All Products
Search
Document Center

Anti-DDoS:Use an Anti-DDoS Premium instance of the MCA mitigation plan

Last Updated:Feb 22, 2024

An Anti-DDoS Premium instance of the Chinese Mainland Acceleration (MCA) mitigation plan must be used together with an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan. After you add your service that is deployed outside the Chinese mainland to an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan, you can use an Anti-DDoS Premium instance of the MCA mitigation plan to accelerate service access for users in the Chinese mainland if no attacks occur.

Prerequisites

  • An Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan is purchased.
  • An Anti-DDoS Premium instance of the MCA mitigation plan is purchased.

For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Background information

After you use an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan together with an Anti-DDoS Premium instance of the MCA mitigation plan to protect your service, the Anti-DDoS Premium instance of the MCA mitigation plan can accelerate service access if no attacks occur. If your service is under attack, Anti-DDoS automatically switches the traffic to the Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan to mitigate the attacks.

Anti-DDoS Premium

Procedure

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select Outside Chinese Mainland.

    If you select this region, the Anti-DDoS Proxy (Outside Chinese Mainland) console appears.

  3. Add your service to the Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan and to the Anti-DDoS Premium instance of the MCA mitigation plan.
    • You can add your website service on the Website Config page.
      In the left-side navigation pane, choose Provisioning > Website Config. On the Website Config page, click Add Domain. On the page that appears, configure the parameters to add your website service. For more information, see Add one or more websites.
      Important
      • When you configure the Instance parameter in the Enter Site information step, you must select both an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Premium instance of the MCA mitigation plan.
      • You need to only configure the parameters in the Enter Site information step. After your website service is added, you do not need to follow the instructions that are provided on the page to change the DNS record.
    • You can add your non-website service on the Port Config page.
      In the left-side navigation pane, choose Provisioning > Port Config. On the Port Config page, click Create Rule. In the dialog box that appears, configure the parameters to add your non-website service. For more information, see Configure port forwarding rules.
      Important
      • Before you add your non-website service to an Anti-DDoS Premium instance of the MCA mitigation plan, make sure that the service can be accessed by using domain names. If your non-website service can be accessed only by using IP addresses, you cannot add the service to an Anti-DDoS Premium instance of the MCA mitigation plan.
      • You must configure the same forwarding rules for both the Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Premium instance of the MCA mitigation plan.
  4. Create a network acceleration rule.
    In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the General tab of the Sec-Traffic Manager page, click Create Rule. In the dialog box that appears, configure the parameters to create a network acceleration rule. For more information, see Create a network acceleration rule. Network Acceleration
    After the network acceleration rule is created, Anti-DDoS generates a CNAME. You need to only change the DNS record of your domain name to map the domain name to the CNAME.
    Important The automatic traffic redirection is achieved based on the CNAME. Therefore, you must use the CNAME.
  5. Change the DNS record of your domain name on the website of your DNS service provider.
    To allow the network acceleration rule to take effect, you must change the DNS record of your domain name on the website of the DNS service provider and map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you need to only change the DNS record in the Alibaba Cloud DNS console.
    Important After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS record, we recommend that you modify the hosts file on your computer to verify the network acceleration rule. This helps avoid incompatibility issues that are caused by inconsistent back-to-origin policies.

    For more information about how to verify network acceleration rules, see Verify the forwarding configurations on your local computer.

    For more information about how to change the DNS record of a domain name, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

Result

If no attacks occur after a network acceleration rule is created, service access of users in the Chinese mainland is accelerated by using the Anti-DDoS Premium instance of the MCA mitigation plan. If attacks occur, traffic is switched to the Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan for scrubbing. This way, only service traffic is forwarded to the origin server.