edit-icon download-icon

Use CNAME to connect a layer-4 service

Last Updated: Mar 20, 2018

In most cases, you can directly specify the clients to access the Anti-DDoS Pro IP address for layer-4 access (non-web service protection). However, in some cases, you may need to use a domain name to connect your layer-4 service to Anti-DDoS Pro. In such cases, you can add a layer-7 domain name, and use the same CNAME to resolve the domain name to the different Anti-DDoS Pro lines for CNAME auto scheduling.

This article takes an example to describe how to connect your layer-4 service to Anti-DDoS Pro by using CNAME resolution.

Assumptions

Assume that you want the traffic accessing the game server domain name (game.aliyundemo.com) to be redirected to your Anti-DDoS Pro IP address, the game’s TCP ports are 1234 and 5678, and the origin site IP address is 1.1.1.1.

Procedure

Follow these steps to proceed with the configuration:

  1. Add the domain name to Web Service to obtain the CNAME.

    1. Log on to the Anti-DDoS Pro console, and access the Web Service page.

    2. Click Add Domain to add game.aliyundemo.com under protection.

      Note:

      • If this domain name does not relate to a real website business, you can select whatever Protocol and enter anything in Origin site IP. Because this rule does not affect the Port 1234 and Port 5678 that are required by the actual business. Access requests sent to these two ports are forwarded to the Anti-DDoS Pro IP addresses by the following Non-Web Service forwarding rules in Step 2.
      • If this domain name relates to a real website business, you must specify the correct protocol type and origin site IP. This CNAME can also be used in domain name resolution for layer-4 service protection.
      • When selecting ISP line, assign China Telecom, China Unicom, and BGP lines at the same time to the domain name so that Anti-DDoS Pro IP addresses on different lines use the same CNAME.

    After the domain name is added, record the CNAME under its Domain Info for further use in setting DNS resolution of Step 3.

  2. Configure a forwarding rule under Non-Web Service. Follow Non-website access to configure two forwarding rules for the TCP ports 1234 and 5678.

    Note:

    • You must configure the corresponding non-website forwarding rules for all the Anti-DDoS Pro IP addresses enabled in Step 1.
    • You can use the Export Rules and Add batch rules functions to facilitate the operations.
  3. Go to your DNS service provider to add a CNAME record for game.aliyundemo.com, resolving it to the CNAME generated in Step 1.

When the procedure is complete, requests from clients can be intelligently resolved to the Anti-DDoS Pro IP addresses based on their network types. Anti-DDoS Pro can then correctly forward requests sent from the clients to origin based on the layer-4 forwarding configuration.

Additionally, you can enable CNAME Auto switch for layer-4 services on the Web Service page.

Thank you! We've received your feedback.