You can create tiered protection rules to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with Anti-DDoS Origin Enterprise. The tiered protection feature helps resolve the issue that the access latency of normal traffic is increased after you add your website to your Anti-DDoS Pro or Anti-DDoS Premium instance. If you enable tiered protection, Anti-DDoS Origin protects your services, which does not increase access latency. If volumetric attacks occur, Anti-DDoS Pro or Anti-DDoS Premium starts to protect your services instead.

Prerequisites

  • Your services use the Alibaba Cloud resources that have public IP addresses, such as an elastic IP address (EIP) or a Web Application Firewall (WAF), Elastic Compute Service (ECS), or Server Load Balancer (SLB) instance that has a public IP address.
  • An Anti-DDoS Origin Enterprise instance is purchased. The IP address of your cloud resource or an elastic IP address (EIP) is added to the instance for protection. The cloud resource can be an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, or Web Application Firewall (WAF) instance.
    Notice The Anti-DDoS Origin Enterprise instance must reside in the same region as your cloud resource.

    For more information, see Purchase an Anti-DDoS Origin Enterprise instance and Add a cloud service to Anti-DDoS Origin Enterprise for protection.

  • An Anti-DDoS Pro instance of the Profession mitigation plan or an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan is purchased.
    Notice The clean bandwidth and queries per second (QPS) of the instance must meet the protection requirements of your services.

    For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • Your website is added to the Anti-DDoS Pro or Anti-DDoS Premium instance.

    For more information, see Add a website.

  • The Anti-DDoS Pro or Anti-DDoS Premium instance forwards service traffic as expected.

    For more information, see Verify the forwarding configuration on your local machine.

Create a tiered protection rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the General tab, click Create Rule.
  5. In the Create Rule panel, configure a tiered protection rule and click Next.
    Figure 1. Sample configuration of a tiered protection rule in the Anti-DDoS Pro console
    Tiered protection rule
    Parameter Description
    Interaction Scenario Select Tiered Protection.
    Name Enter a name for the rule.

    The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).

    Anti-DDoS Instance IP Select an Anti-DDoS Pro or Anti-DDoS Premium instance.
    Cloud Service Cloud Resource IP: Select the region where the cloud resource resides and enter the IP address of the cloud resource.
    Notice You must enter an EIP or enter the IP address of a cloud resource that is added to the Anti-DDoS Origin Enterprise instance. The cloud resource can be an ECS instance, SLB instance, or WAF instance. For more information, see Add a cloud service to Anti-DDoS Origin Enterprise for protection.
    You can click Add Cloud Resource IP to add more IP addresses. You can add a maximum of 20 IP addresses.
    Note After you add multiple IP addresses, these IP addresses are associated with the specified Anti-DDoS Pro or Anti-DDoS Premium instance. If one of the IP addresses is attacked, service traffic is forwarded to other IP addresses. Service traffic is forwarded to the Anti-DDoS Pro or Anti-DDoS Premium instance only if all IP addresses are attacked. For more information about how to forward service traffic to Anti-DDoS Pro or Anti-DDoS Premium when one of the IP addresses is attacked, see Share one Anti-DDoS Pro or Anti-DDoS Premium instance among multiple cloud resources.
    The waiting time of switching back Specify the waiting time before the service traffic is switched from your Anti-DDoS Pro or Anti-DDoS Premium instance back to the IP address of a cloud resource. When the attack stops and the waiting time that you specify elapses, the service traffic is automatically switched back to the IP address of the cloud resource.

    You can specify a value that ranges from 30 to 120. Unit: minutes. We recommend that you set the value to 60.

  6. Change the DNS records of the domain name as prompted and click Complete.
    For the cloud service interaction rule to take effect, you must change the DNS records of your domain name on the website of the DNS service provider to map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you need only to change the DNS records in the Alibaba Cloud DNS console.
    Notice After you change the DNS records of your domain name, the cloud service interaction rule takes effect. Before you change the DNS records, we recommend that you modify the hosts file on your computer to verify the cloud service interaction rule. This helps avoid incompatibility issues caused by inconsistent back-to-origin policies. Alibaba Cloud CDN (CDN) allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Pro or Anti-DDoS Premium to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Pro or Anti-DDoS Premium to retrieve data from an Object Storage Service (OSS) object, the normal traffic that is forwarded by Anti-DDoS Pro or Anti-DDoS Premium cannot be identified by OSS. As a result, your services are interrupted. For more information about origin hosts, see Origin hosts.

    For more information about how to verify traffic forwarding rules, see Verify the forwarding configuration on your local machine.

    For more information about how to change the DNS records of a domain name, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

After the tiered protection rule is created, Anti-DDoS Origin Enterprise automatically protects the service traffic that is destined for the IP address. The service traffic is automatically switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if volumetric DDoS attacks occur on the IP address. This way, only normal traffic is forwarded to the cloud resource. After the service traffic is automatically switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the instance switches the service traffic back to the cloud resource when the attacks stop and the waiting time that you specify elapses. This way, Anti-DDoS Origin Enterprise continues to protect your services.

In addition to automatic switchover, you can also manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance and then manually switch the service traffic back to the cloud resource based on the protection requirements of your services. For more information, see What to do next.

What to do next

After a cloud service interaction rule is created, you can perform the following operations on the rule.

Operation Description
Switch to DDoS If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically triggered, the Green icon is displayed in the Cloud Service column. In this case, you can manually switch service traffic to the instance for scrubbing. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services. Switch to DDoS
Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance only if blackhole filtering is not triggered for the IP address of the instance.
Notice After you manually switch service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, the service traffic cannot be automatically switched back to the associated cloud resources. To switch the service traffic back to the associated cloud resources, you must click Switch back to manually switch the service traffic.
Switch back If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, the Green icon is displayed in the Anti-DDoS Instance IP column. In this case, you can manually switch the service traffic back to the associated cloud resources. Switch back
Notice
  • Before you manually switch the service traffic, make sure that the attacks stop and the associated cloud resources also work as expected. This prevents the associated cloud resources from being added to sandboxes and prevents service interruptions.
  • If you click Switch to DDoS to switch service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, you can switch the service traffic back to the associated cloud resource only by clicking Switch back.

If blackhole filtering is triggered for the IP addresses of all associated cloud resources, the switchback fails. If blackhole filtering is deactivated for some cloud resources, service traffic is first switched back to these cloud resources. After blackhole filtering is deactivated for the remaining cloud resources, service traffic is also switched back to these cloud resources.

Edit You can modify the cloud service interaction rule. However, you cannot change the values of Interaction Scenario and Name for the rule.
Delete You can delete the cloud service interaction rule.
Warning Before you delete a rule, make sure that the domain name of your website is not mapped to the CNAME provided by Sec-Traffic Manager. Otherwise, access to the website may fail after you delete the rule.