All Products
Search

This Product

    Anti-DDoS:Configure health checks for port forwarding rules

    Document Center

    Anti-DDoS:Configure health checks for port forwarding rules

    Last Updated:May 29, 2026

    Anti-DDoS Proxy provides Layer 4 and Layer 7 health checks for your non-website services. If your service has multiple origin IP addresses, you can use health checks to monitor the availability of your backend servers. Anti-DDoS Proxy forwards traffic only to healthy servers to ensure service availability. This topic describes how to configure health checks.

    Precautions

    • If a port forwarding rule has only one origin IP address, do not enable health checks for the rule.

    • Health checks are not supported if you enable Application-layer Protection in the port forwarding configuration.

    • If you do not enable Application-layer Protection in the port forwarding configuration, health checks are supported. If you enable Application-layer Protection after you configure health checks, the existing health check configurations become inactive but are not deleted.

    • Anti-DDoS Proxy uses its back-to-origin IP addresses to perform active probes on your origin server. These probes check only the health status of the origin server and do not affect its services. To ensure that health checks work as expected, you must add these back-to-origin IP addresses to the access control policy of your origin server. For more information, see Add the back-to-origin IP addresses of Anti-DDoS Proxy to an allowlist.

    Prerequisites

    You have added your non-website service to Anti-DDoS Proxy and configured multiple origin IP addresses. For more information, see Configure port forwarding rules.

    Configure a health check for a single port

    1. Log on to the Anti-DDoS Proxy console.

    2. In the top navigation bar, select the region of your instance.

      • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

      • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

    3. In the left-side navigation pane, choose Onboarding > Port Config.

    4. Select an Anti-DDoS Proxy instance. Find the forwarding rule that you want to manage and click Configure in the Health Check column.

    5. Enable Health Check, complete the health check configuration, and then click OK.

      Anti-DDoS Proxy supports Layer 4 and Layer 7 health checks. The following table describes the parameters.

      Note

      Both Layer 4 Health Check and Layer 7 Health Check support advanced settings. To view the settings, expand Advanced Settings. In most cases, you do not need to change the advanced settings.

      Type

      Parameter

      Description

      Layer 4 Health Check

      Health Check Port

      The port that the health check service uses to probe the backend server. Valid values: 1 to 65535. The default value is the origin server port in the port forwarding rule.

      Note

      This parameter applies to TCP and UDP rules.

      Layer 7 Health Check

      Domain Name, Health Check Path

      For a Layer 7 health check, Anti-DDoS Proxy sends HTTP HEAD requests to a predefined check path to evaluate the health status of the origin server.

      Note

      This parameter applies only to TCP rules for HTTP services.

      • Domain Names: If the origin server limits the host field for HTTP HEAD requests, do not specify a domain name. The origin IP address is used by default. In other scenarios, specify a domain name.

      • Health Check Path: Required. The URI of the page file for the health check.

      For example, if you set Domain Names to example.aliyundoc.com and Health Check Path to /healthcheck.html, Anti-DDoS Proxy sends HTTP HEAD requests to http://example.aliyundoc.com/healthcheck.html.

      Health Check Port

      The port that the health check service uses to probe the backend server. Valid values: 1 to 65535. The default value is the origin server port in the port forwarding rule.

      Advanced Settings

      Response Timeout Period

      The maximum timeout period for a health check response. Valid values: 1 to 30. Unit: seconds.

      If a backend server does not return a valid response within the specified timeout period, the health check fails.

      Health Check Interval

      The interval between health checks. Valid values: 1 to 30. Unit: seconds.

      Note

      All nodes in the Anti-DDoS Proxy cluster independently and concurrently perform health checks on backend servers based on this setting. The check times of different Anti-DDoS Proxy nodes are not synchronized. If you check the logs on a specific backend server, you may find that the health check requests from Anti-DDoS Proxy IP addresses do not follow the specified interval.

      Unhealthy Threshold

      The number of consecutive health check failures that must occur for a healthy backend server to be considered unhealthy. This is measured by a single Anti-DDoS Proxy node. Valid values: 1 to 10. Unit: times.

      Healthy Threshold

      The number of consecutive health check successes that must occur for an unhealthy backend server to be considered healthy. This is measured by a single Anti-DDoS Proxy node. Valid values: 1 to 10. Unit: times.

      After you enable health checks, the Health Check status of the port forwarding rule changes to Enabled.

    Batch configure health checks and session persistence

    You can batch configure health checks and session persistence at the same time in the console. Therefore, the procedures are described together.

    1. Log on to the Anti-DDoS Proxy console.

    2. In the top navigation bar, select the region of your instance.

      • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

      • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

    3. In the left-side navigation pane, choose Onboarding > Port Config.

    4. Select the Anti-DDoS Proxy instance that you want to manage. Below the rule list, choose Add > Session and Health Check Settings from the Batch Operations drop-down list.

    5. In the Add Session and Health Check Settings dialog box, enter the session persistence and health check configurations in the required format, and then click OK.

      Note

      You can also batch export the current configurations, modify the exported TXT file, and then paste the content into the dialog box. For more information, see Batch export.

      The session persistence and health check configurations must be in the following format:

      • Each line contains the session persistence and health check configuration for a single forwarding rule.

      • Each configuration line contains the following fields from left to right, separated by spaces: forwarding port, forwarding protocol (TCP, HTTP, or UDP), session persistence timeout (seconds, 30 to 3600), health check type, health check port, check timeout, check interval, unhealthy threshold, healthy threshold, check path (required if the forwarding protocol is HTTP), and domain name (optional if the forwarding protocol is HTTP).

      • The forwarding port must belong to an existing forwarding rule.

      • If the forwarding protocol is UDP, configure a UDP health check. If the forwarding protocol is TCP, configure a TCP (Layer 4) or HTTP (Layer 7) health check.

      • If the forwarding protocol is HTTP, the check path is required and the domain name is optional.

    References

    For more information about health checks, see Overview of Server Load Balancer health checks.