Anti-DDoS: Configure port forwarding rules

Last Updated: Nov 27, 2024

To protect your non-website services, such as client-based applications, with Anti-DDoS Proxy, you must create port forwarding rules. Anti-DDoS Proxy then scrubs the traffic that is destined for your services and forwards only legitimate service traffic to your origin server according to those rules. This topic describes how to add port forwarding rules for non-website services.

Usage notes

  • Batch configuration of rules is supported exclusively by Anti-DDoS Proxy (Chinese Mainland) and not by Anti-DDoS Proxy (Outside Chinese Mainland).

  • The Application-layer Protection switch is available only for Anti-DDoS Proxy (Chinese Mainland). Turning it on protects against application-layer attacks that do not use HTTP or HTTPS.

  • After all Anti-DDoS Proxy instances under your Alibaba Cloud account have been released for one month, the system automatically clears all domain name and port forwarding configurations associated with Anti-DDoS Proxy for that account. If you have multiple Anti-DDoS Proxy instances, the one-month countdown starts from the release time of the last instance.

  • When you purchase an Anti-DDoS Proxy instance with the Enhanced Function Plan, common ports that are often targeted for UDP reflection attacks are automatically blocked after you configure UDP port forwarding rules. Typically, this blocking does not disrupt your services. However, if your services require access to these ports, you need to unblock them manually. For more information, see Configure the UDP reflection attack mitigation feature.

    Note

    Custom settings for the ports under UDP reflection attack protection override the default configurations.

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Add port forwarding rules

Add a port forwarding rule

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. Select an Anti-DDoS Proxy instance, click Add Rule, configure the rule, and click OK.

    Note

    If the exclamation mark icon is displayed next to a protocol in the Forwarding Protocol column of a port forwarding rule, the rule was automatically generated when you added a website. This port forwarding rule is used to forward the traffic of website services. You cannot modify or delete rules that are automatically generated. If the websites that use these port forwarding rules are removed from your instance, the port forwarding rules are automatically deleted. For more information about how to configure website services, see Add one or more websites.

    • If you specify port 80 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 80.

    • If you specify port 443 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 443.

    The Add Rule dialog box contains the following parameters:

    • Application-layer Protection: Available only for TCP-based non-website services. Turn it on to protect against application-layer attacks that do not use HTTP or HTTPS. For more information about attack types, see Scenario-specific anti-DDoS solutions.

    • Forwarding Protocol: The protocol that you want to use to forward traffic. Valid values: TCP and UDP.

    • Redirection Port: The port that you want to use to forward traffic.

      Note
      • We recommend that you specify the same value for Redirection Port and Origin Server Port.

      • To prevent domain owners from creating their own DNS servers, Anti-DDoS Proxy does not protect services that use port 53.

      • Within one instance, forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a rule whose protocol and forwarding port are already used by another rule, an error message indicating that the rules overlap appears.

      • Make sure that the rule you want to create does not conflict with the rules that are automatically generated when you add a website to your instance.

    • Origin Server Port: The port of the origin server.

    • Back-to-origin Scheduling Algorithm: Polling mode is used by default and cannot be changed.

    • Origin IP Address: The IP address of the origin server.

      Note
      You can specify a maximum of 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).

Add port forwarding rules in batch

When you add port forwarding rules in a batch, you cannot enable Application-layer Protection. To enable it, add the rules first and then turn on the Application-layer Protection switch in batch mode.

  1. Navigate to the Port Config page and choose Batch Operations > Add Rule.

  2. In the Add Rule dialog box, enter the required information as shown in the sample file, and click OK.

    Each line represents a rule. From left to right, the fields in each rule indicate the following information: protocol, forwarding port, origin server port, and origin IP address. Fields are separated by spaces.

  3. In the Add Rule dialog box, select the rules to add, and click Upload.
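The batch file format above (protocol, forwarding port, origin server port, origin IP addresses, space-separated, one rule per line) is easy to get wrong in ways the console only reports at upload time. The following validator is an added example, not Alibaba Cloud code or part of the console: it parses a constructed sample file and applies only the constraints this page states (TCP or UDP; port 53 is not protected; same-protocol rules need distinct forwarding ports; no collision with the TCP 80/443 rules auto-generated for websites; at most 20 comma-separated origin IPs; Application-layer Protection is TCP-only and is toggled after the upload). The `website_origin_ports` parameter, the skipping of blank lines and the RFC 5737 sample addresses are this example's assumptions.

```python
"""Validate an Anti-DDoS Proxy batch rule file before uploading it.

Added example, not Alibaba Cloud code. It checks only what the page states;
the console performs its own validation at upload time.
"""
import dataclasses
import ipaddress

MAX_ORIGIN_IPS = 20        # limit stated on the page
UNPROTECTED_PORTS = {53}   # Anti-DDoS Proxy does not protect DNS


@dataclasses.dataclass(frozen=True)
class ForwardingRule:
    protocol: str
    forwarding_port: int
    origin_port: int
    origin_ips: tuple
    app_layer_protection: bool = False


class RuleSet:
    """Rules of one instance, keyed by (protocol, forwarding port)."""

    def __init__(self, website_origin_ports=()):
        # Adding a website with origin port 80 or 443 auto-generates a TCP rule on
        # that port; such rules cannot be edited, so manual rules must avoid them.
        self.auto_rules = {("TCP", p) for p in website_origin_ports if p in (80, 443)}
        self.rules = {}

    def add(self, rule):
        key = (rule.protocol, rule.forwarding_port)
        if key in self.auto_rules:
            raise ValueError(f"{rule.protocol} port {rule.forwarding_port} conflicts "
                             "with the rule auto-generated for a website")
        if key in self.rules:
            raise ValueError(f"{rule.protocol} port {rule.forwarding_port} overlaps "
                             "an existing rule")
        self.rules[key] = rule
        return rule

    def enable_app_layer_protection(self, protocol, forwarding_port):
        """Batch add cannot set the switch; toggle it afterwards, TCP rules only."""
        rule = self.rules[(protocol, forwarding_port)]
        if rule.protocol != "TCP":
            raise ValueError("Application-layer Protection is available for TCP only")
        self.rules[(protocol, forwarding_port)] = dataclasses.replace(
            rule, app_layer_protection=True)
        return self.rules[(protocol, forwarding_port)]


def _port(text):
    port = int(text)  # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port {text} is out of range")
    return port


def parse_rule_line(line):
    """One line: protocol, forwarding port, origin port, origin IPs (space-separated)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    protocol, fwd, origin, ips = fields
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol {protocol!r}")
    fwd_port, origin_port = _port(fwd), _port(origin)
    if fwd_port in UNPROTECTED_PORTS:
        raise ValueError(f"port {fwd_port} is not protected by Anti-DDoS Proxy")
    ip_list = tuple(ips.split(","))
    if len(ip_list) > MAX_ORIGIN_IPS:
        raise ValueError(f"{len(ip_list)} origin IPs exceed the limit of {MAX_ORIGIN_IPS}")
    for ip in ip_list:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return ForwardingRule(protocol, fwd_port, origin_port, ip_list)


def parse_batch(text, website_origin_ports=()):
    """Return (ruleset, errors, warnings); each entry names the offending line."""
    ruleset, errors, warnings = RuleSet(website_origin_ports), [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # skipping blank lines is this example's choice
            continue
        try:
            rule = ruleset.add(parse_rule_line(line))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
            continue
        if rule.forwarding_port != rule.origin_port:  # page recommends equal ports
            warnings.append(f"line {number}: forwarding port {rule.forwarding_port} "
                            f"differs from origin port {rule.origin_port}")
    return ruleset, errors, warnings


# Constructed sample batch file; addresses are RFC 5737 documentation IPs.
SAMPLE_BATCH = """\
TCP 8080 8080 192.0.2.10,192.0.2.11
UDP 9000 9000 192.0.2.20
TCP 443 443 192.0.2.10
TCP 8080 8081 192.0.2.12
UDP 53 53 192.0.2.30
TCP 7000 7001 192.0.2.40
"""
```

Running `parse_batch(SAMPLE_BATCH, website_origin_ports=(443,))` accepts lines 1, 2 and 6, rejects line 3 (collides with the auto-generated TCP 443 website rule), line 4 (TCP 8080 overlaps line 1) and line 5 (port 53), and warns that line 6 uses different forwarding and origin ports. Calling `enable_app_layer_protection` afterwards mirrors the page's two-step procedure: upload first, then switch the TCP rules on in batch mode.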

What to do next

After you add port forwarding rules, you must allow the back-to-origin IP address of your instance on the origin server, verify that the forwarding rules are in effect on your computer, and then switch the traffic of your non-website services to your instance.

  1. Allow the back-to-origin IP address of your instance on the origin server. This way, the traffic from your instance is allowed by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.

  2. Verify that the port forwarding rules are in effect on your computer to prevent service exceptions caused by invalid forwarding rule configurations. For more information, see Verify traffic forwarding settings on a local machine.

    Warning

    If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.

  3. Switch the traffic of your non-website services to your instance.

    In most cases, you can replace the service IP address with the exclusive IP address of your instance to switch the traffic of your non-website services to your instance. The method to replace the IP address varies based on your platform.

    Note
    • If your service is also accessible over a domain name that functions as the server address, you do not need to add the domain name to your instance. For example, the domain name example.com is used as the server address of a game or is hard-coded in a client program. In this case, you must change the A record at the DNS provider of the domain name to redirect the traffic to the exclusive IP address of your instance. For more information, see Change the DNS record.

    • In some scenarios, you may need to use a domain name to add your Layer 4 service to multiple Anti-DDoS Proxy instances and configure an automatic mechanism to switch traffic among these instances. We recommend that you add the domain name of your service to Anti-DDoS Proxy and modify the CNAME of the domain name. For more information, see Modify CNAME records to protect transport-layer services.
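Step 2 above asks you to confirm that the forwarding rules are in effect before switching traffic, because switching early interrupts service. The script below is an added example, not Alibaba Cloud tooling and not the procedure in "Verify traffic forwarding settings on a local machine": for each TCP rule it attempts a connection to the instance's exclusive IP address on the forwarding port and reports whether the handshake completes; UDP rules are reported as skipped, since a datagram gets no transport-level acknowledgement and can only be checked with the application's own request and response. `INSTANCE_IP` and `RULES` are placeholders, and `open_local_listener` exists only so the check can be exercised offline.

```python
"""Probe the instance's TCP forwarding ports before switching production traffic.

Added example, not Alibaba Cloud tooling. A completed handshake shows that the
instance accepts traffic on that port; it does not by itself prove the origin
answers, so follow up with a real request from your client where possible.
"""
import socket

INSTANCE_IP = "203.0.113.10"  # placeholder for your instance's exclusive IP (RFC 5737)

# Constructed rule list: (protocol, forwarding port), as in the batch file.
RULES = [("TCP", 8080), ("UDP", 9000), ("TCP", 7000)]


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False


def verify_rules(instance_ip, rules, timeout=3.0):
    """Map each (protocol, port) to 'open', 'closed' or 'skipped' (UDP)."""
    results = {}
    for protocol, port in rules:
        if protocol.upper() != "TCP":
            results[(protocol, port)] = "skipped"
        elif tcp_port_open(instance_ip, port, timeout):
            results[(protocol, port)] = "open"
        else:
            results[(protocol, port)] = "closed"
    return results


def safe_to_switch(results):
    """Switch traffic only when no TCP rule is still reported closed."""
    return all(status != "closed" for status in results.values())


def open_local_listener():
    """Throwaway loopback listener so the check can be exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    results = verify_rules(INSTANCE_IP, RULES)
    for (protocol, port), status in results.items():
        print(f"{protocol} {port}: {status}")
    print("safe to switch traffic:", safe_to_switch(results))
```

Run it from the computer you will test from, with `INSTANCE_IP` replaced by the exclusive IP address shown for your instance; only when every TCP rule reports `open` should you change the service IP address or DNS record as described in step 3.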

Related operations

Modify the origin IP address

The illustration below shows where to modify the origin IP address for one rule (①) and for multiple rules (②).

Modify the application-layer protection switch

The illustration below shows two switch options: one toggles the switch of a single rule (①), the other toggles the switch of multiple rules in batch mode (②). Do not click Configure under the Application-layer Protection tab: that button opens the protection policy configuration, not the switch.

Delete port forwarding rules

Warning

You can delete manually added forwarding rules that are no longer in use. Before this operation, ensure that inbound traffic is no longer forwarded to Anti-DDoS Proxy instances. If you delete a forwarding rule before you restore the IP address of your service from that of your Anti-DDoS Proxy instance to the actual IP address, your service may be interrupted.

The illustration below shows where to delete one rule (①) and multiple rules (②).
