This topic describes how to configure Server Load Balancer (SLB) and Anti-DDoS Origin
to protect a website that is hosted on an Elastic Compute Service (ECS) instance.
This combination provides better protection than Anti-DDoS Origin Enterprise alone.
Background information
To use Anti-DDoS Origin Enterprise to protect your website, we recommend that you
deploy an SLB instance for the ECS instance where your website is hosted. Then, add
the IP address of the SLB instance to Anti-DDoS Origin Enterprise for protection.
The SLB instance can discard traffic whose protocol and port are not specified in
the SLB listener. This helps mitigate distributed denial of service (DDoS) attacks.
The preceding solution defends against different types of DDoS attacks, such as reflection
attacks, User Datagram Protocol (UDP) flood attacks, and SYN flood attacks (large
packets). The reflection attacks include Simple Service Discovery Protocol (SSDP),
Network Time Protocol (NTP), and Memcached attacks.
The following procedure describes how to implement this combination solution.
Procedure
- Create an Internet-facing SLB instance.
For more information, see
Create an SLB instance.
When you create an Internet-facing SLB instance, note the following points:
- SLB does not support cross-region deployment. Make sure that the ECS instance and
the SLB instance are in the same region.
- Anti-DDoS Origin provides protection only for Alibaba Cloud services that have public
IP addresses. Therefore, you must create an Internet-facing SLB instance.
For more information, see
Before you begin.
After an Internet-facing SLB instance is created, you can obtain the
IP Address of the SLB instance on the
Instances page in the
SLB console.
- Configure the Internet-facing SLB instance.
For more information, see
Configure an SLB instance.
When you configure the Internet-facing SLB instance, note the following points:
- In the Protocol and Listener step, specify only the listening protocol and ports that are required. You can select
TCP, UDP, HTTP, or HTTPS. Traffic whose protocol and port are not specified in the SLB listener is discarded
and not forwarded to the backend ECS instance.
- In the Backend Servers step, select the instance where your website is hosted.
Note The Internet-facing SLB instance communicates with the backend ECS instance over the
internal network. Therefore, we recommend that you disable Internet access to the
backend ECS instance after you configure the SLB instance. Make sure that the SLB
instance functions properly.
After the SLB instance is configured, the SLB instance forwards requests from a client
to the backend ECS instance based on the existing configurations.
- Change the DNS settings.
- If your website is accessed by using its IP address, you can add the IP address of
the Internet-facing SLB instance obtained in Step 1 as the IP address of your website.
In this case, you do not need to change the DNS settings.
- If your website is accessed by using its domain name, you must resolve the domain
name to the IP address of the SLB instance obtained in Step 1. For more information,
see Resolve a domain name.
- Add the IP address of the SLB instance to the Anti-DDoS Origin Enterprise instance
for protection.
After you add the IP address of the SLB instance, the Anti-DDoS Origin Enterprise
instance provides
unlimited protection. The Anti-DDoS Origin Enterprise instance automatically scrubs service traffic to
mitigate DDoS attacks.