What are the tiered protection feature and the related operations? - Anti-DDoS

You can create tiered protection rules to enable Anti-DDoS Proxy to work together with Anti-DDoS Origin. The tiered protection feature helps resolve the issue that the access latency of service traffic increases after you add your website to your Anti-DDoS Proxy instance. If you enable tiered protection, Anti-DDoS Origin protects your services, which does not increase access latency. If volumetric attacks occur, Anti-DDoS Proxy starts to protect your services instead. This topic describes how to create a tiered protection rule.

Supported instance types

Anti-DDoS Proxy (Chinese Mainland) of the Profession mitigation plan, Anti-DDoS Proxy (Chinese Mainland) of the Advanced mitigation plan, Anti-DDoS Proxy (Outside Chinese Mainland) of the Insurance mitigation plan, and Anti-DDoS Proxy (Outside Chinese Mainland) of the Unlimited mitigation plan.

Prerequisites

Your services use an Alibaba Cloud resource that is assigned a public IP address, such as an elastic IP address (EIP) or a Web Application Firewall (WAF), Elastic Compute Service (ECS), or Server Load Balancer (SLB) instance.
An Anti-DDoS Origin instance is purchased, and an asset is added to the instance for protection. The asset is assigned a public IP address. For more information, see Purchase an Anti-DDoS Origin instance and Add an object for protection.
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
A website service is added to Anti-DDoS Proxy. For more information, see Add websites.
The Anti-DDoS Proxy instance forwards service traffic as expected. For more information, see Verify the forwarding configurations on your on-premises computer.

Create a tiered protection rule

Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
- Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
- Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.

On the General Interaction tab, click Add Rule. In the panel that appears, configure a Tiered Protection rule and then click Next.

Parameter	Description
Interaction Scenario	Select Tiered Protection.
Rule Name	Enter a name for the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).
Anti-DDoS Pro	Select an Anti-DDoS Proxy instance.
Resource for Interaction	Configure a cloud resource. Select the region in which the cloud resource resides and enter the IP address of the cloud resource. Important You must enter an elastic IP address (EIP) or enter the IP address of a cloud resource that is added to the Anti-DDoS Origin Enterprise instance. The cloud resource can be an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, or Web Application Firewall (WAF) instance. For more information, see Add an object for protection. You can click Add IP Address of Cloud Resource to add more IP addresses. You can add up to 20 IP addresses. Note After you add multiple IP addresses, the IP addresses are associated with the specified Anti-DDoS Proxy instance. If one of the IP addresses is attacked, traffic is forwarded to other IP addresses. Traffic is forwarded to the Anti-DDoS Proxy instance only if all IP addresses are attacked. For more information about how to forward traffic to Anti-DDoS Proxy when one of the IP addresses is attacked, see Share one Anti-DDoS Proxy among multiple cloud resources.
Waiting Time of Switchback	Specify the waiting time before the service traffic is switched from your Anti-DDoS Proxy instance back to the IP address of a cloud resource. When the attack stops and the waiting time that you specify elapses, the service traffic is automatically switched back to the IP address of the cloud resource. You can specify a value that ranges from 30 to 120. Unit: minutes. We recommend that you set the value to 60.

Modify the hosts file on your on-premises computer to verify the tiered protection rule. This helps prevent incompatibility issues caused by inconsistent back-to-origin policies. For more information, see Verify the forwarding configurations on your local computer.
Visit the website of your DNS provider and change the DNS record to forward traffic to the CNAME of Sec-Traffic Manager. For more information, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.
After you change the DNS record, you can use a browser to test whether the website can be accessed. If the website cannot be accessed, troubleshoot the issue. For more information, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Proxy instance?.

Select the waiting time. After the tiered protection rule is created, Anti-DDoS Origin automatically protects the service traffic that is destined for the cloud resource. The service traffic is automatically switched to your Anti-DDoS Proxy instance for scrubbing only if volumetric DDoS attacks occur on the cloud resource. This way, only service traffic is forwarded to the cloud resource. After the service traffic is automatically switched to your Anti-DDoS Proxy instance, the instance switches the service traffic back to the cloud resource when the attacks stop and the waiting time that you specify elapses.

In addition to automatic switchover, you can also manually switch the service traffic to your Anti-DDoS Proxy instance and then manually switch the service traffic back to the cloud resource based on your business requirements.

What to do next

Switch to Anti-DDoS Proxy

If service traffic is scrubbed by your Anti-DDoS Proxy instance, the icon is displayed in the Resource for Interaction column. In this case, you can manually switch the service traffic back to the associated cloud resources. You can manually switch service traffic before blackhole filtering is triggered. This reduces adverse impacts on your services.

Important

Service traffic can be switched to your Anti-DDoS Proxy instance only if blackhole filtering is not triggered for the IP address of the instance.
After service traffic is switched to your Anti-DDoS Proxy instance, the service traffic cannot be automatically switched back to the associated cloud resources. To switch the service traffic back to the associated cloud resources, you must click Switchback to manually switch the service traffic.

On the General Interaction tab of the Sec-Traffic Manager page, find the rule whose Interaction Scenario is Tiered Protection.
Click Switch to Anti-DDoS in the Actions column. In the message that appears, click OK.

Switch back

If service traffic is scrubbed by your Anti-DDoS Proxy instance, the icon is displayed in the Anti-DDoS IP Address column. In this case, you can manually switch the service traffic back to the associated cloud resources.

Important

Before you manually switch the service traffic, make sure that the attacks stop and the associated cloud resources also work as expected. This prevents the associated cloud resources from being added to sandboxes and prevents service interruptions.
If you click Switch to Anti-DDoS to switch the service traffic to your Anti-DDoS Proxy instance, you must click Switchback to switch the service traffic back to the associated cloud resource.
If blackhole filtering is triggered for the IP addresses of all associated cloud resources, the switchback fails. If blackhole filtering is deactivated for some cloud resources, service traffic is first switched back to these cloud resources. After blackhole filtering is deactivated for the remaining cloud resources, service traffic is switched back to the remaining cloud resources.

On the General Interaction tab of the Sec-Traffic Manager page, find the rule whose Interaction Scenario is Tiered Protection.
Click Switchback in the Actions column. In the message that appears, click OK.

Edit a rule

On the General Interaction tab of the Sec-Traffic Manager page, find the rule whose Interaction Scenario is Tiered Protection.
Click Edit in the Actions column. Modify the Anti-DDoS Anti-DDoS Pro, Resource for Interaction, or Waiting Time of Switchback parameter. Then, click Next.

Delete a rule

Warning

Before you delete an interaction rule, make sure that the domain name of your website is not mapped to the CNAME of Sec-Traffic Manager. Otherwise, access to your website may fail after you delete the rule.

On the General Interaction tab of the Sec-Traffic Manager page, find the rule whose Interaction Scenario is Tiered Protection.
Click Delete in the Actions column. In the message that appears, click Delete.