This topic describes how Global Accelerator (GA) interacts with Anti-DDoS Pro to accelerate content delivery based on high-bandwidth BGP lines and the global transmission network of Alibaba. GA allows service providers to deploy their services across regions. Global users can connect to the nearest access points over the global network for content delivery acceleration. With tap mode deployment, Anti-DDoS Pro is triggered under certain conditions. This ensures service continuity and reinforces security when DDoS attacks are detected.

Prerequisites

Before you start, make sure that the following requirements are met:

Background information

An Internet application service is deployed on Alibaba Cloud in the US (Silicon Valley) region. The backend servers provide services over the Internet through two Elastic IP addresses of Alibaba Cloud. The forwarding port is TCP port 9000. Most of the end users are located in China (Shanghai), China (Hangzhou), and China (Shenzhen). Internet application services are sometimes targeted by DDoS attacks. Anti-DDoS protection must be enabled when the Internet application services are under attack.

Deployment architecture

As shown in the preceding figure, you can create a Global Accelerator instance, specify the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions as the acceleration regions, and deploy Anti-DDoS Pro in tap mode. After the deployment is complete, if there is no attack detected, requests from users in the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions are forwarded to the global acceleration network of Alibaba Cloud from the nearest access points through the accelerated IP addresses. Nearest access is conducted based on intelligent routing and automatic network traffic distribution. When a DDoS attack is detected, Anti-DDoS Pro is enabled to scrub user traffic. Then, the user traffic flows to the global acceleration network of Alibaba Cloud from the nearest access points.

Deployment procedure

Deployment process

Step 1: Create a Global Accelerator instance

Each Global Accelerator instance is considered a running global acceleration service.

To create a Global Accelerator instance, follow these steps:

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click Create Instance.
  3. On the buy page, configure the required parameters, and click Buy Now.
    1. Select an instance specification. Select Medium I in this topic.
      GA supports the following types of instance specifications: Small I, Small II, Small III, Medium I, Medium II, and Medium III. The acceleration performance varies, depending on the instance specification.
      Instance specification | Number of acceleration regions | Peak bandwidth | Maximum number of concurrent connections
      Small I                | 1                              | 20 Mbit/s      | 5,000
      Small II               | 2                              | 40 Mbit/s      | 10,000
      Small III              | 3                              | 60 Mbit/s      | 15,000
      Medium I               | 5                              | 100 Mbit/s     | 25,000
      Medium II              | 8                              | 160 Mbit/s     | 40,000
      Medium III             | 10                             | 200 Mbit/s     | 50,000
    2. Select the subscription duration of the Global Accelerator instance.

Step 2: Purchase and bind a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and inside Alibaba Cloud. To achieve global acceleration, you need to purchase a basic bandwidth plan and bind the basic bandwidth plan to a Global Accelerator instance.

To purchase and bind a basic bandwidth plan to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click Buy Basic Bandwidth Plan.
  2. On the buy page, configure the required parameters, and click Buy Now to settle the payment.
    1. Bandwidth Type: Select the type of the basic bandwidth plan. Select Basic in this topic.
      Basic bandwidth plans support three types of bandwidth: basic acceleration bandwidth, enhanced acceleration bandwidth, and premium acceleration bandwidth. The acceleration type, acceleration backend service, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type, as shown in the following table.
      Bandwidth type: Basic acceleration bandwidth
      • Acceleration type: Applications that are deployed on Alibaba Cloud
      • Acceleration backend service: Alibaba Cloud Elastic IP address
      • Acceleration scope: By default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      Bandwidth type: Enhanced acceleration bandwidth
      • Acceleration type: Applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
      • Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name
      • Acceleration scope: By default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      Bandwidth type: Premium acceleration bandwidth
      • Acceleration type: Applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
      • Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name
      • Acceleration scope: By default, network connections are accelerated on a global scale. Network traffic transmitted from mainland China to areas outside mainland China is directed to the Hong Kong (China) region and then forwarded to the global network. If you also purchase a cross-border bandwidth plan, the acceleration of network connections between mainland China and areas outside mainland China is reinforced.
    2. Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. Select 10 Mb in this topic.
    3. Duration: Select the duration of the basic bandwidth plan.
  3. Return to the Instances page, and click the ID of the created Global Accelerator instance.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Package section, find the target bandwidth plan, and then click Bind in the Actions column.
    The basic bandwidth plan is now in the Bound state.

Step 3: Add an acceleration area

After you purchase a basic bandwidth plan, you must add an acceleration area, specify the regions where end users are located, and allocate bandwidth to these regions.

To add an acceleration area, follow these steps:

  1. On the Instances page, click the ID of the Global Accelerator instance created in Step 1.
  2. On the instance details page, click the Acceleration Areas tab. Then, click Add Acceleration Area.
  3. In the Add Acceleration Area dialog box, configure the required parameters as follows, and click OK.
    1. Acceleration Area: Select the area that requires acceleration. Select China East in this topic.
    2. Regions: Select the region where the end users are located. In this topic, China (Hangzhou) is selected.
    3. Bandwidth: Specify the amount of bandwidth to be allocated to the region. Select 2 Mbit/s in this topic.
    4. Click + Add, specify China (Shanghai), and allocate 2 Mbit/s of bandwidth to the China (Shanghai) region.
  4. Repeat the preceding steps to add China (Shenzhen) to the acceleration area and allocate 2 Mbit/s of bandwidth to the China (Shenzhen) region.
After the acceleration area is added, Global Accelerator assigns an accelerated IP address to each acceleration region.

Step 4: Create a listener

A listener monitors connection requests from clients. User traffic is forwarded to the specified port of the origin server through the specified protocol.

To add a listener to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click the ID of the Global Accelerator instance created in Step 1.
  2. On the instance details page, click the Listeners tab. Then, click Add Listener.
  3. On the Configure Listener & Protocol page, configure the listener:
    1. Listener Name: Enter a name for the listener to be created. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter or Chinese character.
    2. Protocol: Select a protocol for the listener. Select TCP in this topic.
    3. Port Number: Enter a port number or port range. Requests are received and then forwarded from the specified ports to the endpoints. Valid values: 1 to 65499. Enter 9000 in this topic.
    4. Client Affinity: Select whether to enable client affinity. When client affinity is enabled, requests from a specific source (client) IP address are always routed to the same endpoint. In this topic, select Source IP Address.
    5. Reserve Client IP: Select whether to reserve the client IP address. When this feature is enabled, Proxy Protocol is used to carry the IP address of the client to the origin server. In this example, this feature is disabled.
      Note
      • To use the reserve client IP feature, submit a ticket.
      • Before you enable this feature, ensure that Proxy Protocol is supported and configured in your origin server. For more information, see Reserve client IP addresses.
      • If the origin server uses Layer-7 Server Load Balancers (SLB) of Alibaba Cloud (with HTTP/HTTPS listeners), the IP address information of the client cannot be reserved using Proxy Protocol. If the origin server uses a Layer-7 load balancing service from another cloud service provider or one deployed in an on-premises data center, you must check whether the origin server supports Proxy Protocol. After you confirm that the origin server supports Proxy Protocol, you can enable the reserve client IP feature.
  4. Click Next to configure an endpoint group.
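The Reserve Client IP note above says the origin must understand Proxy Protocol. The following added example (not code from the original topic or from Alibaba Cloud) shows what that means on the origin side: a parser for the version 1 PROXY header that Global Accelerator would prepend to each TCP connection, returning the real client address and the remaining payload, and rejecting malformed headers. The sample byte strings are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

MAX_V1_HEADER = 107  # longest valid v1 header, including the trailing CRLF


class ClientInfo(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_proxy_v1(stream: bytes) -> Tuple[Optional[ClientInfo], bytes]:
    """Split a version 1 PROXY header off the start of a TCP stream.

    Returns (client_info, payload). client_info is None for the
    "PROXY UNKNOWN" form. Raises ValueError for a malformed header so the
    origin can drop the connection instead of trusting a bad address.
    Only call this on connections that arrive from the accelerator: a
    client that reaches the origin directly could otherwise send its own
    PROXY line and spoof the reported source address.
    """
    if not stream.startswith(b"PROXY "):
        # Without Proxy Protocol parsing, these bytes would reach the
        # application as its first line of data.
        raise ValueError("missing PROXY header")
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header too long or unterminated")
    fields = stream[:end].decode("ascii").split(" ")
    payload = stream[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload  # proxy does not know the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY header: %r" % (fields,))
    family = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match header type")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ClientInfo(str(src), sport, str(dst), dport), payload


if __name__ == "__main__":
    # Constructed sample: a client on 203.0.113.7 reaching the origin on port 9000.
    info, rest = parse_proxy_v1(
        b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 9000\r\nhello\r\n")
    print(info, rest)
```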

Step 5: Configure the endpoint group

Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After the association is complete, traffic is distributed to the optimal endpoints in the associated endpoint group.

To create an endpoint group, follow these steps:

  1. Endpoint Group Name: Enter a name for the endpoint group.
  2. Select the region to be associated with the endpoint group, that is, the region where the origin server is deployed.
    In this topic, select United States (Silicon Valley).
  3. Configure endpoints.
    1. Backend Service Type: Select EIP.
    2. Backend Service: Select the Elastic IP address that is specified as the backend service.
    3. Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA distributes network traffic to endpoints based on the predefined weights of the endpoints.
      Notice If you set the weight of an endpoint to 0, Global Accelerator stops distributing traffic to the endpoint. Proceed with caution.
    4. Click + Add endpoint to add an endpoint for another server in US (Silicon Valley), and specify the weight of the endpoint.
  4. Click Next to confirm the configurations, and then click Next.

Step 6: Purchase and bind a cross-border bandwidth plan

The cross-border bandwidth plan can be used to optimize the network acceleration between mainland China and regions outside mainland China.

To purchase and bind a cross-border bandwidth plan to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
  2. On the buy page, configure the required parameters as follows, and click Buy Now to settle the payment.
    1. Area A: Select an area for cross-border communication. Select Mainland China in this topic.
    2. Area B: Select an area for cross-border communication.
      • Global: Client requests are automatically forwarded to the optimal global egress.
      • China (Hong Kong): All user requests are routed to China (Hong Kong) and then forwarded to Area B.

      In this topic, select Global.

    3. Billing Method: Select a billing method for the cross-border bandwidth plan. Currently, only Pay by Bandwidth is available.
    4. Bandwidth: Specify the bandwidth of the cross-border bandwidth plan.
      We recommend that you specify the same bandwidth value for both the cross-border bandwidth plan and the basic bandwidth plan. In this topic, select 10 Mb.
    5. Subscription Duration: Specify the subscription duration.
  3. Return to the Instances page. Find the target Global Accelerator instance and click the instance ID.
  4. Click the Bandwidth Manage tab.
  5. In the Cross-region Bandwidth Package section, find the target cross-border bandwidth plan, and click Bind in the Actions column.
    After the cross-border bandwidth plan is bound to the Global Accelerator instance, the status of the plan is changed to Bound.

Step 7: Activate an Anti-DDoS Pro instance

Anti-DDoS Pro owns the largest BGP bandwidth resources in mainland China, and is capable of mitigating up to 1.5 Tbit/s of DDoS attacks.

To purchase an Anti-DDoS Pro instance, follow these steps:

  1. Log on to the Anti-DDoS Pro console.
  2. On the Instances page, click Purchase Instances.
  3. On the buy page, complete the configuration to purchase the Anti-DDoS Pro instance.
    1. Mitigation Plan: By default, Professional is selected and cannot be changed.
    2. Basic Protection: Select the basic protection bandwidth of the Anti-DDoS Pro instance. In this topic, select 30Gb.
    3. Burstable Protection: Select the maximum burstable protection bandwidth of the Anti-DDoS Pro instance. Burstable protection is provided against attacks exceeding the basic protection bandwidth. In this topic, select 300Gb.
    4. Resource Group: Select the resource group to which the Anti-DDoS Pro instance belongs.
    5. Clean Bandwidth: Select the service bandwidth of the Anti-DDoS Pro instance. Service bandwidth refers to the maximum clean bandwidth of this instance when it is not being attacked. In this topic, select 100Mbps.
    6. Function Plan: Select a function plan, which can be Standard Function or Enhanced Function. In this topic, select Enhanced Function.
      For more information about the differences between standard and enhanced functions, see Function plan.
    7. Domains: Specify the number of HTTP/HTTPS domain names that can be protected by the instance. In this topic, select 50.
      For more information about the number of protected domain names, see Domains.
    8. Clean QPS: Select Clean QPS. Clean QPS is the maximum rate of HTTP/HTTPS concurrent requests allowed when the instance is not under DDoS attack. In this topic, select 3000.
    9. Ports: Select the maximum number of forwarding ports that the Anti-DDoS Pro instance can use during network traffic forwarding over TCP/UDP. In this topic, select 50.
    10. Quantity: Select the number of instances to be purchased with the current configurations.
    11. Duration: Select the duration of the instance.
  4. Click Buy Now to settle the payment.

Step 8: Add domain

The configurations of a website specified in the Anti-DDoS Pro console define how network traffic is transmitted between a website and an Anti-DDoS Pro instance.

Follow these steps to add the website that needs protection to Anti-DDoS Pro:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top status bar, select the region of the service. Select Mainland China in this topic.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, click Add Domain.
  5. On the Add Domain page, enter the website information.
    1. Function Plan: Select a function plan for the Anti-DDoS Pro instance to be associated. Select Enhanced in this topic.
    2. Instance: Select the Anti-DDoS Pro instance to be associated. You can select up to eight instances for one domain. The instances associated with a domain must use the same function plan.
    3. Domain: Enter the website domain to be protected. Enter www.example.com in this topic.
    4. Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. This topic uses the default setting.
    5. Enable HTTP2: Indicates whether to enable HTTP2 when the domain is associated with an enhanced Anti-DDoS Pro instance. After HTTP2 is enabled, the protocol type is HTTP2.0.
    6. Server IP: Select the address type of the origin server, and specify the address of the origin server. In this topic, select Origin Server IP, and then enter the accelerated IP addresses assigned by the Global Accelerator instance to the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions.
    7. Server Port: Specify the server port according to the protocol type. In this topic, the server port is 9000.
  6. Click Add.

Step 9: Configure Sec-Traffic Manager

Anti-DDoS Pro provides Sec-Traffic Manager to set the interaction rules between Anti-DDoS Pro and other cloud resources. You can set rules to trigger and enable Anti-DDoS Pro in specific scenarios. This helps you keep workloads running smoothly if no DDoS attacks occur, and provides more effective protection when DDoS attacks occur.

To configure Sec-Traffic Manager, follow these steps:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top status bar, select the region of the service. Select Mainland China in this topic.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the Cloud Service Interaction tab, click Create Rule.
  5. On the Create Rule page that appears, configure the parameters and click Next.
    1. Interaction Scenario: Select an interaction scenario for the rule. In this topic, select Cloud Service Interaction.
    2. Name: Enter the rule name.
      The name can be 1 to 128 characters in length and can contain letters, digits, and underscores (_).
    3. Anti-DDoS Instance IP: Select the Anti-DDoS instance to be interacted with.
    4. Cloud Resource: Select the region where the cloud resource is deployed, and then enter the IP address of the cloud resource.
      You can click Add Cloud Resource IP to add more cloud resources. You can add up to 20 cloud resources.

      In this topic, select East China 1, East China 2, and South China 1, and then enter the accelerated IP addresses assigned by the Global Accelerator instance to the China (Hangzhou), China (Shanghai), and China (Shenzhen) regions in Step 3.

    5. Switchback Waiting Time: The time that Sec-Traffic Manager waits before it switches traffic back after Anti-DDoS Pro has been triggered for the GA instance.
      Because a blackhole must first be deactivated, and to prevent protection from being triggered and workloads from being switched too frequently, the switchback waiting time must be at least 30 minutes. In this topic, the switchback waiting time is set to 60 minutes.
  6. Click Finished.
    After a rule is created, Sec-Traffic Manager assigns a CNAME address to this rule.

Step 10: Resolve the domain name to Sec-Traffic Manager

After a scheduling rule in Sec-Traffic Manager is created, you must update the CNAME record of the domain to redirect website traffic to Sec-Traffic Manager. The rule takes effect only after you update the CNAME record.
Note If you use third-party DNS services, log on to the system of the DNS provider to modify the CNAME record.

To resolve the domain name to Sec-Traffic Manager, follow these steps:

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
  3. On the Configure page, find the DNS records, and click Edit in the Actions column.
  4. In the Edit Record dialog box, set Type to CNAME, and change Value to the CNAME address that Sec-Traffic Manager assigned to the new rule in Step 9.
  5. Click OK.

Step 11: Verify the settings

To test the performance of protection and acceleration services provided by Global Accelerator and Anti-DDoS Pro in tap mode, follow these steps:

  1. Open the browser on a computer in the connected region. In this topic, select China (Hangzhou), China (Shanghai), or China (Shenzhen).
  2. Use the CNAME address assigned by Sec-Traffic Manager to access the Internet application services deployed in the US (Silicon Valley) region.
    The test result shows that you can use the CNAME address assigned by Sec-Traffic Manager to access the Internet application services in the US (Silicon Valley) region.
  3. Run the dig <CNAME address assigned by Sec-Traffic Manager> command to view the result.
    • When the origin server is not under attack, the IP address of the Global Accelerator instance is displayed.
    • When the origin server is under attack, the IP address of the Anti-DDoS Pro instance is displayed.
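The dig check in the last step, as an added example that is not part of the original topic: it parses the answer section that dig prints for the Sec-Traffic Manager CNAME and reports which path the domain currently resolves to, so the switch to Anti-DDoS Pro and the switch back can be logged or alerted on. The address sets are constructed placeholders; replace them with the accelerated IP addresses assigned in Step 3 and the IP address of your Anti-DDoS Pro instance.

```python
import ipaddress
import re
import subprocess

# Constructed placeholder addresses, not values from the original topic.
GA_ACCELERATED_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
ANTI_DDOS_PRO_IPS = {"198.51.100.20"}

# Matches one A record in `dig +noall +answer` output, for example:
# "stm-rule.example.com.\t60\tIN\tA\t203.0.113.10"
_A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)\s*$", re.MULTILINE)


def parse_dig_a_records(dig_output: str) -> list:
    """Return the A-record addresses found in a dig answer section."""
    addrs = []
    for raw in _A_RECORD.findall(dig_output):
        try:
            addrs.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue  # ignore anything that is not a valid IP address
    return addrs


def classify_path(addrs) -> str:
    """Map the resolved addresses to the traffic path described in Step 11."""
    found = set(addrs)
    if not found:
        return "unresolved"
    if found <= GA_ACCELERATED_IPS:
        return "global-accelerator"  # no attack: traffic enters GA directly
    if found <= ANTI_DDOS_PRO_IPS:
        return "anti-ddos-pro"       # attack detected: traffic is scrubbed first
    if found & (GA_ACCELERATED_IPS | ANTI_DDOS_PRO_IPS):
        return "switching"           # records from both paths during a switch
    return "unknown"                 # neither set: check the CNAME record


def current_path(cname: str) -> str:
    """Run dig against the live resolver (needs network) and classify the answer."""
    out = subprocess.run(["dig", "+noall", "+answer", cname],
                         capture_output=True, text=True, check=True).stdout
    return classify_path(parse_dig_a_records(out))


if __name__ == "__main__":
    # Hypothetical rule CNAME; use the one Sec-Traffic Manager assigned in Step 9.
    print(current_path("stm-rule.example.com"))
```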