhanced Edition. It protects against application-layer attacks that use protocols other than HTTP or HTTPS.
For a description of attack types, see Types of DDoS attacks that can be mitigated.
Set the back-to-origin new connection timeout period: 1 to 3 seconds.
When Anti-DDoS Pro or Anti-DDoS Premium attempts to establish a new connection with a back-end Origin Server, the connection times out if it is not successfully established within the specified period. This setting can prevent attackers from establishing TCP connections with the back-end Origin Server using a large number of fake HTTP requests, such as CC attacks, and then not sending valid data for an extended period.
Set the back-to-origin read/write connection timeout period: 60 to 600 seconds.
Read timeout: The period that Anti-DDoS Pro or Anti-DDoS Premium waits for a response from the back-end Origin Server after sending a request. If no data response is received from the Origin Server within this period, the connection is considered to have timed out.
Write timeout: During an operation where Anti-DDoS Pro or Anti-DDoS Premium sends data to the back-end Origin Server, if the data is not successfully sent within the specified period, the connection times out.
This setting can prevent attackers from establishing legitimate connections and then sending or receiving data at an extremely low rate, which would occupy back-end Origin Server resources for a long time.
Origin IP Address
The IP address of the Origin.
NoteThe Origin can be an Alibaba Cloud service or a service not hosted on Alibaba Cloud. If the Origin is an Alibaba Cloud service, make sure it belongs to the current Alibaba Cloud account. If the Origin belongs to another Alibaba Cloud account, contact your business manager before adding it.
You can add Origin IP addresses to implement automatic load balancing. Separate the IP addresses with commas (,). You can configure a maximum of 20 Origin IP addresses.
Batch add port forwarding rules
When you batch add port forwarding rules, you cannot enable the Enhanced Application-Layer Protection Port. If you need to enable it, first batch add the rules, and then batch modify the Enhanced Application-Layer Protection Port setting.
At the bottom of the Port Config page, click .
In the Add Rule dialog box, enter the rule configurations according to the format requirements and click OK.
Each line represents one rule and contains four fields separated by spaces: protocol, forwarding port, origin server port, and origin IP address.
In the Add Rule dialog box, select the rules you want to upload and click Upload.
What to do next
After you add the rules, you must allow back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium, verify that the local forwarding configuration is effective, and switch traffic of your non-website services to the Anti-DDoS Pro or Anti-DDoS Premium instance. This completes the setup for your non-website services.
On your Origin Server, allow the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium. This prevents security software on your Origin Server from blocking the traffic forwarded from the instance. For more information, see Allow back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium.
To prevent service interruptions caused by incorrect rule configurations, verify on a local computer that the rule configuration has taken effect. For more information, see Verify that the forwarding configuration has taken effect.
WarningIf you switch over your services before the rule takes effect, your services may be interrupted.
Switch the traffic of your non-website services to the Anti-DDoS Pro or Anti-DDoS Premium instance.
Typically, you only need to replace the service IP address with the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance to officially switch your service traffic to the instance. The specific procedure may vary based on your service development platform.
NoteIf your services also use a domain name to specify the server address (for example, the domain name example.com is set as the server address in a game client, or the domain name is hardcoded in the client application), you do not need to configure Website Config. Instead, you must change the DNS resolution at your DNS provider to point the A record of the domain name to the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Change a DNS record.
In some scenarios, you may need to use a domain name to connect Layer 4 services and associate services with multiple Anti-DDoS IPs for automatic traffic switching. In this case, connect non-website services by adding a domain name and changing the CNAME record. For more information, see Use a CNAME record to connect non-website services.
More operations
Modify an Origin IP address
In the following figure, ① indicates the entry point for modifying the Origin IP address in a single rule, and ② indicates the entry point for batch modifying Origin IP addresses.
Modify the Enhanced Application-Layer Protection Port switch
In the following figure, ① indicates the entry point for modifying the switch for a single rule, and ② indicates the entry point for batch modifying the switch. Do not click Configure under Application-layer Protection. This button is the entry point for protection policies.
When you enable this feature in batches, the default back-to-origin new connection timeout is 3 seconds, and the default back-to-origin read/write connection timeout is 600 seconds.

Delete a port forwarding rule
For manually added rules, if you no longer require the Anti-DDoS IP to forward traffic for your services, you must first restore the original service IP address. Make sure your services are not using the Anti-DDoS IP, and then delete the corresponding rule. If you delete the rule without restoring the original service IP address, your services may be interrupted.
In the following figure, ① indicates the entry point for deleting a single rule, and ② indicates the entry point for batch deleting rules.
