To use Anti-DDoS Pro or Anti-DDoS Premium to protect your non-website services, such as client-based games, mobile games, or apps, you must create forwarding rules on the Port Config page. You can also configure Layer 4 anti-DDoS protection, such as session persistence, health checks, and anti-DDoS protection policies.
Prerequisites
An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase mitigation plans for Anti-DDoS Pro and Anti-DDoS Premium.
Create a forwarding rule
- On the Port Config page, select an instance that you want to manage and click Create Rule.Note You can also create multiple rules at a time. For more information, see Create multiple forwarding rules at a time.
Automatically generate forwarding rules when you add website configurations:
If a rule is automatically generated after a domain name is added, the
icon is next to the protocol of the rule. For more information, see Add a website.
- If you specify port 80 of the origin server when you add a domain name to an instance, Anti-DDoS Pro or Anti-DDoS Premium generates a forwarding rule. This rule is used to forward traffic to the origin server over port 80 by using TCP.
- If you specify port 443 of the origin server when you add a domain name to an instance, Anti-DDoS Pro or Anti-DDoS Premium generates a forwarding rule. This rule is used to forward traffic to the origin server over port 443 by using TCP.
Note You cannot edit or delete rules that are automatically generated. To delete these rules, you must disassociate all the websites that use these rules from the Anti-DDoS Pro or Anti-DDoS Premium instance. - In the Create Rule dialog box, configure the parameters and click OK.
Parameter Description Forwarding Protocol The protocol that you want to use to forward traffic. Valid values: TCP and UDP. Forwarding Port The port that you want to use to forward traffic. Note- We recommend that you specify the same port for Forwarding Port and Origin Server Port.
- To prevent domain owners from creating their own DNS servers to protect services, Anti-DDoS Pro and Anti-DDoS Premium do not protect services that use port 53.
- You cannot specify a port that is already used as the forwarding port for another rule. In an instance, forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a rule with a protocol and forwarding port that are already used by another rule, an error message appears. This error message indicates that these rules overlap. Do not create a rule that overlaps with forwarding rules that are automatically generated. For more information, see Automatically generate forwarding rules when you add website configurations.
Origin Server Port The port of the origin server. Origin Server IP The IP address of the origin server. Note You can specify up to 20 origin server IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).After you create forwarding rules, you can view the created rules on the Port Config page. You can also perform the following operations:- Configure Layer 4 anti-DDoS protection, such as session persistence, health checks, and anti-DDoS protection policies. For more information, see Configure port forwarding and anti-DDoS protection policies.
- Edit or delete rules. For more information, see Edit forwarding rules and Delete forwarding rules.
- Export multiple forwarding rules and Layer 4 anti-DDoS protection settings at a time. For more information, see Export multiple port configurations.
Create multiple forwarding rules at a time
- In the Create Rule dialog box, enter the required information as shown in the sample file and click
OK.
You can create a rule based on the following requirements.- Each line represents a rule.
- From left to right, the fields in each rule indicate the following parameters: forwarding protocol, forwarding port, origin server port, origin server IP address. Fields are separated with spaces. For more information about the related parameters, see Rule parameters.
- Check the entered information, select the rules that you want to create, and click
OK.
What to do next
After you create forwarding rules, you must perform the following operations to protect
your non-website services.
- Allow the back-to-origin IP address of Anti-DDoS Pro and Anti-DDoS Premium on the origin server. This ensures that the traffic from Anti-DDoS Pro or Anti-DDoS Premium is allowed by security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
- Verify that the forwarding rules have taken effect from the local computer to avoid
service exceptions caused by incorrect forwarding rule configurations. For more information,
see Verify the forwarding configuration on your local machine.
Warning If you switch your service traffic to instances before the forwarding rules take effect, your services may be interrupted.
- Redirect the traffic of your non-web services to the Anti-DDoS Pro or Anti-DDoS Premium
instance. You can redirect the traffic by using one of the following methods:
- If your service is reachable over the IP address, replace the service IP address with
the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance.
Note The method to replace the IP address depends on your platform.
- If your service is also reachable over a domain name, for example, aliyundemo.com that functions as the server address or is added to a client program, change the A record at the DNS resolution service provider of the domain name to direct the traffic to the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Change the DNS record.
- If your service is reachable over the IP address, replace the service IP address with
the exclusive IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance.