Anti-DDoS: Configure Sec-CMA for Anti-DDoS Proxy (Outside Chinese Mainland)

Last Updated: Oct 28, 2025

Anti-DDoS Proxy (Outside Chinese Mainland) supports Secure Acceleration (Sec-CMA). Sec-CMA accelerates access to services outside the Chinese mainland for users within the Chinese mainland and provides mitigation for high-volume DDoS attacks. This topic describes how to add your services to Sec-CMA.

Overview

To reduce the latency that occurs when users in the Chinese mainland access origin servers outside the Chinese mainland, Alibaba Cloud Anti-DDoS provides two access acceleration solutions: Sec-CMA and Chinese Mainland Acceleration (CMA).

Sec-CMA

Sec-CMA provides built-in DDoS traffic scrubbing capabilities. It offers access acceleration and advanced mitigation for all protected services. When a DDoS attack occurs, you do not need to switch to an Anti-DDoS Proxy (Outside Chinese Mainland) line to mitigate the attack. Sec-CMA scrubs traffic directly while ensuring fast access to your services.

Important

Sec-CMA protects only service traffic from the Chinese mainland. Access requests from outside the Chinese mainland are not routed. If you have access requests from outside the Chinese mainland, use Sec-CMA with an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Insurance or Unlimited mitigation plan. You can add your services using the Sec-Traffic Manager solution.

Sec-CMA provides four types of instances. The following table describes the differences between these instances.

| Instance type | Mitigation capabilities | Protected carrier lines | Advanced mitigation sessions | Supports purchasing mitigation sessions |
| --- | --- | --- | --- | --- |
| Sec-CMA 1.0 | 2 Tbps | China Telecom and China Unicom in the Chinese mainland | 2 per calendar month | Yes. Purchase a global advanced mitigation session. |
| Sec-CMA 1.0 (Basic Edition). Note: Contact a presales business manager to purchase the instance. | 2 Tbps | China Telecom and China Unicom in the Chinese mainland | 1 per calendar month | Yes. Purchase a global advanced mitigation session. |
| Sec-CMA 2.0 (Insurance) | Over 2 Tbps | China Telecom, China Unicom, and China Mobile in the Chinese mainland | 2 per calendar month | No. You can upgrade to Sec-CMA 2.0 (Unlimited). |
| Sec-CMA 2.0 (Unlimited) | Over 2 Tbps | China Telecom, China Unicom, and China Mobile in the Chinese mainland | Unlimited | Not applicable |

CMA

CMA provides only access acceleration and does not have DDoS traffic scrubbing capabilities. You must deploy it with an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Insurance or Unlimited mitigation plan. When a DDoS attack occurs, you must switch to an Anti-DDoS Proxy (Outside Chinese Mainland) line to mitigate the attack. If attacks are frequent, this requires frequent line switching.

Usage notes

When you add a service to Sec-CMA using Port Config, UDP ports are not supported.

Use Sec-CMA 2.0

Protect lines of China Telecom, China Unicom, and China Mobile in the Chinese mainland

You can use Sec-CMA 2.0 alone. The following figure shows the architecture.

[Figure: architecture diagram]

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your service to a Sec-CMA 2.0 instance.

    • Website Config: When you add the service, set the Instance parameter to the Sec-CMA 2.0 instance. For more information, see Add one or more websites.

    • Port Config: Configure port forwarding rules in the Sec-CMA 2.0 instance. For more information, see Configure port forwarding rules.

  4. Switch your service traffic to the Sec-CMA 2.0 instance to enable secure acceleration.

Protect all carrier lines

You must use Sec-CMA 2.0 with an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Insurance or Unlimited mitigation plan. The following figure shows the architecture.

[Figure: architecture diagram]

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your service to Anti-DDoS Proxy. This topic uses an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Unlimited mitigation plan as an example.

    • Website Config: When you add the service, you must set Instance to both the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance and the Sec-CMA 2.0 instance. For more information, see Add one or more websites.

    • Port Config: Configure port forwarding rules in the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance and the Sec-CMA 2.0 instance. For more information, see Configure port forwarding rules.

      Important

      Domain name resolution must be configured using the CNAME method. Therefore, service traffic cannot be automatically scheduled for services that are directly accessed using IP addresses.

  4. Configure a secure acceleration rule in Sec-Traffic Manager.

    1. On the Instances > Sec-Traffic Manager page, click the General Interaction tab.

    2. Click Add Rule, set the rule conditions, and then click Next.

      • Interaction Scenario: Select Sec-CMA.

      • Rule Name: Enter a custom rule name.

      • Sec-CMA: Select the Sec-CMA 2.0 instance of Anti-DDoS Proxy (Outside Chinese Mainland).

      • Anti-DDoS Proxy (Outside Chinese Mainland): Select the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance.

      After the scheduling rule is created, a CNAME is generated. To enable automatic traffic scheduling through Sec-Traffic Manager, point the DNS record of your domain name to this CNAME:

      • Traffic from China Telecom, China Unicom, and China Mobile carriers in the Chinese mainland is scheduled to the IP address of the Sec-CMA 2.0 instance.

      • Traffic from other carriers in the Chinese mainland and from outside the Chinese mainland is scheduled to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance.

      Note

      Make sure that you have configured the services for all exclusive IP addresses selected for the scheduling nodes and that they can forward traffic to the origin server.

  5. At your domain name resolution service provider, modify the DNS record for the domain name.

    Resolve the domain name to the CNAME provided by the Sec-Traffic Manager rule to switch service traffic to Sec-Traffic Manager and enable automatic scheduling.

    Note

    The automatic traffic scheduling feature is based on CNAMEs. Therefore, you must use the CNAME method for domain name resolution.

Use Sec-CMA 1.0

Sec-CMA 1.0 does not protect China Mobile lines.

Protect China Telecom and China Unicom in the Chinese mainland

You can use an Anti-DDoS Proxy (Outside Chinese Mainland) Sec-CMA 1.0 instance alone. The following figure shows the architecture.

[Figure: architecture diagram]

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your service to a Sec-CMA 1.0 instance.

  4. Switch your service traffic to the Sec-CMA 1.0 instance to enable secure acceleration.

Protect all carrier lines

You must use Sec-CMA 1.0 with an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Insurance or Unlimited mitigation plan. The following figure shows the architecture.

[Figure: architecture diagram]

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your service to Anti-DDoS Proxy. This topic uses an Anti-DDoS Proxy (Outside Chinese Mainland) instance that uses the Unlimited mitigation plan as an example.

    • Website Config: When you add the service, you must set Instance to both the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance and the Sec-CMA 1.0 instance. For more information, see Add one or more websites.

    • Port Config: Configure port forwarding rules in the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance and the Sec-CMA 1.0 instance. For more information, see Configure port forwarding rules.

      Important

      Domain name resolution must be configured using the CNAME method. Therefore, service traffic cannot be automatically scheduled for services that are directly accessed using IP addresses.

  4. Configure a secure acceleration rule in Sec-Traffic Manager.

    1. On the Instances > Sec-Traffic Manager page, click the General Interaction tab.

    2. Click Add Rule, set the rule conditions, and then click Next.

      • Interaction Scenario: Select Sec-CMA.

      • Rule Name: Enter a custom rule name.

      • Sec-CMA: Select the Sec-CMA 1.0 instance of Anti-DDoS Proxy (Outside Chinese Mainland).

      • Anti-DDoS Proxy (Outside Chinese Mainland): Select the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance.

      After the scheduling rule is created, a CNAME is generated. To enable automatic traffic scheduling through Sec-Traffic Manager, point the DNS record of your domain name to this CNAME:

      • Traffic from China Telecom and China Unicom carriers in the Chinese mainland is scheduled to the IP address of the Sec-CMA 1.0 instance.

      • Traffic from China Mobile carriers in the Chinese mainland and from outside the Chinese mainland is scheduled to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) Unlimited mitigation plan instance.

      Note

      Make sure that you have configured the services for all exclusive IP addresses selected for the scheduling nodes and that they can forward traffic to the origin server.

  5. At your domain name resolution service provider, modify the DNS record for the domain name.

    Resolve the domain name to the CNAME provided by the Sec-Traffic Manager rule to switch service traffic to Sec-Traffic Manager and enable automatic scheduling.

    Note

    The automatic traffic scheduling feature is based on CNAMEs. Therefore, you must use the CNAME method for domain name resolution.
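
The check below is an added example, not part of the original documentation or any Alibaba Cloud tooling. It applies to step 5 of both "Protect all carrier lines" procedures (Sec-CMA 2.0 and Sec-CMA 1.0): it inspects `dig +noall +answer` output to confirm that the domain resolves through the Sec-Traffic Manager CNAME and that no address record points directly at the origin server. The hostnames, the CNAME target, and the IP addresses are constructed placeholders.

```python
# Added example: checks `dig +noall +answer` output after the DNS change.
# Every hostname, CNAME target and IP address here is a constructed placeholder.

def parse_answer(text):
    """Parse dig answer lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # skip blank lines and dig comment lines
        owner, rtype, rdata = parts[0], parts[3], parts[4]
        records.append((owner.rstrip(".").lower(), rtype.upper(), rdata.rstrip(".").lower()))
    return records

def check_cutover(answer_text, domain, expected_cname, origin_ips):
    """Return findings; an empty list means the domain follows the expected CNAME."""
    records = parse_answer(answer_text)
    domain = domain.rstrip(".").lower()
    expected = expected_cname.rstrip(".").lower()
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    # Follow the CNAME chain from the domain, stopping if it loops.
    hops, node = [], domain
    while node in cnames and cnames[node] not in hops:
        node = cnames[node]
        hops.append(node)
    findings = []
    if not hops:
        findings.append("NO_CNAME: domain is not resolved through a CNAME")
    elif expected not in hops:
        findings.append("WRONG_CNAME: chain is " + " -> ".join(hops))
    # An address record equal to an origin IP means clients reach the origin directly.
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and rdata in origin_ips:
            findings.append("ORIGIN_EXPOSED: " + owner + " -> " + rdata)
    return findings

# Constructed sample answers.
GOOD = """www.example.com. 600 IN CNAME rule-placeholder.stm.example.net.
rule-placeholder.stm.example.net. 60 IN A 203.0.113.10"""
DIRECT = "www.example.com. 600 IN A 198.51.100.7"
STALE = """www.example.com. 600 IN CNAME old-target.example.org.
old-target.example.org. 60 IN A 203.0.113.99"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("direct", DIRECT), ("stale", STALE)):
        print(label, check_cutover(sample, "www.example.com",
                                   "rule-placeholder.stm.example.net", {"198.51.100.7"}))
```

Because scheduling differs by carrier, run the query from resolvers on each carrier line you expect to serve and feed each answer to `check_cutover`.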