You can create Alibaba Cloud CDN (CDN) or Dynamic Route for CDN (DCDN) interaction rules to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. If no DDoS attacks occur after you enable CDN or DCDN interaction, the nearest CDN or DCDN node is used to accelerate service access. Service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if DDoS attacks occur.
Prerequisites
- The domain name is added to CDN or DCDN.
  For more information, see Add a domain name to Alibaba Cloud CDN for CDN interaction or Add a domain name for DCDN interaction.
- An Anti-DDoS Pro instance of the Enhanced function plan and Profession mitigation plan or an Anti-DDoS Premium instance of the Insurance or Unlimited mitigation plan is purchased.
  Notice: The clean bandwidth and queries per second (QPS) of the instance must meet the protection requirements of your services.
  For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Your website is added to the Anti-DDoS Pro or Anti-DDoS Premium instance for protection.
  For more information, see Add a website.
- The Anti-DDoS Pro or Anti-DDoS Premium instance forwards service traffic as expected.
  For more information, see Verify the forwarding configuration on your local machine.
Usage notes
Item | Description |
---|---|
Service type | You can enable CDN or DCDN interaction only for HTTP and HTTPS services. You cannot enable this feature for live video streaming. |
Service scenario | You can enable CDN or DCDN interaction in the following service scenarios: |
Status of CDN- or DCDN-accelerated domain names | A CDN- or DCDN-accelerated domain name cannot be added to a sandbox. Note: If CDN or DCDN adds your domain name to a sandbox, we recommend that you use only Anti-DDoS Pro or Anti-DDoS Premium and do not enable CDN or DCDN interaction. |
Conditions for automatic switchover
When you create a CDN or DCDN interaction rule, you must configure a QPS threshold to trigger automatic traffic switchover between CDN or DCDN and Anti-DDoS Pro or Anti-DDoS Premium.
- Conditions for the switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium
  - The QPS exceeds the threshold 3 consecutive times within 3 minutes or more than 6 times within 10 minutes, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.
  - A domain name is added to a sandbox, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.
- Conditions for the switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN
  - The QPS remains less than 80% of the threshold, and the success rate of protection against HTTP flood attacks remains less than 10% for more than 12 consecutive hours.
  - The IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance has not been in blackhole filtering or traffic scrubbing in the last 60 minutes, and your domain name is not added to a sandbox.
  - Service traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00.
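To check a candidate QPS threshold against your own traffic history before creating a rule, the conditions above can be modelled as follows. This is an added example, not Alibaba Cloud code: the function names are hypothetical, and it assumes one QPS sample per minute and that the flood protection success rate is available as a 0..1 fraction.

```python
from datetime import time, timedelta

MAX_NODE_GBPS = 10  # node traffic ceiling from the switchover conditions

def should_switch_to_ddos(qps, threshold, node_gbps, sandboxed=False):
    """CDN/DCDN -> Anti-DDoS check, evaluated on the newest sample.

    qps: QPS samples, oldest first. Assumption: one sample per minute,
    so the last 3 samples span 3 minutes and the last 10 span 10 minutes.
    """
    if node_gbps > MAX_NODE_GBPS:
        return False  # both listed conditions require <= 10 Gbit/s
    if sandboxed:
        return True
    over = [q > threshold for q in qps]
    three_in_a_row = len(over) >= 3 and all(over[-3:])
    return three_in_a_row or sum(over[-10:]) > 6

def may_switch_back(samples, threshold, now, last_mitigation=None, sandboxed=False):
    """Anti-DDoS -> CDN/DCDN check.

    samples: (timestamp, qps, flood_block_rate) tuples, oldest first.
    Assumption: flood_block_rate is a 0..1 fraction standing in for the
    "success rate of protection against HTTP flood attacks".
    last_mitigation: last time the instance IP was in blackhole
    filtering or traffic scrubbing, or None.
    """
    if sandboxed or not time(8, 0) <= now.time() <= time(23, 0):
        return False
    if last_mitigation and now - last_mitigation < timedelta(minutes=60):
        return False
    quiet_since = None
    for ts, qps, rate in samples:
        if qps < 0.8 * threshold and rate < 0.10:
            quiet_since = quiet_since or ts  # start of the current quiet run
        else:
            quiet_since = None  # any spike restarts the 12-hour clock
    return quiet_since is not None and now - quiet_since > timedelta(hours=12)

if __name__ == "__main__":
    # Constructed per-minute QPS history: quiet, then a sustained burst.
    history = [120] * 7 + [900, 950, 1100]
    print(should_switch_to_ddos(history, threshold=500, node_gbps=2.0))
```

Replaying a normal business peak through `should_switch_to_ddos` shows whether a threshold would divert legitimate traffic to scrubbing.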
Create a CDN or DCDN interaction rule
The following procedure describes how to create a CDN or DCDN interaction rule in the Anti-DDoS Pro console. You can also configure CDN interaction in the CDN console. For more information, see Configure Anti-DDoS.
After a CDN or DCDN interaction rule is created, if the QPS of the domain name does not meet the conditions for the switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium, service traffic is routed to the nearest CDN or DCDN node to accelerate service access. In this case, service traffic is not scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance. Service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if the QPS of the domain name meets the conditions for the switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium. This way, only normal service traffic is forwarded to the origin server. After service traffic is automatically switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the instance switches the service traffic back to the CDN or DCDN node if the conditions for the switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN are met.
In addition to automatic switchover, you can also manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance and then manually switch the service traffic back to the CDN or DCDN node based on the protection requirements of your services. For more information, see What to do next.
What to do next
After a CDN or DCDN interaction rule is created, you can perform the following operations on the rule.
Operation | Description |
---|---|
Switch to DDoS | If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically triggered, you can manually switch the service traffic to the instance for scrubbing. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services. Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance only if blackhole filtering is not triggered for the IP address of the instance. Notice: After you manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, the service traffic cannot be automatically switched back to the CDN or DCDN node. To switch the service traffic back to the CDN or DCDN node, you must click Switch back to manually switch the service traffic. |
Switch back | If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, you can manually switch the service traffic back to the CDN or DCDN node. |
Edit | You can modify the CDN or DCDN interaction rule and change the value of QPS to modify the conditions for the switchover to Anti-DDoS Pro or Anti-DDoS Premium. |
Delete | You can delete the CDN or DCDN interaction rule. Warning: Before you delete an interaction rule, make sure that the domain name of your website is not mapped to the CNAME provided by Sec-Traffic Manager. Otherwise, access to the website may fail after you delete the rule. |