Global Accelerator:Network security

Last Updated:Aug 06, 2025

Global Accelerator (GA) supports backend services that are deployed in virtual private clouds (VPCs). This prevents backend services from being exposed to the Internet and ensures secure network connectivity. GA can also be used with Alibaba Cloud security services to protect applications from attacks and enhance the security of backend service access.

Accelerate access to backend services that are deployed in VPCs

GA lets you add the following types of cloud resources in VPCs as backend services for endpoints:

Instance type: Standard GA instance

Cloud resources in a VPC that can be added as endpoints:

  • Elastic Compute Service (ECS)

  • Classic Load Balancer (CLB)

  • Application Load Balancer (ALB)

  • Network Load Balancer (NLB)

  • Elastic Network Interface (ENI)

  • The private IP address and destination port of an ECS instance in a specified vSwitch

Instance type: Basic GA instance

Cloud resources in a VPC that can be added as endpoints:

  • Secondary elastic network interface (ENI)

  • Classic Load Balancer (CLB)

  • Elastic Compute Service (ECS)

  • Network Load Balancer (NLB)

When you add the preceding backend services in VPCs as endpoints of a GA instance, client traffic accesses the accelerated IP address of the GA instance and enters the Alibaba Cloud global transmission network. The traffic is then directly routed to the corresponding backend service in the VPC. This allows the backend service in the VPC to provide services to the Internet without a public IP address.

For more information about endpoints, see Endpoints of standard Global Accelerator instances and Endpoints of basic Global Accelerator instances.

Attack mitigation

GA can be used with Alibaba Cloud security services to protect applications from attacks and enhance the security of backend service access.

Use DDoS protection to mitigate DDoS attacks

A DDoS attack is a malicious network attack that floods a system to make its services unavailable. Select one of the following DDoS protection products based on your protection requirements:

Protection product: Anti-DDoS Origin Basic

  • Mitigation capability: Low

  • Anti-DDoS Origin Basic is integrated with GA, and you do not need to enable it. It provides up to 5 Gbps of basic DDoS protection for the accelerated IP addresses and the public IP addresses of endpoints of GA instances free of charge. The maximum free mitigation capability varies by region.

Protection product: Anti-DDoS Origin

  • Mitigation capability: High

  • Anti-DDoS Origin lets you add GA instances as protected objects. It provides unlimited protection of up to several hundred Gbps for the accelerated IP addresses and the public IP addresses of endpoints of GA instances. The maximum mitigation capability varies by region.

Protection product: Anti-DDoS Pro and Anti-DDoS Premium

  • Mitigation capability: High

  • GA can be connected to Anti-DDoS Pro and Anti-DDoS Premium. Based on the global scrubbing centers of Alibaba Cloud, they provide mitigation capabilities of up to several Tbps for the secure CNAME (secure accelerated IP address) of the GA instance.

How it works

  • Set thresholds for traffic scrubbing: Anti-DDoS Basic sets scrubbing thresholds by default. To configure these thresholds manually, see Configure traffic scrubbing thresholds. The scrubbing thresholds that apply to an asset depend on the specification of the instance. For more information, see Cloud service specifications and scrubbing thresholds.

  • Trigger traffic scrubbing: Traffic scrubbing starts only when both of the following conditions are met:

    • Incoming traffic exhibits unusual patterns.

    • The bits per second (bps) and packets per second (pps) of incoming traffic surpass the predefined scrubbing thresholds.

  • Traffic scrubbing: Anti-DDoS Basic filters and scrubs all incoming traffic to block network-layer and transport-layer attacks such as UDP reflection attacks and SYN-ACK flood attacks. Anti-DDoS Basic cannot mitigate application-layer attacks such as HTTP flood attacks and CC attacks.

    • Network-layer attacks: These include UDP reflection attacks, SYN-ACK flood attacks, and malformed-packet attacks that violate the IP protocol specifications. They aim to consume server bandwidth, which results in service disruption.

    • Transport-layer attacks: These include TCP SYN flood attacks and connection exhaustion attacks. They aim to disrupt connections and sessions, overwhelming the capacity of the server to handle legitimate traffic.

    • Application-layer attacks: These include HTTP flood attacks, CC attacks, and DNS flood attacks. They exploit application-specific weaknesses to overwhelm the processing capacity of the server, which results in denial of service.

  • Blackhole filtering: When inbound traffic surpasses the protection capacity (the blackhole triggering threshold), blackhole filtering is activated to limit the damage of the DDoS attack. This protects the platform and ensures that other assets are not affected by a single cloud service under attack. During this process, Alibaba Cloud temporarily blocks all incoming Internet traffic to the affected cloud service. For more information, see Blackhole filtering policy of Alibaba Cloud.
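The trigger logic described above, written out as an added example (this is not Alibaba Cloud code): a small Python model in which scrubbing starts only when both the anomaly condition and the threshold condition hold, and blackhole filtering takes over once the inbound rate exceeds the protection capacity. The thresholds, the "unusual patterns" heuristic, the rule for when a blackhole is lifted, and the per-second traffic samples are all constructed assumptions; as the page says, the real thresholds depend on the instance specification and the region.

```python
"""Model of the Anti-DDoS Basic trigger logic described on this page.

Added example, not Alibaba Cloud code. The thresholds, the "unusual pattern"
heuristic and the per-second traffic samples are constructed assumptions; the
real scrubbing thresholds depend on the instance specification and region.
"""
from dataclasses import dataclass
from enum import Enum
from statistics import mean


class State(Enum):
    NORMAL = "normal"          # traffic is forwarded to the asset unchanged
    SCRUBBING = "scrubbing"    # traffic passes through scrubbing before delivery
    BLACKHOLE = "blackhole"    # inbound Internet traffic to the asset is dropped


@dataclass(frozen=True)
class Thresholds:
    scrub_bps: int       # scrubbing threshold in bits per second (constructed)
    scrub_pps: int       # scrubbing threshold in packets per second (constructed)
    blackhole_bps: int   # protection capacity, i.e. the blackhole triggering threshold


@dataclass(frozen=True)
class Sample:
    second: int
    bps: int
    pps: int


def looks_anomalous(baseline, sample, factor=3.0, window=10):
    """Constructed stand-in for the "unusual patterns" condition: the current pps
    is more than `factor` times the mean pps of the last `window` clean samples.
    The page does not describe the real detector."""
    recent = baseline[-window:]
    if not recent:
        return False          # no baseline yet, so nothing counts as unusual
    return sample.pps > factor * mean(s.pps for s in recent)


def next_state(state, sample, baseline, th):
    """Apply the page's ordering: blackhole beyond capacity; otherwise scrubbing
    only when BOTH the anomaly and the threshold conditions hold."""
    if sample.bps > th.blackhole_bps:
        return State.BLACKHOLE
    if state is State.BLACKHOLE and sample.bps > th.scrub_bps:
        # Assumption: the temporary block is lifted only once the rate falls
        # back below the scrubbing threshold.
        return State.BLACKHOLE
    over_threshold = sample.bps > th.scrub_bps and sample.pps > th.scrub_pps
    already_scrubbing = state is State.SCRUBBING
    if over_threshold and (already_scrubbing or looks_anomalous(baseline, sample)):
        return State.SCRUBBING
    return State.NORMAL


def evaluate(samples, th):
    """Return {second: State} after processing each sample in order. Only samples
    judged clean feed the baseline, so an attack does not inflate it."""
    state, baseline, timeline = State.NORMAL, [], {}
    for s in samples:
        state = next_state(state, s, baseline, th)
        if state is State.NORMAL:
            baseline.append(s)
        timeline[s.second] = state
    return timeline


# Constructed thresholds: 1 Gbps / 100 kpps for scrubbing, 5 Gbps protection
# capacity (the page's upper bound for the free tier; the real value varies by region).
THRESHOLDS = Thresholds(scrub_bps=1_000_000_000, scrub_pps=100_000,
                        blackhole_bps=5_000_000_000)

# Constructed per-second trace: quiet baseline, a volumetric flood that first
# exceeds the scrubbing threshold and then the protection capacity, then recovery.
SAMPLES = (
    [Sample(t, 50_000_000, 10_000) for t in range(10)]
    + [Sample(10, 2_000_000_000, 500_000),
       Sample(11, 2_500_000_000, 600_000),
       Sample(12, 8_000_000_000, 1_200_000),
       Sample(13, 3_000_000_000, 700_000),
       Sample(14, 60_000_000, 11_000)]
)


def run_demo():
    """Evaluate the constructed trace and return {second: state name}."""
    return {sec: st.value for sec, st in evaluate(SAMPLES, THRESHOLDS).items()}


if __name__ == "__main__":
    for sec, name in run_demo().items():
        print(f"t={sec:>2}s  {name}")
```

Running the module prints the state per second: the first ten seconds stay normal, seconds 10 and 11 are scrubbed, second 12 trips the blackhole, second 13 stays blackholed although it is below capacity, and traffic is forwarded normally again at second 14. The `next_state` function also shows the "both conditions" rule directly: a sample above the thresholds with no anomaly evidence, or above the bps threshold but not the pps threshold, does not start scrubbing.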

Anti-DDoS Origin mainly provides mitigation services against Layer 3 and Layer 4 distributed denial-of-service (DDoS) attacks. When traffic exceeds the default scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

Anti-DDoS Origin combines passive scrubbing with active blocking. In addition to standard techniques such as reverse detection, blacklists and whitelists, and packet compliance checks, Anti-DDoS Origin ensures that the protected cloud resource can continue to provide services during an ongoing attack. Anti-DDoS Origin is deployed in bypass mode: a DDoS attack detection and scrubbing system is built at the egress of the Alibaba Cloud data center, so traffic is only diverted through it when an attack is detected.

Based on the forwarding rule that you configure for your service in Anti-DDoS Pro or Anti-DDoS Premium (that is, specify the website domain name and use the secure CNAME of GA as the server address), GA redirects traffic by pointing the DNS resolution of the domain name, or the service IP address, to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance.

  • During normal service access, traffic is not forwarded through the Anti-DDoS instance. Instead, it is directly accelerated by GA to the origin server without increasing latency.

  • When the service is under attack, GA automatically switches the CNAME to point to the IP address of the Anti-DDoS instance. The traffic is scrubbed by the Anti-DDoS instance and then sent to GA through the secure CNAME (secure accelerated IP address) of GA for acceleration. This ensures that the service remains stable and efficient during attacks.

References

View the basic protection threshold of a GA instance

Connect GA to Anti-DDoS Origin

Connect GA to Anti-DDoS Pro and Anti-DDoS Premium

Integrate GA with WAF to ensure application security

Web Application Firewall (WAF) identifies and protects against malicious requests in the service traffic of websites or applications. After WAF inspects and filters the traffic, it forwards legitimate traffic to the server. This prevents malicious intrusions that can degrade server performance and ensures the security of your website services and data.

For more information about WAF, see What is Web Application Firewall? and Get started with WAF 3.0.

Integrate GA with Cloud Firewall to implement fine-grained traffic control

Cloud Firewall provides a unified security isolation and control solution for your cloud network assets at the Internet border, the VPC border, and the internal border. The Internet firewall operates at the Internet border to provide unified control and protection for the inbound and outbound traffic of all public assets. You can use the Internet firewall to implement fine-grained access control for traffic that flows between your public assets and the Internet. This reduces the exposure of public assets on the Internet and mitigates security risks to service traffic.

The public assets protected by the Internet firewall include the accelerated IP addresses of GA. For more information about how to enable Internet border protection for the accelerated IP addresses of GA, see Internet firewall.

For more information about how to use GA with Cloud Firewall to implement region-specific access control for traffic, see Use GA with Cloud Firewall to implement region-specific access control and acceleration.