If you provide a service such as a portal website, an e-commerce website, or a community website and you want to improve user experience and prevent traffic surges or attacks from affecting the stability of your services, you can use the Alibaba Cloud CDN (CDN) or Dynamic Route for CDN (DCDN) interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. Anti-DDoS Pro or Anti-DDoS Premium can ensure the stability and reliability of your origin server and CDN or DCDN can accelerate access to your service. This topic describes how to use the CDN or DCDN interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN.

Background information

You can use the CDN or DCDN interaction feature to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with CDN or DCDN. If no DDoS attacks occur after you enable the feature, the nearest CDN or DCDN node is used to accelerate service access. This helps ensure the fast delivery of your service. To ensure service stability, traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing only if DDoS attacks occur.

The feature supports the following configuration solutions:
  • Solution 1: Enable DDoS mitigation in the DCDN console. You can enable DDoS mitigation without complicated configurations. For more information, see DDoS mitigation.
  • Solution 2: Configure the feature in the Anti-DDoS Pro or Anti-DDoS Premium console. For more information, see Create a CDN or DCDN interaction rule.

Limits

  • You can enable the feature only for HTTP and HTTPS services. You cannot enable the feature for live video streaming. The feature is not recommended for the following service scenarios:
    • Your service is attacked more than three times per week.
    • Your service requires DDoS mitigation settings to immediately take effect. After service traffic is switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the settings take effect based on the time to live (TTL) values of your domain name system (DNS) records.
    • Your service bandwidth and queries per second (QPS) exceed the upper limits.
      Note If your service bandwidth exceeds 3 Gbit/s and the QPS exceeds 10,000, contact technical support by using Intelligent Customer Service.
  • A CDN- or DCDN-accelerated domain name cannot be added to a sandbox. If a domain name is added to a sandbox, we recommend that you use only Anti-DDoS Pro or Anti-DDoS Premium without enabling the CDN or DCDN interaction feature.

Supported mitigation plans

Anti-DDoS Pro instances of the Profession and Advanced mitigation plans and Anti-DDoS Premium instances of the Insurance and Unlimited mitigation plans.

Prerequisites

Create a CDN or DCDN interaction rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the page that appears, click the CDN/DCDN Interaction tab.
  4. Find the domain name that you want to manage and click Add Interaction in the Actions column. In the Add Interaction panel, configure the parameters and click Next.
    Configure the following parameters:
    • Anti-DDoS Instance: The Anti-DDoS Pro or Anti-DDoS Premium instance to which your domain name is added.
      Note
      • If the system returns the message "To use the CDN interaction feature, you must purchase the Enhanced Function plan for this instance.", upgrade the instance as prompted.
      • If the system returns the message "You have not selected any Anti-DDoS instances.", add your domain name to your Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Add a website.
    • Cloud Service:
      • If your domain name is added to CDN or DCDN, the cloud service is automatically selected. No manual operations are required.
      • If your domain name is not added to CDN or DCDN, select Alibaba Cloud CDN or Alibaba Cloud DCDN and add your domain name as prompted. For more information, see Add a domain name for CDN interaction or Add a domain name for DCDN interaction.
    • Request per Second: The minimum QPS threshold. If the QPS reaches this threshold, a traffic switchover to Anti-DDoS Pro or Anti-DDoS Premium is triggered. For more information, see Switch traffic.
      Note We recommend that you set the value to more than two to three times the historical peak QPS of your service so that normal traffic spikes do not trigger a switchover. Do not specify a value that is less than 500 even if the QPS of your service is low.
  5. Follow the on-screen instructions to visit the website of your DNS provider and change the DNS record to forward traffic to the CNAME of Sec-Traffic Manager.
    Important After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS record, we recommend that you modify the hosts file on your computer to verify the network acceleration rule. This helps avoid incompatibility issues that are caused by inconsistent back-to-origin policies. For more information, see Verify the forwarding configurations on your local computer.

    Alibaba Cloud CDN (CDN) allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Pro or Anti-DDoS Premium to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Pro or Anti-DDoS Premium to retrieve data from an Object Storage Service (OSS) object, the normal traffic that is forwarded by Anti-DDoS Pro or Anti-DDoS Premium cannot be identified by OSS. As a result, your service is interrupted.

    In this example, the DNS service is provided by Alibaba Cloud DNS. If you use a third-party DNS service, log on to the system of the DNS provider to change the DNS record.

    1. Log on to the Alibaba Cloud DNS console. On the Domain Name Resolution page, find the domain name that you want to manage and click DNS Settings in the Actions column.
    2. On the DNS Settings page, find the DNS record that you want to change and click Modify in the Actions column.
      Note If you cannot find the DNS record that you want to change in the list, you can click Add Record to add a record.
    3. In the Modify DNS Record panel, set Record Type to CNAME and Record Value to the CNAME of Sec-Traffic Manager. Then, click OK.
      After you change the DNS record, you can use a browser to test whether the website is accessible. If the website is inaccessible, troubleshoot the issue. For more information, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?.

Switch traffic

After an interaction rule is created, service traffic is automatically switched between your Anti-DDoS Pro or Anti-DDoS Premium instance and CDN or DCDN whenever the conditions for a switchover are met. In addition to automatic switchover, you can manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance and later manually switch it back to the CDN or DCDN node, based on the protection requirements of your services.

Automatic switchover

Switch type: Switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium
Condition: If one of the following conditions is met, a switchover is triggered:
  • The QPS exceeds the threshold 3 consecutive times within 3 minutes or more than 6 times within 10 minutes, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.
  • Your domain name is added to a sandbox, and the traffic on the CDN or DCDN node does not exceed 10 Gbit/s.

Switch type: Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN
Condition: If all of the following conditions are met, a switchover is triggered:
  • The QPS remains less than 80% of the threshold, and the success rate of mitigation against HTTP flood attacks remains less than 10% for more than 12 consecutive hours.
  • Blackhole filtering or traffic scrubbing has not been triggered for the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance in the last 1 hour.
  • Your domain name is not added to a sandbox.
Important Service traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00.
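The following script is an added example, not Alibaba Cloud code, that models the automatic switchover rules in the table above and the Request per Second recommendation from the rule-creation step, so that you can replay your own QPS history against a candidate threshold before committing it. The threshold, the metric readings and the treatment of 23:00 as the exclusive end of the switch-back window are assumptions.

```python
from datetime import datetime, timedelta

# Added example that models the documented switchover rules; it is not Alibaba
# Cloud code, and the threshold and all metric inputs below are constructed.

QPS_THRESHOLD = 2000                 # "Request per Second" value set in the rule
CDN_TRAFFIC_CAP_BPS = 10 * 10**9     # switchover only while CDN traffic <= 10 Gbit/s

def recommended_threshold(historical_peak_qps: float) -> int:
    """Threshold per the console note: above 2-3x the historical peak, never below 500."""
    return max(500, int(3 * historical_peak_qps))

def should_switch_to_antiddos(qps_per_minute, cdn_bps, sandboxed):
    """qps_per_minute: one QPS reading per minute, oldest first.
    Trigger when QPS exceeds the threshold 3 consecutive times within 3 minutes
    or more than 6 times within 10 minutes, or when the domain is sandboxed;
    in every case only while CDN/DCDN node traffic is at most 10 Gbit/s."""
    if cdn_bps > CDN_TRAFFIC_CAP_BPS:
        return False
    if sandboxed:
        return True
    last3, last10 = qps_per_minute[-3:], qps_per_minute[-10:]
    three_in_a_row = len(last3) == 3 and all(q > QPS_THRESHOLD for q in last3)
    over_six_of_ten = sum(q > QPS_THRESHOLD for q in last10) > 6
    return three_in_a_row or over_six_of_ten

def can_switch_back(now, hourly_qps, hourly_flood_mitigation_rate,
                    last_blackhole_or_scrub, sandboxed):
    """Hourly lists cover at least the last 12 hours, oldest first. All conditions
    must hold: QPS < 80% of the threshold and HTTP flood mitigation success rate
    < 10% for 12 consecutive hours, no blackhole filtering or scrubbing in the
    last hour, not sandboxed, and the time within 08:00-23:00 (end exclusive;
    an assumption, the page does not say whether 23:00 itself counts)."""
    if sandboxed or not (8 <= now.hour < 23):
        return False
    if last_blackhole_or_scrub is not None and now - last_blackhole_or_scrub < timedelta(hours=1):
        return False
    if len(hourly_qps) < 12 or len(hourly_flood_mitigation_rate) < 12:
        return False
    quiet_qps = all(q < 0.8 * QPS_THRESHOLD for q in hourly_qps[-12:])
    quiet_mitigation = all(r < 0.10 for r in hourly_flood_mitigation_rate[-12:])
    return quiet_qps and quiet_mitigation

if __name__ == "__main__":
    # Constructed readings: a burst that clears the threshold three minutes running.
    burst = [900, 1100, 2500, 2600, 3100]
    print(should_switch_to_antiddos(burst, cdn_bps=2 * 10**9, sandboxed=False))
    calm_hours = [1200] * 12
    print(can_switch_back(datetime(2024, 1, 1, 10), calm_hours, [0.02] * 12, None, False))
```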

Manual switchover

Switch type: Switchover from CDN or DCDN to Anti-DDoS Pro or Anti-DDoS Premium
Description: If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically triggered, you can manually switch the service traffic to the instance for scrubbing. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services.
Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance only if blackhole filtering is not triggered for the IP address of the instance.
Important After you manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, the service traffic cannot be automatically switched back to the CDN or DCDN node. To switch the service traffic back to the CDN or DCDN node, you must manually switch the service traffic.

Switch type: Switchover from Anti-DDoS Pro or Anti-DDoS Premium to CDN or DCDN
Description: If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance, you can manually switch the service traffic back to the CDN or DCDN node.
Important
  • Before you switch the service traffic back to the CDN or DCDN node, make sure that the attacks have stopped and CDN or DCDN acceleration works as expected. This prevents the CDN- or DCDN-accelerated domain name from being added to a sandbox and prevents service interruptions.
  • If you manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance, you must manually switch the service traffic back to the CDN or DCDN node.

What to do next

Modify an interaction rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the page that appears, click the CDN/DCDN Interaction tab.
  4. Find the domain name that you want to manage and click Edit in the Actions column. In the Edit Interaction panel, modify the Anti-DDoS Instance or Request per Second parameters.
  5. Click Next, and then click OK.

Delete an interaction rule

Warning Before you delete an interaction rule, make sure that the domain name of your service is not mapped to the CNAME provided by Sec-Traffic Manager. Otherwise, access to your service may fail after you delete the rule.
  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the page that appears, click the CDN/DCDN Interaction tab.
  4. Find the domain name that you want to manage and click Delete in the Actions column. In the Delete rule message, click OK.

References