Anti-DDoS: Onboard non-website services with a CNAME record

Last Updated: Mar 31, 2026

To protect a non-website (Layer 4) service with Anti-DDoS Proxy, you can point your service directly to an Anti-DDoS Proxy IP address using port forwarding rules. Use the CNAME method described in this topic when you need automatic traffic failover across multiple Anti-DDoS Proxy IPs.

If you only need a single Anti-DDoS Proxy IP without failover, use port forwarding rules directly. See Configure port forwarding rules.

Example scenario

This topic uses a gaming service as an example. The service runs on TCP ports 1234 and 5678, and its origin server IP address is 1.1.XX.XX. Users connect to the service by resolving the domain name demo.aliyundoc.com, which must return an Anti-DDoS Proxy IP.

The configuration involves three steps: add a website configuration to get a CNAME record, create port forwarding rules on each Anti-DDoS Proxy IP, then update the DNS record for your domain to point to that CNAME.

Prerequisites

Before you begin, ensure that you have:

  • Two or more Anti-DDoS Proxy instances (this example uses two instances with the Enhanced function plan)

  • Access to the DNS provider for your domain

Procedure

Step 1: Add a website configuration and get the CNAME record

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance:

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. On the Website Config page, click Add Website, configure the following parameters, and then click Add. For more information, see Add a website configuration. After you add the website, Anti-DDoS Proxy assigns a CNAME record to the domain. Save this CNAME record for use in Step 3.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Function Plan and Instance | The Anti-DDoS Proxy instances to associate. Select at least two instances. | Two instances with the Enhanced function plan |
    | Websites | The domain name of your service. | demo.aliyundoc.com |
    | Protocol Type and Server Port | Keep the default settings. | |
    | Server Address | Select Origin IP Address. For non-website services, enter any IP address; traffic forwarding is handled by the port forwarding rules you create in Step 2, not by this field. | Any valid IP address |

Step 2: Add port forwarding rules

Add port forwarding rules for each Anti-DDoS Proxy IP that you associated with the domain in Step 1. This example uses two IPs and two ports, so you create four rules in total.

  1. In the left-side navigation pane, choose Provisioning > Port Config.

  2. On the Port Config page, select one of the Anti-DDoS Proxy IPs and click Create Rule.

  3. In the Create Rule dialog box, configure the following parameters and click OK.

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Forwarding Protocol | The protocol used by your service. | TCP |
    | Redirection Port | The port exposed on the Anti-DDoS Proxy IP. Set it to match the origin server port. | 1234 |
    | Origin Server Port | The port on your origin server. | 1234 |
    | Origin IP Address | The IP address of your origin server. | 1.1.XX.XX |

  4. Add another rule for the same Anti-DDoS Proxy IP. Set both Redirection Port and Origin Server Port to 5678.

  5. Repeat this process for your other Anti-DDoS Proxy IP, adding the same two rules for ports 1234 and 5678. For more information, see Configure port forwarding rules.

Step 3: Update the DNS record

At your DNS provider, change the DNS record for demo.aliyundoc.com to a CNAME record and point it to the CNAME record you obtained in Step 1.

For more information, see Point a domain name to Anti-DDoS Proxy using a CNAME record or an IP address.

What's next

After the DNS change propagates, verify that your domain resolves to an Anti-DDoS Proxy IP. Run nslookup demo.aliyundoc.com or dig demo.aliyundoc.com to confirm that the CNAME resolution is active.
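
The check above can be scripted so that it fails when the domain resolves to anything other than the Anti-DDoS Proxy IPs, in which case traffic would not pass through the proxy. This is an added example, not part of the original documentation; the function names, the CNAME target `placeholder-cname.example` and the 203.0.113.x addresses are constructed placeholders for the values from Step 1 and your own instances.

```shell
#!/bin/sh
# Added example; every name and address below is a constructed placeholder.

# Constructed sample of `dig +noall +answer demo.aliyundoc.com` output.
SAMPLE_ANSWER='demo.aliyundoc.com. 600 IN CNAME placeholder-cname.example.
placeholder-cname.example. 60 IN A 203.0.113.10
placeholder-cname.example. 60 IN A 203.0.113.20'

# check_answer ANSWER NAME EXPECTED_CNAME "PROXY_IP ..."
# Succeeds only if NAME is a CNAME to EXPECTED_CNAME and every A record in the
# answer is one of the listed Anti-DDoS Proxy IPs. The body runs in a subshell,
# so its variables stay local and `exit` only ends the function.
check_answer() (
  answer=$1 name=${2%.} allowed=" $4 "
  want=$(printf '%s' "${3%.}" | tr 'A-Z' 'a-z')
  got=$(printf '%s\n' "$answer" | awk -v n="$name." \
    'tolower($1) == tolower(n) && $4 == "CNAME" { sub(/\.$/, "", $5); print tolower($5); exit }')
  [ "$got" = "$want" ] || { echo "FAIL: $name CNAME is '${got:-none}', expected '$want'"; exit 1; }
  ips=$(printf '%s\n' "$answer" | awk '$4 == "A" { print $5 }')
  [ -n "$ips" ] || { echo "FAIL: no A records behind $want"; exit 1; }
  for ip in $ips; do
    case "$allowed" in
      *" $ip "*) ;;   # resolves to a known proxy IP
      *) echo "FAIL: $ip is not a listed Anti-DDoS Proxy IP"; exit 1 ;;
    esac
  done
  echo "OK: $name -> $want -> $(echo $ips)"
)

# expected_listeners "PROXY_IP ..." "PORT ..."
# Prints one ip:port per forwarding rule from Step 2 (2 IPs x 2 ports = 4).
expected_listeners() {
  for ip in $1; do for port in $2; do echo "$ip:$port"; done; done
}

# Live use (needs dig and nc):
#   sh check.sh --live demo.aliyundoc.com <cname-from-step-1> "<ip1> <ip2>" "1234 5678"
if [ "${1:-}" = "--live" ]; then
  check_answer "$(dig +noall +answer "$2")" "$2" "$3" "$4" || exit 1
  for l in $(expected_listeners "$4" "$5"); do
    nc -z -w 3 "${l%:*}" "${l#*:}" || { echo "FAIL: no TCP listener at $l"; exit 1; }
  done
fi
```
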