If you provide a service such as a portal website, an e-commerce website, or a community website and you want to improve user experience and prevent traffic surges or attacks from affecting the stability of your services, you can use the Alibaba Cloud CDN (CDN) or Dynamic Route for CDN (DCDN) interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. Anti-DDoS Pro or Anti-DDoS Premium can ensure the stability and reliability of your origin server and CDN or DCDN can accelerate access to your service. This topic describes how to use the CDN or DCDN interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN.
Background information
You can use the CDN or DCDN interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. If no DDoS attacks occur after you enable the feature, the nearest CDN or DCDN node is used to accelerate service access. This helps ensure the fast delivery of your service. To ensure service stability, traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if DDoS attacks occur.
- Solution 1: Enable DDoS mitigation in the DCDN console. You can enable DDoS mitigation without complicated configurations. For more information, see DDoS mitigation.
- Solution 2: Configure the feature in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Create a CDN or DCDN interaction rule.
Limits
- You can enable the feature only for HTTP and HTTPS services. You cannot enable the feature for live video streaming. The feature is not recommended for the following service scenarios:
  - Your service is attacked more than three times per week.
  - Your service requires DDoS mitigation settings to immediately take effect. After service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the settings take effect based on the time to live (TTL) values of your domain name system (DNS) records.
  - Your service bandwidth and queries per second (QPS) exceed the upper limits.
    Note: If your service bandwidth exceeds 3 Gbit/s and the QPS exceeds 10,000, contact technical support by using Intelligent Customer Service.
- A CDN- or DCDN-accelerated domain name cannot be added to a sandbox. If a domain name is added to a sandbox, we recommend that you use only Anti-DDoS Pro or Anti-DDoS Premium without enabling the CDN or DCDN interaction feature.
Supported mitigation plans
The feature is supported by Anti-DDoS Pro instances of the Profession and Advanced mitigation plans and by Anti-DDoS Premium instances of the Insurance and Unlimited mitigation plans.
Prerequisites
- The domain name of your service is added to CDN or DCDN. For more information, see Add a domain name for CDN interaction or Add a domain name for DCDN interaction.
- An Anti-DDoS Pro or Anti-DDoS Premium instance of the Enhanced function plan is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
  Important: The protection requirements of your service are met by the clean bandwidth and QPS of the instance. If the protection requirements are not met, upgrade the instance. For more information, see Upgrade an instance.
- Your service is added to the instance for protection and the instance forwards service traffic as expected. For more information, see Add a website and Verify the forwarding configurations on your local computer.
Create a CDN or DCDN interaction rule
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
  - Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
  - Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

  You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
- In the left-side navigation pane, choose the page that hosts the CDN/DCDN Interaction tab. On the page that appears, click the CDN/DCDN Interaction tab.
- Find the domain name that you want to manage and click Add Interaction in the Actions column. In the Add Interaction panel, configure the parameters and click Next.
Parameter | Description |
---|---|
Anti-DDoS Instance | The Anti-DDoS Pro or Anti-DDoS Premium instance to which your domain name is added. Note: If the system returns the message "To use the CDN interaction feature, you must purchase the Enhanced Function plan for this instance.", upgrade the instance as prompted. If the system returns the message "You have not selected any Anti-DDoS instances.", add your domain name to your Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Add a website. |
Cloud Service | If your domain name is added to CDN or DCDN, the cloud service is automatically selected. No manual operations are required. If your domain name is not added to CDN or DCDN, select Alibaba Cloud CDN or Alibaba Cloud DCDN and add your domain name as prompted. For more information, see Add a domain name for CDN interaction or Add a domain name for DCDN interaction. |
Request per Second | The minimum QPS threshold. If the QPS reaches this threshold, traffic switchover to Anti-DDoS Pro or Anti-DDoS Premium is triggered. For more information, see Switch traffic. Note: We recommend that you set the value to more than two to three times the historical peak QPS of your service to handle traffic spikes. Do not specify a value that is less than 500 even if the QPS of your service is low. |

- Follow the on-screen instructions to visit the website of your DNS provider and change the DNS record to forward traffic to the CNAME of Sec-Traffic Manager.
  Important: After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS record, we recommend that you modify the hosts file on your computer to verify the network acceleration rule. This helps avoid incompatibility issues that are caused by inconsistent back-to-origin policies. For more information, see Verify the forwarding configurations on your local computer.
Alibaba Cloud CDN (CDN) allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Pro or Anti-DDoS Premium to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Pro or Anti-DDoS Premium to retrieve data from an Object Storage Service (OSS) object, the normal traffic that is forwarded by Anti-DDoS Pro or Anti-DDoS Premium cannot be identified by OSS. As a result, your service is interrupted.
In this example, the DNS service is provided by Alibaba Cloud DNS. If you use a third-party DNS service, log on to the system of the DNS provider to change the DNS record.
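The DNS change in the last step and the TTL limit described under Limits can be checked together after cutover. The following is an added example, not Alibaba Cloud code: it parses `dig +noall +answer` output, confirms that the first CNAME hop of the domain is the Sec-Traffic Manager CNAME, and reports the longest TTL in the chain as a conservative bound on how long a caching resolver may keep serving the pre-switchover answer. The hostnames, TTLs, and the 300-second tolerance are constructed placeholders.

```python
import re

# Constructed `dig +noall +answer www.example.com` output (placeholder names, TTLs).
SAMPLE_DIG_ANSWER = """\
www.example.com.              600  IN  CNAME  stm-placeholder.example.net.
stm-placeholder.example.net.   60  IN  CNAME  cdn-node.example.org.
cdn-node.example.org.          30  IN  A      203.0.113.10
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_answer(text):
    """Return (owner, ttl, rtype, value) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # comment and blank lines do not match and are skipped
            owner, ttl, rtype, value = m.groups()
            records.append((norm(owner), int(ttl), rtype, norm(value)))
    return records


def check_cutover(text, domain, expected_cname, max_ttl=300):
    """Follow the CNAME chain from `domain` and summarize the cutover state.

    max_ttl is an assumed operator tolerance in seconds, not a product value.
    """
    records = parse_answer(text)
    cnames = {o: (ttl, v) for o, ttl, t, v in records if t == "CNAME"}
    name, chain, ttls, seen = norm(domain), [], [], set()
    while name in cnames and name not in seen:  # `seen` guards against loops
        seen.add(name)
        ttl, name = cnames[name]
        chain.append(name)
        ttls.append(ttl)
    ttls += [ttl for o, ttl, t, _ in records if t in ("A", "AAAA") and o == name]
    worst = max(ttls) if ttls else None
    return {
        "chain": chain,
        "first_hop_ok": bool(chain) and chain[0] == norm(expected_cname),
        "worst_case_cache_seconds": worst,
        "ttl_exceeds_tolerance": worst is not None and worst > max_ttl,
    }
```

On the constructed sample, the 600-second TTL on the domain's own CNAME record dominates the chain, so that is the record to shorten if the tolerated switchover delay is lower.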
Switch traffic
After an interaction rule is created, service traffic is automatically switched between your Anti-DDoS Pro or Anti-DDoS Premium instance and CDN or DCDN when the conditions for a switchover are met. In addition to automatic switchover, you can manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance and then manually switch it back to the CDN or DCDN node based on the protection requirements of your services.
Automatic switchover
Switch type | Condition |
---|---|
Switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium | If one of the following conditions is met, a switchover is triggered: |
Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN | If all of the following conditions are met, a switchover is triggered: Important: Service traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00. |
Manual switchover
Switch type | Description |
---|---|
Switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium | If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically triggered, you can manually switch the service traffic to the instance for scrubbing. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services. Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance only if blackhole filtering is not triggered for the IP address of the instance. Important: After you manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, the service traffic cannot be automatically switched back to the CDN or DCDN node. To switch the service traffic back to the CDN or DCDN node, you must manually switch the service traffic. |
Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN | If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, you can manually switch the service traffic back to the CDN or DCDN node. |
What to do next
Modify an interaction rule
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
  - Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
  - Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

  You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
- In the left-side navigation pane, choose the page that hosts the CDN/DCDN Interaction tab. On the page that appears, click the CDN/DCDN Interaction tab.
- Find the domain name that you want to manage and click Edit in the Actions column. In the Edit Interaction panel, modify the Anti-DDoS Instance or Request per Second parameters.
- Click Next, and then click OK.
Delete an interaction rule
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
  - Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
  - Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

  You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
- In the left-side navigation pane, choose the page that hosts the CDN/DCDN Interaction tab. On the page that appears, click the CDN/DCDN Interaction tab.
- Find the domain name that you want to manage and click Delete in the Actions column. In the Delete rule message, click OK.