After you add your website to Anti-DDoS Proxy, attackers can still bypass the proxy if they learn the IP address of the origin server. Because the origin IP address can be exposed, configure access control lists (ACLs) on the origin server so that it accepts inbound traffic only from the back-to-origin IP addresses of your Anti-DDoS Proxy instance and rejects direct connections from everywhere else.
Scope of ACL protection: ACLs take effect only at the edge of the Alibaba Cloud network where your origin server resides, so they apply only to attack traffic that reaches that edge. They help mitigate small volumes of HTTP flood attacks and web attacks, but cannot mitigate volumetric DDoS attacks: the traffic of a volumetric attack that reaches the network edge far exceeds what an origin server can handle and may trigger blackhole filtering for the origin server. If your origin IP address is exposed and the server is blackholed, change the IP address immediately. For details, see Handle exposure of the origin IP address.
Choose your network architecture
Find the architecture that matches your deployment, then follow the corresponding ACL configuration method.
Anti-DDoS Proxy + ECS
Traffic source: The back-to-origin IP addresses of the Anti-DDoS Proxy instance are the source IPs forwarded to the origin server.
ACL method: Configure security group rules on the Elastic Compute Service (ECS) instance to allow traffic only from the back-to-origin IP addresses and deny all other inbound traffic.
Get the back-to-origin IP addresses from the Anti-DDoS Proxy console. For configuration steps, see Allow back-to-origin IP addresses to access the origin server.
Anti-DDoS Proxy + non-Alibaba Cloud origin server
Traffic source: The back-to-origin IP addresses of the Anti-DDoS Proxy instance are the source IPs forwarded to the origin server.
ACL method: Configure ACLs in the security software installed on the origin server—such as iptables or a firewall—to allow traffic only from the back-to-origin IP addresses and deny all other inbound traffic.
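As an added example (not part of the Alibaba Cloud documentation), the following script builds an iptables ruleset for a Linux origin outside Alibaba Cloud. It admits only the back-to-origin addresses on the web ports, keeps SSH open to one admin range, and drops everything else by default. The CIDRs are placeholders from the TEST-NET ranges: replace BACK_TO_ORIGIN_CIDRS with the addresses shown in the Anti-DDoS Proxy console and MGMT_CIDR with your own admin network. Without arguments the script only prints the ruleset for review; --apply loads it with iptables-restore and needs root.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset that allows only the
# Anti-DDoS Proxy back-to-origin addresses to reach the web ports.
# All address ranges below are placeholders (RFC 5737 TEST-NET blocks).
BACK_TO_ORIGIN_CIDRS="203.0.113.0/24 198.51.100.0/24"   # replace with console values
WEB_PORTS="80 443"
MGMT_CIDR="192.0.2.10/32"   # placeholder: admin bastion allowed to SSH

# Emit a complete filter table in iptables-restore format on stdout.
build_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'      # default deny: anything not listed is dropped
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "-A INPUT -p tcp -s $MGMT_CIDR --dport 22 -j ACCEPT"
  # One ACCEPT per (back-to-origin range, web port) pair.
  for cidr in $BACK_TO_ORIGIN_CIDRS; do
    for port in $WEB_PORTS; do
      printf '%s\n' "-A INPUT -p tcp -s $cidr --dport $port -j ACCEPT"
    done
  done
  # Rate-limited log of web-port hits that matched no allow rule. Any such
  # entry is a direct connection to the origin, i.e. the origin IP is exposed.
  ports_csv=$(echo $WEB_PORTS | tr ' ' ',')
  printf '%s\n' "-A INPUT -p tcp -m multiport --dports $ports_csv -m limit --limit 5/min -j LOG --log-prefix \"origin-bypass: \""
  printf '%s\n' 'COMMIT'
}

case "${1:-}" in
  --apply) build_rules | iptables-restore ;;   # requires root; review the output first
  *)       build_rules ;;
esac
```

The back-to-origin address list can change; re-check the console when you rotate rules, and add matching ip6tables rules if the origin has a public IPv6 address, since an IPv4-only ACL leaves that path open.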
Anti-DDoS Proxy + Layer 4 Server Load Balancer (SLB) + ECS
Traffic source: The back-to-origin IP addresses of the Anti-DDoS Proxy instance are the source IPs forwarded to the origin server.
ACL method: Add the back-to-origin IP addresses to the whitelist of the SLB instance, then enable access control to allow traffic only from those addresses.
For configuration steps, see Enable access control.
Anti-DDoS Proxy + Layer 7 Application Load Balancer (ALB) + ECS
Traffic source: The back-to-origin IP addresses of the ALB instance are the source IPs forwarded to the origin server.
ACL method: Add the back-to-origin IP addresses of your Anti-DDoS Proxy instance to the whitelist of the ALB instance, then enable access control to allow traffic only from those addresses.
For configuration steps, see Access control.
Anti-DDoS Proxy + WAF, CDN, or DCDN + ECS
Two solutions are available. Solution 1 is recommended for Dynamic Content Delivery Network (DCDN) deployments.
If your origin server is not an ECS instance, the network architecture and ACL approach remain the same.
Solution 1 (recommended): Enable DDoS mitigation and WAF on DCDN
Traffic flow:
| Scenario | Path |
|---|---|
| Under attack | Anti-DDoS Proxy → DCDN → ECS |
| No attack | DCDN → ECS |
Traffic source: The back-to-origin IP addresses of DCDN are the source IPs forwarded to the origin server.
ACL method: When you use DCDN, the ECS IP address is hidden behind DCDN. In most cases, no ACL configuration is required. If you need to configure ACLs, contact Alibaba Cloud technical support.
Constraints:
This solution is available only for DCDN. If you use Alibaba Cloud CDN (CDN), use Solution 2 or migrate your website to DCDN.
Web Application Firewall (WAF) protection capabilities are integrated into DCDN points of presence (PoPs). Traffic does not need to be forwarded to WAF separately.
Solution 2: Use CDN or DCDN interaction with Anti-DDoS Proxy, then WAF, then ECS
Traffic flow:
| Scenario | Path |
|---|---|
| Under attack | Anti-DDoS Proxy → WAF → ECS |
| No attack | CDN → WAF → ECS |
Traffic source: The back-to-origin IP addresses of WAF are the source IPs forwarded to the origin server.
ACL method: Configure ACLs for the ECS instance to allow traffic only from the WAF back-to-origin IP addresses.
For configuration steps, see Configure protection for an origin server.
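Whichever architecture you use, the origin server should only ever see requests from the allowed back-to-origin ranges (Anti-DDoS Proxy, WAF, or DCDN, depending on the solution above). The following script is an added example, not part of the Alibaba Cloud documentation: it reads an origin access log in nginx combined format and reports every source address outside the allowed ranges. The ALLOWED_CIDRS values and the log lines are constructed placeholders; substitute the real back-to-origin addresses (for Solution 2, the WAF back-to-origin addresses). Any hit means a client reached the origin directly and the origin IP address is exposed or the ACL has a gap.

```shell
#!/bin/sh
# Added example: find access-log entries whose source is not an allowed
# back-to-origin range. Placeholder ranges from RFC 5737 TEST-NET blocks.
ALLOWED_CIDRS="203.0.113.0/24 198.51.100.0/24"   # replace with console values

# Constructed sample log (nginx combined format); not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.200 - - [10/Oct/2024:13:55:37 +0000] "GET /api/v1/items HTTP/1.1" 200 88 "-" "curl/8.4.0"
192.0.2.99 - - [10/Oct/2024:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2024:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.250 - - [10/Oct/2024:13:55:40 +0000] "GET /img/a.png HTTP/1.1" 200 4310 "-" "Mozilla/5.0"'

# Read a log on stdin; print "count ip" for each IPv4 source outside ALLOWED_CIDRS.
# CIDR matching uses integer division only, so it works in any POSIX awk.
find_bypass() {
  awk -v allowed="$ALLOWED_CIDRS" '
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when ip and the network share the top prefix-length bits.
    function in_cidr(ip, cidr,   parts, blk) {
      split(cidr, parts, "/")
      blk = 2 ^ (32 - parts[2])
      return int(ip2int(ip) / blk) == int(ip2int(parts[1]) / blk)
    }
    BEGIN { n = split(allowed, cidrs, " ") }
    {
      ok = 0
      for (i = 1; i <= n; i++) if (in_cidr($1, cidrs[i])) { ok = 1; break }
      if (!ok) bad[$1]++
    }
    END { for (ip in bad) print bad[ip], ip }
  ' | sort -rn
}

# Usage: pipe the real log instead, e.g.  find_bypass < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | find_bypass
```

Run it periodically, or against the iptables LOG output described in the origin ACL, and treat any non-empty result as the trigger for the origin IP change described under Handle exposure of the origin IP address. If the origin sits behind a Layer 7 load balancer or WAF, compare the log field against the list of that hop's back-to-origin addresses, not the Anti-DDoS Proxy addresses, because that hop rewrites the source IP.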