You can create Alibaba Cloud CDN (CDN) or Dynamic Route for CDN (DCDN) interaction rules to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. If no DDoS attacks occur after you enable CDN or DCDN interaction, the nearest CDN or DCDN node is used to accelerate service access. Service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if DDoS attacks occur.

Prerequisites

Usage notes

The following table describes the requirements that must be met before you can use CDN or DCDN interaction.
Service type: You can enable CDN or DCDN interaction only for HTTP and HTTPS services. You cannot enable this feature for live video streaming.
Service scenario: You can enable CDN or DCDN interaction in the following service scenarios:
  • Your service is attacked more than three times per week.
  • Your service requires DDoS mitigation settings to immediately take effect.
    Note After service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the settings take effect based on the time to live (TTL) values of your domain name system (DNS) records.
  • Your service bandwidth and QPS exceed the upper limits.
    Note If your service bandwidth exceeds 3 Gbit/s and the QPS exceeds 10,000, submit a ticket to contact technical support.
Status of CDN- or DCDN-accelerated domain names: The CDN- or DCDN-accelerated domain name must not be in a sandbox.
  Note If CDN or DCDN adds your domain name to a sandbox, we recommend that you use only Anti-DDoS Pro or Anti-DDoS Premium and do not enable CDN or DCDN interaction.

Conditions for automatic switchover

When you create a CDN or DCDN interaction rule, you must configure a QPS threshold to trigger automatic traffic switchover between CDN or DCDN and Anti-DDoS Pro or Anti-DDoS Premium.

The following conditions must be met before an automatic switchover can be triggered:
  • Conditions for the switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium
    • The QPS exceeds the threshold for 3 consecutive times within 3 minutes or for more than 6 times within 10 minutes, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.
    • A domain name is added to a sandbox, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.
  • Conditions for the switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN
    • The QPS remains less than 80% of the threshold, and the success rate of protection against HTTP flood attacks remains less than 10% for more than 12 consecutive hours.
    • The IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance has not been in blackhole filtering or traffic scrubbing in the last 60 minutes, and your domain name is not added to a sandbox.
    • Service traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00.
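To make the two sets of conditions concrete, here is an added Python model of the switchover decision (example code written for this page, not part of the original page and not Alibaba Cloud's implementation). It assumes QPS samples are taken once per minute, represents the HTTP flood protection success rate as a fraction between 0 and 1, and uses a constructed series() helper to build sample input.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

GBIT = 1_000_000_000        # bit/s
NODE_LIMIT = 10 * GBIT      # no switchover while node traffic exceeds 10 Gbit/s

@dataclass
class Sample:
    ts: datetime        # time the sample was taken (assumed once per minute)
    qps: float          # requests per second for the domain name
    node_bps: float     # traffic on the CDN/DCDN node, bit/s
    flood_rate: float   # HTTP flood protection success rate, 0.0 to 1.0

def series(start, qps_values, step=timedelta(minutes=1), node_bps=2 * GBIT, flood_rate=0.0):
    """Constructed sample series (hypothetical helper): one Sample per QPS value."""
    return [Sample(start + i * step, q, node_bps, flood_rate) for i, q in enumerate(qps_values)]

def switch_to_ddos(samples, threshold, sandboxed=False):
    """CDN/DCDN -> Anti-DDoS: QPS over the threshold 3 consecutive times within 3 minutes,
    or more than 6 times within 10 minutes, or the domain is sandboxed; node <= 10 Gbit/s."""
    if not samples or samples[-1].node_bps > NODE_LIMIT:
        return False
    if sandboxed:
        return True
    latest = samples[-1]
    last3 = samples[-3:]
    three_in_row = (len(last3) == 3 and all(s.qps > threshold for s in last3)
                    and latest.ts - last3[0].ts < timedelta(minutes=3))
    hits_10min = sum(1 for s in samples
                     if latest.ts - s.ts < timedelta(minutes=10) and s.qps > threshold)
    return three_in_row or hits_10min > 6

def switch_back_to_cdn(samples, threshold, now, last_mitigation_end=None, sandboxed=False):
    """Anti-DDoS -> CDN/DCDN: QPS under 80% of the threshold and flood success rate under 10%
    for more than 12 consecutive hours, no blackhole/scrubbing in the last 60 min, no sandbox, 08:00-23:00."""
    if sandboxed or not (time(8, 0) <= now.time() <= time(23, 0)):
        return False
    if last_mitigation_end and now - last_mitigation_end < timedelta(minutes=60):
        return False
    streak_start = None   # walk back from the newest sample while the domain stays quiet
    for s in reversed(samples):
        if s.qps < 0.8 * threshold and s.flood_rate < 0.10:
            streak_start = s.ts
        else:
            break
    return streak_start is not None and samples[-1].ts - streak_start > timedelta(hours=12)
```

Replaying a few hours of your own QPS history through switch_to_ddos shows whether a candidate threshold would have triggered during a past spike, which is useful when sizing the Request per Second value.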

Create a CDN or DCDN interaction rule

The following procedure describes how to create a CDN or DCDN interaction rule in the Anti-DDoS Pro console. You can also configure CDN interaction in the CDN console. For more information, see Configure Anti-DDoS.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. Click the CDN/DCDN Interaction tab.
  5. Find the domain name for which you want to create a CDN or DCDN interaction rule and click Add Interaction in the Actions column.
  6. In the Add Interaction panel, configure the parameters and click Next.
    (figure: Configure interaction settings)
    Anti-DDoS Instance: The Anti-DDoS Pro or Anti-DDoS Premium instance to which the domain name is added.

    Make sure that the Anti-DDoS Pro or Anti-DDoS Premium instance uses the Enhanced function plan. If the system returns the message "To use the CDN interaction feature, you must purchase the Enhanced Function plan for this instance.", upgrade the instance as prompted.

    If the system returns the message "You have not selected any Anti-DDoS instances.", add your domain name to the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Add a website.

    Cloud Service: If your domain name is added to CDN or DCDN, the cloud service is automatically selected. No manual operations are required.

    If your domain name is not added to CDN or DCDN, select Alibaba Cloud CDN or Alibaba Cloud DCDN and add the domain name as prompted.

    Request per Second: The minimum QPS threshold. If the QPS reaches this threshold, traffic switchover to Anti-DDoS Pro or Anti-DDoS Premium is triggered. For more information, see Conditions for automatic switchover.
    Note We recommend that you set the value to more than two to three times the historical peak QPS of your website to handle traffic spikes. Do not specify a value that is less than 500 even if the QPS of your website is low.
  7. Change the DNS records of the domain name as prompted and click Complete.
    For the cloud service interaction rule to take effect, you must change the DNS records of your domain name on the website of the DNS service provider to map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you only need to change the DNS records in the Alibaba Cloud DNS console.
    Notice After you change the DNS records of your domain name, the cloud service interaction rule takes effect. Before you change the DNS records, we recommend that you modify the hosts file on your computer to verify the cloud service interaction rule. This helps avoid incompatibility issues caused by inconsistent back-to-origin policies. Alibaba Cloud CDN (CDN) allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Pro or Anti-DDoS Premium to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Pro or Anti-DDoS Premium to retrieve data from an Object Storage Service (OSS) object, the normal traffic that is forwarded by Anti-DDoS Pro or Anti-DDoS Premium cannot be identified by OSS. As a result, your services are interrupted. For more information about origin hosts, see Origin hosts.

    For more information about how to verify traffic forwarding rules, see Verify the forwarding configuration on your local machine.

    For more information about how to change the DNS records of a domain name, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

After a CDN or DCDN interaction rule is created, service traffic is routed to the nearest CDN or DCDN node to accelerate service access, and is not scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, as long as the QPS of the domain name does not meet the conditions for the switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium. Service traffic is switched to your instance for scrubbing only when those conditions are met, so that only normal service traffic is forwarded to the origin server. After service traffic is automatically switched to your instance, the instance switches it back to the CDN or DCDN node when the conditions for the switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN are met.

In addition to automatic switchover, you can also manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance and then manually switch the service traffic back to the CDN or DCDN node based on the protection requirements of your services. For more information, see What to do next.

What to do next

After a CDN or DCDN interaction rule is created, you can perform the following operations on the rule.

Switch to DDoS: If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically triggered, you can manually switch the service traffic to the instance for scrubbing. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services.
  (figure: Switchover from CDN to Anti-DDoS Pro or Anti-DDoS Premium)
  Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance only if blackhole filtering is not triggered for the IP address of the instance.
  Notice After you manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, the service traffic cannot be automatically switched back to the CDN or DCDN node. To switch the service traffic back to the CDN or DCDN node, you must click Switch back to manually switch the service traffic.
Switch back: If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, you can manually switch the service traffic back to the CDN or DCDN node.
  (figure: Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN)
  Notice
  • Before you switch the service traffic back to the CDN or DCDN node, make sure that the attacks have stopped and that CDN or DCDN acceleration works as expected. This prevents the CDN- or DCDN-accelerated domain name from being added to a sandbox and prevents service interruptions.
  • If you click Switch to DDoS to switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, you must click Switch back to switch the service traffic back to the CDN or DCDN node.
Edit: You can modify the CDN or DCDN interaction rule and change the QPS threshold (Request per Second) to modify the conditions for the switchover to Anti-DDoS Pro or Anti-DDoS Premium.
Delete: You can delete the CDN or DCDN interaction rule.
  Warning Before you delete an interaction rule, make sure that the domain name of your website is not mapped to the CNAME provided by Sec-Traffic Manager. Otherwise, access to the website may fail after you delete the rule.