GA supports data transmission encryption and disaster recovery to protect your cloud data.
Data transmission encryption
Bind SSL certificates to HTTPS listeners
When you configure HTTPS listeners for a standard GA instance, you must associate an SSL certificate to encrypt and authenticate your traffic.
The SSL certificate that you associate when creating an HTTPS listener serves as the default server certificate. You can associate additional certificates to support multiple domain names and configure domain name-based forwarding rules to route requests to different virtual endpoint groups.
- For information about how to associate a certificate with a GA HTTPS listener, see Associate and manage certificates.
- Use one GA instance to accelerate access to multiple HTTPS-capable domain names.
Certificates configured in Global Accelerator encrypt data sent from clients to the instance. Certificates installed on backend servers encrypt data sent from Global Accelerator to the servers.
TLS security policies for HTTPS
When you configure an HTTPS listener for a standard GA instance, you can select a TLS policy to strengthen security.
A TLS policy specifies the protocol versions and cipher suites available for HTTPS. Later TLS versions provide stronger security but lower browser compatibility.
- For information about the TLS policies that are supported by GA, see TLS security policies.
- To select a TLS policy, follow the "Add an HTTP or HTTPS listener" section in Add and manage intelligent routing listeners.
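To confirm that the selected TLS policy is what clients actually negotiate, the following added example (not part of the Alibaba Cloud documentation) attempts one handshake per protocol version against a listener you operate and lists any accepted version older than your intended minimum. The hostname `accelerated.example.com` and the `TLSv1_2` floor are placeholder assumptions.

```python
import socket
import ssl
import warnings

# Protocol versions to probe, oldest first.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def accepts(host, port, version, timeout=5.0):
    """Return True if the listener completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is measured, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            # Python warns when TLS 1.0/1.1 are selected; that is the point here.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        # OpenSSL 3.x offers TLS 1.0/1.1 only at security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        # Handshake refused, connection failed, or version unsupported locally.
        return False


def accepted_versions(host, port):
    """Names of the protocol versions the listener negotiated."""
    return [v.name for v in VERSIONS if accepts(host, port, v)]


def below_minimum(accepted, minimum):
    """Versions in `accepted` that are older than the intended minimum."""
    floor = ssl.TLSVersion[minimum]
    return [name for name in accepted if ssl.TLSVersion[name] < floor]


if __name__ == "__main__":
    # Placeholder hostname and assumed floor; substitute your own values.
    host, minimum = "accelerated.example.com", "TLSv1_2"
    seen = accepted_versions(host, 443)
    print("accepted:", seen)
    print("older than", minimum + ":", below_minimum(seen, minimum))
```

An empty second list means no version older than the floor was negotiated; an empty first list usually means the listener was unreachable rather than strict.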
Data backup and disaster recovery
Disaster recovery for multiple acceleration regions
- By default, the Free Trial edition of Alibaba Cloud DNS is selected. Only the Enterprise Standard and Enterprise Ultimate editions return IP addresses based on geographical locations. You must upgrade Alibaba Cloud DNS. For more information, see Intelligent DNS resolution. To upgrade Alibaba Cloud DNS, follow the "Step 5: Upgrade Alibaba Cloud DNS" section in Configure disaster recovery to ensure the high availability of applications that are deployed across regions.
- The GA-assigned CNAME is scoped to the acceleration region. Requests may fail in cross-region scenarios.
For example, if the acceleration regions include only regions outside the Chinese mainland, excluding China (Hong Kong), the CNAME record does not take effect in the Chinese mainland, causing access failures for clients in the Chinese mainland. Consider the following options:
- Solution 1: Configure intelligent DNS resolution based on client locations. Resolve traffic from outside the Chinese mainland to the GA CNAME, and resolve traffic from the Chinese mainland directly to the origin server.
In this case, traffic from outside the Chinese mainland enters GA through the accelerated IP address of the acceleration area outside the Chinese mainland. Traffic from the Chinese mainland connects directly to the origin server, which may cause latency and packet loss due to ISP and international link limitations.
- Solution 2: Add an acceleration area in the Chinese mainland to the GA instance, and use the default DNS line to resolve requests to the GA CNAME.
GA automatically allocates an accelerated IP address based on the region from which a request is initiated. Traffic from outside the Chinese mainland is routed to GA through accelerated IP addresses in acceleration areas outside the Chinese mainland, and traffic from the Chinese mainland is routed to GA through accelerated IP addresses in the Chinese mainland.
Note: If the acceleration area includes the Chinese mainland and your service traffic is HTTP or HTTPS, you must obtain an ICP filing for your domain name. Otherwise, acceleration will fail.
- If your clients span multiple acceleration regions, configure intelligent DNS resolution for the CNAME of a standard GA instance. Alibaba Cloud DNS returns accelerated IP addresses based on client locations, reducing resolution latency. If one acceleration region fails, Alibaba Cloud DNS redirects requests to nearby healthy regions, enabling cross-region disaster recovery.
- For information about how to add a CNAME record, see Configure a CNAME record.
Disaster recovery for multiple endpoint groups and endpoints
You can enable health checks for the endpoint groups of your GA instance. When an endpoint fails a health check, GA automatically redirects new requests to other healthy endpoints. After an unhealthy endpoint recovers and passes health checks, GA automatically resumes routing traffic to it.
For information about health check configurations, see Enable and manage health checks.