If you add a non-website service, such as a port-based service that uses TCP, to Anti-DDoS
Pro or Anti-DDoS Premium and the origin server of the service is an Elastic Compute
Service (ECS) instance or a virtual private cloud (VPC), traffic may reach the origin
server directly instead of passing through Anti-DDoS Pro or Anti-DDoS Premium. In this
case, Anti-DDoS Pro or Anti-DDoS Premium cannot protect your service, and the origin
server is exposed. To prevent this, we recommend that you perform the following operations:
- Configure a security group rule for the ECS instance that is used as the origin server.
This rule allows only the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS
Premium instance to access your ECS instance and denies the traffic from other IP
addresses.
You can obtain the back-to-origin CIDR blocks of an Anti-DDoS Pro or Anti-DDoS Premium instance in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Allow back-to-origin IP addresses to access the origin server.
- If an IP address such as the egress IP address of your internal network is trusted and you want to use the IP address to access your ECS instance, configure a security group rule to allow the traffic from the trusted IP address.
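As an added illustration that is not part of this documentation, the following Python models the ingress rule set described above and audits a security group for accept rules whose source lies outside the back-to-origin CIDR blocks and trusted IP addresses. The CIDR blocks and the trusted IP are constructed placeholders; the rule field names follow the ECS security group API (IpProtocol, PortRange, SourceCidrIp, Policy, Priority).

```python
"""Model and audit ECS security group ingress rules for an Anti-DDoS protected origin."""
import ipaddress

# Constructed placeholders: take the real back-to-origin CIDR blocks from the
# Anti-DDoS Pro or Anti-DDoS Premium console. These are documentation ranges only.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/26"]
# Constructed example of a trusted egress IP of an internal network.
TRUSTED_IPS = ["192.0.2.10/32"]
SERVICE_PORT = 8080


def build_ingress_rules(service_port, back_to_origin_cidrs, trusted_ips):
    """Allow the listed sources on the service port and drop every other source."""
    port_range = f"{service_port}/{service_port}"
    rules = [{"Policy": "accept", "Priority": 1, "IpProtocol": "tcp",
              "PortRange": port_range, "SourceCidrIp": cidr}
             for cidr in list(back_to_origin_cidrs) + list(trusted_ips)]
    # Lowest-priority (100) catch-all drop closes the direct path to the origin.
    rules.append({"Policy": "drop", "Priority": 100, "IpProtocol": "tcp",
                  "PortRange": port_range, "SourceCidrIp": "0.0.0.0/0"})
    return rules


def port_in_range(port, port_range):
    """ECS encodes 'all ports' as -1/-1; otherwise the range is 'low/high'."""
    if port_range == "-1/-1":
        return True
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high


def is_allowed(rules, src_ip, port, protocol="tcp"):
    """Evaluate a packet: lower Priority number wins; at equal priority drop beats accept."""
    src = ipaddress.ip_address(src_ip)
    matches = [r for r in rules
               if r["IpProtocol"].lower() in (protocol, "all")
               and port_in_range(port, r["PortRange"])
               and src in ipaddress.ip_network(r["SourceCidrIp"], strict=False)]
    if not matches:
        return False  # no matching rule: ingress is denied by default
    matches.sort(key=lambda r: (r["Priority"], r["Policy"] != "drop"))
    return matches[0]["Policy"] == "accept"


def find_bypass_rules(rules, allowed_cidrs, port):
    """Flag accept rules on the port whose source is not fully inside the allow-list."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    flagged = []
    for r in rules:
        if r["Policy"] != "accept" or not port_in_range(port, r["PortRange"]):
            continue
        src = ipaddress.ip_network(r["SourceCidrIp"], strict=False)
        if not any(src.subnet_of(net) for net in allowed):
            flagged.append(r)  # e.g. a leftover 0.0.0.0/0 accept that bypasses Anti-DDoS
    return flagged
```

Running find_bypass_rules against the rules returned by DescribeSecurityGroupAttribute gives a quick check that no stale wide-open rule on the service port survived the change.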