How to configure Sec-CMA for Anti-DDoS Proxy (Outside Chinese mainland) - Anti-DDoS

Secure Chinese Mainland Acceleration (Sec-CMA) gives users in the Chinese mainland fast access to your services hosted outside the Chinese mainland, with built-in DDoS traffic scrubbing. Unlike Chinese Mainland Acceleration (CMA), Sec-CMA scrubs attack traffic inline — no line switching is required when an attack occurs.

Choose an instance type

Select the Sec-CMA instance that matches your carrier coverage and mitigation requirements.

Instance type	Mitigation capacity	Carrier coverage	Advanced mitigation sessions	Purchase additional sessions
Sec-CMA 1.0	2 Tbps	China Telecom, China Unicom	2 per calendar month	Yes. Purchase a global advanced mitigation session.
Sec-CMA 1.0 (Basic Edition)	2 Tbps	China Telecom, China Unicom	1 per calendar month	Yes. Purchase a global advanced mitigation session.
Sec-CMA 2.0 (Insurance)	Over 2 Tbps	China Telecom, China Unicom, China Mobile	2 per calendar month	No. Upgrade to Sec-CMA 2.0 (Unlimited).
Sec-CMA 2.0 (Unlimited)	Over 2 Tbps	China Telecom, China Unicom, China Mobile	Unlimited	Not applicable

Note

To purchase Sec-CMA 1.0 (Basic Edition), contact your presales business manager.

Decision guide:

Use Sec-CMA 2.0 if you need to cover China Mobile traffic or require over 2 Tbps mitigation capacity.
Use Sec-CMA 1.0 if China Telecom and China Unicom coverage is sufficient.
To protect traffic from all carriers and from outside the Chinese mainland, pair any Sec-CMA instance with an Anti-DDoS Proxy (Outside Chinese Mainland) instance running the Insurance or Unlimited mitigation plan, and configure a Sec-Traffic Manager scheduling rule.

Limits

Before configuring Sec-CMA, note the following constraints:

UDP not supported (Port Config only): When adding a service using Port Config, UDP ports are not supported. Use Website Config for UDP-based services.
CNAME required for automatic scheduling: Automatic traffic scheduling requires CNAME-based DNS resolution. Services accessed directly by IP address cannot be automatically scheduled.
Chinese mainland traffic only: Sec-CMA handles only traffic from the Chinese mainland. Requests from outside the Chinese mainland are not routed through Sec-CMA. To cover outside-Chinese-mainland traffic, pair Sec-CMA with an Anti-DDoS Proxy (Outside Chinese Mainland) instance using the Insurance or Unlimited mitigation plan.

Use Sec-CMA 2.0

Protect China Telecom, China Unicom, and China Mobile traffic

Use Sec-CMA 2.0 alone when you only need to cover Chinese mainland carrier traffic.

Log on to the Anti-DDoS Proxy console.Anti-DDoS Proxy console
In the top navigation bar, select Outside Chinese Mainland as the region. The console switches to Anti-DDoS Proxy (Outside Chinese Mainland).
Add your service to the Sec-CMA 2.0 instance.
- Website Config: When adding the service, set Instance to your Sec-CMA 2.0 instance. See Add one or more websites.
- Port Config: Configure port forwarding rules in the Sec-CMA 2.0 instance. See Configure port forwarding rules.
Switch traffic to the Sec-CMA 2.0 instance.
- Website Config: Resolve your domain name to the CNAME of Anti-DDoS Proxy. See Use a CNAME or IP address to resolve a domain name to Anti-DDoS Pro.
- Port Config: Set the service address to the IP address of the Sec-CMA 2.0 instance.

Protect all carrier lines

Pair Sec-CMA 2.0 with an Anti-DDoS Proxy (Outside Chinese Mainland) instance (Insurance or Unlimited mitigation plan) to cover all carriers and route traffic from outside the Chinese mainland. The following steps use the Unlimited mitigation plan as an example.

Log on to the Anti-DDoS Proxy console.Anti-DDoS Proxy console
In the top navigation bar, select Outside Chinese Mainland as the region.
Add your service to both instances.
- Website Config: Set Instance to both the Unlimited mitigation plan instance and the Sec-CMA 2.0 instance. See Add one or more websites.
- Port Config: Configure port forwarding rules in both the Unlimited mitigation plan instance and the Sec-CMA 2.0 instance. See Configure port forwarding rules.
Configure a secure acceleration rule in Sec-Traffic Manager. After the rule is created, a CNAME is generated. Traffic is automatically scheduled as follows:
- China Telecom, China Unicom, and China Mobile traffic → Sec-CMA 2.0 instance IP
- Other carriers and traffic from outside the Chinese mainland → Unlimited mitigation plan instance IP
1. Go to Instances > Sec-Traffic Manager and click the General Interaction tab.
2. Click Add Rule, configure the rule, and click Next.
  Field
  Value
  Interaction Scenario
  Select Sec-CMA
  Rule Name
  Enter a custom name
  Sec-CMA
  Select the Sec-CMA 2.0 instance
  Anti-DDoS Proxy (Outside Chinese Mainland)
  Select the Unlimited mitigation plan instance
Note
Make sure that you have configured services for all exclusive IP addresses assigned to the scheduling nodes and that they can forward traffic to your origin server.
At your DNS provider, update the DNS record for your domain name to the CNAME generated by the Sec-Traffic Manager rule.

Use Sec-CMA 1.0

Sec-CMA 1.0 covers China Telecom and China Unicom but does not protect China Mobile traffic.

Protect China Telecom and China Unicom traffic

Use Sec-CMA 1.0 alone when China Telecom and China Unicom coverage is sufficient.

Log on to the Anti-DDoS Proxy console.Anti-DDoS Proxy console
In the top navigation bar, select Outside Chinese Mainland as the region.
Add your service to the Sec-CMA 1.0 instance.
- Website Config: When adding the service, set Instance to your Sec-CMA 1.0 instance. See Add one or more websites.
- Port Config: Configure port forwarding rules in the Sec-CMA 1.0 instance. See Configure port forwarding rules.
Switch traffic to the Sec-CMA 1.0 instance.
- Website Config: Resolve your domain name to the CNAME of Anti-DDoS Proxy. See Use a CNAME or IP address to resolve a domain name to Anti-DDoS Pro.
- Port Config: Set the service address to the IP address of the Sec-CMA 1.0 instance.

Protect all carrier lines

Pair Sec-CMA 1.0 with an Anti-DDoS Proxy (Outside Chinese Mainland) instance (Insurance or Unlimited mitigation plan) to handle China Mobile traffic and requests from outside the Chinese mainland. The following steps use the Unlimited mitigation plan as an example.

Log on to the Anti-DDoS Proxy console.Anti-DDoS Proxy console
In the top navigation bar, select Outside Chinese Mainland as the region.
Add your service to both instances.
- Website Config: Set Instance to both the Unlimited mitigation plan instance and the Sec-CMA 1.0 instance. See Add one or more websites.
- Port Config: Configure port forwarding rules in both the Unlimited mitigation plan instance and the Sec-CMA 1.0 instance. See Configure port forwarding rules.
Configure a secure acceleration rule in Sec-Traffic Manager. After the rule is created, a CNAME is generated. Traffic is automatically scheduled as follows:
- China Telecom and China Unicom traffic → Sec-CMA 1.0 instance IP
- China Mobile traffic and requests from outside the Chinese mainland → Unlimited mitigation plan instance IP
1. Go to Instances > Sec-Traffic Manager and click the General Interaction tab.
2. Click Add Rule, configure the rule, and click Next.
  Field
  Value
  Interaction Scenario
  Select Sec-CMA
  Rule Name
  Enter a custom name
  Sec-CMA
  Select the Sec-CMA 1.0 instance
  Anti-DDoS Proxy (Outside Chinese Mainland)
  Select the Unlimited mitigation plan instance
Note
Make sure that you have configured services for all exclusive IP addresses assigned to the scheduling nodes and that they can forward traffic to your origin server.
At your DNS provider, update the DNS record for your domain name to the CNAME generated by the Sec-Traffic Manager rule.

Field	Value
Interaction Scenario	Select Sec-CMA
Rule Name	Enter a custom name
Sec-CMA	Select the Sec-CMA 2.0 instance
Anti-DDoS Proxy (Outside Chinese Mainland)	Select the Unlimited mitigation plan instance