Global Accelerator (GA) can work with Web Application Firewall (WAF), a security service built on the big data technologies of Alibaba Cloud Security, to provide high-security cross-border web application acceleration. Based on high-bandwidth BGP lines and the global transmission network of Alibaba, GA lets web application service providers deploy their services on a global scale. Users in different regions connect to the nearest access point over the global transmission network, which accelerates service delivery.

Prerequisites

Before you use the service, make sure that the following requirements are met:
  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, click Create an Alibaba Cloud account.
  • Your website has an Internet Content Provider (ICP) filing.

Background information

A web application service is deployed on Alibaba Cloud in the US (Silicon Valley) region. The backend servers provide web services through two Alibaba Cloud elastic IP addresses (EIPs); the forwarding port is TCP port 9000. Most users are located in China (Shanghai), China (Hangzhou), and China (Shenzhen). Web application services are frequent targets of web application attacks, which severely affect their security and availability.
Figure: WAF and GA deployment

You can create a GA instance, specify China (Shanghai), China (Hangzhou), and China (Shenzhen) as the acceleration regions, and deploy WAF in front of it, as shown in the preceding figure. After the deployment is complete, WAF scans and filters requests from users in these three regions according to the configured protection policies and forwards only legitimate requests toward the origin servers. The scrubbed traffic enters the global transmission network at the nearest access point through an accelerated IP address, which avoids Internet congestion and reduces latency.

Procedure

Step 1: Purchase a Global Accelerator instance

Each GA instance is an acceleration service running on a global scale.

Follow the steps below to purchase a GA instance.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click Create Instance.
  3. On the buy page, set the required parameters, and click Buy Now.
    1. Select an instance specification. Select Medium I in this topic.
      GA supports the following instance specifications: Small I, Small II, Small III, Medium I, Medium II, and Medium III. The acceleration performance depends on the instance specification.
      | Instance specification | Number of acceleration regions | Peak bandwidth | Maximum number of concurrent connections |
      |---|---|---|---|
      | Small I | 1 | 20 Mbit/s | 5,000 |
      | Small II | 2 | 40 Mbit/s | 10,000 |
      | Small III | 3 | 60 Mbit/s | 15,000 |
      | Medium I | 5 | 100 Mbit/s | 25,000 |
      | Medium II | 8 | 160 Mbit/s | 40,000 |
      | Medium III | 10 | 200 Mbit/s | 50,000 |
    2. Select the subscription duration for the GA instance.

Step 2: Purchase and bind a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and inside Alibaba Cloud. To achieve global acceleration, you need to purchase a basic bandwidth plan and bind the basic bandwidth plan to a Global Accelerator instance.

To purchase and bind a basic bandwidth plan to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click Buy Basic Bandwidth Plan.
  2. On the buy page, set the required parameters, and click Buy Now to complete the payment.
    1. Bandwidth Type: Select a bandwidth type. Select Basic in this topic.
      Basic bandwidth plans come in three bandwidth types: basic, enhanced, and premium acceleration bandwidth. The acceleration type, supported backend services, and acceleration scope vary by bandwidth type:
      • Basic acceleration bandwidth
        Acceleration type: applications that are deployed on Alibaba Cloud.
        Acceleration backend service: Alibaba Cloud Elastic IP address.
        Acceleration scope: by default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      • Enhanced acceleration bandwidth
        Acceleration type: applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud.
        Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name.
        Acceleration scope: by default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      • Premium acceleration bandwidth
        Acceleration type: applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud.
        Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name.
        Acceleration scope: by default, network connections are accelerated on a global scale. Network traffic from mainland China to areas outside mainland China is directed to the Hong Kong (China) region and then forwarded to the global network. If you also purchase a cross-border bandwidth plan, the acceleration of network connections between mainland China and areas outside mainland China is reinforced.
    2. Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. Select 10 Mbit/s in this topic.
    3. Duration: Select the duration of the basic bandwidth plan.
  3. Return to the Instances page, and click Instance ID.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Package section, click Bind in the Actions column for the Basic Bandwidth Package.
    After the basic bandwidth plan is bound to the GA instance, the bandwidth plan is in the Bound state.

Step 3: Add an acceleration area

After you purchase a basic bandwidth plan, you must add one or more acceleration areas where end users are located, and allocate bandwidth to these areas.

To add an acceleration area, follow these steps:

  1. On the Instances page, click Instance ID.
  2. On the Basic Information page, click the Acceleration Areas tab, and then click Add Acceleration Area.
  3. In the Add Acceleration Area dialog box, configure the required parameters as follows, and click OK.
    1. Acceleration Area: Select the area that requires acceleration. Select China East in this topic.
    2. Regions: Select the region where the end users are located. Select China (Hangzhou) in this topic.
    3. Bandwidth: Specify the amount of bandwidth to be allocated to the region. Select 2 Mbit/s in this topic.
    4. Click + Add, specify China (Shanghai), and allocate 2 Mbit/s of bandwidth to the China (Shanghai) region.
  4. Repeat the preceding steps to add China (Shenzhen) to the acceleration area, and allocate 2 Mbit/s of bandwidth to the China (Shenzhen) region.
After the acceleration area is added, Global Accelerator assigns an accelerated IP address to each acceleration region. Record these addresses: they are the destination server addresses that you enter in WAF in Step 8.

Step 4: Add a listener

A listener monitors connection requests from clients. Clients can connect to the specified port of the origin server through the specified protocol.

To add a listener to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click the ID of the instance that you created in Step 1.
  2. On the Basic Information page, click the Listeners tab. Then, click Add Listener.
  3. On the Configure Listener & Protocol page, configure the listener:
    1. Listener Name: Enter a name for the listener to be created. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter or Chinese character.
    2. Protocol: Select a protocol for the listener. Select TCP in this topic.
    3. Port Number: Enter a port or port range for receiving and forwarding requests to the endpoints. Valid values: 1 to 65499. Enter 9000 in this topic.
    4. Client Affinity: Select whether to enable client affinity. If the Client Affinity feature is enabled, requests from a specific client are always routed to the same endpoint. Select Source IP Address in this topic.
  4. Click Next to configure an endpoint group.

Step 5: Configure the endpoint group

Each listener is associated with an endpoint group. You can associate an endpoint group with listeners by specifying the regions to which you want to distribute network traffic. After the association is complete, traffic is distributed to the optimal endpoints in the associated endpoint groups.

To configure an endpoint group, follow these steps:

  1. Endpoint Group Name: Enter a name for the endpoint group.
  2. Select the region to be associated with the endpoint group. The selected region is where the target server is deployed.
    Select US (Silicon Valley) in this topic.
  3. Specify whether to deploy the backend service on Alibaba Cloud. Select Alibaba Cloud in this topic.
  4. Specify whether to preserve client IP addresses for the origin servers in this region. If you enable this feature, the backend service sees the real source IP addresses of clients. If you disable it, the origin sees GA's address as the TCP source, so origin-side logging, rate limiting, or access control keyed on the source address will not identify individual clients; the origin then has to rely on the headers that WAF adds (see the request tag in Step 8). This feature is disabled for the origin server in this topic.
    Note To use client IP address reservation, submit a ticket.
  5. Configure endpoints.
    1. Backend Service Type: Select EIP.
    2. Backend Service: Select the EIP that is used to provide backend services.
    3. Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA distributes network traffic to endpoints based on the predefined weights of the endpoints.
      Notice If you set the weight of an endpoint to 0, Global Accelerator stops distributing traffic to the endpoint. Proceed with caution.
    4. Click + Add endpoint to add an endpoint for another server in US (Silicon Valley), and specify the weight of the endpoint.
  6. Click Next to confirm the configurations, and then click Next.

Step 6: Purchase and bind a cross-border acceleration bandwidth plan

The cross-border acceleration bandwidth plan can be used to optimize network acceleration between mainland China and regions outside mainland China.

Follow these steps to purchase and bind a cross-border acceleration bandwidth plan to the GA instance.

  1. On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
  2. On the buy page, configure the required parameters, and click Buy Now to complete the payment.
    1. Area A: Select the area to connect. Select Mainland China in this topic.
    2. Area B: Select the area to connect.
      • Global: User requests are automatically forwarded to the global optimal egress based on the region where the users are located.
      • China (Hong Kong): All user requests flow from China (Hong Kong) to the global transmission network.

      Select Global in this topic.

    3. Billing Method: Select a billing method for the cross-border acceleration bandwidth plan. Only Pay by Bandwidth is supported.
    4. Bandwidth: Select the bandwidth of the cross-border acceleration bandwidth plan.
      We recommend that you specify the same bandwidth value for the cross-border acceleration bandwidth plan and the basic bandwidth plan. Select 10 Mbit/s in this topic.
    5. Duration: Select the subscription duration.
  3. Return to the Instances page. Find the target GA instance and click Instance ID.
  4. Click the Bandwidth Manage tab.
  5. In the Cross-region Bandwidth Package section, find the target cross-border bandwidth plan, and click Bind in the Actions column.
    If the binding is successful, the cross-border bandwidth plan is in the Bound state.

Step 7: Activate WAF

WAF provides security protection based on the big data technologies of Alibaba Cloud Security. It defends against the common web attacks catalogued by the Open Web Application Security Project (OWASP), including SQL injection, cross-site scripting (XSS), exploitation of vulnerabilities in web server plug-ins, Trojan (webshell) uploads, and unauthorized access to core resources. WAF also blocks volumetric HTTP flood attacks to protect website assets and data and to keep the website available.

This topic describes how to purchase a subscription WAF instance.

  1. Open the WAF product page on the Alibaba Cloud official site, and then log on with your Alibaba Cloud account.
  2. Click Buy Now.
  3. On the Web Application Firewall page, set the following parameters:
    1. Region: Select the region where the WAF instance is deployed.
      Network traffic is filtered by WAF and then forwarded to Global Accelerator. In this topic, China Mainland is selected.
    2. Plan: Select a WAF service plan.
      Different WAF service plans are applicable to different business scales and provide different protection features. For more information, see Editions and features. Enterprise is selected in this topic.
    3. Extra Domain: Specify the number of additional domain names.
      If you need to add multiple domains or more than 10 subdomains to WAF, you must purchase additional domains. For more information, see Additional domain. For this solution, you do not need to purchase additional domains.
    4. Exclusive IP: Specify the number of exclusive IP addresses.
      You can purchase an exclusive IP address when your website domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP. For this solution, you do not need to purchase an exclusive IP address.
    5. Extra Traffic: Specify the size of the bandwidth extension plan to be purchased. Unit: Mbit/s.
      If the total bandwidth of your websites exceeds the bandwidth provided by WAF, you can purchase a bandwidth extension plan. For more information, see Bandwidth extension plan. 100Mbps is selected in this topic.
    6. GSLB: Select whether to enable Global Server Load Balancing (GSLB).
      GSLB uses the multi-node resilience technology. It supports automatic traffic distribution and disaster recovery based on multiple nodes and lines. You can use GSLB to improve the reliability of your service. No is selected in this topic.
    7. Access Log Service: Select whether to enable Log Service.
      Log Service retrieves log data from WAF in real time and then stores the data in Logstores. You can query and analyze the log data, and generate analytics reports online. No is selected in this topic.
    8. Bot Manager: Select whether to enable the Bot Manager feature.
      To mitigate security threats caused by bot traffic, you can enable Bot Manager. For more information, see Set a bot threat intelligence rule and Set a threat intelligence rule to allow requests from specific crawlers. No is selected in this topic.
    9. Mobile App Protection: Select whether to enable mobile application protection.
      You can enable the mobile app protection feature if your business supports native applications and you have security needs for your business, such as trusted communications and prevention of abusing bot scripts. For more information, see Configure application protection. No is selected in this topic.
    10. Service Time: Select the duration of the WAF service.
  4. Click Buy Now and complete the payment.

Step 8: Add website configurations

After WAF is activated, you must configure the forwarding rules for the website protected by WAF.

Take the following steps to configure WAF so that user traffic for the protected domain name is routed through WAF before it reaches the origin:

  1. Log on to the WAF console.
  2. In the top status bar, select the region where your WAF instance is deployed. Mainland China is selected in this topic.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Add Domain Name.
  5. On the Add Domain Name page, set the following parameters:
    1. Domain Name: Enter the domain name for which you want to enable WAF protection. www.example.com is entered in this topic.
      Note
      • Wildcard domain names such as *.aliyun.com are supported. WAF automatically matches all subdomains against the specified wildcard domain.
      • If you enter a wildcard domain and a precise domain name, such as *.aliyun.com and www.aliyun.com, the forwarding rules and protection policies of the exact domain name prevail over those of the wildcard domain.
      • Domain names with the .edu suffix are not supported. To use a .edu domain name, submit a ticket to request technical support.
    2. Protocol Type: Select the protocol that your website supports. HTTP is selected in this topic.
      Note
      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you add the website configuration. For more information, see Upload HTTPS certificates.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Enable HTTPS advanced settings.
      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
        • You have upgraded your WAF instance to the Business or Enterprise edition.
        • You have selected HTTPS.
    3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
      Both IP addresses and domain names are supported as the destination server. After your website is connected to WAF, WAF filters requests and forwards the legitimate ones to this address. In this topic, select IP and enter the accelerated IP addresses that GA assigned to the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions when the acceleration areas were added in Step 3.
    4. Destination Server Port: Specify the protocol port of the website.
      WAF forwards only connections and requests that are destined for the specified origin server ports; requests for other ports are not forwarded. This limits what can reach the origin through WAF, but it does not protect other ports on the origin server itself: the origin EIPs and the GA accelerated IP addresses remain reachable from the Internet, so restrict inbound access at the origin (for example, with security group rules that allow TCP port 9000 only from the addresses GA uses to reach the origin) rather than relying on WAF to hide unused or vulnerable ports.
      Notice Make sure that the protocol and port that you specify in WAF are the same as those of the origin server whose IP address is specified as the server address. Port mapping is not supported.
      The custom port 9000 is specified in this topic.
      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of the Business and Enterprise editions support more non-standard ports, with limits on the total number of ports used by the protected domain name. For more information, see Supported custom ports.
    5. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.
    6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. No is selected in this topic.
    7. Request Tag: Enter an unused header field name and a header field value to label the web requests that WAF forwards to the origin server. WAF adds the specified header field to every filtered request so that your origin server can identify requests that passed through WAF. Choose a long, random value: because the GA accelerated IP addresses accept connections on port 9000 from anywhere, a client can bypass WAF by connecting to them directly, and the origin can only detect this if the tag value cannot be guessed.
      Note If a request already contains the specified header field, WAF overwrites the original field value with the specified value, so a client cannot forge the tag on a request that passes through WAF.
  6. Click Next.
    After you add the website configuration, move the pointer over the protected domain name on the Website Access page to view the CNAME address assigned by WAF.
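The request tag only helps if the origin actually checks it. The following is an added example of that origin-side check, written for this tutorial and not Alibaba Cloud code. It assumes a hypothetical tag header X-Waf-Tag with a placeholder value, a placeholder trusted address range (TEST-NET-3) standing in for the addresses from which the origin receives GA traffic, and that WAF records the client address in X-Forwarded-For, as reverse proxies commonly do; replace all three with your own values. It rejects connections from untrusted peers (direct access to the origin EIP), rejects requests that arrived via GA without the tag (direct access to the accelerated IP on port 9000, bypassing WAF), and recovers the client address from the forwarded header only when the TCP peer is trusted.

```python
"""Origin-side check for requests that should have passed through WAF.

Added example for this tutorial, not Alibaba Cloud code. The header name,
tag value and trusted address ranges are hypothetical placeholders; replace
them with the Request Tag configured in Step 8 and the addresses from which
your origin actually receives traffic.
"""
import hmac
import ipaddress

# Hypothetical: must match the Request Tag header/value configured in WAF.
# Use a long random value; it is the only thing a client connecting straight
# to the GA accelerated IP (bypassing WAF) cannot produce.
WAF_TAG_HEADER = "X-Waf-Tag"
WAF_TAG_VALUE = "7c1f0e0b5d3a4b6c9e2f1a8d4c5b6e7f"

# Hypothetical: ranges the origin accepts TCP connections from. With client IP
# preservation disabled (Step 5) this is the range GA uses to reach the origin;
# TEST-NET-3 is used here as a placeholder.
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip_from_xff(xff_value, peer_ip, trusted=TRUSTED_PEERS):
    """Return the client address from X-Forwarded-For (assumed set by WAF).

    Only a trusted TCP peer makes the header believable. Walk the chain from
    the right, skipping trusted proxies; the first untrusted hop is the client.
    Returns None on malformed input rather than guessing.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        return peer  # header could have been written by the client itself
    hops = [h.strip() for h in (xff_value or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not _is_trusted(addr, trusted):
            return addr
    return peer  # header empty or only proxies: nothing better to report


def validate_request(headers, peer_ip, trusted=TRUSTED_PEERS):
    """Return (accepted, reason, client_ip_or_None) for one request.

    headers: mapping of header name -> value as received by the origin.
    peer_ip: TCP source address of the connection (what the origin sees).
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        # Connection did not come via GA at all: the origin EIP was hit directly.
        return False, "untrusted TCP peer (direct access to origin)", str(peer)
    tag = h.get(WAF_TAG_HEADER.lower(), "")
    if not hmac.compare_digest(tag.encode(), WAF_TAG_VALUE.encode()):
        # Came via GA but not via WAF: accelerated IP hit on port 9000 directly.
        return False, "missing or wrong request tag (WAF bypassed)", None
    client = client_ip_from_xff(h.get("x-forwarded-for"), peer_ip, trusted)
    if client is None:
        return False, "malformed X-Forwarded-For", None
    return True, "ok", str(client)


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    print(validate_request({"X-Waf-Tag": WAF_TAG_VALUE,
                            "X-Forwarded-For": "198.51.100.7"}, "203.0.113.10"))
    print(validate_request({"X-Forwarded-For": "198.51.100.7"}, "203.0.113.10"))
    print(validate_request({"X-Waf-Tag": WAF_TAG_VALUE}, "192.0.2.5"))
```

The header check is defence in depth, not a substitute for network controls: pair it with security group rules on the origin so that the first branch (an untrusted peer) never happens in practice, and rotate the tag value if it is ever exposed in logs.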

Step 9: Configure DNS settings

After you add the website configuration, you must modify the DNS record to map the website domain name to the CNAME address assigned by WAF so that the traffic is redirected to WAF.
Note If you use a third-party DNS service, log on to the system of the DNS provider to modify the DNS record.

Take the following steps to configure DNS settings:

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
  3. On the Configure page, find the DNS record, and click Edit in the Actions column.
  4. In the Edit Record dialog box, edit the host record.
    1. Type: Select CNAME.
    2. Value: Enter the CNAME address assigned by WAF in Step 8.
    3. Keep the remaining settings unchanged.
  5. Click OK.

Step 10: Verify the settings

Take the following steps to verify how GA interacts with WAF to conduct security protection and content delivery acceleration on your website:

  1. Open a browser on a computer in one of the acceleration regions. In this topic, use China (Hangzhou), China (Shanghai), or China (Shenzhen).
  2. Enter the CNAME address assigned by WAF to access the web application service deployed in the US (Silicon Valley) region.
    The test result shows that the web application service in US (Silicon Valley) is reachable through the CNAME address assigned by WAF.
  3. Open a terminal on a computer in one of the acceleration regions. In this example, use China (Hangzhou), China (Shanghai), or China (Shenzhen).
  4. Run the following command to check the network latency of data transmission:
    curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<CNAME address assigned by WAF>[:<Port>]"
    In the output:
    • time_connect: the time it takes to establish the TCP connection.
    • time_starttransfer: the time to first byte, measured from when the client sends the request until it receives the first byte of the response.
    • time_total: the total time from when the client starts the request until the response has been received completely.
    The test result shows that GA reduces the network latency when users from China (Shanghai), China (Hangzhou), and China (Shenzhen) access the web application service in the US (Silicon Valley) region.
    Figure 1. Before Global Accelerator is enabled
    Figure 2. After Global Accelerator is enabled
    Note The performance of the acceleration service provided by GA after it interacts with WAF varies based on your workloads.
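A single curl run is a noisy measurement of cross-border latency. The following is an added example for this verification step, written for this tutorial and not the page's own script: it runs the same curl command as above several times per target and reports the median of each timing field, then expresses the change between a baseline and the accelerated path as a fraction. The URLs in the main block are placeholders; measure() needs network access, while curl_command(), parse_timing(), summarize() and improvement() work offline on the curl output format.

```python
"""Repeated curl timing runs for the latency check in Step 10.

Added example for this tutorial, not the page's own script. It runs the
same curl measurement several times per URL and reports medians, so one
noisy sample does not decide whether GA helped. The URLs in __main__ are
placeholders; measure() needs network access, the other functions do not.
"""
import statistics
import subprocess

FIELDS = ("time_connect", "time_starttransfer", "time_total")
# Same curl -w variables as the command in Step 10, one sample per line.
CURL_FORMAT = " ".join(f"{f}=%{{{f}}}" for f in FIELDS) + "\n"


def curl_command(url):
    """Build the curl argv equivalent to the command used in Step 10."""
    return ["curl", "-o", "/dev/null", "-s", "-w", CURL_FORMAT, url]


def parse_timing(line):
    """Parse one 'name=seconds name=seconds ...' line into a dict of floats."""
    values = {}
    for token in line.split():
        name, sep, value = token.partition("=")
        if sep and name in FIELDS:
            values[name] = float(value)
    missing = set(FIELDS) - set(values)
    if missing:
        raise ValueError(f"sample is missing {sorted(missing)}: {line!r}")
    return values


def summarize(lines):
    """Median of each timing field over several sample lines (blank lines ignored)."""
    samples = [parse_timing(line) for line in lines if line.strip()]
    if not samples:
        raise ValueError("no samples")
    return {f: statistics.median(s[f] for s in samples) for f in FIELDS}


def improvement(before, after):
    """Fraction by which each median fell (positive means faster after)."""
    return {f: (before[f] - after[f]) / before[f] for f in FIELDS}


def measure(url, runs=5):
    """Run curl `runs` times against url and summarize (needs network)."""
    lines = []
    for _ in range(runs):
        proc = subprocess.run(curl_command(url), capture_output=True,
                              text=True, check=True)
        lines.append(proc.stdout)
    return summarize(lines)


if __name__ == "__main__":
    # Placeholder targets: the path used before GA (for example the origin
    # reached directly) and the WAF CNAME that now fronts GA. Replace both.
    before = measure("http://<origin EIP>:9000/")
    after = measure("http://<CNAME address assigned by WAF>:9000/")
    for f in FIELDS:
        print(f"{f}: {before[f]:.3f}s -> {after[f]:.3f}s "
              f"({improvement(before, after)[f]:+.0%})")
```

Run the measurement from the same client in each acceleration region and compare medians rather than single samples; time_connect isolates the effect of the transport path, while time_starttransfer also includes WAF inspection and origin processing.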