Alibaba Cloud Content Delivery Network (CDN) integrates with Anti-DDoS to mitigate DDoS attacks for accelerated domain names. This topic describes how to configure Anti-DDoS in the Alibaba Cloud CDN console.


This feature is in invitational preview and primarily intended for users in the finance, retail, transportation, media, and government sectors. You can join the DingTalk group 32615821 to request support. An Anti-DDoS Pro or Premium instance is created. You can purchase Anti-DDoS Pro or Premium instances in the Anti-DDoS console. Anti-DDoS provides a scheduler that integrates Anti-DDoS with other services. We recommend that you configure Anti-DDoS in the Alibaba Cloud CDN console.

Background information

You can use this feature if you require both content delivery acceleration and DDoS mitigation. After this feature is enabled, requests destined for CDN nodes can be automatically redirected to the Anti-DDoS Pro or Premium instance when attacks are detected. After DDoS attacks stop, requests are sent to CDN nodes again.

This feature is applicable to various scenarios, including but not limited to:
  • Finance

    Ensures high availability of services and improves the experience of users across countries. Protects user information, transactions, and data assets to minimize the risk of significant loss caused by attacks.

  • Retail

    Accelerates the delivery of website content and services of e-commerce and ticketing platforms and collaborative software. Mitigates attacks to ensure the availability of services.

  • Media

    Accelerates the delivery of media content. Provides protection to avoid service disruptions caused by traffic spikes or attacks.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. Choose Security Settings > Integration with Anti-DDoS.

    If this feature is not activated for your Alibaba Cloud account, click Activate Now to join the DingTalk group to request support.

  5. Turn on the Anti-DDoS Interaction switch.
  6. Set the Associated Anti-DDoS Service, Association Type, and Target parameters.
    Configure Anti-DDoS
    Note When you manage the security settings of a domain name, the following message appears if the domain name is not protected by Anti-DDoS: No Anti-DDoS Pro/Premium settings are found for the specified domain name.
    • If you have not purchased an Anti-DDoS Pro or Premium instance, you must purchase one in the Anti-DDoS console.
    • If you have already purchased an Anti-DDoS Pro or Premium instance, you must configure the Anti-DDoS Pro or Premium instance in the Anti-DDoS console to have your domain name protected.
  7. Click OK.


On the Integration with Anti-DDoS tab, check whether the settings take effect. ddos-2


After you enable this feature, Alibaba Cloud CDN automatically creates the following service-linked role in Resource Access Management (RAM): AliyunServiceRoleForCDNAccessingDDoS. Alibaba Cloud CDN can assume this role to access the Anti-DDoS Pro or Premium instance. AliyunServiceRoleForCDNAccessingDDoS has the following permissions:
  • DescribeDomainAttackEvents: Queries events of attacks launched against a website.
  • DescribeDomainDDoSAttackEvents: Queries events of DDoS attacks.
  • DescribeDDoSEvents: Queries events of attacks launched against one or more Anti-DDoS Pro or Anti-DDoS Premium instances.
  • DescribeWebRules: Queries the forwarding rules of a website.
  • DescribeDomainQPSList: Queries the number of queries per second (QPS) of a website.
  • DescribeCdnLinkageRules: Queries the parameters set for the integration of Alibaba Cloud CDN and Anti-DDoS.

If you want to delete AliyunServiceRoleForCDNAccessingDDoS, you must disable the integration of Alibaba Cloud CDN and Anti-DDoS for all accelerated domain names. You can then delete the role in the RAM console. For more information, see Service-linked roles.