Accelerate multiple HTTPS domains by configuring multiple certificates on a single Global Accelerator (GA) instance.
Use cases
This topic uses the following scenario: A company is headquartered in the US (Silicon Valley) region and has two servers on Alibaba Cloud. Both servers host web services and are accessible through different domain names. Clients are primarily located in the China (Hong Kong) region. The company's web services face the following challenges:
Unstable Internet connections often cause high latency, jitter, and packet loss.
Multiple servers provide services through different domain names. Accelerating each domain name separately results in high costs.
To address these issues, the company plans to use Global Accelerator (GA) and configure an HTTPS listener. An HTTPS listener accelerates multiple HTTPS domains by using the following features:
Support for multiple certificates: Associate multiple domain names with a single HTTPS listener by binding multiple certificates to it.
Domain-based forwarding rules: Create forwarding rules to route requests for different domain names to specific backend servers.
Data encryption: Client requests are encrypted, ensuring the security of data in transit.
The following table describes the web server details and the traffic forwarding plan after implementing GA.
Parameter | Domain name 1 (xxxtest.cloud) | Domain name 2 (xxxtest.fun) |
Listener protocol | HTTPS | |
Listener port | 443 | |
Certificate | Default certificate A | Additional certificate B |
Forwarding rule | Default forwarding rule | Custom forwarding rule |
Endpoint group | Default endpoint group | Virtual endpoint group |
Server | Server 1 | Server 2 |
Server service protocol | HTTP | HTTPS |
Server service port | 80 | 443 |
Server public IP address | 47.XX.XX.62 | 47.XX.XX.34 |
Certificates configured in GA encrypt data on the client-to-GA path. Certificates on the backend servers encrypt data on the GA-to-backend-server path. The certificates configured in GA can be the same as those installed on the backend servers.
Prerequisites
An SSL certificate is purchased and an application is submitted to apply for the SSL certificate. For more information, see Purchase an SSL certificate and Submit a certificate application.
The certificate is uploaded to the backend servers. For more information, see Use Cloud Assistant to upload a file to ECS instances.
An HTTP service that uses port 80 is deployed on Server 1 and an HTTPS service that uses port 443 is deployed on Server 2.
You have configured A records for domain name 1 xxxtest.cloud and domain name 2 xxxtest.fun to point the domain names to the public IP addresses of the backend servers.
In this example, Nginx is used to configure backend HTTP 80 and HTTPS 443 services, and Alibaba Cloud DNS is used to configure DNS records. If you use a third-party DNS service, refer to the documentation from your service provider.
Procedure
This topic shows you how to configure a standard pay-as-you-go GA instance to accelerate multiple HTTPS domains. Before you create a standard pay-as-you-go GA instance, note the following information:
Pay-as-you-go GA instances use the Pay-by-data-transfer bandwidth billing method and do not need to be associated with a bandwidth plan. The fees for data transfer over the GA network are settled and billed by Cloud Data Transfer (CDT). For more information, see Data transfer fee.
The first time you use a pay-as-you-go GA instance, you must Activate the Service.
Step 1: Configure basic information about an instance
Log on to the GA console.
On the Instances page, click Create Standard Pay-as-you-go Instance.
In the Basic Instance Configuration step, configure the parameters based on the following table and click Next.
Parameter | Description |
GA Instance Name | Enter a name for the GA instance. |
Instance Billing Method | Pay-As-You-Go is selected by default. You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard Global Accelerator instances. For more information about instance fees and CU fees, see Billing of pay-as-you-go GA instances. For more information about data transfer fees, see Pay-by-data-transfer. |
Resource Group | Select the resource group to which the standard Global Accelerator instance belongs. The resource group must be created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group. |
Step 2: Configure an acceleration area
Specify acceleration regions and allocate bandwidth to each acceleration region.
In the Configure Acceleration Area step, configure the parameters based on the following table and click Next.
Parameter | Description |
Acceleration Area | Select one or more regions from the drop-down list and click Add. In this example, the China (Hong Kong) region in the Asia Pacific section is selected. |
Assign Bandwidth | |
Maximum Bandwidth | Specify the maximum bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s. The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT. In this example, the default value 200 Mbit/s is used. Important: If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements. |
IP Protocol | Select the IP version that is used to connect to Global Accelerator. In this example, the default value IPv4 is selected. |
ISP Line Type | Select an ISP line type for the Global Accelerator instance. BGP (Multi-ISP) is selected in this example. |
Step 3: Configure a listener
A listener listens for connection requests and distributes the requests to endpoints based on the port and the protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoint in the endpoint group.
In the Configure listeners step, configure the listeners, and click Next.
Parameter | Description |
Listener Name | Enter a name for the listener. |
Routing Type | Select a route type. In this example, Intelligent Routing is selected. |
Protocol | Select a protocol type for the listener. In this example, HTTPS is selected. |
Port | Specify the listener port that is used to receive and forward requests to endpoints. The port number must be in the range of 1 to 65499. In this example, the value is set to 443. |
Server Certificate | Select the server certificate that you obtained. In this example, Certificate A is selected. |
TLS Security Policies | Select the TLS security policy required by your service. A TLS security policy contains the supported TLS protocol versions and cipher suites for HTTPS. For more information about TLS security policies, see TLS security policies. In this example, no policy is specified, so the default policy tls_cipher_policy_1_0 is used. |
Client Affinity | Specify whether to enable client affinity. When client affinity is enabled for a stateful application, GA directs all requests from the same client to the same endpoint. In this example, Source IP Address is selected. |
Custom HTTP Headers | Select the HTTP header fields that you want to add. In this example, the default configurations are used. |
Step 4: Configure endpoint groups and endpoints
In the Configure an endpoint group step, configure the endpoint group and endpoints, and then click Next.
Only the key parameters are described here. For more information, see Add and manage endpoint groups of smart routing listeners.
Parameter | Description |
Region | Select the region in which the endpoint group is deployed. In this example, US (Silicon Valley) is selected. |
Endpoint Configuration | Endpoints are destinations of client requests. You can configure endpoints based on the following information: Backend Service Type: Select Alibaba Cloud Public IP Address. Backend Service: Enter the IP address of the backend service. In this example, enter the public IP address of Server 1: 47.XX.XX.62. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. Global Accelerator routes traffic to endpoints in proportion to the weights that you configure. In this example, keep the default value 255. Warning: If the weight of an endpoint is set to 0, Global Accelerator stops distributing traffic to that endpoint. Proceed with caution. |
Preserve Client IP | By default, client IP address preservation is enabled for HTTPS listeners. This feature lets you view client IP addresses on backend servers. HTTP listeners can retrieve client IP addresses from the X-Forwarded-For HTTP header. For more information, see Preserve client IP addresses. |
Backend Service Protocol | Select the protocol that is used by backend servers. The default configuration is HTTP. |
Port Mapping | If the listener port is not the same port over which the endpoint provides services, you must set this parameter. Listener Port: Enter the port of the current listener. In this example, 443 is entered. Endpoint Port: Enter the port used by your endpoint. In this example, 80 is entered. |
Traffic Distribution Ratio | Specify a traffic distribution ratio for the endpoint group. The valid values are 0 to 100. In this example, the default value 100% is used. |
Health Check | Specify whether to enable or disable the health check feature. After enabling the feature, you can use health checks to check the status of endpoints. For more information about health checks, see Enable and manage health checks. In this example, health checks remain disabled by default. |
On the Configuration Review wizard page, confirm the information and click Submit.
Note: It takes 3 to 5 minutes to create a GA instance.
Optional: After the task is complete, click Enter Instance Details below the task details list. On the instance details page, select tabs such as Instance Information, Listeners, and Acceleration Areas to view the instance configuration information.
Configure a virtual endpoint group.
On the instance details page, click the Listeners tab.
On the Listeners tab, find the listener that you want to manage and click the endpoint group ID in the Default Endpoint Group column.
On the Endpoint Group tab, click Add Virtual Endpoint Group in the Virtual Endpoint Group section.
On the Add Endpoint Group page, configure the parameters based on the following information and click Create.
The configurations of the virtual endpoint group are the same as those of the default endpoint group that you created in Step 4-1, except for the following parameters.
Backend Service Type: Select Alibaba Cloud Public IP Address.
Backend Service: Enter the public IP address of Server 2, 47.XX.XX.34.
Backend Service Protocol: Select HTTPS.
Port Mapping: No port mapping is needed.
If the listener port is the same as the port used by your endpoint, you do not need to configure port mapping. GA automatically sends requests to the endpoint on the same port as the listener port.
Step 5: Associate an additional certificate
To associate multiple domain names with a single listener, bind an additional certificate to the HTTPS listener. Combined with domain-based forwarding rules, this allows you to route requests for different domains to different virtual endpoint groups.
The following steps show how to bind Certificate B to the HTTPS listener to associate the domain name 2 xxxtest.fun with it.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Certificates tab.
On the Certificates tab, click Associate Certificate in the Additional Certificate section.
In the Associate Certificate dialog box, configure the additional certificate with the following information, and click OK.
Certificate: Select the certificate that you want to associate. In this example, Certificate B is used.
Associated Domain Name: Select the domain under this certificate for which you want to use GA for acceleration. In this example, domain name 2 xxxtest.fun is selected.
Step 6: Add a forwarding rule
When an HTTPS listener receives a request, it first tries to match a custom forwarding rule. If a rule matches, the listener forwards the request to the corresponding endpoint group. If the request does not match any custom forwarding rules, the listener forwards it to the default endpoint group through the default forwarding rule.
The following steps describe how to create a custom forwarding rule for the virtual endpoint group that is associated with Server 2. This rule forwards all requests for domain name 2 xxxtest.fun to Server 2.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Forwarding Rule tab.
On the Forwarding Rule tab, click Add Forwarding Rule.
In the Add Forwarding Rule area, configure the forwarding rule based on the following information, and click OK.
Parameter | Description |
Name | Enter a name for the forwarding rule. |
If (Matching All Conditions) | Configure forwarding conditions. In this example, Domain Names is selected, and domain name 2 xxxtest.fun is entered as the domain name to match. |
Then | Select a forwarding action type and forwarding target. In this example, Forward is selected and the virtual endpoint group that you created in Step 4: Configure endpoint groups and endpoints is selected. |
Step 7: Configure CNAME records
You need to map domain name 1 xxxtest.cloud and domain name 2 xxxtest.fun to the CNAME record of your Global Accelerator instance to forward access requests to Global Accelerator for acceleration.
On the Public Zone page, find the target domain name 1 xxxtest.cloud, and click Settings in the Actions column.
Note: For domain names that are not registered with Alibaba Cloud, you must first add the domain name to the Cloud DNS console before you can configure domain name resolution settings.
On the Settings page, find the existing A record and click Edit in the Actions column.
In the Edit Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the Global Accelerator instance, and then click OK.
You can view the CNAME assigned to the Global Accelerator instance on the Instances page.
Follow the preceding steps to change the existing A record to a CNAME record for domain name 2 xxxtest.fun.
If you want to return resolution results based on the region where a client resides, make sure that Alibaba Cloud DNS is upgraded to Enterprise Ultimate Edition. For more information, see Renewal and upgrade.
After upgrading, you can change the default DNS line of an existing A record to a specific regional line and add a CNAME record that points to the CNAME address of the GA instance.
Step 8: Test the connectivity
Use both domain names to test the connectivity to the web application that is deployed in the US (Silicon Valley) region. Then, check whether access to the domain names is accelerated.
This example uses an Alibaba Cloud Linux 3 operating system for testing. The test commands may vary for different operating systems. Refer to your operating system's guide for specific commands.
The acceleration effect depends on your actual business test results.
Test the network connectivity
Open the CLI on an on-premises machine in the China (Hong Kong) region.
Run the following command for domain name 1 xxxtest.cloud and domain name 2 xxxtest.fun to verify that the CNAME configuration has taken effect.
ping <Website domain name>
If the CNAME in the output is the same as the CNAME assigned by GA, the CNAME record takes effect.

Run the following command for domain name 1 xxxtest.cloud and domain name 2 xxxtest.fun to test if the website is accessible and the certificate is correctly retrieved.
curl -v https://<The domain name> --resolve <The domain name>:<The listener port>:<The accelerated IP address>
This example shows the test result for domain name 1, xxxtest.cloud. If the response contains the server certificate information and HTTPS response information, the domain name is accessible.
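Added example (not part of the original topic and not Alibaba Cloud tooling): a Python check that complements the curl test by connecting to the accelerated IP address with each domain as the SNI name and reporting whether the listener served a certificate that covers that domain or one that only fits the other domain. The function names, result strings and command-line form are assumptions, and reading a sibling-domain certificate as a fallback to the default certificate is an inference from the default and additional certificate setup in this topic.

```python
import socket
import ssl
import sys

def san_dns_names(cert):
    """DNS entries from the subjectAltName of an ssl getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(pattern, host):
    """Hostname match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:] and "." in tail

def classify(cert, requested, all_domains):
    """Report which certificate the listener chose for the requested SNI name."""
    names = san_dns_names(cert)
    if any(covers(n, requested) for n in names):
        return "ok"
    # A certificate that only fits a sibling domain suggests the listener fell
    # back to its default certificate (additional certificate not associated).
    others = [d for d in all_domains
              if d != requested and any(covers(n, d) for n in names)]
    return "fallback:" + ",".join(others) if others else "mismatch"

def probe(accel_ip, port, domain, timeout=5.0):
    """TLS handshake with the listener at accel_ip, sending `domain` as SNI.

    The chain is still validated against the system trust store; only the
    hostname check is deferred so the served certificate can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((accel_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert(), tls.version()

if __name__ == "__main__":
    domains = sys.argv[2:] or ["xxxtest.cloud", "xxxtest.fun"]
    if len(sys.argv) > 2:  # live check: <accelerated IP> <domain> [<domain> ...]
        for d in domains:
            cert, version = probe(sys.argv[1], 443, d)
            print(d, version, classify(cert, d, domains), san_dns_names(cert))
    else:  # offline demo on a constructed certificate dict (not real data)
        cert_a = {"subjectAltName": (("DNS", "xxxtest.cloud"),)}
        for d in domains:
            print(d, classify(cert_a, d, domains))
```

A `fallback:` result for domain name 2 points back to Step 5: check that Certificate B is associated with the listener and that xxxtest.fun is selected as its associated domain name.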
Test acceleration
To verify the acceleration performance, see Test the acceleration performance of GA.