After you purchase an Anti-DDoS Origin Enterprise instance, you must add the public IP address of your asset to the Anti-DDoS Origin Enterprise instance for protection. Then, the Anti-DDoS Origin Enterprise instance protects your asset. This topic describes how to add an object to an Anti-DDoS Origin Enterprise instance for protection. This topic also describes the related operations that you can perform on the protected object.

Procedure

Step 1: Add an object for protection

Note If the object is an EIP that has Anti-DDoS (Enhanced) enabled, you do not need to add your EIP to an Anti-DDoS Origin Enterprise instance. After you select your EIP that has Anti-DDoS (Enhanced) enabled on the Protected Asset IP page, you can view the public IP addresses that are assigned to your EIP.

The following sections describe the methods to add an object to the Anti-DDoS Origin Enterprise instance for protection.

Add an object on the Protected Asset IP page

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
  3. In the top navigation bar, select the resource group and region of your instance.
  4. On the Protected Asset IP page, select the Anti-DDoS Origin Enterprise instance that you purchased and click Add Protected Asset.
  5. If you use Anti-DDoS Origin Enterprise for the first time, you must follow the instructions that are provided on the page to complete the authorization for the assets within your Alibaba Cloud account.
  6. In the Add Protected Asset dialog box, enter the public IP address of your asset that you want to protect and click OK.
    Note
    • You must enter the public IP address of an asset within your Alibaba Cloud account. The asset must be in the same region as the Anti-DDoS Origin Enterprise instance.
    • You must separate multiple public IP addresses with commas (,).
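A pre-flight check for the comma-separated list that you enter in the Add Protected Asset dialog box, shown here as an added example that is not part of the original documentation or of Alibaba Cloud's tooling. It keeps only single, publicly routable IP addresses and reports why every other entry was dropped. The function names and sample addresses are assumptions, and the check cannot confirm that an address belongs to your account or is in the instance's region.

```python
import ipaddress

# Constructed sample input; the two public resolvers stand in for your own asset IPs.
SAMPLE = "8.8.8.8, 1.1.1.1,192.168.1.10,8.8.8.8,,203.0.113.7,8.8.4.0/24"


def check_asset_ips(raw):
    """Split a comma-separated list into accepted and rejected entries.

    Returns (accepted, rejected): accepted is a de-duplicated list of
    normalised public addresses in input order; rejected is a list of
    (entry, reason) tuples.
    """
    accepted, rejected, seen = [], [], set()
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            rejected.append((entry, "empty entry (stray comma)"))
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Covers CIDR ranges, host names and typos such as 300.1.1.1.
            rejected.append((entry, "not a single IP address"))
            continue
        if not addr.is_global:
            # Private, loopback, link-local, CGNAT and documentation ranges.
            rejected.append((entry, "not publicly routable"))
        elif addr in seen:
            rejected.append((entry, "duplicate"))
        else:
            seen.add(addr)
            accepted.append(str(addr))
    return accepted, rejected


def console_value(accepted):
    """Join accepted addresses with commas, the separator the dialog box expects."""
    return ",".join(accepted)


if __name__ == "__main__":
    ok, bad = check_asset_ips(SAMPLE)
    print("Paste into the dialog box:", console_value(ok))
    for entry, reason in bad:
        print(f"Dropped {entry!r}: {reason}")
```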

Add an object on the Manage Instances page

You can also add your asset on the Manage Instances page. On the Manage Instances page, find the Anti-DDoS Origin Enterprise instance that you purchased and click Add Protected Asset in the Actions column.
Note Add Protected Asset appears only if no public IP addresses of assets are added to the instance. If the public IP address of an asset is added to the instance, you can click Manage in the Actions column. On the Protected Asset IP page, click Add Protected Asset.

Step 2: (Optional) Attach a mitigation policy

After you add an object to the instance for protection, Anti-DDoS Origin Enterprise provides the default protection capability against DDoS attacks. You can also attach a mitigation policy to the public IP address or port of your asset to allow or deny service traffic that has specific characteristics based on your business requirements. This improves the effects of DDoS mitigation. For more information, see Use the mitigation settings feature (public preview).

Step 3: (Optional) View the mitigation policy

After you attach a mitigation policy to the public IP address or port of your asset, you can perform the following steps to view the mitigation policy.

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
  3. In the top navigation bar, select the resource group and region of your instance.
  4. On the Protected Asset IP page, select the required instance or your EIP. Then, find the public IP address of your asset to view related mitigation settings.
    Parameter: Description
    IP: The public IP address that is protected by the instance or assigned to your EIP.
    Traffic Scrubbing Threshold: The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and packets per second (pps). For more information, see Configure a traffic scrubbing threshold.
    Asset Type: The type of the asset to which the public IP address belongs.
    Ports: The number of ports for which the port-specific mitigation policy is configured. You can click the Expand arrow icon to the left of the public IP address to view the details of the port-specific mitigation policy.
    Note You can configure port-specific mitigation policies only for EIPs that have Anti-DDoS (Enhanced) enabled.
    Status: The security status of the public IP address.
    Mitigation Policy: The mitigation policy that is attached to the public IP address or a port of the public IP address.

    You can click the mitigation policy to go to the Mitigation Setting page to view the details of the mitigation policy.

    Note If Default is displayed in the Mitigation Policy column, no mitigation policies are attached to the public IP address or a port of the public IP address. The default protection capability is used.
    Actions:
    • If your asset is an EIP that has Anti-DDoS (Enhanced) enabled, you can perform the following operations:
      • Add Port: Click Add Port to add a port of the public IP address to the port-specific mitigation policy.
      • Deactivate Black Hole: Click Deactivate Black Hole to deactivate blackhole filtering. This operation is supported only when the public IP address of your asset is in the Blackholing state.
      • View Applied Policy: Click View Applied Policy to view the details of the mitigation policy that is attached to the port.
    • If your asset is not an EIP that has Anti-DDoS (Enhanced) enabled, you can perform the following operations:
      • Delete: Click Delete to remove the mitigation policy that is attached to the public IP address of your asset.
      • Deactivate Black Hole: Click Deactivate Black Hole to deactivate blackhole filtering. This operation is supported only when the public IP address of your asset is in the Blackholing state.
      • View Applied Policy: Click View Applied Policy to view the details of the mitigation policy that is attached to the public IP address of your asset.
  5. If your asset is an EIP that has Anti-DDoS (Enhanced) enabled, click the Expand arrow icon to the left of a public IP address that is assigned to your EIP to view the details of port-specific mitigation policies.
    Parameter: Description
    Port: The port that is added to a mitigation policy.
    Protocol: The protocol that is used by the port.
    Added At: The time when the port is added to the mitigation policy.
    Protection Status: The status of the mitigation policy for the port.
    • Protection Disabled: The port is added to the mitigation policy, but the policy is not enabled for the port. You can click Enable Protection in the Actions column to enable the mitigation policy for the port.
    • Protected
    Mitigation Policy: The mitigation policy that is attached to the port. You can click the name of the mitigation policy to go to the Mitigation Setting page. On this page, you can click Modify Protection Rule to modify the rules that belong to the policy or click Add Object for Protection to attach the policy to multiple ports.
    Actions: If Protected is displayed in the Protection Status column of the port, you can perform the following operations:
    • Disable Protection: Click Disable Protection to disable the mitigation policy for the port.
    • View Applied Policy: Click View Applied Policy to view the details of the mitigation policy.
      Note If you only add a port, but do not attach a port-specific mitigation policy to the port, the Actions column displays Associate Existing Policy instead of View Applied Policy.
    • Unbind Policy: Click Unbind Policy to detach the policy from the port.
    • Remove Port: Click Remove Port to remove the port.
    If Protection Disabled is displayed in the Protection Status column of the port, you can perform the following operations:
    • Enable Protection: Click Enable Protection to enable the mitigation policy for the port.
    • Associate Existing Policy: Click Associate Existing Policy to attach an existing mitigation policy to the port.
    • Remove Port: Click Remove Port to remove the port.

What to do next

Manage a protected object

You can attach a mitigation policy to a protected object.

  1. Click View Applied Policy in the Actions column of the required public IP address of your asset. On the page that appears, click Create Mitigation Policy in the upper-right corner.
  2. Find the policy that you want to attach to the public IP address and click Add Object for Protection in the Actions column. In the View Applicable Object panel, click Add Protected Asset.
  3. In the Add Object for Protection panel, search for the public IP address of your asset by region and instance. Select the public IP address and click the Rightwards arrow icon. Then, click Add.

If you want to change the mitigation policy for a protected object, you must remove the protected object from the policy and then attach another policy to the protected object. For more information, see Use the mitigation settings feature (public preview).

If you want to detach the mitigation policy from a protected object, you must remove the protected object from the policy. For more information, see Use the mitigation settings feature (public preview).

Manage a port-specific mitigation policy (only available for an EIP that has Anti-DDoS (Enhanced) enabled)

Add a port to a port-specific mitigation policy

  1. Find the required public IP address and click Add Port in the Actions column. In the dialog box that appears, specify Port Number and click OK.
  2. In the Port list, find the port that you added and click Associate Existing Policy in the Actions column.
  3. In the Associate Existing Policy dialog box, select a mitigation policy and click OK.
  4. Click Enable Protection in the Actions column.
    Warning When you add a port to a port-specific mitigation policy, your TCP-based services experience a transient connection interruption that lasts a few seconds. We recommend that you add a port to a port-specific mitigation policy during off-peak hours.

Change the port-specific mitigation policy for a port

  1. Find the required public IP address and click the Expand arrow icon to the left of the IP address to expand the port list.
  2. Find the required port and click More in the Actions column. Then, click Unbind Policy to detach the mitigation policy from the port.
  3. Click Associate Existing Policy in the Actions column to attach another mitigation policy to the port.

Detach a port-specific mitigation policy from a port

  1. Find the required public IP address and click the Expand arrow icon to the left of the IP address to expand the port list.
  2. Find the required port and click More in the Actions column. Then, click Remove Port.

Manually deactivate blackhole filtering

If the Status column of a protected object displays Blackholing, you can manually deactivate blackhole filtering for the protected object.

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
  3. In the top navigation bar, select the resource group and region of your instance.
  4. Select the required protected object and find the public IP address for which you want to manually deactivate blackhole filtering. Then, click Deactivate Black Hole in the Actions column.
  5. In the Deactivate Black Hole message, view the remaining number of times that you can deactivate blackhole filtering and click OK.
