Alibaba Cloud CDN integrates with Anti-DDoS to mitigate DDoS attacks for accelerated domain names. This topic describes how to configure Anti-DDoS in the Alibaba Cloud CDN console.


An Anti-DDoS Pro or Premium instance is created. You can purchase Anti-DDoS Pro or Premium instances in the Anti-DDoS console. Anti-DDoS provides a scheduler that integrates Anti-DDoS with other services. We recommend that you configure Anti-DDoS in the Alibaba Cloud CDN console.

Feature overview

Anti-DDoS integrates with Alibaba Cloud CDN edge nodes to scrub network traffic and secure content delivery. After this feature is enabled, requests that are destined for edge nodes can be automatically redirected to the Anti-DDoS Pro or Premium instance when attacks are detected. After DDoS attacks stop, requests are sent to edge nodes again.

This feature is available only to private preview users.


Integration with Anti-DDoS is in invitational preview and available to enterprise users in the finance, retail, transportation, media, and public service sectors. Anti-DDoS is suitable for the following scenarios:
  • Finance

    Ensures the availability of services and improves user experience of cross-border content delivery. Protects user information, transactions, and data assets to minimize losses caused by attacks.

  • Retail

    Accelerates content delivery for enterprise websites, e-commerce and ticketing platforms, and collaborative software. Mitigates attacks to ensure service availability.

  • Media

    Accelerates the delivery of media content. Provides protection to avoid service disruptions caused by traffic spikes or attacks.

Submit an application

Join the DingTalk group 32615821 to request technical support.

Enable integration with Anti-DDoS

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. Choose Security Settings > Integration with Anti-DDoS.

    If this feature is not activated for your Alibaba Cloud account, click Activate Now to join the provided DingTalk group for technical support.

  5. Turn on Anti-DDoS Interaction.
  6. Set the Associated Anti-DDoS Service, Association Type, and Target parameters.
    Configure Anti-DDoS
    Note When you manage the security settings of a domain name, the following message appears if the domain name is not protected by Anti-DDoS: No Anti-DDoS Pro/Premium settings are found for the specified domain name.
    • If no Anti-DDoS Pro or Premium instance is created, you must purchase one in the Anti-DDoS console.
    • If you have already purchased an Anti-DDoS Pro or Premium instance, you must configure the Anti-DDoS Pro or Premium instance in the Anti-DDoS console to enable protection for your domain names.
  7. Click OK.

Assign the RAM role to Alibaba Cloud CDN

After you enable this feature, Alibaba Cloud CDN automatically creates the following service-linked role in Resource Access Management (RAM): AliyunServiceRoleForCDNAccessingDDoS. Alibaba Cloud CDN can assume this role to access the Anti-DDoS Pro or Premium instance. AliyunServiceRoleForCDNAccessingDDoS has the following permissions:
  • DescribeDomainAttackEvents: Queries events of attacks launched against a website.
  • DescribeDomainDDoSAttackEvents: Queries events of DDoS attacks.
  • DescribeDDoSEvents: Queries events of attacks launched against one or more Anti-DDoS Pro or Anti-DDoS Premium instances.
  • DescribeWebRules: Queries the forwarding rules of a website.
  • DescribeDomainQPSList: Queries the number of queries per second (QPS) of a website.
  • DescribeCdnLinkageRules: Queries the parameters set for the integration of Alibaba Cloud CDN and Anti-DDoS.

If you want to delete AliyunServiceRoleForCDNAccessingDDoS, you must disable the integration of Alibaba Cloud CDN and Anti-DDoS for all accelerated domain names. Then, you can delete the role in the RAM console. For more information, see Service-linked roles.