Sec-Traffic Manager is a free feature of Anti-DDoS Pro and Anti-DDoS Premium that intelligently routes traffic between Anti-DDoS Proxy and other cloud services based on whether a DDoS attack is in progress. During normal operations, traffic flows directly to your origin server—bypassing Anti-DDoS Proxy to keep latency low. When an attack is detected, traffic automatically shifts to Anti-DDoS Proxy for scrubbing before reaching your origin server.
Sec-Traffic Manager is included with Anti-DDoS Pro and Anti-DDoS Premium at no additional cost.
How it works
Without Sec-Traffic Manager, all traffic—both legitimate and attack traffic—is routed through Anti-DDoS Proxy. Anti-DDoS Proxy filters out attack traffic and forwards clean traffic to the origin server. This applies even during normal operations, which adds latency to every request.
With Sec-Traffic Manager, the routing path changes based on attack status:
Normal traffic: Service traffic goes directly to the origin server. Anti-DDoS Proxy stays dormant, so no additional latency is introduced.
Under attack: Traffic is automatically rerouted through Anti-DDoS Proxy, which scrubs the attack traffic and forwards clean traffic to the origin server.
Beyond cloud service interaction, Sec-Traffic Manager also coordinates routing between Anti-DDoS Proxy and Anti-DDoS Origin, Alibaba Cloud CDN (CDN), Dynamic Content Delivery Network (DCDN), the Chinese Mainland Acceleration (CMA) mitigation plan, and the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan.
Interaction scenarios
The table below summarizes each interaction scenario, how it routes traffic, and which Anti-DDoS Proxy variant supports it.
A cross (×) indicates that Anti-DDoS Proxy (Chinese Mainland) does not support the scenario.
| Scenario | Description | Anti-DDoS Proxy (Chinese Mainland) | Anti-DDoS Proxy (Outside Chinese Mainland) | References |
|---|---|---|---|---|
| Cloud service interaction | For services using Alibaba Cloud public IP resources and protected by Anti-DDoS Pro and Anti-DDoS Premium. Normal traffic: Service traffic flows directly to the origin server; Anti-DDoS Proxy stays dormant to prevent added latency. Under attack: Anti-DDoS Proxy scrubs traffic and forwards clean traffic to the origin server. Anti-DDoS Proxy can also interact with Alibaba Cloud Global Accelerator (GA). | √ | √ | Use the cloud service interaction feature |
| Tiered protection | For services protected by both Anti-DDoS Origin and Anti-DDoS Pro and Anti-DDoS Premium. Normal traffic: Anti-DDoS Origin handles daily attacks; service traffic flows directly to the origin server with no added latency. Under attack: When volumetric DDoS attacks are detected, Anti-DDoS Proxy takes over, scrubs traffic, and forwards clean traffic to the origin server. | √ | √ | Use the tiered protection feature |
| CDN or DCDN interaction | For website services with Alibaba Cloud CDN or DCDN acceleration enabled and protected by Anti-DDoS Pro and Anti-DDoS Premium. Normal traffic: Requests are served by the nearest CDN or DCDN node. Under attack: Traffic is automatically rerouted through Anti-DDoS Proxy. | √ | √ | Use the CDN or DCDN interaction feature |
| Network acceleration | For services protected by an Anti-DDoS Pro and Anti-DDoS Premium (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan, combined with a CMA. Suited for services deployed outside the Chinese mainland whose users are primarily from the Chinese mainland. Normal traffic: Traffic flows through the CMA IP address, improving access speed. Under attack: The Anti-DDoS Proxy (Outside Chinese Mainland) Insurance or Unlimited mitigation plan instance takes over automatically. For setup details, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan. | × | √ | Use the network acceleration feature |
| Secure acceleration | For services protected by an Anti-DDoS Pro and Anti-DDoS Premium (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan, combined with a Sec-CMA. Suited for users in the Chinese mainland who need both accelerated access to services outside the Chinese mainland and DDoS protection. Traffic is routed based on the Sec-MCA version in use. Sec-MCA 2.0: Traffic from China Telecom, China Unicom, and China Mobile in the Chinese mainland is routed to the Sec-MCA IP address. All other traffic is routed to the Anti-DDoS Pro and Anti-DDoS Premium (Outside Chinese Mainland) IP address. Sec-MCA 1.0: Traffic from China Telecom and China Unicom in the Chinese mainland is routed to the Sec-MCA IP address. Traffic from China Mobile in the Chinese mainland and from outside the Chinese mainland is routed to the Anti-DDoS Pro and Anti-DDoS Premium (Outside Chinese Mainland) IP address. For setup details, see Configure secure acceleration for Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland). | × | √ | Create a secure acceleration rule |
Add services to Anti-DDoS Proxy
Before configuring Sec-Traffic Manager rules, add your services to Anti-DDoS Proxy:
Website services: Add one or more websites
Non-website services: Configure port forwarding rules