What is Sec-Traffic Manager - Anti-DDoS - Alibaba Cloud Documentation Center

Sec-Traffic Manager is provided by Anti-DDoS Proxy to help you configure rules on the interaction between Anti-DDoS Proxy and cloud services. The rules take effect only in specific scenarios. Sec-Traffic Manager ensures service continuity if no DDoS attacks occur and helps mitigate DDoS attacks. Sec-Traffic Manager provides features such as cloud service interaction, tiered protection, Alibaba Cloud CDN (CDN) interaction, Dynamic Content Delivery Network (DCDN) interaction, network acceleration, and secure acceleration.

What is the difference with or without Sec-Traffic Manager?

If you add website services to Anti-DDoS Proxy, you need to only add the domain names of the website services. For more information, see Add one or more websites. If you add non-website services to Anti-DDoS Proxy, you need to only add the ports of the non-website services. For more information, see Configure port forwarding rules.

After you add services to Anti-DDoS Proxy, all traffic, including service and attack traffic, is forwarded to Anti-DDoS Proxy. Attack traffic is filtered out, and only service traffic is forwarded to the origin server. During normal service access, service traffic is also forwarded by Anti-DDoS Proxy. This may cause a low service latency.

To resolve this issue, you can enable the cloud service interaction feature of Sec-Traffic Manager. If no attacks occur, service traffic is directly forwarded to the origin server without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Proxy for scrubbing and forwarding.

In addition to the preceding scenarios, Sec-Traffic Manager enables interactions between Anti-DDoS Proxy and Anti-DDoS Origin, CDN, DCDN, the Chinese Mainland Acceleration (CMA) mitigation plan, and the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan. For more information, see Interaction scenarios.

Note

Sec-Traffic Manager is a feature of Anti-DDoS Pro and Anti-DDoS Premium that is used to configure service access. No extra fees are charged for using Sec-Traffic Manager.

Interaction scenarios

The following table describes the interaction scenarios of Sec-Traffic Manager and the related topics.

A cross (×) indicates that Anti-DDoS Proxy (Chinese Mainland) does not support the interaction scenario.

Interaction scenario	Description	Anti-DDoS Proxy (Chinese Mainland)	Anti-DDoS Proxy (Outside Chinese Mainland)	References
Cloud service interaction	Your services use Alibaba Cloud public IP resources and are protected by Anti-DDoS Pro and Anti-DDoS Premium to achieve the following effects: If no DDoS attacks occur, service traffic is directly forwarded to the origin server. Anti-DDoS Proxy is dormant to prevent a high latency. If DDoS attacks occur, Anti-DDoS Proxy scrubs traffic and forwards service traffic to the origin server. Note Anti-DDoS Proxy can interact with Alibaba Cloud Global Accelerator (GA). For more information, see What is Global Accelerator?.	√	√	Use the cloud service interaction feature
Tiered protection	Your services are protected by both Anti-DDoS Origin and Anti-DDoS Pro and Anti-DDoS Premium to achieve the following effects: Anti-DDoS Origin is used to defend against daily attacks. Service traffic is sent directly to the origin server without adding latency. If volumetric DDoS attacks are detected, Anti-DDoS Proxy scrubs traffic and forwards service traffic to the origin server.	√	√	Use the tiered protection feature
CDN or DCDN interaction	Your website services have Alibaba Cloud CDN or DCDN acceleration enabled and are protected by Anti-DDoS Pro and Anti-DDoS Premium to achieve the following effects: If no DDoS attacks occur, the nearest CDN or DCDN node is used for acceleration. If DDoS attacks occur, Anti-DDoS Proxy is automatically used.	√	√	Use the CDN or DCDN interaction feature
Network acceleration	Your services are protected by both an Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland) instance of the Insurance or Unlimited mitigation plan and an MCA to achieve the following effects: When no attacks are present, service traffic flows through the MCA IP, which improves access speed. If DDoS attacks occur, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan is automatically used. Note Network acceleration is suitable for scenarios in which services are deployed outside the Chinese mainland and the users of the services are from the Chinese mainland. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.	×	√	Use the network acceleration feature
Secure acceleration	Your services are protected by both an Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland) instance of the Insurance or Unlimited mitigation plan and an Sec-MCA to achieve the following effects: If you use Sec-MCA 2.0: Traffic from China Telecom, China Unicom, and China Mobile in the Chinese mainland is routed to the Sec-MCA IP address. All other traffic is routed to the IP address of Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland). If you use Sec-MCA 1.0: Traffic from China Telecom and China Unicom in the Chinese mainland is routed to the Sec-MCA IP address. Traffic from China Mobile in the Chinese mainland and from outside the Chinese mainland is routed to the IP address of Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland). Note The Sec-MCA is suitable for scenarios where users in the Chinese mainland require accelerated access to services outside the Chinese mainland and also require DDoS protection. For more information, see Configure secure acceleration for Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland).	×	√	Create a secure acceleration rule