Tiered protection lets Anti-DDoS Origin Enterprise work together with Anti-DDoS Pro or Anti-DDoS Premium. You create a tiered protection rule so that common attacks are handled by Anti-DDoS Origin Enterprise. In this case, service traffic is sent directly to the origin server, which adds no latency. If a volumetric DDoS attack occurs, service traffic is forwarded to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing, and normal service traffic is then forwarded to the origin server.
Prerequisites
- Your service uses Alibaba Cloud resources that have public IP addresses, such as an EIP or a WAF, ECS, or SLB instance with a public IP address.
- An Anti-DDoS Origin Enterprise instance is purchased, and the public IP address of your service is added to Anti-DDoS Origin Enterprise. For more information, see Add a protection target.
Note: The Anti-DDoS Origin Enterprise instance must be in the same region as the protected cloud resource, such as an EIP or an ECS, SLB, or WAF instance.
- An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased, and your service is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website (website service) and Create forwarding rules (non-website service).
Notice: The bandwidth and QPS of the Anti-DDoS Pro or Anti-DDoS Premium instance must meet the protection requirements of your service. This ensures that the instance can process service traffic after the traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.
- The Anti-DDoS Pro or Anti-DDoS Premium instance can properly forward traffic. For more information, see Verify the forwarding configuration on your local machine.
Procedure
What to do next
- Switch traffic back: Assume that the general interaction rule has taken effect and service traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium. If the waiting time before switching back has not yet elapsed, you can click Switch back to manually switch the traffic back to the cloud resource.
Note: The Switch back button appears only when service traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium and the waiting time before switching back has not yet elapsed. The following exceptions may occur when you perform this operation:
- If all cloud resources are in blackhole filtering, the operation fails.
- If some cloud resources are in blackhole filtering and some are normal, traffic is switched to the normal cloud resources. After blackhole filtering is deactivated, traffic is automatically switched to other cloud resources.
- Edit an interaction rule: On the General tab, find the rule that you want to edit and click Edit in the Actions column. You can modify parameters except Interaction Scenario and Name.
- Delete an interaction rule: On the General tab, find the rule that you want to delete and click Delete in the Actions column.
Warning: Before you delete an interaction rule, make sure that the service traffic is no longer directed to the CNAME address assigned by Sec-Traffic Manager. Otherwise, your service becomes unavailable after you delete the rule.
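
A pre-deletion check for the warning above, as an added example that is not part of the original documentation: it follows the CNAME chain of the service domain with `dig` and reports whether the CNAME assigned by Sec-Traffic Manager still appears in it. The function names are hypothetical, and the domain and CNAME in the usage comment are constructed placeholders to replace with your own values.

```shell
#!/usr/bin/env bash
# Check whether a service domain still resolves through the CNAME assigned by
# Sec-Traffic Manager before the interaction rule is deleted.
#
# Usage (constructed placeholder values, replace with your own):
#   still_uses_cname www.example.com example.stm-placeholder.invalid
#   echo $?   # 0 = still in use, 1 = not in chain, 2 = chain too long or looping

# Return the CNAME target of a name, or nothing if the name has no CNAME.
lookup_cname() {
    dig +short CNAME "$1" | head -n 1
}

# DNS names are case-insensitive and dig prints a trailing dot: normalize both.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# still_uses_cname DOMAIN STM_CNAME
#   0: STM_CNAME appears in the chain, so deleting the rule would break the service
#   1: the chain ends without reaching STM_CNAME
#   2: more than 10 hops (loop or misconfiguration), treat as "do not delete"
still_uses_cname() {
    local name target want hops=0
    name=$(normalize "$1")
    want=$(normalize "$2")
    while [ "$hops" -lt 10 ]; do
        target=$(normalize "$(lookup_cname "$name")")
        [ -z "$target" ] && return 1      # end of chain, CNAME not found
        [ "$target" = "$want" ] && return 0
        name=$target                      # follow the next hop
        hops=$((hops + 1))
    done
    return 2
}
```

A result of 1 reflects only the resolver that was queried; clients and recursive resolvers that cached the old record can keep following the Sec-Traffic Manager CNAME until its TTL expires.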