The Chinese Mainland Acceleration (CMA) mitigation plan pairs with an Insurance or Unlimited mitigation plan to serve two goals: accelerate access for users in the Chinese mainland when no attack is occurring, and automatically switch all traffic to the scrubbing instance the moment an attack is detected.
This page covers the complete setup: adding your service to both instances, creating the network acceleration rule that generates a CNAME, and pointing your DNS at that CNAME.

Prerequisites
Before you begin, ensure that you have:
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan
To purchase instances, see Purchase an Anti-DDoS Proxy instance.
How it works
When both instances are configured and your domain points at the CNAME generated by Sec-Traffic Manager:
No attack: Traffic from users in the Chinese mainland routes through the CMA instance for low-latency acceleration.
Under attack: Anti-DDoS automatically redirects all traffic to the Insurance or Unlimited instance for scrubbing. Only clean traffic is forwarded to your origin server.
The automatic traffic redirection relies entirely on the CNAME. Your DNS record must point at this CNAME — not directly at the instance IP — for the failover to work.
Set up the CMA mitigation plan
The setup consists of five steps:
Open the Anti-DDoS Proxy (Outside Chinese Mainland) console.
Add your service to both instances.
Create a network acceleration rule.
Verify the configuration before going live.
Update your DNS record.
Step 1: Open the Anti-DDoS Proxy (Outside Chinese Mainland) console
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select Outside Chinese Mainland.
You are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
Step 2: Add your service to both instances
Add your service to both the Insurance or Unlimited instance and the CMA instance. The method depends on whether your service is website-based or non-website-based.
Website service
In the left-side navigation pane, choose Provisioning > Website Config.
Click Add Website and configure the parameters.
Important: In the Enter Website Information step, set the Instance parameter to select both the Insurance or Unlimited instance and the CMA instance. Complete only the Enter Website Information step — do not change the DNS record based on the on-page instructions. You will update the DNS record in Step 5 using the CNAME from Sec-Traffic Manager.
For details on the parameters, see Add one or more websites.
Non-website service
Non-website services must be accessible via domain names — services accessible only by IP address cannot be added to a CMA instance.
In the left-side navigation pane, choose Provisioning > Port Config.
Click Create Rule and configure the forwarding parameters.
Important: Configure identical forwarding rules on both the Insurance or Unlimited instance and the CMA instance.
For details, see Configure port forwarding rules.
Step 3: Create a network acceleration rule
In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
On the General Interaction tab, click Add Rule.
Configure the parameters to create a network acceleration rule. For details, see Create a network acceleration rule.
After the rule is created, Anti-DDoS generates a CNAME. You will use this CNAME in Step 5.

Step 4: Verify the configuration before going live
Before updating your DNS record, verify the network acceleration rule using your local hosts file. This lets you confirm that back-to-origin policies are working correctly without affecting live traffic.
See Verify the forwarding configurations on your computer for the full verification procedure.
Step 5: Update your DNS record
Point your domain at the CNAME generated by Sec-Traffic Manager. Update the DNS record on your DNS service provider's platform.
If your DNS is managed by Alibaba Cloud DNS, update the record in the Alibaba Cloud DNS console.
For step-by-step instructions, see Change the CNAME to redirect traffic to Sec-Traffic Manager.
The network acceleration rule takes effect only after the DNS record is updated. Complete this step after you have verified the configuration in Step 4.
Result
After the DNS record is updated:
When no attack occurs, traffic from users in the Chinese mainland is accelerated through the CMA instance.
When an attack is detected, Anti-DDoS automatically switches all traffic to the Insurance or Unlimited instance for scrubbing, and only service traffic is forwarded to your origin server.
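
Because the automatic failover depends on the domain resolving through the Sec-Traffic Manager CNAME rather than an instance IP, a post-change check of the DNS answer is worth scripting. The following is an added example, not Alibaba Cloud code: it audits dig-style answer lines offline and flags a record that points straight at an IP or at a different CNAME. The value of EXPECTED_CNAME, the domain names and the sample records are constructed placeholders.

```python
# Added example (not Alibaba Cloud code). Works offline on dig-style answer lines.
# EXPECTED_CNAME is a placeholder; substitute the CNAME generated for your rule.
EXPECTED_CNAME = "stm-rule-placeholder.example.net"

def norm(name):
    # DNS names compare case-insensitively; dig prints a trailing root dot.
    return name.strip().rstrip(".").lower()

def parse_answers(text):
    """Parse 'name ttl class type rdata' lines from a dig ANSWER SECTION."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        records.append((norm(fields[0]), fields[3].upper(), fields[4]))
    return records

def audit(domain, answers_text, expected=EXPECTED_CNAME):
    """Return 'ok', 'direct_ip', 'wrong_cname', 'cname_loop' or 'no_answer'."""
    records = parse_answers(answers_text)
    expected, current, seen = norm(expected), norm(domain), set()
    followed = False
    while current not in seen:
        seen.add(current)
        targets = [norm(v) for n, t, v in records if n == current and t == "CNAME"]
        if expected in targets:
            return "ok"  # the chain passes through the Sec-Traffic Manager CNAME
        if targets:
            current, followed = targets[0], True
            continue
        if followed:
            return "wrong_cname"  # chain ended without reaching the expected CNAME
        has_ip = any(n == current and t in ("A", "AAAA") for n, t, _ in records)
        return "direct_ip" if has_ip else "no_answer"
    return "cname_loop"

# Constructed samples (documentation IP ranges, placeholder names).
OK = """www.example.com. 600 IN CNAME STM-Rule-Placeholder.example.net.
stm-rule-placeholder.example.net. 60 IN A 203.0.113.10"""
DIRECT = "www.example.com. 600 IN A 203.0.113.10"
WRONG = """www.example.com. 600 IN CNAME other.example.org.
other.example.org. 60 IN A 198.51.100.7"""

if __name__ == "__main__":
    for label, sample in (("ok", OK), ("direct", DIRECT), ("wrong", WRONG)):
        print(label, "->", audit("www.example.com", sample))
```

A result of direct_ip or wrong_cname means the automatic switch to the scrubbing instance will not apply to that domain until the record is corrected.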