Global Accelerator: Data security

Last Updated: Jun 08, 2026

GA supports data transmission encryption and disaster recovery to protect your cloud data.

Data transmission encryption

Bind SSL certificates to HTTPS listeners

When you configure HTTPS listeners for a standard GA instance, you must associate an SSL certificate to encrypt and authenticate your traffic.

The SSL certificate that you associate when creating an HTTPS listener serves as the default server certificate. You can associate additional certificates to support multiple domain names and configure domain name-based forwarding rules to route requests to different virtual endpoint groups.

Note

Certificates configured in Global Accelerator encrypt data sent from clients to the instance. Certificates installed on backend servers encrypt data sent from Global Accelerator to the servers.

TLS security policies for HTTPS

When you configure an HTTPS listener for a standard GA instance, you can select a TLS policy to strengthen security.

A TLS policy specifies the protocol versions and cipher suites available for HTTPS. Later TLS versions provide stronger security but lower browser compatibility.
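As an added example (not part of the GA documentation or Alibaba Cloud's code), the following Python audits a TLS policy expressed as protocol versions plus cipher suites and lists what a stricter policy would remove. The two policies are constructed samples that assume OpenSSL-style cipher names; they are not GA's built-in policies.

```python
# Added example: audit a TLS policy (protocol versions + cipher suites).
# Both policies below are constructed samples, not GA's built-in policies.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
WEAK_TOKENS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXPORT")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")


def audit_cipher(name):
    """Return findings for one OpenSSL-style cipher suite name."""
    if name.startswith("TLS_"):
        # In OpenSSL naming, TLS_* suites are TLS 1.3: AEAD-only and always
        # negotiated with an ephemeral key exchange.
        return []
    upper = name.upper()
    findings = [f"{name}: weak algorithm ({t})" for t in WEAK_TOKENS if t in upper]
    if not upper.startswith(("ECDHE-", "DHE-")):
        findings.append(f"{name}: no ephemeral key exchange (no forward secrecy)")
    if not any(t in upper for t in AEAD_TOKENS):
        findings.append(f"{name}: not an AEAD suite")
    return findings


def audit_policy(policy):
    """Return all findings for a policy dict with 'protocols' and 'ciphers'."""
    findings = [f"protocol {p} is deprecated"
                for p in policy["protocols"] if p in DEPRECATED_PROTOCOLS]
    for cipher in policy["ciphers"]:
        findings.extend(audit_cipher(cipher))
    return findings


LEGACY_POLICY = {  # constructed: broad compatibility, weaker security
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                "AES128-SHA", "DES-CBC3-SHA"],
}
STRICT_POLICY = {  # constructed: newer clients only
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"],
}

if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_POLICY), ("strict", STRICT_POLICY)):
        results = audit_policy(policy)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```
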

Data backup and disaster recovery

Disaster recovery for multiple acceleration regions

Important
  • By default, the Free Trial edition of Alibaba Cloud DNS is selected. Only the Enterprise Standard and Enterprise Ultimate editions return IP addresses based on geographical locations, so you must upgrade Alibaba Cloud DNS. For more information, see Intelligent DNS resolution. To upgrade, follow the "Step 5: Upgrade Alibaba Cloud DNS" section in Configure disaster recovery to ensure the high availability of applications that are deployed across regions.

  • The GA-assigned CNAME is scoped to the acceleration region. Requests may fail in cross-region scenarios.

    For example, if the acceleration regions include only regions outside the Chinese mainland, excluding China (Hong Kong), the CNAME record does not take effect in the Chinese mainland, causing access failures for clients in the Chinese mainland. Consider the following options:

    • Solution 1: Configure intelligent DNS resolution based on client locations. Resolve traffic from outside the Chinese mainland to the GA CNAME, and resolve traffic from the Chinese mainland directly to the origin server.

      In this case, traffic from outside the Chinese mainland enters GA through the accelerated IP address of the acceleration area outside the Chinese mainland. Traffic from the Chinese mainland connects directly to the origin server, which may cause latency and packet loss due to ISP and international link limitations.

    • Solution 2: Add an acceleration area in the Chinese mainland to the GA instance, and use the default DNS line to resolve requests to the GA CNAME.

      GA automatically allocates an accelerated IP address based on the region from which a request is initiated. Traffic from outside the Chinese mainland is routed to GA through accelerated IP addresses in acceleration areas outside the Chinese mainland, and traffic from the Chinese mainland is routed to GA through accelerated IP addresses in the Chinese mainland.

      Note: If the acceleration area includes the Chinese mainland and your service traffic is HTTP or HTTPS, you must obtain an ICP filing for your domain name. Otherwise, acceleration will fail.

If your clients span multiple acceleration regions, configure intelligent DNS resolution for the CNAME of a standard GA instance. Alibaba Cloud DNS returns accelerated IP addresses based on client locations, reducing resolution latency. If one acceleration region fails, Alibaba Cloud DNS redirects requests to nearby healthy regions, enabling cross-region disaster recovery.

Disaster recovery for multiple endpoint groups and endpoints

You can enable health checks for the endpoint groups of your GA instance. When an endpoint fails a health check, GA automatically redirects new requests to other healthy endpoints. After an unhealthy endpoint recovers and passes health checks, GA automatically resumes routing traffic to it.

For information about health check configurations, see Enable and manage health checks.