Secure acceleration combines Sec-MCA with an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan. This creates a protection architecture that covers all carrier networks, keeping your services secure and accessible across global carrier networks.
How it works
Sec-MCA protects service traffic only from carriers in the Chinese mainland. To protect all service traffic, use Sec-MCA together with an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan.
The following example shows how Sec-MCA 2.0 interacts with an Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan:
- Traffic from China Telecom, China Unicom, and China Mobile in the Chinese mainland is scheduled to the IP address of the Sec-MCA 2.0 instance.
- All other traffic is scheduled to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan.
Prerequisites
Before you begin, make sure that you have:
- An Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan and a Sec-MCA 2.0 instance.
- Services that are not accessed directly by IP addresses. If your services are accessed directly by IP addresses, Sec-Traffic Manager cannot automatically schedule service traffic.
Procedure
- Add your website service to both the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan and the Sec-MCA 2.0 instance. Then, verify that service traffic is forwarded as expected.
  - To add your service, see Add a website configuration or Configure port forwarding rules.
    Note: Only add your service at this stage. Do not modify the domain name resolution.
  - To verify that service traffic is forwarded as expected, see Verify traffic forwarding settings on a local machine.
- Configure the secure acceleration rule.
  - Log on to the Anti-DDoS Proxy console.
  - In the top menu bar at the upper left corner, choose the Outside Chinese Mainland region. If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
  - In the left-side navigation pane, choose .
  - On the General Interaction tab, click Add Rule.
  - On the Add Rule page, configure a Sec-CMA rule with the following parameters, and click OK.
| Parameter | Description |
| --- | --- |
| Interaction Scenario | Select Sec-CMA. |
| Rule Name | Enter a name for the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_). |
| Sec-CMA | Select the IP address of the Sec-MCA instance. |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Select the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Unlimited mitigation plan. |
After you add the rule, Sec-Traffic Manager generates a CNAME for the rule. View the rule and its CNAME in the rule list.
Change the DNS records of the domain name as prompted and click Complete.
For the cloud service interaction rule to take effect, you must change the DNS records of your domain name on the website of your DNS service provider to map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you only need to change the DNS records in the Alibaba Cloud DNS console.
Important: After you change the DNS record of your domain name, the network acceleration rule takes effect. Before you change the DNS records, we recommend that you modify the hosts file on your on-premises computer to verify the cloud service interaction rule. This helps prevent incompatibility issues caused by inconsistent back-to-origin policies. CDN allows you to change the origin host for back-to-origin requests. However, you cannot use Anti-DDoS Proxy to change the origin host for back-to-origin requests. If you use CDN together with Anti-DDoS Proxy to retrieve data from an Object Storage Service (OSS) object, the service traffic that is forwarded by Anti-DDoS Proxy cannot be identified by OSS. As a result, your services are interrupted. For more information about origin hosts, see Configure the default origin host.
For more information about how to verify traffic forwarding rules, see Verify the forwarding configurations on your on-premises computer.
For more information about how to change the DNS records of a domain name, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.
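The pre-cutover check recommended in the Important note can also be run without editing the hosts file. The following is an added example, not part of the Alibaba Cloud documentation: it sends the same request to each instance IP while presenting your domain as the Host header and TLS SNI, and reports whether the instances answer consistently. The function names, the labels, and the 192.0.2.10 / 198.51.100.10 addresses are placeholders.

```python
import http.client
import socket
import ssl


def probe(ip, hostname, port=443, use_tls=True, path="/", timeout=5.0):
    """GET `path` from `ip` while presenting `hostname` as SNI and Host header.

    Equivalent to a temporary hosts-file entry mapping hostname -> ip.
    Returns the HTTP status code.
    """
    sock = socket.create_connection((ip, port), timeout=timeout)
    try:
        if use_tls:
            # Default context validates the certificate against `hostname`.
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=hostname)
        conn = http.client.HTTPConnection(hostname, port, timeout=timeout)
        conn.sock = sock  # reuse the socket already connected to the chosen IP
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        sock.close()


def compare_instances(hostname, instance_ips, **probe_args):
    """Probe every instance IP; return (results, ok).

    ok is True only if all instances answered with the same non-5xx status.
    """
    results = {}
    for label, ip in instance_ips.items():
        try:
            results[label] = probe(ip, hostname, **probe_args)
        except (OSError, http.client.HTTPException) as exc:
            results[label] = "error: " + type(exc).__name__
    statuses = set(results.values())
    ok = len(statuses) == 1 and all(
        isinstance(s, int) and s < 500 for s in statuses)
    return results, ok


if __name__ == "__main__":
    # Placeholder documentation addresses (RFC 5737); substitute your instance IPs.
    ips = {"sec_mca": "192.0.2.10", "anti_ddos": "198.51.100.10"}
    print(compare_instances("www.example.com", ips, timeout=3.0))
```

Change the DNS records only when `ok` is true; a differing status or an error on one instance indicates that the two website configurations do not forward to the origin in the same way.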
Manage existing rules
After you add a General Interaction rule, you can perform the following operations on the rule in the rule list.
| Operation | Description |
| --- | --- |
| Edit | You can modify the cloud service interaction rule. However, you cannot change the values of Interaction Scenario and Rule Name for the rule. |
| Delete | You can delete the cloud service interaction rule. Warning: Before you delete an interaction rule, make sure that the domain name of your website is not pointed to the CNAME of Sec-Traffic Manager. Otherwise, access to your website may fail after you delete the rule. |
| Switch to Anti-DDoS and Switchback | If Sec-MCA is subject to blackhole filtering or cannot meet your business requirements due to low network speeds, click Switch to Anti-DDoS. This switches all service traffic to the Anti-DDoS Pro or Anti-DDoS Premium instance (outside the Chinese mainland) under the Insurance or Unlimited mitigation plan. After the attack stops or the network becomes stable, click Switchback to switch traffic from the Chinese mainland back to Sec-MCA. |