
Global Accelerator: Data security

Last Updated: Jun 16, 2025

Global Accelerator (GA) supports data transmission encryption and disaster recovery to protect your data in the cloud in an efficient manner.

Data transmission encryption

Associate SSL certificates with HTTPS listeners for secure access to domain names

When you configure a listener that uses the HTTPS protocol for a standard GA instance, you must associate an SSL certificate with the listener so that traffic to your service is encrypted and authenticated.

The SSL certificate that you configure when you create an HTTPS listener is used as the default server certificate. You can associate additional certificates with the HTTPS listener. After you associate additional certificates with an HTTPS listener, you can associate the listener with multiple domain names. You can also configure domain name-based forwarding rules for the listener. This way, requests that are destined for different domain names can be forwarded to different virtual endpoint groups, and access to multiple HTTPS domain names can be accelerated.

Note

The certificates are used to encrypt data that is transmitted from clients to GA. You can use the certificates that are installed on the backend servers to encrypt data that is transmitted from GA to the backend servers. The certificates on your GA instance can be the same as the certificates on the backend servers.

Use TLS policies to improve the security of websites that use HTTPS

When you configure an HTTPS listener for a standard GA instance, you can select a Transport Layer Security (TLS) policy to improve the security of your service.

A TLS policy contains TLS protocol versions and cipher suites that are available for HTTPS. A later version of TLS provides higher security but poorer compatibility with browsers. You can select a TLS policy based on your business requirements.
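One way to confirm from the client side that a listener only accepts the protocol versions of the TLS policy you selected, as an added example that is not part of the original documentation or Alibaba Cloud's own code. The host name `ga.example.com` is a placeholder and the sample result is constructed.

```python
import socket
import ssl
import warnings

# Protocol versions to test one at a time.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Map each TLS version to the cipher the listener negotiated, or None."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # testing protocol support, not trust
            ctx.verify_mode = ssl.CERT_NONE
            with warnings.catch_warnings():  # pinning TLS 1.0/1.1 is deprecated
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version
                ctx.maximum_version = version
            # Local OpenSSL defaults often disable TLS 1.0/1.1; lower the
            # client security level so a refusal reflects the listener.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (OSError, ValueError):        # refused, handshake failure, or
            results[name] = None             # version unsupported by local build
    return results

def violations(results, allowed_versions):
    """Versions the listener accepted that the selected policy should refuse."""
    return sorted(v for v, cipher in results.items()
                  if cipher is not None and v not in allowed_versions)

# Constructed sample result: a listener that still accepts TLS 1.0 and 1.1.
SAMPLE = {"TLSv1.0": "ECDHE-RSA-AES128-SHA", "TLSv1.1": "ECDHE-RSA-AES128-SHA",
          "TLSv1.2": "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.3": "TLS_AES_128_GCM_SHA256"}

if __name__ == "__main__":
    # ga.example.com is a placeholder; use a domain bound to your own listener.
    found = probe("ga.example.com")
    print(found, violations(found, {"TLSv1.2", "TLSv1.3"}))
```

A `None` for TLS 1.0 or 1.1 can also mean the local OpenSSL build cannot offer that version, so confirm a clean result from a client known to support it.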

Data backup and disaster recovery

Disaster recovery for multiple acceleration regions

Important
  • By default, the Free Trial edition of Alibaba Cloud Domain Name System (DNS) is selected. Only the Enterprise Standard edition and Enterprise Ultimate edition can return IP addresses based on geographical locations. You must upgrade your Alibaba Cloud DNS. For more information, see Intelligent DNS resolution. For information about how to upgrade Alibaba Cloud DNS, see the "Step 5: Upgrade Alibaba Cloud DNS" section of the Configure disaster recovery to ensure the high availability of applications that are deployed across regions topic.

  • The CNAME that is assigned by GA is scoped to the acceleration region. Requests may fail in cross-region scenarios.

    For example, if the acceleration regions include only regions outside the Chinese mainland, excluding China (Hong Kong), the CNAME record does not take effect in the Chinese mainland, which leads to access failures for clients in the Chinese mainland. You can refer to the following configuration options:

    • Solution 1: Configure intelligent resolution based on the region. Traffic from regions outside the Chinese mainland is routed to the CNAME of GA, and traffic from the Chinese mainland is directly routed to the origin server. For more information, see Scenario 2: Intelligent DNS resolution based on regional lines.

      In this setup, overseas traffic is routed to GA by using the accelerated IP address in the corresponding acceleration region. Traffic from the Chinese mainland goes directly to the origin server and may be affected by ISP limitations or international network latency, potentially leading to high latency or packet loss.

    • Solution 2: Add a region in the Chinese mainland as an acceleration region of GA and configure default resolution lines.

      GA automatically assigns an acceleration IP address based on the region of a request. In this case, overseas traffic is routed through the accelerated IP address in the region outside the Chinese mainland, while traffic from the Chinese mainland is routed through the accelerated IP address in the Chinese mainland.

    • Note: If the acceleration regions include a region in the Chinese mainland and the service uses HTTP and HTTPS traffic, you must obtain an ICP number for the custom domain name. Otherwise, acceleration fails.

If your clients are deployed in multiple acceleration regions, you can configure intelligent DNS resolution for the CNAME of a standard GA instance. This way, Alibaba Cloud DNS returns accelerated IP addresses based on the geographical locations of the clients. This lowers the resolution latency and accelerates access to your application. If a fault occurs in one of the acceleration regions, Alibaba Cloud DNS redirects requests to other acceleration regions that are close to the end users. This helps implement disaster recovery across acceleration regions.

Disaster recovery for multiple endpoint groups and endpoints

You can enable health checks for endpoint groups of a GA instance. After you enable health checks, GA periodically checks whether the endpoints are healthy. When GA detects an unhealthy endpoint, GA distributes new requests to healthy endpoints. When the unhealthy endpoint recovers, GA distributes requests to the endpoint again.

For information about health check configurations, see Enable and manage health checks.