Alibaba Cloud DNS: Access policy

Last Updated: Jul 07, 2025

An access policy defines DNS intelligent resolution, the primary and secondary IPAM pool collections, the effective IPAM pool collection switching policy, and other related settings. You can create multiple access policies in a Global Traffic Management (GTM) instance and assign different IPAM pool collections to answer queries from users in different networks or regions, so that users reach the nearest service and traffic switches over automatically when a failure occurs.

Access policy types

Geo-based access policy

You can enable users from different regions/networks to access nearby services based on their geographic locations.

Latency-based access policy

This policy detects the access latency from the user's source region to the application address region and routes end user requests to the application server cluster with the lowest latency. This service is only available to Ultimate Edition users.

Warning
  1. Alibaba Cloud deploys probing nodes in multiple regions around the world and selects a batch of IP addresses in each region. Each probing node tests these IP addresses, and the average latency value of each region is used as the latency between the probing point region and the target region.

  2. When an end user in a certain region initiates a DNS query request, the system matches the end user's region with the region of the Alibaba Cloud probing point. Based on the probing point's detection latency, the system returns the IP address with the lowest access latency. Therefore, this access latency determination is not real-time and does not represent the actual latency between the real client and the access server IP.

  3. Due to issues with the accuracy and update timeliness of the latency scheduling database, optimal latency may not be achieved in some regions.

  4. Depending on latency scheduling accuracy and failover, user requests may be concentrated on a single IP address. Each service IP address must therefore have sufficient capacity to handle all online request traffic.

Geo-based access policy

Configuration parameter description

  1. Policy Name

    When adding or modifying an access policy, you can enter an access policy name that is easy to identify and remember.

  2. Resolution Request Source

    The resolution request source implements the DNS intelligent resolution effect. When a corresponding region is selected, users from that region accessing the application service will match the corresponding IPAM pool collection configured in the access policy. If you select Global, it represents all users.

    Rules:

    • If there is only one access policy, you must select Global for the access policy unless there are special business requirements.

    • If there are multiple access policies, one access policy must have Global selected as its region. Otherwise, some regions may not be able to access the application service.

    • You cannot select options that have been used in other access policies. These options are unavailable.

      • Exception: an option can be reused when the address pools in the two primary IPAM pool collections are of different types, one IPv4 and the other IPv6.

        • For example: If a global access policy already exists with an IPv4 address pool type in its primary IPAM pool collection, another global access policy can be created only if the address pool type in its primary IPAM pool collection is IPv6.

    • If there are multiple access policies, you can only choose one method for setting the resolution request source: either "ISP line" or "Region line". You cannot use both simultaneously.

    • Currently, CNAME access domains can only be set as Custom Access Domain, and the resolution request source selection must be consistent with the access domain resolution line mode. That is, if the access domain resolution line mode is ISP Line, then the resolution request source can only select ISP line or global.

      Note

      Detailed lines require GTM Ultimate Edition, and the GTM associated domain needs to be bound to a Cloud DNS Enterprise Standard Edition or higher instance.

  3. Primary IPAM pool collection, secondary IPAM pool collection

    The primary IPAM pool collection refers to the IPAM pool collection that users access by default under normal circumstances. It is a combination of multiple address pools of the same type. When the primary IPAM pool collection is unavailable, the system will automatically switch between the primary IPAM pool collection and the secondary IPAM pool collection according to the effective IPAM pool collection switching policy.

    Address Pool Type: Currently supports IPV4, IPV6, and domain name.

    Select Address Pool: After determining the address pool type, select from the already created address pools.

    Add New Address Pool: If you have not created an address pool, you can go to the address pool configuration page through this entry to create an address pool.

    Load Balancing Policy: Currently supports Return All Addresses and Return Addresses By Weight. The load balancing policy in the access policy has higher priority than the load balancing policy in the address pool. The specific response effective policy is as follows:

    | Address pool load balancing policy | Access policy load balancing policy | Final effective policy |
    | --- | --- | --- |
    | Return all addresses | Return all addresses | Return all addresses |
    | Return addresses by weight | Return addresses by weight | Return addresses by weight. Final address weight value = Address weight value in address pool × Address pool weight value in access policy |
    | Return all addresses | Return addresses by weight | Return addresses by weight. Final address weight value = Address pool weight value in access policy |
    | Return addresses by weight | Return all addresses | Return all addresses |

    Minimum Number Of Available Addresses: The minimum number of healthy addresses in the address pool when the IPAM pool collection is available. When the number of healthy addresses is less than the minimum number of available addresses, the IPAM pool collection is unavailable.

  4. Effective IPAM Pool Collection Switching Policy

    The effective IPAM pool collection switching policy includes two types: Automatic Mode and Manual Mode.

    Note

    Automatic Mode: Automatically switches between the primary IPAM pool collection and the secondary IPAM pool collection based on their availability status (uses the primary IPAM pool collection when both primary and secondary are available).

    • If both primary and secondary IPAM pool collections are unavailable, the system uses the IPAM pool collection with more surviving addresses.

    • If both primary and secondary IPAM pool collections are unavailable, and they have the same number of surviving addresses (not zero), the system uses the primary IPAM pool collection.

    • If both primary and secondary IPAM pool collections are unavailable, and both have zero surviving addresses, there are two scenarios:

      (1) If the resolution request source is configured as a "non-global" detailed line, then the primary and secondary IPAM pool collections for that detailed line are all invalid, and the system downgrades to use the "global" line configuration.

      (2) If the resolution request source is configured as a "global" line, the system uses the primary IPAM pool collection and returns all addresses.

    | Mode | Condition | Primary IPAM pool collection | Secondary IPAM pool collection |
    | --- | --- | --- | --- |
    | Manual Mode | Specify primary IPAM pool collection | ✅ (and returns primary IPAM pool collection addresses according to load policy) | |
    | Manual Mode | Specify secondary IPAM pool collection | | ✅ (and returns secondary IPAM pool collection addresses according to load policy) |
    | Automatic Mode | Primary IPAM pool collection is set, secondary IPAM pool collection is not set | ✅ (and returns primary IPAM pool collection addresses according to load policy) | |
    | Automatic Mode | Both primary and secondary IPAM pool collections are set, primary IPAM pool collection is available | ✅ (and returns primary IPAM pool collection addresses according to load policy) | |
    | Automatic Mode | Both primary and secondary IPAM pool collections are set, primary is unavailable, secondary IPAM pool collection is available | | ✅ (and returns secondary IPAM pool collection addresses according to load policy) |
    | Automatic Mode | Both primary and secondary IPAM pool collections are set, both are unavailable, number of surviving addresses in primary IPAM pool collection > number of surviving addresses in secondary IPAM pool collection | ✅ (and returns all addresses in primary IPAM pool collection according to load policy, including non-surviving addresses) | |
    | Automatic Mode | Both primary and secondary IPAM pool collections are set, both are unavailable, number of surviving addresses in primary IPAM pool collection < number of surviving addresses in secondary IPAM pool collection | | ✅ (and returns all addresses in secondary IPAM pool collection according to load policy, including non-surviving addresses) |
    | Automatic Mode | Both primary and secondary IPAM pool collections are set, both are unavailable, number of surviving addresses in primary IPAM pool collection = number of surviving addresses in secondary IPAM pool collection | ✅ (and returns all addresses in primary IPAM pool collection according to load policy, including non-surviving addresses) | |

    Important

    For latency-based access policies, non-surviving addresses are not returned. This applies to the three rows above in which both IPAM pool collections are unavailable.
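The automatic-mode and manual-mode rules above for a geo-based policy, written out as a decision function. This is an added example, not Alibaba Cloud code; the `Collection` model, the function names and the `global-line` label are assumptions for illustration. `degraded_steps` replays constructed health samples and lists the steps at which answers include non-surviving addresses, which is the state an operator would want an alert on.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Collection:
    """Hypothetical model of an IPAM pool collection (field names are assumptions)."""
    healthy: int        # surviving addresses according to health checks
    min_available: int  # "Minimum Number Of Available Addresses"

    @property
    def available(self) -> bool:
        # Unavailable once healthy addresses drop below the configured minimum.
        return self.healthy >= self.min_available

def effective_collection(primary: Collection, secondary: Optional[Collection],
                         mode: str = "auto", manual_choice: str = "primary",
                         source_is_global: bool = True) -> Tuple[str, bool]:
    """Return (collection answering queries, non-surviving addresses included?)."""
    if mode == "manual":
        return manual_choice, False          # operator pins the collection
    if secondary is None or primary.available:
        return "primary", False
    if secondary.available:
        return "secondary", False
    # Both collections are unavailable from here on.
    if primary.healthy == 0 and secondary.healthy == 0:
        if not source_is_global:
            # Detailed line is invalid; the "global" policy decides the answer.
            return "global-line", False
        return "primary", True               # global line: return all addresses
    if secondary.healthy > primary.healthy:
        return "secondary", True
    return "primary", True                   # more survivors, or equal and non-zero

def degraded_steps(timeline: List[Tuple[int, int]], min_available: int = 2,
                   source_is_global: bool = True) -> List[Tuple[int, str]]:
    """Replay (primary_healthy, secondary_healthy) samples and list the steps
    where resolvers are handed non-surviving addresses, i.e. what to alert on."""
    hits = []
    for step, (p, s) in enumerate(timeline):
        name, serves_dead = effective_collection(
            Collection(p, min_available), Collection(s, min_available),
            source_is_global=source_is_global)
        if serves_dead:
            hits.append((step, name))
    return hits

# Constructed health samples: healthy, primary degraded, both degraded, total outage.
SAMPLE = [(3, 3), (1, 3), (1, 1), (0, 1), (0, 0)]
print(degraded_steps(SAMPLE))  # steps where dead addresses are in the answer
```
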

Configuration method

  1. Access Cloud DNS-Global Traffic Management.

  2. Click the instance ID you want to operate on. You will be directed to the Basic Configuration page by default. Then, in the Access Policy Type section, select Geo-based Access Policy and click the Configure button.

  3. On the access policy page, click the Add Access Policy button to configure the Policy Name, Resolution Request Source, Primary IPAM Pool Collection, Secondary IPAM Pool Collection, and other settings.

    Note

    If the Select Address Pool option is empty, first select Add New Address Pool to go to the Address Pool Configuration tab and Add New Address Pool.


Latency-based access policy

Configuration parameter description

  1. Policy Name

    When adding or modifying an access policy, you can enter an access policy name that is easy to identify and remember.

  2. Primary IPAM pool collection, secondary IPAM pool collection

    The primary IPAM pool collection refers to the IPAM pool collection that users access by default under normal circumstances. It is a combination of multiple address pools of the same type. When the primary IPAM pool collection is unavailable, the system will automatically switch between the primary IPAM pool collection and the secondary IPAM pool collection according to the effective IPAM pool collection switching policy.

    Address Pool Type: Currently supports IPV4, IPV6, and domain name.

    Select Address Pool: After determining the address pool type, select from the already created address pools.

    Add New Address Pool: If you have not created an address pool, you can go to the address pool configuration page through this entry to create an address pool.

    Address Pool Type: Latency-based access policies currently support address pool types including IPV4, IPV6, and domain name.

    Minimum Number Of Available Addresses: The minimum number of healthy addresses in the address pool when the IPAM pool collection is available. When the number of healthy addresses is less than the minimum number of available addresses, the IPAM pool collection is unavailable.

    Maximum Number Of Returned Addresses:

    • The default setting is 1, which means that when the application service has multiple IP addresses, the system will return one resolution address with the lowest access latency.

    • When set to greater than 1 and less than 8, the system supports returning multiple resolution addresses with the lowest access latency.

    Latency Resolution Scheduling Optimization:

    • Latency resolution scheduling optimization mode can only be enabled when the maximum number of returned addresses is set to greater than 1.

    • When this mode is enabled, the system will intelligently return the optimal resolution addresses within the maximum number of returned addresses.

Configuration method

  1. Access Cloud DNS-Global Traffic Management.

  2. Click the instance ID you want to operate on. You will be directed to the Basic Configuration page by default. Then, in the Access Policy Type section, select Latency-based Access Policy and click the Configure button.

  3. On the access policy page, click the Add Access Policy button to configure the Maximum Number Of Returned Addresses, Latency Resolution Scheduling Optimization, and Primary/Secondary IPAM Pool Collection, in the same way as for the geo-based access policy.

    Important

    In latency-based policies, only one access policy with the same address pool type is supported at a time. If you have already created a latency-based policy with an IPv4 address pool type, you are not allowed to create another latency-based policy with an IPv4 address pool type.