If you have added the domain name of your website to Alibaba Cloud CDN (CDN) or Dynamic Route for CDN (DCDN) and Anti-DDoS Pro or Anti-DDoS Premium, you can enable CDN or DCDN interaction to protect your website. If no attacks occur, service traffic is directly forwarded to the nearest CDN or DCDN node for acceleration. If attacks occur, the traffic is automatically forwarded to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing. Then, normal traffic is forwarded to the origin server.

Prerequisites

  • The domain name is added to CDN or DCDN. For more information, see Add a domain name to Alibaba Cloud CDN or Add a domain name to DCDN.

    For more information about the limits of interaction between CDN or DCDN and Anti-DDoS Pro or Anti-DDoS Premium, see Limits.

  • An Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan is purchased, and your website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
    Notice: The specifications, such as the bandwidth and QPS of the Anti-DDoS Pro or Anti-DDoS Premium instance, must meet the protection requirements of your website. This ensures that the instance can process service traffic after the traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.

    If you use an Anti-DDoS Premium Secure Mainland China Acceleration (Sec-MCA) instance, you cannot enable CDN or DCDN interaction.

  • The Anti-DDoS Pro or Anti-DDoS Premium instance can properly forward traffic. For more information, see Verify the forwarding configuration on your local machine.

Limits

The following table describes the requirements that must be met before you can use CDN or DCDN interaction.
Item | Description
Service type | CDN or DCDN interaction applies only to HTTP and HTTPS services and does not support video live streaming.
Service scenario | CDN or DCDN interaction does not apply to the following service scenarios:
  • Your service is attacked more than three times per week.
  • Your service requires that anti-DDoS mitigation settings immediately take effect.
    Note: After service traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium, the settings take effect based on the time to live (TTL) values of your DNS records.
  • Your service bandwidth exceeds 3 Gbit/s, and the QPS exceeds 10,000.
    Note: If your service bandwidth and QPS exceed the limits, submit a ticket to contact technical support.
Domain name status in CDN or DCDN | A CDN- or DCDN-accelerated domain name cannot be added to a sandbox.
Note: If your domain name is added to a sandbox by CDN or DCDN, we recommend that you use only Anti-DDoS Pro or Anti-DDoS Premium and do not enable CDN or DCDN interaction.
Traffic switchover between CDN or DCDN and Anti-DDoS Pro or Anti-DDoS Premium | To enable CDN or DCDN interaction, you must configure a QPS threshold to trigger traffic switchover between CDN or DCDN and Anti-DDoS Pro or Anti-DDoS Premium. The following requirements must be met:
  • Switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium
    • If the QPS exceeds the threshold 3 consecutive times within 3 minutes or more than 6 times within 10 minutes, and the traffic on CDN or DCDN does not exceed 10 Gbit/s, the traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.
      Note: The maximum service bandwidth that an Anti-DDoS Pro or Anti-DDoS Premium instance can protect is 10 Gbit/s.
    • If a domain name is added to a sandbox and the traffic on CDN or DCDN does not exceed 10 Gbit/s, the traffic is switched to Anti-DDoS Pro or Anti-DDoS Premium.
  • Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN
    • If the QPS remains less than 80% of the threshold and the success rate of protection against HTTP flood attacks remains less than 10% for more than 12 consecutive hours, the traffic is switched back to CDN or DCDN.
    • The IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance has not been in blackhole filtering or traffic scrubbing in the last hour, and your domain name is not added to a sandbox.
    • Service traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00.
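
The switchover conditions listed above, written out as a small Python model so you can replay your own traffic history against a candidate threshold. This is an added example, not Alibaba Cloud code: the function and field names are hypothetical, and it assumes one QPS reading per minute and hourly statistics, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MAX_PROTECTED_GBPS = 10.0  # page: traffic on CDN/DCDN must not exceed 10 Gbit/s


@dataclass
class HourStat:
    peak_qps: float
    http_flood_success_rate: float  # 0.0-1.0, as reported for the instance


def should_switch_to_antiddos(qps_samples, threshold, cdn_gbps, sandboxed=False):
    """qps_samples: one reading per minute, oldest first (interval is an assumption)."""
    if cdn_gbps > MAX_PROTECTED_GBPS:
        return False  # bandwidth condition for switchover is not met
    if sandboxed:
        return True
    over = [q > threshold for q in qps_samples]
    three_in_a_row = len(over) >= 3 and all(over[-3:])  # 3 consecutive within 3 min
    more_than_six = sum(over[-10:]) > 6                 # more than 6 within 10 min
    return three_in_a_row or more_than_six


def can_switch_back(hours, threshold, now, last_blackhole_or_scrub=None, sandboxed=False):
    """hours: hourly stats, oldest first; `now` is in the service's clock (assumption)."""
    quiet = 0
    for h in reversed(hours):  # count the most recent unbroken run of quiet hours
        if h.peak_qps < 0.8 * threshold and h.http_flood_success_rate < 0.10:
            quiet += 1
        else:
            break
    if quiet <= 12:  # page: "more than 12 consecutive hours"
        return False
    if sandboxed:
        return False
    if last_blackhole_or_scrub and now - last_blackhole_or_scrub < timedelta(hours=1):
        return False
    return time(8, 0) <= now.time() <= time(23, 0)


if __name__ == "__main__":
    # Constructed readings: threshold of 500 QPS and a short burst above it.
    print(should_switch_to_antiddos([120, 650, 700, 820], 500, cdn_gbps=2.0))
    calm = [HourStat(300, 0.02)] * 13
    print(can_switch_back(calm, 500, datetime(2024, 1, 1, 7, 30)))
```
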

Procedure

The following procedure describes how to configure CDN or DCDN interaction in the Anti-DDoS Pro console. You can also configure CDN or DCDN interaction in the CDN console. For more information, see Configure Anti-DDoS.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. Click the CDN/DCDN Interaction tab.
  5. Find the domain name for which you want to create a CDN or DCDN interaction rule and click Add Interaction in the Actions column.
  6. In the Add Interaction panel, configure the parameters and click Next.
    Parameter | Description
    Anti-DDoS Instance | The Anti-DDoS Pro or Anti-DDoS Premium instance to which the domain name is added.

    Make sure that the Anti-DDoS Pro or Anti-DDoS Premium instance uses the Enhanced function plan. If the system prompts "To use the CDN interaction feature, you must purchase the Enhanced Function plan for this instance.", click Purchase to upgrade the instance.

    If the system prompts "No Anti-DDoS instance selected", add your domain name to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.

    Cloud Service | If your domain name is added to Alibaba Cloud CDN or Dynamic Route for CDN, you do not need to manually select a service.

    If your domain name is not added to Alibaba Cloud CDN or Dynamic Route for CDN, select Alibaba Cloud CDN or Dynamic Route for CDN and add the domain name as required.

    Request per Second | The minimum QPS that triggers traffic switchover to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Limits.
    Note: We recommend that you set the value to more than two to three times the historical peak QPS of your website to deal with traffic spikes. Do not set a QPS lower than 500 even if the QPS of your website is low.
    After the rule is created, Sec-Traffic Manager assigns a CNAME address for the rule. You can view the CNAME address and interaction status of the domain name on the CDN/DCDN Interaction tab.
  7. Modify the DNS records.
    Modify the DNS records of your domain name on the website of the DNS service provider to point the domain name to the CNAME address provided by Sec-Traffic Manager. For more information, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

What to do next

  • Edit an interaction rule: Click the CDN/DCDN Interaction tab. Find the domain name whose interaction rule you want to edit and click Edit in the Actions column. Then, change the Request per Second parameter under Trigger Condition.
  • Delete an interaction rule: Click the CDN/DCDN Interaction tab. Find the domain name whose interaction rule you want to delete and click Delete in the Actions column.
    Warning: Before you delete an interaction rule, make sure that the service traffic is no longer directed to the CNAME address assigned by Sec-Traffic Manager. Otherwise, the service traffic cannot be forwarded after you delete the rule.
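
Both the DNS change in step 7 and the warning above come down to one check: does the domain currently resolve through the CNAME assigned by Sec-Traffic Manager, and how long can cached answers linger? The following added example (not part of the original documentation) parses the output of `dig +noall +answer` to answer that. The host names, including the Sec-Traffic Manager CNAME, are constructed placeholders, and the function names are hypothetical.

```python
def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into (name, ttl, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.startswith(";") or not parts[1].isdigit():
            continue  # skip comments, blank lines and anything that is not a record
        name, ttl, rtype, value = parts[0], int(parts[1]), parts[3], parts[4]
        records.append((name.lower().rstrip("."), ttl, rtype.upper(),
                        value.lower().rstrip(".")))
    return records


def cname_chain(records, domain):
    """Follow CNAME records starting at `domain`; return [(target, ttl), ...]."""
    by_name = {n: (v, ttl) for n, ttl, rtype, v in records if rtype == "CNAME"}
    chain, seen, current = [], set(), domain.lower().rstrip(".")
    while current in by_name and current not in seen:  # `seen` guards against loops
        seen.add(current)
        target, ttl = by_name[current]
        chain.append((target, ttl))
        current = target
    return chain


def check_pointing(dig_text, domain, stm_cname):
    """Report whether `domain` resolves through the Sec-Traffic Manager CNAME."""
    chain = cname_chain(parse_dig_answer(dig_text), domain)
    wanted = stm_cname.lower().rstrip(".")
    return {
        "via_stm": any(target == wanted for target, _ in chain),
        # Longest TTL in the chain: this resolver may keep serving it that long.
        "wait_seconds": max((ttl for _, ttl in chain), default=0),
    }


# Constructed sample outputs; the CNAME values are placeholders, not real addresses.
STM_CNAME = "rule-placeholder.stm.example.net"
POINTED = """\
www.example.com.                  600 IN CNAME rule-placeholder.stm.example.net.
rule-placeholder.stm.example.net.  60 IN A     203.0.113.10
"""
DIRECT = "www.example.com. 300 IN CNAME www.example.com.cdn-placeholder.example.net.\n"

if __name__ == "__main__":
    print(check_pointing(POINTED, "www.example.com", STM_CNAME))
    print(check_pointing(DIRECT, "www.example.com", STM_CNAME))
```

After step 7, `via_stm` should be true. Before deleting a rule it should be false, and it is worth waiting at least `wait_seconds` after the DNS change, since other resolvers may still hold the old record.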