Anti-DDoS: Configure port forwarding rules

Last Updated: Apr 01, 2024

To use Anti-DDoS Proxy to protect your non-website services, such as client-based applications, you must create port forwarding rules. Anti-DDoS Proxy then scrubs the traffic that is destined for your services and forwards only service traffic to your origin server based on the port forwarding rules. This topic describes how to create port forwarding rules for non-website services.

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Create a port forwarding rule

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. On the Port Config page, select the instance for which you want to create a port forwarding rule.

    Note

    If the exclamation mark icon is displayed next to a protocol in the Forwarding Protocol column of a port forwarding rule, the rule was automatically generated when you added a website. This port forwarding rule is used to forward the traffic of website services. You cannot modify or delete rules that are automatically generated. If the websites that use these port forwarding rules are removed from your instance, the port forwarding rules are automatically deleted. For more information about how to configure website services, see Add one or more websites.

    • If you specify port 80 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 80.

    • If you specify port 443 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 443.

    • Create a port forwarding rule

      Click Add Rule. In the dialog box that appears, configure the parameters based on your business requirements and click OK.

      Parameter: Description

      • Forwarding Protocol: The protocol that you want to use to forward traffic. Valid values: TCP and UDP.

      • Redirection Port: The port that you want to use to forward traffic.

        Note

        • We recommend that you specify the same value for both Redirection Port and Origin Server Port.

        • To prevent domain owners from creating their own DNS servers, Anti-DDoS Proxy does not protect services that use port 53.

        • For an instance, forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a rule with a protocol and forwarding port that are configured for another rule, an error message indicating that these rules overlap appears.

        • Make sure that the rule you want to create does not conflict with the rules that are automatically generated when you add a website to your instance.

      • Origin Server Port: The port of the origin server.

      • Origin IP Address: The IP address of the origin server.

        Note

        You can specify a maximum of 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).

    • Create multiple port forwarding rules at a time

      1. On the Port Config page, choose Batch Operations > Add Rule.

      2. In the Add Rule dialog box, enter the required information as shown in the sample file and click OK.

        Each line represents a rule. From left to right, the fields in each rule indicate the following information: protocol, forwarding port, origin server port, and origin IP address. Fields are separated by spaces.

      3. In the Add Rule dialog box, select the rules that you want to create and click OK.
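
The batch line format and the rule constraints described above can be checked before the lines are pasted into the Add Rule dialog box. The following is an added example, not part of the original documentation or the product's own tooling; the function names, the constructed sample lines, the 1-65535 port range, and treating the protocol as case-insensitive are assumptions.

```python
import ipaddress

MAX_ORIGIN_IPS = 20    # page: at most 20 origin IP addresses per rule
UNPROTECTED_PORT = 53  # page: services that use port 53 are not protected

def parse_port(raw):
    """Return the port as an int, or None if it is not a number in 1-65535."""
    ok = raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 65535
    return int(raw) if ok else None

def is_ip(raw):
    """Syntax check only; says nothing about reachability of the origin."""
    try:
        ipaddress.ip_address(raw)
        return True
    except ValueError:
        return False

def validate_batch(text, reserved=()):
    """Check 'protocol forwarding_port origin_port ip[,ip...]' lines.
    reserved: (protocol, forwarding_port) pairs already in use on the instance,
    e.g. rules auto-generated for websites. Returns (rules, errors)."""
    taken = {(proto.upper(), port) for proto, port in reserved}
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            if fields:  # blank lines are skipped silently
                errors.append((lineno, "expected 4 space-separated fields"))
            continue
        proto, fwd, origin = fields[0].upper(), parse_port(fields[1]), parse_port(fields[2])
        ips = fields[3].split(",")
        checks = [
            (proto not in ("TCP", "UDP"), "protocol must be TCP or UDP"),
            (fwd is None or origin is None, "port must be 1-65535"),
            (fwd == UNPROTECTED_PORT, "port 53 is not protected"),
            ((proto, fwd) in taken, "overlaps a rule with the same protocol and forwarding port"),
            (len(ips) > MAX_ORIGIN_IPS, "more than 20 origin IP addresses"),
            (not all(is_ip(ip) for ip in ips), "invalid origin IP address"),
        ]
        problems = [msg for failed, msg in checks if failed]
        errors.extend((lineno, msg) for msg in problems)
        if not problems:
            taken.add((proto, fwd))
            rules.append((proto, fwd, origin, ips))
    return rules, errors

# Constructed sample batch (documentation address ranges, not real servers).
SAMPLE = ("tcp 8080 8080 192.0.2.10,192.0.2.11\nudp 53 53 192.0.2.20\n"
          "tcp 8080 9090 198.51.100.5\ntcp 443 443 203.0.113.7\nudp 8080 8080 192.0.2.10\n")
```

Calling `validate_batch(SAMPLE, reserved=[("TCP", 443)])` models an instance where a website already generated the TCP 443 rule: lines 2, 3 and 4 are rejected, while the UDP rule on port 8080 is accepted because only rules with the same protocol must use different forwarding ports.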

What to do next

After you create port forwarding rules, you must allow the back-to-origin IP address of your instance on the origin server, verify on your computer that the forwarding rules are in effect, and then switch the traffic of your non-website services to your instance.

  1. Allow the back-to-origin IP address of your instance on the origin server. This way, the traffic from your instance is allowed by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.

  2. Verify on your computer that the port forwarding rules are in effect. This prevents service exceptions caused by invalid forwarding rule configurations. For more information, see Verify traffic forwarding settings on a local machine.

    Warning

    If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.

  3. Switch the traffic of your non-website services to your instance.

    In most cases, you can replace the service IP address with the exclusive IP address of your instance to switch the traffic of your non-website services to your instance. The method to replace the IP address varies based on your platform.

    Note
    • If your service is also accessible over a domain name that functions as the server address, you do not need to add the domain name to your instance. For example, the domain name example.com is used as the server address of a game or is hard-coded in a client program. In this case, you must change the A record at the DNS provider of the domain name to redirect the traffic to the exclusive IP address of your instance. For more information, see Change the DNS record.

    • In some scenarios, you may need to use a domain name to add your Layer 4 service to multiple Anti-DDoS Proxy instances and configure an automatic mechanism to switch traffic among these instances. We recommend that you add the domain name of your service to Anti-DDoS Proxy and modify the CNAME of the domain name. For more information, see Modify CNAME records to protect transport-layer services.

Related operations

Modify port forwarding rules

You can modify port forwarding rules to change the origin server IP addresses in the rules. If the forwarding protocol or port changes, we recommend that you create a new forwarding rule.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. On the Port Config page, select the instance for which you want to modify one or more port forwarding rules.

    • Modify a port forwarding rule

      1. Find the rule that you want to modify and click Edit in the Actions column.

      2. In the Edit Rule dialog box, change the value of Origin IP Address and click OK.

    • Modify multiple port forwarding rules at a time

      Note

      If you use an Anti-DDoS Proxy (Chinese Mainland) instance, you can modify multiple port forwarding rules at a time. If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance, you cannot modify multiple port forwarding rules at a time.

      1. Choose Batch Operations > Edit Rule below the rule list. In the Edit Rule dialog box, enter the required information as shown in the sample file and click OK.

      2. In the Edit Rule dialog box, select the rules that you want to create and click OK.

Delete port forwarding rules

Warning

You can delete manually created forwarding rules that are no longer in use. Before you delete a rule, ensure that inbound traffic is no longer forwarded to your Anti-DDoS Proxy instance. If you delete a forwarding rule before you restore the IP address of your service from that of your Anti-DDoS Proxy instance to the actual IP address, your service may be interrupted.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. On the Port Config page, select the instance for which you want to delete one or more port forwarding rules.

    • To delete a rule, find the rule that you want to delete and click Delete in the Actions column.

    • To delete multiple rules at a time, select the rules that you want to delete and click Batch Delete below the rule list.

  5. In the message that appears, click OK.