Global Accelerator (GA) provides enterprise mailbox service providers a cross-border acceleration solution based on big data technologies of Alibaba Cloud Security, and high-bandwidth BGP lines and the global transmission network of Alibaba. GA allows service providers to deploy their services on a global scale. Users can connect to the nearest access point over the global transmission network for service delivery acceleration. It interacts with Web Application Firewall (WAF) to ensure the security and efficiency of service delivery.

Prerequisites

Before you use the service, make sure that the following requirements are met:
  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, click Create an Alibaba Cloud account.
  • Your website has an Internet Content Provider (ICP) filing.

Background information

An enterprise mailbox server is deployed in the China (Beijing) region of Alibaba Cloud. The origin server provides mailbox services through two Alibaba Cloud Elastic IP addresses. The forwarding port is TCP port 9000. Most of the ERP system users are in China (Hong Kong) and Singapore. Users often suffer from slow data transfer and logon timeout issues when they use the mailbox service, due to the unstable cross-border public network. The enterprise mailbox service frequently receives website attacks, which severely affect the security and availability of the mailbox service. To resolve these issues, you can deploy GA to interact with WAF to route user traffic to the nearest access point over the global transmission network. This improves the efficiency and security of cross-border data transmission.
Figure: Mailbox service architecture

As shown in the preceding figure, you can create a GA instance, specify Germany (Frankfurt) and Singapore as acceleration areas, and deploy the WAF service outside China. After you deploy these services, you can connect to the nearest web protection nodes in Germany and Singapore by using the intelligent load balancing feature of WAF. WAF detects and blocks malicious traffic, and reroutes only the normal traffic to the origin servers based on protection policies. In this topic, requests from users in Germany (Frankfurt) and Singapore first pass through WAF for traffic scrubbing, and then are forwarded to accelerated IP addresses. In this way, users can connect to the nearest access point over the global transmission network. This reduces the network latency and reinforces the security of content delivery.

Procedure

Configuration process

Step 1: Create a GA instance

Each GA instance is an acceleration service running on a global scale.

To create a GA instance, follow these steps:

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click Create Instance.
  3. On the buy page, set the required parameters, and click Buy Now.
    1. Select the specification of the GA instance that you want to purchase. Select Small Ⅱ in this topic.
      GA supports the following types of instance specifications: Small I, Small II, Small III, Medium I, Medium II, and Medium III. The acceleration performance varies, depending on the instance specification.
      Instance specification   Number of acceleration regions   Peak bandwidth   Maximum number of concurrent connections
      Small I                  1                                20 Mbit/s        5,000
      Small II                 2                                40 Mbit/s        10,000
      Small III                3                                60 Mbit/s        15,000
      Medium I                 5                                100 Mbit/s       25,000
      Medium II                8                                160 Mbit/s       40,000
      Medium III               10                               200 Mbit/s       50,000
    2. Select the subscription duration of the GA instance.

Step 2: Purchase and bind a basic bandwidth plan

A basic bandwidth plan provides bandwidth resources for data transmission over the global network and the internal network of Alibaba Cloud. To achieve global acceleration, you need to purchase a basic bandwidth plan and bind the basic bandwidth plan to a GA instance.

To purchase and bind a basic bandwidth plan to a GA instance, follow these steps:

  1. On the Instances page, click Purchase Basic Bandwidth Plan.
  2. On the buy page, configure the required parameters, and click Buy Now to complete the payment.
    1. Bandwidth Type: Select the type of the basic bandwidth plan. Select Enhanced in this topic.
      Basic bandwidth plans support three types of bandwidth: basic acceleration bandwidth, enhanced acceleration bandwidth, and premium acceleration bandwidth. The acceleration type, acceleration backend service, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type, as shown in the following table.
      Bandwidth type: Basic acceleration bandwidth
        • Acceleration type: Applications that are deployed on Alibaba Cloud
        • Acceleration backend service: Alibaba Cloud Elastic IP address
        • Acceleration scope: By default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      Bandwidth type: Enhanced acceleration bandwidth
        • Acceleration type: Applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
        • Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name
        • Acceleration scope: By default, network connections within mainland China are accelerated. If you also purchase a cross-border bandwidth plan, network connections between mainland China and areas outside mainland China are also accelerated.
      Bandwidth type: Premium acceleration bandwidth
        • Acceleration type: Applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
        • Acceleration backend service: Alibaba Cloud Elastic IP address, custom IP address, or custom domain name
        • Acceleration scope: By default, network connections are accelerated on a global scale. Network traffic transmitted from mainland China to areas outside mainland China is directed to the Hong Kong (China) region and then forwarded to the global network. If you also purchase a cross-border bandwidth plan, the acceleration of network connections between mainland China and areas outside mainland China is reinforced.
    2. Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. Select 10 Mb in this topic.
    3. Duration: Select the duration of the basic bandwidth plan.
  3. Return to the Instances page, and click the ID of the GA instance that you have created.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Plan field, find the target plan that you want to manage, and click Bind in the Actions column.
    If the binding is successful, the basic bandwidth plan is in the Bound state.
    Figure: Acceleration bandwidth 10 Mb

Step 3: Purchase and bind a cross-border acceleration bandwidth plan

The cross-border acceleration bandwidth plan can be used to optimize network acceleration between mainland China and regions outside mainland China.

Follow these steps to purchase and bind a cross-border acceleration bandwidth plan to the GA instance.

  1. On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
  2. On the buy page, configure the required parameters, and click Buy Now to complete the payment.
    1. Area A: Select the area to connect. Select Mainland China in this topic.
    2. Area B: Select the area to connect.
      • Global: User requests are automatically forwarded to the global optimal egress based on the region where the users are located.
      • China (Hong Kong): All user requests flow from China (Hong Kong) to the global transmission network.

      Select Global in this topic.

    3. Billing Method: Select a billing method for the cross-border acceleration bandwidth plan. Only Pay by Bandwidth is supported.
    4. Bandwidth: Select the bandwidth of the cross-border acceleration bandwidth plan.
      We recommend that you specify the same bandwidth value for the cross-border acceleration bandwidth plan and the basic bandwidth plan. Select 10Mb in this topic.
    5. Duration: Select the duration of the cross-border bandwidth plan.
  3. Return to the Instances page. Find the target GA instance and click the instance ID.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Cross-region Bandwidth Package section, find the target cross-border acceleration bandwidth plan, and click Bind in the Actions column.
    Cross-border binding
    After you bind the cross-border acceleration bandwidth plan to the GA instance, the status of the plan is changed to Bound.

Step 4: Add an acceleration area

After you purchase a basic bandwidth plan, you must add one or more acceleration areas where end users are located, and allocate bandwidth to these areas.

To add an acceleration area, follow these steps:

  1. On the Instances page, click the ID of the GA instance that you have created in step 1.
  2. On the instance details page, click the Acceleration Areas tab, and then click Add Acceleration Area.
  3. In the Add Acceleration Area dialog box, set the required parameters as follows, and click OK.
    1. Acceleration Area: Select the area where the GA service is deployed. In this topic, select Asia Pacific.
    2. Regions: Select the regions where the end users are located. Select Singapore.
    3. Bandwidth: Specify the amount of bandwidth that you want to allocate to the region. Select 5 Mbps in this topic.
  4. Repeat the preceding steps to add the Germany region in the Europe area as an acceleration area and allocate 5 Mbit/s of bandwidth to the Germany region.
After the acceleration area is added, Global Accelerator assigns an accelerated IP address to each region in the acceleration area for network acceleration purposes.
Figure: Acceleration bandwidth 5 Mbit/s

Step 5: Create a listener

A listener monitors inbound connection requests from clients. GA forwards connection requests to the origin server based on the specified protocol and port.

To add a listener to a Global Accelerator instance, follow these steps:

  1. On the Instances page, click the ID of the GA instance that is created in Step 1.
  2. On the instance details page, click the Listeners tab. Then, click Add Listener.
  3. On the Configure Listener & Protocol page, configure the listener:
    1. Listener Name: Enter a name for the listener to be created. The name must be 2 to 128 characters in length and can contain letters, Chinese characters, digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.
    2. Protocol: Select a protocol for the listener. Select TCP in this topic.
    3. Port Number: Enter a port or port range for receiving and forwarding requests to the endpoints. Valid values: 1 to 65499. Enter 9000 in this topic.
    4. Client Affinity: Enable or disable client affinity. When client affinity is enabled, requests from a specific source (client) IP address are always routed to the same endpoint. Select Source IP Address in this topic.
    Listeners
  4. Click Next to configure an endpoint group.

Step 6: Configure an endpoint group

Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After the association is complete, traffic is distributed to the optimal endpoints in the associated endpoint groups.

To create an endpoint group, follow these steps:

  1. Endpoint Group Name: Enter a name for the endpoint group.
  2. Select the region where the endpoint group is located, that is, the region where the origin server is located.
    Select Beijing in this topic.
  3. Select whether to deploy the backend service on Alibaba Cloud or non-Alibaba Cloud. Select non-Alibaba Cloud.
  4. Select whether to enable or disable client IP address reservation in the specified region. After this feature is enabled, backend servers can obtain the source IP addresses of clients. Disable this feature for the origin server in this topic.
    Note The client IP address reservation feature is available only to whitelisted users. To use it, submit a ticket.
  5. Set the following parameters of endpoints:
    1. Backend Service Type: Select EIP.
    2. Backend Service: Select the EIP that is used to provide backend services.
    3. Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA distributes network traffic to endpoints based on the predefined weights of the endpoints.
      Notice If the weight of an endpoint is set to 0, GA stops distributing traffic to the endpoint.
  6. Click Next to view the configurations. After confirmation, click Next.

Step 7: Activate the WAF service

WAF is empowered by big data technologies of Alibaba Cloud Security. WAF helps you defend against common web attacks such as SQL injections, cross-site scripting (XSS), web shells, Trojans, and unauthorized downloads, and HTTP flood attacks. WAF protects your web resources from exposure and ensures the security and availability of your website.

  1. Enter the WAF product page on the Alibaba Cloud International site, and then log on with your Alibaba Cloud account.
  2. Click Buy Now.
  3. On the buy page, set the following parameters.
    1. Region: Select the region where the WAF instance is located.
      In this topic, network traffic is forwarded through WAF over the GA network. Select Overseas Region.
    2. Plan: Select the version of WAF service to be activated.
      Different WAF instance types support different business scales and protection features. For more information, see Editions and features. Select Enterprise in this topic.
    3. Extra Domain: Specify the number of additional domains to be activated.
      If you want to add multiple domains (or more than 10 subdomains) to WAF, you can activate additional domains. For more information, see Additional domains. Do not purchase any additional domain in this topic.
    4. Exclusive IP: Specify the number of exclusive IP addresses to be purchased.
      You can purchase an exclusive IP address when your website domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP. This topic does not involve the purchase of exclusive IP addresses.
    5. Extra Traffic: Specify the size of the bandwidth extension plan to be purchased. Unit: Mbit/s.
      If the total bandwidth of your websites exceeds the service bandwidth of WAF, you can purchase the bandwidth extension plan. For more information, see Bandwidth extension plans. Do not purchase a bandwidth extension plan in this topic.
    6. GSLB: Select whether to enable Global Server Load Balancing (GSLB).
      GSLB uses the multi-node resilience technology. It distributes network traffic based on multiple nodes and lines for disaster recovery and high service reliability. Select Yes in this topic.
    7. Log Service: Select whether to enable Log Service.
      Log Service retrieves log data from WAF in real time and then stores the data in Logstores. You can query and analyze the log data, and generate analytics reports online. Select No in this topic.
    8. Bot Manager: Enable or disable the Bot Manager feature.
      To mitigate security threats caused by bot traffic, you can purchase Bot Manager. For more information, see Set a bot threat intelligence rule and Set a threat intelligence rule to allow requests from specific crawlers. Select No in this topic.
    9. Mobile App Protection: Enable or disable mobile application protection.
      You can enable the mobile app protection feature if your business supports native applications and you have security needs for your business, such as trusted communications and prevention of abusing bot scripts. For more information, see Configure application protection. Select No in this topic.
    10. Service Time: Select the validity period of the WAF service.
  4. Click Buy Now to complete the payment.

Step 8: Add website configurations

After you activate the WAF service, you must configure the forwarding rule for the website protected by WAF.

To forward network traffic of the protected domain name to WAF in DNS proxy mode, follow these steps.

  1. Log on to the WAF console.
  2. On the top of the page, select the region of the WAF instance that you want to manage. Select International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Add Domain Name.
  5. Optional: On the Add Domain Name page, click Manually Add Other Websites.
    Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
  6. Follow the Add Domain Name wizard to complete the configuration.
    1. Domain Name: Enter the domain name for which you want to enable WAF protection. Enter www.example.cn in this topic.
      Note
      • This parameter supports precise domain names such as www.aliyun.com and wildcard domain names such as *.aliyun.com.
        • If you use a wildcard domain name, WAF automatically matches all subdomains against the wildcard domain name.
        • If you configure both a wildcard domain name and a precise domain name for a website, forwarding rules and protection policies of the precise domain name prevail over those of the wildcard domain name.
      • The .edu domain names are not supported. If you want to use a .edu domain name, submit a ticket to request technical support.
    2. Protocol Type: Select the protocol supported by the website. Select HTTP in this topic.
      Note
      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Upload HTTPS certificates.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to accelerate your application. For more information, see Enable HTTPS advanced settings.
      • To enable protection for HTTP 2.0 requests, make sure the following conditions are met:
        • You have upgraded your WAF instance to the Business or Enterprise edition.
        • You have selected HTTPS.
    3. Server Address: Select a server address type and enter the address of the origin server.
      Both IP and Other address formats are supported. After you connect your website to WAF, WAF redirects filtered requests to the specified address. Select IP address in this topic. Then, enter the accelerated IP addresses that are assigned to the Germany (Frankfurt) and Singapore regions by the GA instance in the preceding steps.
    4. Server Port: Configure the protocol port of the website.
      WAF uses the specified ports to receive and forward user traffic for your website. Network traffic destined for the website domain name is forwarded only through the specified service ports. WAF does not forward traffic received on unspecified ports to the origin server. Therefore, ports that you did not specify are not exposed through WAF, even if they are open or vulnerable on the origin server.
      Notice Make sure that the protocol and port that you have specified in WAF are the same as those of the origin server whose IP address is specified as the server address. Port mapping is not supported.
      Enter the custom port 9000 in this topic.
      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of the Business and Enterprise editions support more non-standard ports, and have limits on the total number of ports used by the protected domain name. For more information, see Customize server ports.
    5. Load Balancing Algorithm: If you have specified more than one origin IP address, select IP hash, Round Robin, or Least time. WAF distributes requests to these servers based on the specified algorithm. Select Least time in this topic.
      Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.
    6. Whether a layer-7 proxy (such as Anti-DDoS Pro and CDN) is enabled: Select Yes or No based on the actual workload of your website. Select No in this topic.
    7. Traffic Labeling: Enter an unused Header Field Name and specify a Header Field Value to label the Web requests that are redirected to the origin server through WAF. WAF adds the specified header field to the filtered requests. This enables your origin server to identify the requests redirected by WAF.
      Note If a request already contains the specified header field, WAF overwrites the original field value with the specified value.
  7. Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME address allocated by WAF to receive inbound traffic.
    WebCNAME
  8. Click Next. Click Complete, and return to the website list.
    Note If you have enabled a third-party firewall for your server, disable the firewall or add the WAF IP address in the following figure to the whitelist of the enabled firewall so that the firewall will not block requests forwarded from WAF. If you are not using a third-party firewall, ignore the information in the following figure.
    WAF IP address

Step 9: Configure DNS settings

After you add the website configuration, you must modify the DNS record to map the website domain name to the CNAME address assigned by WAF so that the traffic is redirected to WAF.
Note If you use a third-party DNS service, log on to the system of the DNS provider to modify the DNS record.

Follow the steps to configure DNS settings.

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
  3. On the Configure page, find the DNS record, and click Edit in the Actions column.
  4. In the Edit Record dialog box, edit the host record.
    1. Type: Select CNAME.
    2. Value: Enter the CNAME address assigned by WAF.
    3. Keep the other settings unchanged.
    Edit the record
  5. Click OK.

Step 10: Verify the settings

To verify the performance of the acceleration and protection services after Global Accelerator interacts with WAF and GTM, follow these steps:

  1. Open a web browser on a client located in the region of an access point. In this topic, use a client in China (Hong Kong) or Singapore.
  2. Enter the domain name of the enterprise mailbox service deployed in the China (Beijing) region to access the service.
    The test result shows that you can access the mailbox service deployed in the China (Beijing) region by visiting the domain name of the enterprise mailbox service.
    Figure: Verify the performance
  3. Launch the Command Prompt on your computer in the Germany (Frankfurt) or Singapore region in this topic.
  4. Run the following command to check the latency of data transmission.
    curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<the domain name of the enterprise mailbox service>[:<port>]"
    In the output:
    • time_connect: The amount of time that it takes to establish the TCP connection.
    • time_starttransfer: The data transmission start time, that is, the time from when the client sends the request until the backend server returns the first byte of the response.
    • time_total: The total connection time, that is, the time from when the client sends the connection request until the backend server completes its response.
    The test result shows that GA has reduced the network latency of data transmission for users in Germany (Frankfurt) and Singapore when they access the mailbox service deployed in the China (Beijing) region.
    Figure 1. The latency of data transmission before GA is used
    Figure 2. The latency of data transmission after GA is used
    Note The acceleration performance after GA interacts with WAF varies based on your workloads.
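A single curl run gives one noisy sample, so a before/after GA comparison is more reliable when the timings from the command above are collected several times and summarized. The following script is an added example, not part of the original topic: sample_timings runs the page's curl timing command repeatedly, and summarize_timings reports min, median and max per metric. It assumes curl and awk are available and that the target (the www.example.cn domain name and port 9000 used in this topic) is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original Alibaba Cloud topic).
# Collect the Step 10 curl timings several times and summarize them, so that
# latency before and after GA is compared on medians rather than single runs.

# Run curl SAMPLES times against TARGET and print one line per run, e.g.
#   connect=0.123 starttransfer=0.456 total=0.789
sample_timings() {
    target=$1
    samples=${2:-5}
    i=0
    while [ "$i" -lt "$samples" ]; do
        curl -o /dev/null -s \
            -w 'connect=%{time_connect} starttransfer=%{time_starttransfer} total=%{time_total}\n' \
            "$target"
        i=$((i + 1))
    done
}

# Read sample lines (as printed by sample_timings) on stdin and print
# min / median / max in milliseconds for each metric.
summarize_timings() {
    awk '
    {
        # each field is metric=seconds; store values per metric in ms
        for (f = 1; f <= NF; f++) {
            split($f, kv, "=")
            v[kv[1], ++n[kv[1]]] = kv[2] * 1000
        }
    }
    END {
        order[1] = "connect"; order[2] = "starttransfer"; order[3] = "total"
        for (k = 1; k <= 3; k++) {
            m = order[k]; c = n[m]
            if (c == 0) continue
            # copy this metric into a[], then insertion-sort it for the median
            for (i = 1; i <= c; i++) a[i] = v[m, i]
            for (i = 2; i <= c; i++) {
                x = a[i]; j = i - 1
                while (j > 0 && a[j] > x) { a[j + 1] = a[j]; j-- }
                a[j + 1] = x
            }
            med = (c % 2) ? a[(c + 1) / 2] : (a[c / 2] + a[c / 2 + 1]) / 2
            printf "%s: min=%.0fms median=%.0fms max=%.0fms n=%d\n", m, a[1], med, a[c], c
        }
    }'
}

# Usage (not run here; needs network access). Run once from a client in the
# accelerated region against the direct origin and once against the domain
# name that now resolves through WAF and GA, then compare the medians:
#   sample_timings "http://<origin-eip>:9000/" 5 | summarize_timings
#   sample_timings "http://www.example.cn:9000/" 5 | summarize_timings
```

Run both commands from the same client within a few minutes of each other, because cross-border latency on the public network fluctuates over time.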