All Products
Search
Document Center

Anti-DDoS:Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance

Last Updated:Aug 16, 2023

This topic describes how to purchase an Anti-DDoS Pro or Anti-DDoS Premium instance

Instance types

  • Anti-DDoS Pro: Profession and Advanced mitigation plans

  • Anti-DDoS Premium: Insurance, Unlimited, Chinese Mainland Acceleration (CMA), CMA 2.0, Secure Chinese Mainland Acceleration (Sec-CMA), and Sec-CMA (Basic) mitigation plans

Note

To purchase an Anti-DDoS Pro instance of the Advanced mitigation plan or an Anti-DDoS Premium instance of the Sec-CMA (Basic) mitigation plan, submit a ticket to contact a pre-sales account manager.

How to select an instance type

You can purchase an Anti-DDoS instance based on the regions where your servers are deployed and where your users are located. The following list describes the different scenarios:

Region where your servers are deployed

Region where your users are located

Purchase suggestion

Regions in the Chinese mainland

Regions in the Chinese mainland or outside the Chinese mainland

We recommend that you purchase an Anti-DDoS Pro instance of the Profession or Advanced mitigation plan.

Important

You cannot use Anti-DDoS Pro instances to protect the domains for which you do not complete Internet Content Provider (ICP) filing. Before you use an Anti-DDoS Pro instance to protect your website, you must complete ICP filing for the domain of your website.

Regions outside the Chinese mainland

Regions outside the Chinese mainland

We recommend that you purchase an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan.

Regions outside the Chinese mainland

Regions in the Chinese mainland

If you purchase an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan, users in the Chinese mainland experience network latency. The average network latency is approximately 300 milliseconds. We recommend that you consider the following solution:

  • If you need to only ensure stable and fast access for users in the Chinese mainland, purchase an Anti-DDoS Premium instance of the Sec-CMA or Sec-CMA (Basic) mitigation plan. This solution is not applicable to China Mobile users in the Chinese mainland.

    Note

    The Sec-CMA and Sec-CMA (Basic) mitigation plans can be used to mitigate DDoS attacks and accelerate service access. You do not need to purchase an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan. For more information, see Configure Anti-DDoS Premium Sec-CMA.

  • If the preceding solution cannot meet your business requirements, we recommend that you purchase an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Premium instance of the CMA or CMA 2.0 mitigation plan.

    Note

    You must use Sec-Traffic Manager to configure network acceleration rules for the Anti-DDoS Premium instance. If no DDoS attacks are detected, the Anti-DDoS Premium instance of the CMA mitigation plan accelerates requests that are destined for protected services. If DDoS attacks are detected, the Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan protects the services against DDoS attacks. For more information, see Overview.

Supported clean QPS and connections

  • The following table describes the mappings between the numbers of connections that are supported by an Anti-DDoS Pro or Anti-DDoS Premium instance and the clean queries per second (QPS) of the instance when the burstable QPS feature is disabled for the instance.

    Clean QPS

    Number of new connections

    Number of concurrent connections

    0 < QPS ≤ 5,000

    5,000

    100,000

    5,000 < QPS ≤ 10,000

    10,000

    200,000

    10,000 < QPS ≤ 30,000

    30,000

    500,000

    30,000 < QPS ≤ 50,000

    50,000

    1,000,000

    50,000 < QPS ≤ 100,000

    80,000

    1,500,000

    100,000 < QPS ≤ 150,000

    100,000

    2,000,000

  • The following section describes the supported burstable QPS and connections if the burstable QPS feature is enabled for an Anti-DDoS Pro instance:

    • If the instance uses an IPv4 address, the burstable QPS for the instance is 300,000, the number of new connections 100,000, and the number of concurrent connections 2,000,000.

    • If the instance uses an IPv6 address, the burstable QPS for the instance is 150,000, the number of new connections 100,000, and the number of concurrent connections 2,000,000.

  • The following section describes the supported burstable QPS and connections if the burstable QPS feature is enabled for an Anti-DDoS Premium instance:

    The burstable QPS for the instance is 100,001, the number of new connections 100,000, and the number of concurrent connections 2,000,000.

Note

If your service requires higher specifications for new connections or concurrent connections, submit a ticket to contact your account manager.

Procedure

Important

After you purchase an instance, you cannot request a refund. Evaluate your business requirements before you purchase an instance.

  1. Visit the Anti-DDoS Pro buy page or Anti-DDoS Premium buy page based on your business requirements.

  2. Configure the following parameters.

    The following table describes all parameters of Anti-DDoS Pro and Anti-DDoS Premium instances. For more information about the parameters of an Anti-DDoS Pro or Anti-DDoS Premium instance, see the buy page of each instance type.

    Parameter

    Description

    Product Type

    Select Anti-DDoS Pro or Anti-DDoS Premium.

    IP Version

    Select the IP protocol that is supported by the instance. Valid values: IPv4 and IPv6.

    Important

    Mitigation Plan or Plan

    Select a mitigation plan.

    Basic Bandwidth

    Specify the basic protection bandwidth for the instance. The basic protection bandwidth specifies the threshold of attack traffic that the instance can mitigate.

    Burstable Bandwidth

    Specify the burstable protection bandwidth for the instance. The burstable protection bandwidth specifies the maximum mitigation capacity that is provided by the instance. For more information, see Billing of the burstable protection bandwidth feature.

    • If you set Burstable Bandwidth and Basic Bandwidth to the same value, the maximum mitigation capacity is equal to the specified basic protection bandwidth. In this case, you are charged only for basic protection.

    • If you set Burstable Bandwidth to a value greater than the value of Basic Bandwidth and attack traffic is between the specified basic protection bandwidth and the specified burstable protection bandwidth, burstable protection is triggered to defend against the attack. Pay-as-you-go bills are generated for the attack traffic that exceeds the value of Basic Bandwidth.

    After you purchase an instance, you can modify the burstable protection bandwidth of the instance in the console based on your business requirements. For more information, see Modify the burstable protection bandwidth of an instance.

    Service Bandwidth or Clean Bandwidth

    Select the clean bandwidth of normal workloads that you want the instance to protect.

    Warning

    If the bandwidth resources that you specify cannot meet your business requirements, packet loss may occur and your business may be affected. In this case, we recommend that you purchase more bandwidth resources. For more information, see Upgrade an instance.

    How to estimate the actual bandwidth usage

    You can select an appropriate clean bandwidth based on the daily inbound and outbound traffic peaks of your workloads that you want the instance to protect. Make sure that the clean bandwidth of the instance is greater than the peak bandwidth of inbound or outbound traffic, whichever is higher. In most cases, the peak bandwidth of outbound traffic is higher than that of inbound traffic.

    You can estimate the actual bandwidth usage based on the traffic statistics that are collected in the Elastic Compute Service (ECS) console or by using monitoring tools on your origin server. The traffic refers to the service traffic of your workloads. For example, you can add your website to Anti-DDoS Pro or Anti-DDoS Premium for protection. If no attacks are launched against your website, Anti-DDoS Pro or Anti-DDoS Premium forwards service traffic to the origin server. If your website is attacked, Anti-DDoS Pro or Anti-DDoS Premium blocks malicious traffic and forwards only service traffic to the origin server. The ECS console displays only the statistics about inbound and outbound service traffic that flows through the origin server. If your workloads are deployed on multiple origin servers, you must sum up the traffic volumes on all origin servers. 正常业务流量For example, you want to add three websites to an instance. The peak of outbound service traffic on each website is 50 Mbit/s or lower. The total bandwidth that is required by the three websites is 150 Mbit/s or lower. In this case, make sure that the clean bandwidth of the purchased instance is higher than 150 Mbit/s.

    95th Percentile Burstable Clean Bandwidth

    Specify whether to enable the burstable clean bandwidth feature. For more information, see Billing of the burstable clean bandwidth feature. Valid values:

    • Disable: disables the burstable clean bandwidth feature.

    • Daily 95th Percentile: enables the burstable clean bandwidth feature and uses the daily 95th percentile metering method.

    • Monthly 95th Percentile: enables the burstable clean bandwidth feature and uses the monthly 95th percentile metering method.

    The maximum clean bandwidth is equal to the sum of the clean bandwidth and the burstable clean bandwidth. The following list describes the maximum clean bandwidth that is supported by each type of instance:

    • Anti-DDoS Pro of the Profession and Advanced mitigation plans: 20 Gbit/s.

    • Anti-DDoS Premium of the Insurance and Unlimited mitigation plans: 5 Gbit/s. Anti-DDoS Premium of the CMA mitigation plan: 1 Gbit/s. Anti-DDoS Premium of the CMA 2.0 mitigation plan: 2 Gbit/s. Anti-DDoS Premium of the Sec-CMA and Sec-CMA (Basic) mitigation plans: 500 Mbit/s.

    Important
    • By default, the burstable clean bandwidth is nine times the clean bandwidth that you select for the instance. The sum of the clean bandwidth and the burstable clean bandwidth does not exceed the maximum clean bandwidth that is supported by the instance.

      For example, you purchase an Anti-DDoS Pro instance of the Profession mitigation plan, set the clean bandwidth to 3 Gbit/s, enable the burstable clean bandwidth feature, and use the daily 95th percentile metering method. The maximum clean bandwidth that is supported by the instance is 20 Gbit/s. In this case, the burstable clean bandwidth is 17 Gbit/s.

    • If you set the Service Bandwidth or Clean Bandwidth parameter to a value that is greater than the supported maximum clean bandwidth and you set the 95th Percentile Burstable Clean Bandwidth parameter to Daily 95th Percentile or Monthly 95th Percentile, no error messages are displayed. However, the burstable clean bandwidth feature is automatically disabled.

    • If you disable the burstable clean bandwidth feature when you purchase an instance, you can still enable the feature in the console. For more information, see Configure the burstable clean bandwidth.

    Functional package or Function Plan

    Select a function plan for the instance. Valid values: Standard Function and Enhanced Function.

    For more information, see Function plan.

    Domains

    Specify the number of domains that the instance can protect. The value must be an integer multiple of 10.

    The domains that are specified for the instance can be subdomains and wildcard domains. The number of unique second-level domains that correspond to the subdomains or wildcard domains cannot exceed the quotient obtained by dividing the value of the Domains parameter by 10.

    For an Anti-DDoS Pro instance of the Profession mitigation plan, the default value of the Domains parameter is 50. If you use the default value, you can specify only up to five second-level domains. You can also specify subdomains and wildcard domains that correspond to the second-level domains. The total number cannot exceed 50.

    If you want to enable protection for aliyundoc.com and aliyun.com, you can specify their subdomains, such as www.aliyundoc.com and abc.aliyun.com. You can also specify the wildcard domains, such as *.aliyundoc.com and *.aliyun.com.

    Clean QPS or Request Rate

    Specify the number of concurrent QPS that the instance can process when no attacks occur. HTTP and HTTPS requests are supported.

    For more information about the mappings between the clean QPS and the numbers of connections that are supported, see Supported clean QPS and connections.

    Warning

    If the clean QPS that you specify cannot meet your business requirements, packet loss may occur and your business may be affected. In this case, we recommend that you specify a higher clean QPS or enable the burstable QPS feature.

    95th Percentile Burstable QPS

    Specify whether to enable the burstable QPS feature. For more information about the billing of the burstable QPS feature, see Billing of the burstable QPS feature. Valid values:

    • Disable: disables the burstable QPS feature.

    • Daily 95th Percentile: enables the burstable QPS feature and uses the daily 95th percentile metering method.

    • Monthly 95th Percentile: enables the burstable QPS feature and uses the monthly 95th percentile metering method.

    For more information about the mappings between the clean QPS and the numbers of connections that are supported, see Supported clean QPS and connections.

    Important

    The following section describes the scenarios in which the burstable QPS feature is not supported:

    • An Anti-DDoS Pro instance uses an IPv4 address and the clean QPS of the instance is greater than 300,000.

    • An Anti-DDoS Pro instance uses an IPv6 address and the clean QPS of the instance is greater than 150,000.

    • The clean QPS of an Anti-DDoS Premium instance is greater than 100,001.

    If you disable the burstable QPS feature when you purchase an instance, you can still enable the feature in the console. For more information, see Configure the burstable QPS.

    Ports

    Specify the number of TCP and UDP ports for which you can configure forwarding rules.

    Resource Group

    Select the resource group to which the instance belongs in Resource Management. By default, the resource group is Default Resource Group.

    For more information about resource groups, see Create a resource group.

    Quantity

    Specify the number of instances that you want to purchase.

    Duration or Subscription

    Select a subscription duration for the instance.

    If you select Auto-renewal, the instance is automatically renewed before the instance expires. The following list describes the auto-renewal period:

    • Monthly subscription: The instance is automatically renewed for one month.

    • Annual subscription: The instance is automatically renewed for one year.

    For more information, see Renew an instance.

  3. Confirm your configurations and click Buy Now. Read and select Terms of Service. Then, click Pay to complete the purchase.

References