how to create a secure acceleration rule - Anti-DDoS - Alibaba Cloud Documentation Center

Secure acceleration combines Sec-MCA with an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan. This creates a protection architecture that covers all carrier networks to ensure the security and accessibility of your services across global carrier networks. This topic describes how to configure a secure acceleration rule.

Background information

Sec-MCA protects service traffic only from carriers in the Chinese mainland. You must use it with an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan to protect all service traffic. This topic provides an example of an interaction between Sec-MCA 2.0 and an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan. This setup achieves the following:

Traffic from China Telecom, China Unicom, and China Mobile in the Chinese mainland is scheduled to the IP address of the Sec-MCA 2.0 instance.
Other traffic is scheduled to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan.

Conditions

If your services are accessed directly using IP addresses, you cannot use Sec-Traffic Manager to automatically schedule service traffic.

Procedure

Add your website service to both an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan and a Sec-MCA 2.0 instance. Then, ensure that service traffic can be forwarded as expected.
- To add your service, see Add a website configuration or Configure port forwarding rules.
  Note
  You only need to add your service. You do not need to modify the domain name resolution.
- To verify that service traffic is forwarded as expected, see Verify traffic forwarding settings on a local machine.

Configure a secure acceleration rule.

Log on to the Anti-DDoS Proxy console.
In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region.
If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
On the General Interaction tab, click Add Rule.

On the Add Rule page, configure a Sec-CMA rule, and click OK.

Parameter	Description
Interaction Scenario	Select Sec-CMA.
Rule Name	Enter a name for the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).
Sec-CMA	Select the IP address of the Sec-MCA instance.
Anti-DDoS Proxy (Outside Chinese Mainland)	Select the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan.

After you add the rule, Sec-Traffic Manager generates a CNAME for the rule. You can view the rule and its CNAME in the rule list.

Change the DNS records of the domain name as prompted and click Complete.
For the cloud service interaction rule to take effect, you must change the DNS records of your domain name on the website of your DNS service provider to map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you need to only change the DNS records in the Alibaba Cloud DNS console.
Important
After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS records, we recommend that you modify the hosts file on your on-premises computer to verify the cloud service interaction rule. This helps prevent incompatibility issues caused by inconsistent back-to-origin policies. CDN allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Proxy to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Proxy to retrieve data from an Object Storage Service (OSS) object, the service traffic that is forwarded by Anti-DDoS Proxy cannot be identified by OSS. As a result, your services are interrupted. For more information about origin hosts, see Configure the default origin host.
For more information about how to verify traffic forwarding rules, see Verify the forwarding configurations on your on-premises computer.
For more information about how to change the DNS records of a domain name, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

Related operations

After you add a General Interaction rule, you can perform the following operations on the rule in the rule list.

Operation	Description
Edit	You can modify the cloud service interaction rule. However, you cannot change the values of Interaction Scenario and Rule Name for the rule.
Delete	You can delete the cloud service interaction rule. Warning Before you delete an interaction rule, make sure that the domain name of your website is not pointed to the CNAME of Sec-Traffic Manager. Otherwise, access to your website may fail after you delete the rule.
Switch to Anti-DDoS and Switchback	If Sec-MCA is subject to blackhole filtering or cannot meet your business requirements due to low network speeds, you can click Switch to Anti-DDoS. This switches all service traffic to the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan. After the attack stops or the network becomes stable, you can click Switchback to switch traffic from the Chinese mainland back to Sec-MCA.