
Global Accelerator: Data security

Last Updated: Aug 07, 2023

Global Accelerator (GA) supports data transmission encryption and disaster recovery to protect your data in the cloud in an efficient manner.

Data transmission encryption

Associate SSL certificates with HTTPS listeners for secure access to domain names

When you configure listeners that use the HTTPS protocol for a standard GA instance, you must associate an SSL certificate so that traffic to your service is encrypted and the server is authenticated.

The SSL certificate that you configure when you create an HTTPS listener is used as the default server certificate. You can associate additional certificates with the HTTPS listener. After you associate additional certificates with an HTTPS listener, you can associate the listener with multiple domain names. You can also configure domain name-based forwarding rules for the listener. This way, requests that are destined for different domain names can be forwarded to different virtual endpoint groups, and access to multiple HTTPS domain names can be accelerated.

Note: The SSL certificate is used to encrypt data that is transmitted from clients to GA. You can use the certificate that is installed on the backend servers to encrypt data that is transmitted from GA to the backend servers. The certificate on your GA instance can be the same as the one on the backend servers.

Use TLS policies to improve the security of websites that use HTTPS

When you configure an HTTPS listener for a standard GA instance, you can select a Transport Layer Security (TLS) policy to improve the security of your service.

A TLS policy contains the TLS protocol versions and cipher suites that are available for HTTPS. A later version of TLS provides higher security but poorer compatibility with browsers. Select a TLS policy based on your business requirements.
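After you select a TLS policy, you can check from a client which protocol versions the listener actually accepts. The following Python script is an added example, not part of the original documentation or an Alibaba Cloud tool; the names `probe` and `audit`, the file name and the default minimum of TLS 1.2 are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Protocol versions to probe, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Try one handshake per pinned TLS version; map version -> cipher name or None."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version  # pin the handshake to one version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except ssl.SSLCertVerificationError:
            # The version was negotiated; only the certificate check failed.
            results[name] = "accepted (certificate not trusted)"
        except (ssl.SSLError, OSError, ValueError):
            # Refused by the listener, or the local OpenSSL build cannot offer
            # this version (common for TLS 1.0/1.1): confirm with another client.
            results[name] = None
    return results

def audit(results, minimum="TLSv1.2"):
    """Check probe results against the lowest version the selected policy should allow."""
    order = list(VERSIONS)
    floor = order.index(minimum)
    too_old = [v for v in order[:floor] if results.get(v)]
    accepted = [v for v in order[floor:] if results.get(v)]
    return {"compliant": not too_old and bool(accepted),
            "too_old": too_old, "accepted": accepted}

if __name__ == "__main__":
    # Usage: python tls_policy_check.py <accelerated-domain> [minimum-version]
    outcome = probe(sys.argv[1])
    print(outcome)
    print(audit(outcome, *sys.argv[2:3]))
```

Run it against the accelerated domain name before and after you change the policy; a version listed under `too_old` means the listener still negotiates a protocol older than the minimum you intended.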

Data backup and disaster recovery

Disaster recovery for multiple acceleration regions

Important
  • By default, the Free Trial edition of Alibaba Cloud Domain Name System (DNS) is selected. Only the Enterprise Standard edition and Enterprise Ultimate edition can return IP addresses based on geographical locations. You must upgrade your Alibaba Cloud DNS. For more information, see "Intelligent DNS resolution". For information about how to upgrade Alibaba Cloud DNS, see the "Step 5: Upgrade Alibaba Cloud DNS" section of the topic "Configure disaster recovery to ensure the high availability of applications that are deployed across regions".

  • The CNAME that is assigned by GA is scoped to the acceleration region. Requests may fail in cross-region scenarios. For example, if all the acceleration regions of a GA instance are outside the Chinese mainland, requests from the Chinese mainland fail to access the accelerated domain name because the domain name cannot be mapped to the CNAME that is assigned by GA in the Chinese mainland. We recommend that you add the Chinese mainland to your GA instance as an acceleration region or use an A or AAAA record.

If your clients are deployed in multiple acceleration regions, you can configure intelligent DNS resolution for the CNAME of a standard GA instance. This way, Alibaba Cloud DNS returns accelerated IP addresses based on the geographical locations of the clients. This lowers the resolution latency and accelerates access to your application. If a fault occurs in one of the acceleration regions, Alibaba Cloud DNS redirects requests to other acceleration regions that are close to the end users. This helps implement disaster recovery across acceleration regions.

Disaster recovery for multiple endpoint groups and endpoints

You can enable health checks for endpoint groups of a GA instance. After you enable health checks, GA periodically checks whether the endpoints are healthy. When GA detects an unhealthy endpoint, GA distributes new requests to other healthy endpoints. When the unhealthy endpoint recovers, GA distributes requests to the endpoint again.

For information about health check configurations, see "Enable and manage health checks".