If you add a non-website service, such as a port-based service that uses TCP, to Anti-DDoS Pro or Anti-DDoS Premium and the origin server of the service is an Elastic Compute Service (ECS) instance or a virtual private cloud (VPC), your service traffic may be directly forwarded to the origin server. In this case, Anti-DDoS Pro or Anti-DDoS Premium cannot protect your service, and risks may occur. To prevent the risks, we recommend that you perform the following operations:
  • Configure a security group rule for the ECS instance that is used as the origin server. This rule allows only the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance to access your ECS instance and denies the traffic from other IP addresses.

    You can obtain the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see How to view the Anti-DDoS Pro IP addresses?

  • If an IP address such as the egress IP address of your internal network is trusted and you want to use the IP address to access your ECS instance, configure a security group rule to allow the traffic from the trusted IP address.