
Anti-DDoS:Cloud service interaction

Last Updated:Apr 08, 2026

By default, all traffic routes through Anti-DDoS Proxy continuously. This adds latency and cost even when no attack is occurring. Cloud service interaction routes traffic directly to your cloud resource during normal operations. When an attack is detected, traffic automatically diverts to Anti-DDoS Proxy for scrubbing. This on-demand model removes unnecessary network hops, reducing latency and optimizing costs.

Before you begin

Supported cloud resources

Your service runs on one of the following Alibaba Cloud resources with a public IP address:

  • Elastic IP Address (EIP)

  • Elastic Compute Service (ECS) instance

  • Server Load Balancer (SLB) instance

  • Web Application Firewall (WAF) instance

Anti-DDoS Proxy instance

One of the following Anti-DDoS Proxy instances:

  • Anti-DDoS Proxy (Chinese Mainland): Profession.

  • Anti-DDoS Proxy (Outside Chinese Mainland): Insurance or Unlimited.

Important

The instance must have sufficient clean bandwidth and queries per second (QPS) to meet your service requirements. For details, see Purchase an Anti-DDoS Proxy instance.

Configuration requirements

How it works

Cloud service interaction uses DNS-based intelligent routing to dynamically direct traffic based on the security status of your cloud resources.

Important

Cloud service interaction uses DNS to route traffic. If all your cloud resources enter blackhole filtering simultaneously, your service becomes unreachable until the blackhole is lifted. During traffic switching, your service may experience brief interruptions. The actual downtime depends on the TTL of the DNS record and on how quickly client-side DNS caches refresh: clients that still hold the old record keep sending traffic to the old destination until it expires.

Traffic flows through three states:

  • Normal (no attack). Traffic path: Client > Cloud resource. Traffic goes directly to your cloud resource without passing through Anti-DDoS Proxy. This delivers the lowest latency and best performance.

  • Under attack. Traffic path: Client > Anti-DDoS Proxy > Cloud resource. The system automatically updates the DNS record to point your domain to the Anti-DDoS Proxy CNAME address. Malicious traffic is scrubbed, and only legitimate traffic is forwarded to your cloud resource.

  • Recovery (attack stopped). Traffic path: Client > Cloud resource. After the attack stops, Anti-DDoS Proxy waits for a configured period (the failback waiting period) before routing traffic back. When this period elapses, the system restores the DNS record to point to your cloud resource IP address.
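Because every one of these states is expressed purely in DNS, you can read the current state of a domain from its answer chain: a CNAME that lands on the Anti-DDoS Proxy hostname means traffic is being scrubbed, an A record for one of your cloud resource IPs means direct routing. The script below is an added example, not code from this page or from Alibaba Cloud. It implements a minimal DNS client with the standard library so that the CNAME chain and the TTL stay visible (socket.getaddrinfo() hides both), and it ships with constructed sample replies so it runs offline. The resolver address, the origin IP, and the Proxy CNAME suffix are assumptions: substitute the resolver your clients actually use, the IPs you enter under Resource for Interaction, and the CNAME shown in your console.

```python
"""Read the current cloud service interaction state straight from DNS.

Added example, not Alibaba Cloud code. The resolver, origin IP and Proxy CNAME
suffix below are assumptions: substitute the resolver your clients use, the IPs
entered under "Resource for Interaction", and the CNAME shown in your console.
"""
import random
import socket
import struct

ORIGIN_IPS = {"198.51.100.7"}                   # assumed cloud resource IP
PROXY_CNAME_SUFFIX = "example-ddos-proxy.test"  # assumed Proxy CNAME suffix
RESOLVER = "223.5.5.5"                          # assumed resolver (AliDNS)

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name: str) -> tuple:
    """Recursive A query for name; returns (transaction id, packet)."""
    txid = random.randrange(0x10000)
    return txid, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_answers(msg: bytes) -> list:
    """Return (owner, type, ttl, rdata) for each record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            rdata = socket.inet_ntoa(msg[off:off + 4])
        elif rtype == 5:
            rdata, _ = _read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        records.append((owner, {1: "A", 5: "CNAME"}.get(rtype, str(rtype)), ttl, rdata))
        off += rdlen
    return records

def classify(records, origin_ips=ORIGIN_IPS, proxy_suffix=PROXY_CNAME_SUFFIX) -> dict:
    """Map the answer chain onto the three states described above."""
    via_proxy = any(t == "CNAME" and rdata.lower().endswith(proxy_suffix.lower())
                    for _, t, _, rdata in records)
    ips = sorted(rdata for _, t, _, rdata in records if t == "A")
    if via_proxy:
        state = "under attack: Client > Anti-DDoS Proxy > Cloud resource"
    elif ips and set(ips) <= set(origin_ips):
        state = "normal: Client > Cloud resource"
    else:
        state = "unexpected: answer matches neither the Proxy CNAME nor an origin IP"
    # The smallest TTL bounds how long a client keeps using the old destination after a switch.
    return {"state": state, "ips": ips, "min_ttl": min((r[2] for r in records), default=None)}

def resolve(name: str, server: str = RESOLVER) -> list:
    """Live UDP lookup (needs network; the demo in __main__ is offline)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(query, (server, 53))
        reply = sock.recv(4096)
    if struct.unpack("!H", reply[:2])[0] != txid:      # reject replies to someone else's query
        raise ValueError("DNS transaction id mismatch")
    return parse_answers(reply)

def constructed_reply(under_attack: bool) -> bytes:
    """Constructed sample replies (not captured traffic) for both DNS states."""
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    owner = b"\xc0\x0c"                                # pointer to the question name
    if not under_attack:
        a_rr = owner + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("198.51.100.7")
        return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + a_rr
    target = encode_name("demo-abc." + PROXY_CNAME_SUFFIX)
    cname_rr = owner + struct.pack("!HHIH", 5, 1, 60, len(target)) + target
    target_ptr = struct.pack("!H", 0xC000 | (12 + len(question) + len(owner) + 10))
    a_rr = target_ptr + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.10")
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + question + cname_rr + a_rr

if __name__ == "__main__":
    for attack in (False, True):   # offline demo; use resolve("www.example.com") for a live check
        print(classify(parse_answers(constructed_reply(attack))))
```

Run it against the resolver your users sit behind rather than against the authoritative server: the min_ttl it reports is what actually bounds the switching delay those users experience, and the same script doubles as the post-change check for the DNS update step later on this page.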

Create a cloud service interaction rule

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.

  4. On the General Interaction tab, click Create Rule.

  5. In the Create Rule panel, configure the remaining parameters described in the following table, and then click Next.

    • Interaction Scenario: Select Cloud Service Interaction.

    • Rule Name: Enter a name of up to 128 characters. Only letters, digits, and underscores (_) are supported.

    • Anti-DDoS Pro or Anti-DDoS Premium Instance: Select the Anti-DDoS Proxy instance to associate with this rule.

    • Resource for Interaction: Enter the public IP address of the cloud resource you want to protect. The following types are accepted: EIP (Elastic IP Address), ECS instance IP, SLB instance IP, and WAF instance IP. Click Add IP Address of Cloud Resource to add more addresses. You can add up to 20 IP addresses.

      Note
      • When you add multiple IP addresses, all addresses share the same Anti-DDoS Proxy instance. If one IP address is attacked, traffic is redistributed to the remaining addresses. Traffic switches to Anti-DDoS Proxy only when all addresses are under attack simultaneously.

      • For independent failover of each IP address, see Multi-path failover.

    • Waiting Time of Switchback: The failback waiting period (how long Anti-DDoS Proxy waits after an attack stops before routing traffic back to your cloud resource). Valid range: 30 to 120 minutes.

      Note

      We recommend 60 minutes.

  6. Update your DNS records as prompted: To activate the rule, point your domain's DNS record to the CNAME provided by Sec-Traffic Manager. Follow these steps:

    1. Verify locally before updating DNS: Before you update your public DNS records, verify the rule by modifying the hosts file on your local computer. This helps you catch origin forwarding policy conflicts before they affect production traffic. For detailed steps, see Locally validate your forwarding configuration.

      Typical risk cases: CDN + Anti-DDoS Proxy + OSS conflict

      If you use CDN together with Anti-DDoS Proxy to serve content from Object Storage Service (OSS), be aware of the following:

      • CDN can customize the origin Host header to match the OSS bucket name, so OSS correctly identifies the request.

      • Anti-DDoS Proxy does not modify the origin Host header. It passes through the original Host header from the client request.

      • When an attack triggers a failover to Anti-DDoS Proxy, the Host header may no longer match what OSS expects, causing requests to fail. To catch this before it happens in production, map your domain to the IP address that the Anti-DDoS Proxy CNAME resolves to in your local hosts file (a hosts file holds IP addresses, not CNAMEs) and verify the scenario before updating public DNS.

    2. Update your DNS records: After you verify the rule locally, update your domain's DNS record to point to the CNAME provided by Sec-Traffic Manager.

      • Alibaba Cloud: Update the record in the Alibaba Cloud DNS console.

      • Third-party provider: Log on to your domain registrar's management console and update the DNS record for your domain.

    3. Validation Results

      After the DNS update, verify that your website is accessible.
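The CDN + Anti-DDoS Proxy + OSS risk case described in step 1 comes down to one header: a CDN origin rule rewrites Host to the bucket endpoint, while Anti-DDoS Proxy forwards whatever Host the client sent. The script below is an added example, not code from this page or from Alibaba Cloud. It stands up a local mock of a virtual-hosted bucket origin that, like OSS, only serves when Host names the bucket endpoint, then sends the same client request along both paths and reports the status each one gets. The bucket endpoint and site hostname are hypothetical; substitute your own when adapting the check. Against a real origin, the same technique is what you get by connecting to the origin's IP directly and setting Host yourself, which is exactly what editing the hosts file achieves.

```python
"""Why CDN + Anti-DDoS Proxy + OSS breaks on failover: the origin Host header.

Added example, not Alibaba Cloud code. Runs a local mock of an OSS-style
virtual-hosted bucket and replays one client request the way a CDN would
(Host rewritten to the bucket endpoint) and the way Anti-DDoS Proxy does
(client Host passed through unchanged). Hostnames below are hypothetical.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BUCKET_HOST = "my-bucket.oss-example.test"   # hypothetical OSS bucket endpoint
SITE_HOST = "www.example.com"                # hypothetical customer domain

class MockOssOrigin(BaseHTTPRequestHandler):
    """Virtual-hosted bucket semantics: Host must name the bucket endpoint."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body, status = (b"object data", 200) if host == BUCKET_HOST else (b"NoSuchBucket", 404)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):            # keep demo output quiet
        pass

def start_origin():
    """Bind the mock origin on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockOssOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch_via(port: int, host_header: str) -> int:
    """GET / from the origin with an explicit Host header; return the HTTP status.
    Connecting to the IP directly and setting Host yourself is the same check a
    hosts-file override gives you, without touching system configuration."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status

def cdn_path(port: int, client_host: str = SITE_HOST) -> int:
    """CDN origin rule: rewrite Host to the bucket endpoint before forwarding."""
    return fetch_via(port, BUCKET_HOST)

def proxy_path(port: int, client_host: str = SITE_HOST) -> int:
    """Anti-DDoS Proxy: forward the client's Host header unchanged."""
    return fetch_via(port, client_host)

def compare_paths() -> dict:
    """Replay the same client request along both paths against the mock origin."""
    srv, port = start_origin()
    try:
        return {"cdn": cdn_path(port), "anti_ddos_proxy": proxy_path(port)}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for path, status in compare_paths().items():
        print(f"{path}: HTTP {status}")
```

The 404 on the Anti-DDoS Proxy path is the failure the risk case warns about; it shows up in this drill long before any attack forces the DNS switch. Fixing it is an origin-side or Proxy-side Host configuration change, not something the DNS rule can address.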


Switch traffic

Cloud service interaction supports two switching modes to accommodate different operational scenarios.

Note

Both automatic and manual switching use DNS. The actual switching time depends on DNS propagation and network convergence. Plan based on your service's tolerance for downtime.

  • Automatic: The system monitors traffic in real time and automatically switches to or exits Anti-DDoS Proxy mode based on attack detection. Use it for 24/7 unattended protection with no manual intervention required.

  • Manual: You manually trigger failover or failback from the console based on your operational needs. Use it for preemptive switching before major events, for complex attack scenarios not covered by automatic policies, and for fault investigation and drills.

Automatic switching

  • Cloud resource > Anti-DDoS Proxy: triggered when all protected resource IP addresses enter blackhole filtering.

  • Anti-DDoS Proxy > Cloud resource: triggered when the attack has stopped and the configured failback waiting period has elapsed.

Manual switching

You can manually switch traffic from the General Interaction tab on the Sec-Traffic Manager page.

Switch to Anti-DDoS

  • Procedure:

    1. On the Sec-Traffic Manager page, click the General Interaction tab.

    2. Locate the rule whose interaction scenario is cloud service interaction and for which DDoS mitigation scrubbing has not been automatically triggered (indicated by the green icon under Resource for Interaction).

    3. Click Switch to Anti-DDoS in the Actions column to initiate the failover.

  • Restrictions:

    • You cannot switch traffic to Anti-DDoS Proxy when the Proxy instance is in blackhole state, or when the switchback waiting time has not elapsed since the last blackhole event.

    • After a manual failover, traffic does not fail back automatically. You must click Switchback to return traffic to the protected resource.

Switchback

  • Procedure:

    1. On the Sec-Traffic Manager page, click the General Interaction tab.

    2. Locate the rule whose interaction scenario is cloud service interaction and whose traffic is currently being scrubbed by Anti-DDoS Proxy (indicated by the green icon under Anti-DDoS Pro or Anti-DDoS Premium Instance).

    3. Click Switchback in the Actions column, and then confirm the operation.

  • Restrictions:

    • If all associated protected resources are in blackhole filtering, the switchback fails.

    • If some resources are in blackhole filtering while others are not:

      • Traffic fails back to the available resources first.

      • The remaining resources resume receiving traffic automatically after their blackhole filtering is deactivated.

Manage rules

After you create a rule, you can perform the following operations from the General Interaction tab.

  • Edit: Modify the rule parameters. Interaction Scenario and Rule Name cannot be changed after the rule is created.

  • Delete: Delete the rule. Before you delete a rule, remove the Sec-Traffic Manager CNAME from your domain's DNS records. Deleting a rule while the CNAME is still active causes your website to become inaccessible.