This topic describes how to configure and enable the Blocked Regions policy. This policy allows you to block requests to access Anti-DDoS Pro or Anti-DDoS Premium instances from IP addresses in specified regions. Anti-DDoS Pro or Anti-DDoS Premium instances that use the Enhanced function plan support this policy. After you enable this policy, requests to access Anti-DDoS Pro or Anti-DDoS Premium instances from the specified regions are dropped.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced feature plan is available. For more information, see Purchase mitigation plans for Anti-DDoS Pro and Anti-DDoS Premium.

Background information

The Blocked Regions policy drops requests that are initiated from IP addresses in specific regions in China and in specific countries and regions outside China. This way, requests from regions that your service does not serve are blocked. If all valid requests are initiated from regions inside China, you can configure the Blocked Regions policy to block only requests from regions outside China.
Note: This policy takes effect on Anti-DDoS Pro or Anti-DDoS Premium instances. You must configure this policy for each Anti-DDoS Pro or Anti-DDoS Premium instance.

Blocked Regions and Diversion from Origin Server

The Blocked Regions policy blocks requests from specific regions in scrubbing centers, so blocked requests are dropped near the destination servers. Anti-DDoS Pro or Anti-DDoS Premium instances identify and filter requests based on the region of the source IP address. Because the traffic has already reached the scrubbing center when it is dropped, this policy cannot reduce the volume of attack traffic. It is therefore suitable for mitigating connection flood attacks.

The Diversion from Origin Server policy drops requests from specific regions based on the attack source by using core routers on the network provided by an Internet Service Provider (ISP). For more information, see Configure diversion from the origin server.
Note: The Diversion from Origin Server policy is available only for Anti-DDoS Pro.

Blocked Regions and Blocked Regions (Domain Names)

When both policies are in effect, the Blocked Regions policy configured for an Anti-DDoS Pro or Anti-DDoS Premium instance has a higher priority than the Blocked Regions (Domain Names) policy.

For example, if you configure the Blocked Regions policy for an Anti-DDoS Pro or Anti-DDoS Premium instance to block requests from regions outside China, users outside China cannot access the domain names associated with this instance, even if the Blocked Regions (Domain Names) policy is configured to allow access from these regions. If you want to block regions outside China for only some services, we recommend that you configure blocked regions for domain names rather than for Anti-DDoS Pro or Anti-DDoS Premium instances. For more information, see Configure blocked regions for domain names.
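
The precedence described above can be checked offline before you change an instance-level setting. The following is an added example, not Alibaba Cloud code or an API: the data model, instance ID, domain names and region codes are hypothetical. It reports the regions that a domain expects to serve but that would still be dropped, and names the layer that drops them.

```python
from dataclasses import dataclass, field

@dataclass
class DomainPolicy:
    name: str
    instance: str                                # instance the domain is associated with
    blocked: set = field(default_factory=set)    # Blocked Regions (Domain Names) setting
    expected: set = field(default_factory=set)   # regions with legitimate users

def decide(region, domain, instance_blocked):
    """Return (action, layer); the instance-level policy is evaluated first."""
    if region in instance_blocked.get(domain.instance, set()):
        return "drop", "instance"
    if region in domain.blocked:
        return "drop", "domain"
    return "allow", None

def audit(domains, instance_blocked):
    """Map each domain to the expected regions that are dropped, and by which layer."""
    findings = {}
    for d in domains:
        lost = {}
        for region in sorted(d.expected):
            action, layer = decide(region, d, instance_blocked)
            if action == "drop":
                lost[region] = layer
        if lost:
            findings[d.name] = lost
    return findings

# Constructed sample configuration (hypothetical instance ID, domains, region codes).
INSTANCE_BLOCKED = {"instance-a": {"US", "JP", "DE"}}
DOMAINS = [
    # Domain policy allows US, but the instance-level block still drops it.
    DomainPolicy("shop.example.com", "instance-a", blocked=set(), expected={"CN", "US"}),
    # Both layers agree and no expected region is lost.
    DomainPolicy("admin.example.com", "instance-a", blocked={"US", "JP", "DE"}, expected={"CN"}),
    # Domain-level mistake: the only expected region is blocked for the domain.
    DomainPolicy("api.example.com", "instance-a", blocked={"CN"}, expected={"CN"}),
]

if __name__ == "__main__":
    for name, lost in audit(DOMAINS, INSTANCE_BLOCKED).items():
        for region, layer in lost.items():
            print(f"{name}: {region} is dropped by the {layer}-level policy")
```

A finding at the instance layer cannot be fixed in the domain policy; the region must be removed from the instance-level Blocked Regions setting and blocked per domain instead.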

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the Protection for Infrastructure tab, select the instance for which you want to configure blocked regions from the list on the left side.
    Note: You can search for instances based on instance IDs or descriptions.
  5. In the Blocked Regions section, click Change Settings.
  6. In the Configure Blocked Regions panel, select the regions that you want to block and click OK.
  7. Go back to the Blocked Regions section and turn on Status to apply the settings.