You can create cloud service interaction rules to enable Anti-DDoS Pro or Anti-DDoS Premium to work together with the Alibaba Cloud resources that have public IP addresses. The cloud service interaction feature prevents additional service access latency after your website is added to your Anti-DDoS Pro or Anti-DDoS Premium instance.
Prerequisites
- Your services use the Alibaba Cloud resources that have public IP addresses, such as an elastic IP address (EIP) or a Web Application Firewall (WAF), Elastic Compute Service (ECS), or Server Load Balancer (SLB) instance that has a public IP address.
- An Anti-DDoS Pro instance of the Profession mitigation plan or an Anti-DDoS Premium
instance of the Insurance or Unlimited mitigation plan is purchased.
Notice The clean bandwidth and queries per second (QPS) of the instance must meet the protection requirements of your services.
For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.
- Your website is added to the Anti-DDoS Pro or Anti-DDoS Premium instance.
For more information, see Add a website.
- The Anti-DDoS Pro or Anti-DDoS Premium instance forwards service traffic as expected.
For more information, see Verify the forwarding configurations on your local computer.
Background information
After you add your service to the Anti-DDoS Pro or Anti-DDoS Premium instance, service traffic is automatically scrubbed by the instance. Then, only normal traffic is forwarded to the origin server. Even if no attacks occur, service traffic is forwarded by the instance, which increases service access latency.
If you want to avoid additional latency, you can create a cloud service interaction rule for Sec-Traffic Manager. This rule allows service traffic to be switched to the instance for scrubbing and then to the origin server only if an attack occurs. If no attacks occur, service traffic is directly forwarded to the origin server.
Create an interaction rule
If no DDoS attacks occur on your cloud resource after you enable the cloud service interaction rule, service traffic is not scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance and is directly forwarded from the client to the cloud resource. If DDoS attacks occur on your cloud resource after you enable the cloud service interaction rule, service traffic is automatically switched to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing, and only normal traffic is forwarded to the cloud resource. After service traffic is automatically switched to your Anti-DDoS Pro or Anti-DDoS Premium instance, the instance switches the service traffic back to the cloud resource when the attacks stop and the waiting time that you specify elapses.
In addition to automatic switchback, you can also manually switch the service traffic to your Anti-DDoS Pro or Anti-DDoS Premium instance for scrubbing and then to the cloud resource based on the protection requirements of your services. For more information, see What to do next.
What to do next
After a cloud service interaction rule is created, you can perform the following operations on the rule.
Operation | Description |
---|---|
Switch to DDoS | If traffic scrubbing by your Anti-DDoS Pro or Anti-DDoS Premium instance is not automatically
triggered, the ![]() ![]() Service traffic can be switched to your Anti-DDoS Pro or Anti-DDoS Premium instance
only if blackhole filtering is not triggered for the IP address of the instance.
Notice After you manually switch service traffic to your Anti-DDoS Pro or Anti-DDoS Premium
instance, the service traffic cannot be automatically switched back to the associated
cloud resources. To switch the service traffic back to the associated cloud resources,
you must click Switch back to manually switch the service traffic.
|
Switch back | If service traffic is scrubbed by your Anti-DDoS Pro or Anti-DDoS Premium instance,
the ![]() ![]() Notice
If blackhole filtering is triggered for the IP addresses of all associated cloud resources, the switchback fails. If blackhole filtering is deactivated for some cloud resources, service traffic is first switched back to these cloud resources. After blackhole filtering is deactivated for the remaining cloud resources, service traffic is also switched back to these cloud resources. |
Edit | You can modify the cloud service interaction rule. However, you cannot change the values of Interaction Scenario and Name for the rule. |
Delete | You can delete the cloud service interaction rule.
Warning Before you delete a rule, make sure that the domain name of your website is not mapped
to the CNAME provided by Sec-Traffic Manager. Otherwise, access to the website may
fail after you delete the rule.
|