After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, all traffic destined for the origin server of the website is forwarded by Anti-DDoS Pro or Anti-DDoS Premium. You can configure access control lists (ACLs) to protect the origin server. For example, you can allow inbound traffic only from the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance. This topic describes how to configure ACLs for origin servers based on different network architectures.

Note: ACLs on an origin server help only against attacks that reach the origin directly in small volumes, such as HTTP flood attacks and web attacks sent to a leaked origin IP address. They cannot mitigate volumetric DDoS attacks that bypass Anti-DDoS Pro or Anti-DDoS Premium and target the origin server directly: an ACL drops packets only after they have already arrived at the origin, so the attack traffic still consumes the inbound bandwidth of the origin and may trigger blackhole filtering for the origin server. The ACL is a second line of defense and does not replace keeping the origin IP address confidential.
The following list pairs each network architecture of your website with the corresponding ACL configuration description.
Anti-DDoS Pro or Anti-DDoS Premium + Elastic Compute Service (ECS) instance

The origin server is an ECS instance. The back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the origin server by configuring the security group rules of the ECS instance. You can configure security group rules to allow traffic from only the back-to-origin CIDR blocks and deny all traffic from other IP addresses to protect the origin server. You can obtain the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see How to view the Anti-DDoS Pro IP addresses?.

Anti-DDoS Pro or Anti-DDoS Premium + Origin server that is not deployed on Alibaba Cloud

The origin server is deployed outside Alibaba Cloud, for example in your own data center or with another cloud provider. The back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the origin server in the host firewall or other security software on the origin server, such as iptables or nftables, or in the network firewall in front of it. Allow traffic only from the back-to-origin CIDR blocks and deny all traffic from other IP addresses to protect the origin server. Because the list of back-to-origin CIDR blocks is published by Alibaba Cloud and can change, check the list in the console and update the rules when it changes; otherwise legitimate forwarded requests are dropped.
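The two preceding architectures (ECS security group rules, and a host firewall on an origin outside Alibaba Cloud) express the same policy: accept web traffic only from the back-to-origin CIDR blocks and drop everything else. The following script is an added example, not code from the Alibaba Cloud page, that turns a list of back-to-origin CIDR blocks into an iptables-restore ruleset for the second case. The CIDR blocks in it are constructed sample values from the RFC 5737 documentation ranges, not real Anti-DDoS addresses; the ADMIN_CIDR variable for SSH access is a hypothetical convenience; and the refusal of prefixes shorter than /8 is a sanity check chosen for this example, because a catch-all entry such as 0.0.0.0/0 would silently defeat the ACL.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset that allows inbound web traffic
# to the origin only from the Anti-DDoS back-to-origin CIDR blocks and drops
# everything else. Not part of the original Alibaba Cloud documentation.

# Constructed sample back-to-origin CIDR blocks (RFC 5737 documentation
# ranges). Replace with the list shown in your Anti-DDoS console.
SAMPLE_BACK_TO_ORIGIN_CIDRS="203.0.113.0/24 198.51.100.0/25"

# Hypothetical: a CIDR that may reach SSH (port 22). Leave empty to omit.
ADMIN_CIDR="${ADMIN_CIDR:-}"

# valid_cidr CIDR: reject entries that would weaken or break the ACL: a bare
# address without a mask, a non-numeric mask, a prefix shorter than /8
# (policy choice for this example; it rules out 0.0.0.0/0), or a bad octet.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    prefix=${1%/*}
    mask=${1#*/}
    case "$mask" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$mask" -ge 8 ] && [ "$mask" -le 32 ] || return 1
    # Dotted-quad check: exactly four numeric octets in 0-255.
    set -- $(printf '%s' "$prefix" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_origin_acl_rules PORTS CIDR...: print an iptables-restore ruleset.
# PORTS is a comma-separated TCP port list (for example 80,443). Loopback,
# established/related return traffic and the optional admin CIDR stay
# reachable; each back-to-origin CIDR may reach PORTS; the INPUT chain's
# default policy is DROP, so every other inbound packet is discarded.
gen_origin_acl_rules() {
    ports=$1
    shift
    [ $# -gt 0 ] || { echo "no CIDR blocks given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "refusing bad CIDR: $cidr" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$ADMIN_CIDR" ]; then
        printf '%s\n' "-A INPUT -s $ADMIN_CIDR -p tcp --dport 22 -j ACCEPT"
    fi
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -s $cidr -p tcp -m multiport --dports $ports -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (not executed here): review the output, then load it atomically.
#   gen_origin_acl_rules 80,443 $SAMPLE_BACK_TO_ORIGIN_CIDRS > /etc/iptables/origin-acl.rules
#   iptables-restore < /etc/iptables/origin-acl.rules
```

Loading the ruleset through iptables-restore replaces the filter table in one step, so there is no window in which the origin is open or unreachable between rule changes. iptables filters only IPv4; if the origin also has a public IPv6 address, an equivalent ip6tables ruleset is needed, or the IPv6 address will bypass the ACL entirely. Re-run the generator whenever the back-to-origin CIDR list in the console changes.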

Anti-DDoS Pro or Anti-DDoS Premium + Layer 4 Server Load Balancer (SLB) instance + ECS instance

The origin server is an ECS instance. The back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure the ACL on the SLB instance: create an access control list that contains the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance, then enable access control on the listener in whitelist mode so that only traffic from the back-to-origin CIDR blocks is accepted. For more information, see Enable access control.

Anti-DDoS Pro or Anti-DDoS Premium + Layer 7 Application Load Balancer (ALB) instance + ECS instance

The origin server is an ECS instance. Because an ALB instance terminates client connections at Layer 7 and opens its own connections to the backend, the back-to-origin CIDR blocks of the ALB instance, not those of Anti-DDoS Pro or Anti-DDoS Premium, are the source IP addresses of the requests that reach the origin server. The ACL therefore has to be enforced on the ALB instance, where the source IP addresses are still those of Anti-DDoS Pro or Anti-DDoS Premium.

We recommend that you add the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of the ALB instance, then enable access control so that only traffic from the back-to-origin CIDR blocks is accepted. For more information, see Enable access control for ALB instances.

Anti-DDoS Pro or Anti-DDoS Premium + Web Application Firewall (WAF) or Alibaba Cloud CDN (CDN) + ECS instance

The origin server is an ECS instance. The back-to-origin CIDR blocks of WAF or CDN are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the origin server in WAF or CDN, where the requests still arrive from the back-to-origin CIDR blocks of Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Configure protection for an origin server.

Anti-DDoS Pro or Anti-DDoS Premium + WAF or CDN + Origin server that is not deployed on Alibaba Cloud