Anti-DDoS Premium supports Secure Chinese Mainland Acceleration (Sec-CMA). This allows you to accelerate access from the Chinese mainland to services in regions outside the Chinese mainland. Sec-CMA provides traffic scrubbing capabilities of more than 2 Tbit/s. This improves the access speed and stability of your business.

Prerequisites

An Anti-DDoS Premium Sec-CMA instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Background information

Sec-CMA provides DDoS scrubbing capabilities and speeds up user access. Furthermore, you do not need to switch to an Anti-DDoS Premium instance to protect your services.
Note CMA does not provide DDoS scrubbing capabilities. If your services are under attack, you must switch to an Anti-DDoS Premium instance. If DDoS attacks occur frequently, you must continually switch to an Anti-DDoS Premium instance.
The following table lists the differences between CMA and Sec-CMA.
Module Feature Mitigation scope Switchover required Required instance specification
Secure Chinese Mainland Acceleration (Sec-CMA) This module supports acceleration and DDoS mitigation and provides traffic scrubbing capabilities of more than 2 Tbit/s. Traffic from Internet Service Providers (ISPs) in the Chinese mainland, excluding from China Mobile. If DDoS attacks occur, you do not need to switch to Anti-DDoS Premium to mitigate the DDoS attacks.
  • Traffic from ISPs in the Chinese mainland, excluding from China Mobile: Anti-DDoS Premium Sec-CMA
  • Traffic from all ISPs: Anti-DDoS Premium Insurance Plan or Unlimited Plan and Sec-CMA
Network Acceleration This module supports only acceleration. DDoS mitigation is not provided. If DDoS attacks occur, you must switch to Anti-DDoS Premium to mitigate the DDoS attacks. Traffic from all ISPs in the Chinese mainland: Anti-DDoS Premium Insurance Plan or Unlimited Plan and Sec-CMA

Protect traffic from the Chinese mainland ISPs, excluding China Mobile

To provide quick and stable access for users who use the Chinese mainland Internet Service Providers (ISPs), excluding China Mobile, you can use only Anti-DDoS Premium Sec-CMA.
Note Users of China Mobile or outside the Chinese mainland cannot access your services by using the IP addresses of Sec-CMA. For information about how to accelerate access for these users, see Protect traffic from all ISPs.
  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Outside Chinese Mainland.
    If you select this region, the Anti-DDoS Premium console appears.
  3. Add your website or non-website services to your Anti-DDoS Premium Sec-CMA instance.
    • Website configuration: Select the dedicated IP address of your Anti-DDoS Premium Sec-CMA instance. For more information, see Add a website.
    • Port configuration for non-website services: Configure a port forwarding rule in an Anti-DDoS Premium Sec-CMA instance. For more information, see Manage forwarding rules.
  4. Redirect the traffic to the Anti-DDoS Premium Sec-CMA instance and protect your services.
    • Website configuration: Change the CNAME record to point the website to the CNAME address assigned by Anti-DDoS Premium. For more information, see Change DNS records to protect website services.
    • Port configuration for non-website services: After you create a port forwarding rule, set the IP address to be protected to the IP address of the Anti-DDoS Premium instance.

Protect traffic from all ISPs

If you want to provide quick and stable access for users in and outside the Chinese mainland irrespective of ISPs, you can use Anti-DDoS Premium Insurance Plan or Unlimited Plan and Sec-CMA. You must create a Sec-CMA rule in Sec-Traffic Manager.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Outside Chinese Mainland.
    If you select this region, the Anti-DDoS Premium console appears.
  3. Add your website or non-website services to the Sec-CMA instance of Anti-DDoS Premium Insurance Plan or Unlimited Plan.
    Note In this step, you do not need to change the DNS record.
    • Website configuration: When you select the dedicated IP address of your Anti-DDoS Premium instance, you must select the dedicated IP addresses of both the Anti-DDoS Premium Insurance Plan or Unlimited Plan instance and the Anti-DDoS Premium Sec-CMA instance. For more information, see Add a website.
    • Port configuration for non-website services: You must configure a port forwarding rule in both the Anti-DDoS Premium Insurance Plan or Unlimited Plan instance and the Anti-DDoS Premium Sec-CMA instance. For more information, see Manage forwarding rules.
    Note Before you add your non-website services to an Anti-DDoS Premium Sec-CMA instance, make sure that the services can be accessed by using domain names. This ensures that traffic can be automatically redirected to the Anti-DDoS Premium Sec-CMA instance. If your services are accessed by using IP addresses, traffic cannot be automatically redirected.
  4. Choose Provisioning > Sec-Traffic Manager. On the page that appears, click the General tab.
  5. Click Create Rule. In the dialog box that appears, configure the following parameters and click Next.
    • Interaction Scenario: Select Sec-MCA.
    • Name: Enter the name of the rule.
    • Sec-MCA: Select an Anti-DDoS Premium Sec-CMA instance.
    • Anti-DDoS Premium: Select an Anti-DDoS Premium Insurance Plan or Unlimited Plan instance.
    After you create a port forwarding rule, the system generates a CNAME address. You only need to change the DNS record to map the domain name to the CNAME address.
    • The traffic from the Chinese mainland ISPs, excluding China Mobile, is redirected to the IP address of the Anti-DDoS Premium Sec-CMA instance.
    • The traffic from China Mobile and regions outside the Chinese mainland is redirected to the IP address of Anti-DDoS Premium.
    Note When you add your services, make sure that you have selected the dedicated IP addresses of both the Anti-DDoS Premium Insurance Plan or Unlimited Plan instance and the Anti-DDoS Premium Sec-CMA instance.
  6. Change the DNS record for the domain name at your DNS service provider.
    After you map your domain name to the CNAME address generated in Sec-Traffic Manager, the traffic is automatically redirected to Sec-Traffic Manager.
    Note Automatic traffic redirection is achieved based on the CNAME address. Therefore, you must use the CNAME record.