Anti-DDoS: Use the multi-account management feature

Last Updated: Dec 28, 2023

Anti-DDoS Origin paid editions allow enterprises that own multiple Alibaba Cloud accounts to purchase an instance by using one account and share the instance with other accounts. This helps reduce costs and protect assets in a comprehensive manner. In this topic, assets that are assigned public IP addresses are referred to as assets for short. This topic describes how to use the multi-account management feature to allow multiple accounts to share one instance.

Limits

  • The multi-account management feature is supported only for Anti-DDoS Origin 2.0 Enterprise instances. Before you use the multi-account management feature, you must contact your account manager for approval.

  • A management account and the members must belong to the same resource directory and enterprise entity. The enterprise entity must pass the enterprise real-name verification.

  • As a member, you can purchase Anti-DDoS Origin 2.0 Enterprise instances and add objects to the instances for protection. You can add an asset to only one instance for protection. If you want to add an asset protected by an instance of a member to an instance of the management account, you must remove the asset from the instance of the member and then add the asset to the instance of the management account.

  • After you add the asset of a member to an instance of a management account, you can view the mitigation settings and attack events of the asset only by using the management account and only in the Traffic Security console.

  • If you use a management account to remove a member in the Traffic Security console, the system removes the assets of the member from the instances of the management account.
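
The one-instance-per-asset rule and the effect of removing a member can be checked against an asset inventory before a change is made in the console. The following Python code is an added example, not Alibaba Cloud code and not an Alibaba Cloud API; the account names, instance IDs, IP addresses, and inventory layout are constructed assumptions.

```python
# Added example: every name, instance ID and IP address below is constructed.
MANAGEMENT = "mgmt-account"
MEMBERS = {"member-a", "member-b"}   # members added under Multi-account Management

# instance ID -> account that purchased the instance
INSTANCE_OWNER = {"inst-mgmt": MANAGEMENT, "inst-a": "member-a"}

# asset (public IP) -> (owning account, instance that protects it, or None)
ASSETS = {
    "203.0.113.10": ("member-a", "inst-a"),
    "203.0.113.11": ("member-a", "inst-mgmt"),
    "203.0.113.20": ("member-b", "inst-mgmt"),
    "203.0.113.30": ("member-b", None),
    "198.51.100.5": ("outsider", None),
}

def plan_add_to_management(asset, target="inst-mgmt"):
    """Ordered console actions needed to protect `asset` with the management instance."""
    owner, current = ASSETS[asset]
    if owner != MANAGEMENT and owner not in MEMBERS:
        raise ValueError(f"{asset}: {owner} is not a member that shares the instance")
    if current == target:
        return []                      # already protected by the target instance
    steps = []
    if current is not None:
        # An asset can belong to only one instance, so it must be removed first.
        # Between the two steps the asset is in no instance at all.
        steps.append(("remove", asset, current))
    steps.append(("add", asset, target))
    return steps

def unprotected_after_member_removal(member):
    """Assets of `member` that leave the management account's instances on removal."""
    return sorted(
        asset for asset, (owner, inst) in ASSETS.items()
        if owner == member and inst is not None
        and INSTANCE_OWNER[inst] == MANAGEMENT
    )

if __name__ == "__main__":
    print(plan_add_to_management("203.0.113.10"))
    print(unprotected_after_member_removal("member-b"))
```

Assets that a member protects with its own instance, such as 203.0.113.10 here, are not affected when the management account removes that member.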

Step 1: Enable a resource directory and build an organizational structure for your enterprise

Before you use the multi-account management feature, you must add multiple Alibaba Cloud accounts to a resource directory. For more information about Resource Directory, see Resource Directory overview.

Important

Anti-DDoS Origin paid editions do not support delegated administrator accounts. Do not create a delegated administrator account to manage an Anti-DDoS Origin instance of a paid edition. We recommend that you log on to the Resource Management console by using the Alibaba Cloud account that you use to purchase the instance, enable a resource directory, and then invite other members to share the instance.

  1. Log on to the Resource Management console with an Alibaba Cloud account and enable a resource directory. The Alibaba Cloud account that you use is the management account of the resource directory.

    For more information, see Enable a resource directory.

  2. In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.

Step 2: Configure the multi-account management feature

  1. Log on to the Traffic Security console by using the management account.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Multi-account Management.

  3. Click Add Member. In the message that appears, read the prompt and click Next.

    Important

    After members are added, the management account can access and query the assets of the members.

  4. Select the members that you want to add, click the icon, and then click OK.

    After you add members, you can use the instance of the management account to protect the assets of the members.

Step 3: Add the assets of the members as protected objects

  1. Log on to the Traffic Security console by using the management account. In the top navigation bar, select All Regions.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  3. Select an Anti-DDoS Origin 2.0 Enterprise instance, click Add Object for Protection, and then click the Add Assets of Members tab.

  4. Select the members whose assets you want to protect. In the Objects to Select section, select the assets that you want to protect, click the icon, and then click OK.

    After the assets are added, the value of Mitigation Policy is Default. This indicates that the default mitigation capability of Anti-DDoS Origin paid editions is provided for the asset. If you want to allow or deny service traffic that has specific characteristics, you can create a custom mitigation policy and attach the policy to the assets. For more information, see Use the mitigation settings feature (public preview).

Step 4: View the attack events on the assets of members

  1. Log on to the Traffic Security console by using the management account. In the top navigation bar, select All Regions.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Attack Analysis.

  3. On the Attack Analysis page, select an account scope to view the details of attack events.

    • All accounts: You can view the attack events of assets that belong to the management account and members.

    • A single member: You can view only the assets of a member.
