After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, all traffic sent to the origin server is forwarded by Anti-DDoS Pro or Anti-DDoS Premium. You can configure access control policies to protect the origin server. For example, you can allow inbound traffic only from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. This topic describes how to configure protection policies for the origin server in different network architectures.

Note: Protection policies for the origin server can defend against small volumes of HTTP flood attacks and web attacks. These protection policies cannot prevent large-scale DDoS attacks that bypass Anti-DDoS Pro or Anti-DDoS Premium and directly target the origin server. DDoS attacks may even trigger blackhole filtering for the origin server.

| Website architecture | Protection configuration |
| --- | --- |
| Anti-DDoS Pro or Anti-DDoS Premium + ECS instance | The source IP addresses of requests forwarded to the ECS instance are the actual source IP addresses. You do not need to configure protection policies for the ECS instance. Warning: Protection policies may block back-to-origin traffic from Anti-DDoS Pro or Anti-DDoS Premium. |
| Anti-DDoS Pro or Anti-DDoS Premium + Origin server that is not deployed on Alibaba Cloud | The source IP addresses of requests forwarded to the server are the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium. Configure security software, such as iptables or a firewall, to allow traffic only from the back-to-origin IP addresses and deny all other traffic to protect the origin server. |
| Anti-DDoS Pro or Anti-DDoS Premium + SLB instance + ECS instance | The source IP addresses of requests forwarded to the ECS instance are the actual source IP addresses. You do not need to configure protection policies for the ECS instance. Add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the SLB instance. Enable access control to allow traffic only from the back-to-origin IP addresses and deny all other traffic. For more information, see Enable access control. |
| Anti-DDoS Pro or Anti-DDoS Premium + WAF or Alibaba Cloud CDN + ECS instance | The source IP addresses of requests forwarded to the ECS instance are the back-to-origin IP addresses of WAF or CDN. Configure protection policies in WAF or CDN. For more information, see Configure protection for your origin server. |
| Anti-DDoS Pro or Anti-DDoS Premium + WAF or Alibaba Cloud CDN + Origin server that is not deployed on Alibaba Cloud | |
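
For an origin server that is not deployed on Alibaba Cloud, the "allow only the back-to-origin IP addresses, deny everything else" policy can be expressed with iptables as follows. This is an added example, not Alibaba Cloud's own script: the CIDRs are constructed placeholders, and the chain name `ORIGIN_WEB` and the ports 80/443 are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that admits web traffic only
# from the Anti-DDoS back-to-origin ranges. IPv4 only; ip6tables needs its own.
# Constructed placeholder CIDRs (RFC 5737); use the list from your console.
BACK_TO_ORIGIN_CIDRS="203.0.113.0/24 198.51.100.0/25"
WEB_PORTS="80,443"   # assumed service ports

# valid_cidr CIDR: succeed only for a dotted-quad IPv4 address with /0-32.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr          # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_origin_rules CIDR...: print the ruleset, or fail with no output on bad
# input so that a typo never yields a partial allowlist.
gen_origin_rules() {
    [ "$#" -gt 0 ] || { echo "no back-to-origin CIDRs given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    done
    printf '%s\n' "*filter" ":ORIGIN_WEB - [0:0]"
    # Divert only the web ports; SSH and other services keep their own rules.
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $WEB_PORTS -j ORIGIN_WEB"
    for cidr in "$@"; do
        printf '%s\n' "-A ORIGIN_WEB -s $cidr -j ACCEPT"
    done
    # Anything else reaching the web ports did not come through Anti-DDoS.
    printf '%s\n' "-A ORIGIN_WEB -j DROP" "COMMIT"
}

# Review the output, then validate it without committing:
#   gen_origin_rules $BACK_TO_ORIGIN_CIDRS | iptables-restore --noflush --test
gen_origin_rules $BACK_TO_ORIGIN_CIDRS
```

Keep the CIDR list in sync with the current back-to-origin IP addresses, because a stale allowlist blocks the traffic that Anti-DDoS Pro or Anti-DDoS Premium forwards to the origin.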