Anti-DDoS Proxy supports Layer 4 and Layer 7 health checks for non-website services with multiple origin IP addresses. When a health check detects that an origin server is unavailable, Anti-DDoS Proxy automatically stops routing traffic to it, maintaining service continuity.
Before you begin
A non-website service with multiple origin IPs: Health checks only take effect when a port forwarding rule has two or more origin IP addresses. Do not enable health checks for rules with a single origin IP. For setup instructions, see Configure port forwarding rules.
Application-layer Protection must be disabled: Health checks cannot be configured when Application-layer Protection is enabled in the port forwarding settings. If you enable Application-layer Protection after configuring health checks, the existing health check configuration is retained but stops taking effect.
Back-to-origin IPs allowed at the origin: Anti-DDoS Proxy uses back-to-origin IPs to probe origin servers. This probing only assesses the server's health and has no additional impact. Allow these IPs in the origin server's access control policy to ensure proper health checks. For the IP list, see Allow back-to-origin IP addresses to access the origin server.
Configure a health check for one forwarding rule
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Port Config.
Select your Anti-DDoS Proxy instance, find the forwarding rule, and click Health Check under Configure.
Turn on Health Check, fill in the parameters, and click OK.
Select the health check type that matches your forwarding protocol, then configure the parameters.
Layer 4 health check — for TCP and UDP forwarding rules
| Parameter | Description | Default |
| --- | --- | --- |
| Health Check Port | The port that Anti-DDoS Proxy probes on the backend server. Valid values: 1–65,535. | Same as the origin port in the forwarding rule |

Layer 7 health check — for TCP forwarding rules only
Anti-DDoS Proxy sends an HTTP HEAD request to the specified path to check origin server health. A server is considered healthy if it responds within the timeout period.
| Parameter | Description | Default |
| --- | --- | --- |
| Domain Name | The host header value used in the HTTP HEAD request. Enter a value only if the origin server requires a specific host field. | Origin IP address |
| Health Check Path | The URI of the health check page. Required. For example, if the domain is example.aliyundoc.com and the path is /healthcheck.html, Anti-DDoS Proxy probes http://example.aliyundoc.com/healthcheck.html. | — |
| Health Check Port | The port that Anti-DDoS Proxy probes on the backend server. Valid values: 1–65,535. | Same as the origin port in the forwarding rule |

Advanced settings — available for both Layer 4 and Layer 7
Note: Leave advanced settings at their defaults unless you have a specific reason to change them. Expand the Advanced Settings section to access these parameters.
Each scrubbing node in the Anti-DDoS Pro or Anti-DDoS Premium cluster determines origin server health using two criteria: whether the server responds at all, and whether it responds within the timeout period. A server is declared unhealthy when the same scrubbing node records consecutive failed checks equal to the Unhealthy Threshold. It returns to healthy status after consecutive successful checks reach the Healthy Threshold.
| Parameter | Description | Default |
| --- | --- | --- |
| Response Timeout Period | How long Anti-DDoS Proxy waits for a response before declaring a probe failed. Valid values: 1–30 seconds. | — |
| Health Check Interval | Time between consecutive probes from the same scrubbing node. Valid values: 1–30 seconds. Because each scrubbing node probes independently, backend server logs will not reflect this exact interval. | — |
| Unhealthy Threshold | Consecutive failed probes before a backend server is declared unhealthy. Valid values: 1–10. | — |
| Healthy Threshold | Consecutive successful probes before a backend server is declared healthy. Valid values: 1–10. | — |
After you enable the health check, the Health Check status for the forwarding rule updates to Enabled.
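The threshold behavior described above, modeled for a single scrubbing node as an added example (not Alibaba Cloud code). The class and function names are hypothetical, the probe results are constructed, and the model assumes an origin starts out healthy.

```python
from dataclasses import dataclass


@dataclass
class NodeView:
    """One scrubbing node's view of one origin server."""
    unhealthy_threshold: int   # page range: 1-10
    healthy_threshold: int     # page range: 1-10
    timeout_s: float           # page range: 1-30 seconds
    healthy: bool = True       # assumption: an origin starts out healthy
    fails: int = 0
    successes: int = 0

    def __post_init__(self):
        for name in ("unhealthy_threshold", "healthy_threshold"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be in 1-10")
        if not 1 <= self.timeout_s <= 30:
            raise ValueError("timeout_s must be in 1-30")

    def record(self, responded, latency_s=0.0):
        """Feed one probe result and return the resulting health state."""
        # A probe passes only if the origin answered within the timeout.
        ok = responded and latency_s <= self.timeout_s
        if ok:
            self.successes, self.fails = self.successes + 1, 0
            if self.successes >= self.healthy_threshold:
                self.healthy = True
        else:
            self.fails, self.successes = self.fails + 1, 0
            if self.fails >= self.unhealthy_threshold:
                self.healthy = False
        return self.healthy


def replay(probes, **settings):
    """Return the health state after each probe in the sequence."""
    node = NodeView(**settings)
    return [node.record(*p) for p in probes]


# Constructed probe results: (responded, latency in seconds).
PROBES = [(True, 0.2), (False,), (False,), (True, 0.3), (False,),
          (True, 7.0), (False,), (True, 0.2), (True, 0.2)]
```

With a 5-second timeout, an Unhealthy Threshold of 3 and a Healthy Threshold of 2, the two early failures do not trip the check because a success resets the streak, while the slow 7-second response counts as a failure.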
Configure health checks for multiple forwarding rules
Batch health check configuration and session persistence configuration share the same console page and dialog box.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Port Config.
Select your Anti-DDoS Proxy instance and choose Batch Operations > Add Session/healthCheck Configuration.
In the Add Session and Health Check Settings dialog box, enter the configuration following the format requirements below, then click OK.
Tip: Export existing settings to a TXT file, edit the file, then paste the content back into the dialog box. For instructions, see Export configurations of multiple websites.
Format requirements:
Each line represents one forwarding rule.
Fields are separated by spaces.
Forwarding ports must match the ports configured in the port forwarding rules.
The fields in each line, from left to right:
| Position | Field | Notes |
| --- | --- | --- |
| 1 | Forwarding port | Must match the port in the forwarding rule |
| 2 | Forwarding protocol | TCP, HTTP, or UDP |
| 3 | Session persistence timeout | In seconds. Valid values: 30–3,600 |
| 4 | Health check type | — |
| 5 | Health check port | — |
| 6 | Response timeout | In seconds |
| 7 | Check interval | In seconds |
| 8 | Unhealthy threshold | — |
| 9 | Healthy threshold | — |
| 10 | Health check path | Required for HTTP health checks |
| 11 | Domain name | Optional for HTTP health checks |

Health check type recommendations:
For UDP forwarding rules: use a UDP health check.
For TCP forwarding rules: use a TCP (Layer 4) or HTTP (Layer 7) health check.
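A pre-paste check for the batch format above, as an added example that is not part of the console or any Alibaba Cloud tool. The function names are hypothetical and the sample lines are constructed; it assumes health check types are written tcp/http/udp (case-insensitive) and that lines without an HTTP health check may omit the path and domain fields.

```python
# 0-based field position -> (name, min, max); timeout, interval and threshold ranges are the page's.
RANGES = {
    0: ("forwarding port", 1, 65535),
    2: ("session persistence timeout", 30, 3600),
    4: ("health check port", 1, 65535),
    5: ("response timeout", 1, 30),
    6: ("check interval", 1, 30),
    7: ("unhealthy threshold", 1, 10),
    8: ("healthy threshold", 1, 10),
}
# Assumption: health check types are written tcp/http/udp, matched case-insensitively.
RECOMMENDED = {"udp": {"udp"}, "tcp": {"tcp", "http"}}

def check_rule_line(line, configured_ports):
    """Return the problems found in one space-separated rule line."""
    f = line.split()
    if not 9 <= len(f) <= 11:  # assumption: path and domain may be left off
        return [f"expected 9 to 11 fields, got {len(f)}"]
    problems = []
    for pos, (name, lo, hi) in RANGES.items():
        if not (f[pos].isdecimal() and lo <= int(f[pos]) <= hi):
            problems.append(f"{name} must be an integer in {lo}-{hi}")
    if f[0].isdecimal() and int(f[0]) not in configured_ports:
        problems.append("forwarding port has no matching forwarding rule")
    proto, check = f[1].lower(), f[3].lower()
    if proto not in ("tcp", "http", "udp"):
        problems.append("forwarding protocol must be TCP, HTTP, or UDP")
    if check not in ("tcp", "http", "udp"):
        problems.append("unknown health check type")
    elif check not in RECOMMENDED.get(proto, {check}):
        problems.append(f"{check} health check not recommended for {proto} rules")
    if check == "http" and (len(f) < 10 or not f[9].startswith("/")):
        problems.append("HTTP health check requires a path starting with /")
    return problems

def check_batch(text, configured_ports):
    """Map 1-based line number -> problems, for lines that have any."""
    lines = enumerate(text.splitlines(), 1)
    found = {n: check_rule_line(l, configured_ports) for n, l in lines if l.strip()}
    return {n: p for n, p in found.items() if p}

# Constructed sample input, not exported from a real instance.
SAMPLE = """\
8080 tcp 300 http 8080 5 15 3 3 /healthcheck.html example.aliyundoc.com
5353 udp 300 tcp 5353 5 15 3 3
8443 tcp 20 tcp 8443 45 15 3 3
9000 tcp 300 http 9000 5 15 3 3
"""
```

Calling `check_batch(SAMPLE, {8080, 5353, 8443})` reports lines 2, 3 and 4; compare the field spellings against a file exported from your own instance before relying on the token assumptions.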
What's next
For background on how health checks work in the underlying load balancing infrastructure, see CLB health checks.