If your enterprise has multiple Alibaba Cloud accounts, Anti-DDoS Origin lets you purchase an instance with one account and share it with other accounts. This method helps reduce costs and provides comprehensive asset protection. This topic describes how to configure multiple accounts to share a single Anti-DDoS Origin instance.
Supported instance types
Anti-DDoS Origin 2.0 Enterprise (Subscription) instances and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances.
The multi-account management feature requires approval. To use this feature, contact your business manager.
Account types
Before you use the multi-account management feature, you must create a resource directory. A resource directory includes the following three account types. For more information, see What is Resource Directory?.
Management account: A management account is used to enable a resource directory. The management account is the super administrator of the resource directory and has full control over the resource directory, folders, and members.
Delegated administrator account: A management account can designate a member account in the resource directory as a delegated administrator account. The management account grants this account permissions to access the organization and member information of the resource directory.
Member account: You can create new member accounts in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.
Anti-DDoS Origin instances purchased by a management account or a delegated administrator account can protect the assets that are assigned public IP addresses of member accounts. However, we recommend that you use the management account for organization management tasks and the delegated administrator account for business management tasks. Separating these tasks improves management flexibility and efficiency.
After you configure the resource directory, you must also associate the member accounts with the management account or the delegated administrator account in the Traffic Security console. This enables Anti-DDoS to protect the assets of the member accounts.
A member account can be associated with either the management account or the delegated administrator account, but not both.
An Anti-DDoS Origin instance that belongs to the management account can protect only the assets of its associated member accounts. Likewise, an Anti-DDoS Origin instance that belongs to the delegated administrator account can protect only the assets of its associated member accounts.
Usage notes
The management account, delegated administrator account, and member accounts must belong to the same resource directory and have the same enterprise identity verification.
Member accounts can also purchase their own Anti-DDoS Origin instances. However, an asset that is assigned a public IP address can be protected by only one Anti-DDoS Origin instance.
For example, an asset of a member account is already protected by an Anti-DDoS Origin instance that the member account purchased. If you want to use a delegated administrator account for centralized protection, you must first remove the asset from the member account's instance. Then, you can add the asset to the Anti-DDoS Origin instance of the delegated administrator account.
If you use a management account or delegated administrator account to disassociate a member account in the Traffic Security console, protection is automatically removed from the assets of that member account. The instance of the management or delegated administrator account no longer protects those assets.
Each Alibaba Cloud account, whether a management or delegated administrator account, can add a maximum of 50 member accounts.
Billing
When you use an Anti-DDoS Origin instance from a management or delegated administrator account to protect the assets of a member account, the following billing rules apply:
Anti-DDoS Origin 2.0 Enterprise (Subscription) instance: No extra fees are charged for protecting the assets of member accounts.
Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Fees incurred from protecting the assets of member accounts are charged to the account that owns the instance.
View information about the assets of a member account
When you use an Anti-DDoS Origin instance of a management account or delegated administrator account to protect the assets of a member account, the visibility of asset statistics in the console varies depending on the account type. The following table provides details.
: The statistics do not include the asset.
: The statistics include the asset.
Console page | Management account/Delegated administrator account | Member account |
Overview | ||
Asset Center | ||
Event Center | ||
Statistical Report | ||
Business Monitoring | ||
Protected Object | ||
Mitigation Settings | ||
Attack Analysis | ||
Mitigation Logs | ||
Operation Logs | ||
CloudMonitor Alerts | ||
Billing Center |
The following procedure uses a management account for organization management tasks and a delegated administrator account for business management tasks. If you do not configure a delegated administrator account, you can use the management account to perform all the steps.
Step 1: Enable a resource directory and build an organizational structure
Before you use the multi-account management feature, you must add your enterprise's Alibaba Cloud accounts to a resource directory.
Log on to the Resource Management console with your management account and enable a resource directory. For more information, see Enable a resource directory.
In the Resource Management console, use the management account to build your enterprise's organizational structure. You can create new members or invite existing Alibaba Cloud accounts to join your organization.
For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.
In the Resource Management console, use the management account to designate a member account as a delegated administrator account. For more information, see Manage delegated administrator accounts.
Step 2: Associate member accounts with the delegated administrator account
You must associate member accounts with a delegated administrator account to view the assets of the member accounts.
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
Click Add Member. Read the information in the dialog box, and then click Next.
ImportantAfter you add a member account, the delegated administrator account is authorized to access the assets of the member account.
Select the member accounts that you want to add, click the
icon, and then click OK.After the member accounts are added, you can use the instance of the delegated administrator account to protect the assets of the member accounts.
Step 3: Use the instance of the delegated administrator account to protect the assets of a member account
To protect the assets of a member account, you must add the assets to the protected objects of the delegated administrator account's instance.
New EIPs with Anti-DDoS (Enhanced) that belong to a member account are automatically added to the protected objects of the delegated administrator account. If a member account already has a pay-as-you-go instance and existing EIPs with Anti-DDoS (Enhanced), these EIPs remain protected by the member account's instance. To migrate their protection to the delegated administrator account, perform the following steps:
Release the EIP with Anti-DDoS (Enhanced).
Disable the pay-as-you-go instance of the member account.
Purchase a new EIP with Anti-DDoS (Enhanced) for the member account. The new EIP is automatically added to the protected objects of the delegated administrator account.
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
Select the target Anti-DDoS Origin instance, click Add Object for Protection, and then click the Add Assets of Members tab.
Select a member account. In the Objects to Select section, select the assets that you want to protect, click the
icon, and then click OK.
Step 4: Configure mitigation policies for the assets of a member account
After you add the assets of a member account to the protected objects, the Mitigation Policy is set to Default. This means the assets are protected by the default mitigation capabilities of Anti-DDoS Origin.
If your business requires you to allow or block service traffic that has specific features, you can log on to the Traffic Security console with the delegated administrator account and attach a custom scenario-specific template to the assets. For more information, see Mitigation Settings.
Step 5: View attack events on the assets of member accounts
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
On the Attack Analysis page, select an account scope to view the details of attack events.
All accounts: Includes assets from the management account and member accounts that are assigned public IP addresses.
Delegated administrator account: You can view only the assets that are assigned public IP addresses in this account.
Member account: You can view only the assets that are assigned public IP addresses within this account.
