
Global Accelerator: Network security

Last Updated: Jun 18, 2026

Global Accelerator (GA) supports backend services deployed in virtual private clouds (VPCs), keeping them off the public Internet. GA also integrates with Alibaba Cloud security services to protect applications and secure backend access.

Accelerate access to VPC-based backend services

GA supports the following VPC-based cloud resources as endpoint backend services:

Standard GA instance (cloud resources in a VPC):

  • Elastic Compute Service (ECS)

  • Classic Load Balancer (CLB)

  • Application Load Balancer (ALB)

  • Network Load Balancer (NLB)

  • Elastic Network Interface (ENI)

  • Private IP address and destination port of an ECS instance in a vSwitch

Basic GA instance (cloud resources in a VPC):

  • Secondary ENI

  • CLB

  • ECS

  • NLB

When these VPC resources serve as endpoints of a GA instance, client traffic reaches the accelerated IP address of the GA instance, enters the Alibaba Cloud global transmission network, and routes directly to the backend service in the VPC. The backend service in the VPC can then serve Internet users without a public IP address.

For more information about endpoints, see Endpoint groups and endpoints and Add and manage endpoint groups and endpoints.
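An added example, not Alibaba Cloud code: a small audit over a constructed endpoint inventory that checks each endpoint type against the lists above and flags backend addresses that are not private. The inventory format, its field names, and the assumption that the VPC uses RFC 1918 address space are hypothetical.

```python
import ipaddress

# Endpoint types per GA instance type, as listed on this page.
SUPPORTED = {
    "standard": {"ECS", "CLB", "ALB", "NLB", "ENI", "PRIVATE_IP"},
    "basic": {"SECONDARY_ENI", "CLB", "ECS", "NLB"},
}
# Assumption: the VPC uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory; hypothetical export format, not a GA API response.
SAMPLE = [
    {"ga": "ga-std-1", "instance_type": "standard", "endpoint_type": "ALB",
     "backend_ips": ["10.0.1.15"]},
    {"ga": "ga-std-1", "instance_type": "standard", "endpoint_type": "ECS",
     "backend_ips": ["172.16.4.9", "203.0.113.7"]},
    {"ga": "ga-basic-1", "instance_type": "basic", "endpoint_type": "ALB",
     "backend_ips": ["192.168.0.20"]},
    {"ga": "ga-basic-1", "instance_type": "basic", "endpoint_type": "NLB",
     "backend_ips": ["not-an-ip"]},
]

def audit_endpoint(ep):
    """Return a list of findings for one endpoint record."""
    findings = []
    allowed = SUPPORTED.get(ep["instance_type"].lower())
    if allowed is None:
        findings.append(f"unknown instance type {ep['instance_type']!r}")
    elif ep["endpoint_type"].upper() not in allowed:
        findings.append(f"{ep['endpoint_type']} is not a listed endpoint type "
                        f"for a {ep['instance_type']} instance")
    for raw in ep.get("backend_ips", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"unparseable backend address {raw!r}")
            continue
        # A backend that still has a public address is reachable without GA.
        if not any(ip in net for net in RFC1918):
            findings.append(f"backend address {ip} is outside RFC 1918 space")
    return findings

def audit(inventory):
    """Return (ga, endpoint_type, finding) tuples for every problem found."""
    return [(ep["ga"], ep["endpoint_type"], f)
            for ep in inventory for f in audit_endpoint(ep)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep=" | ")
```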

Attack mitigation

GA integrates with Alibaba Cloud security services to protect applications and secure backend access.

DDoS protection

A DDoS attack floods a system to make it unavailable. Choose a DDoS protection product based on your requirements:

Mitigation capabilities

  • Anti-DDoS Origin Basic: Low. GA provides up to 5 Gbps of free basic DDoS protection for accelerated IP addresses and endpoint public IP addresses of GA instances. No activation required. Maximum free mitigation varies by region.

  • Anti-DDoS Origin: High. Anti-DDoS Origin protects GA instances with up to several hundred Gbps of unlimited mitigation for accelerated IP addresses and endpoint public IP addresses of GA instances. Maximum mitigation varies by region.

  • Anti-DDoS Proxy: High. Anti-DDoS Proxy leverages Alibaba Cloud global scrubbing centers to provide up to several Tbps of mitigation for the secure CNAME (secure accelerated IP address) of the GA instance.

How it works

Anti-DDoS Origin Basic:

Anti-DDoS Basic uses a configurable scrubbing threshold. When triggered, it filters all inbound Internet traffic to defend against network-layer and transport-layer attacks such as UDP reflection and SYN/ACK Flood attacks. It does not defend against application-layer attacks such as HTTP Flood and CC attacks.

Anti-DDoS Basic also uses AI-based analysis that learns traffic patterns to detect attacks. Scrubbing triggers only when AI detects an attack and inbound traffic reaches the configured BPS or PPS threshold, preventing false positives from normal traffic fluctuations.

If inbound traffic exceeds the blackhole triggering threshold, Alibaba Cloud temporarily blocks all inbound Internet traffic to the cloud product to prevent further damage to the cloud product or other assets. For more information, see Alibaba Cloud blackhole policy.

Anti-DDoS Origin:

Anti-DDoS Origin primarily mitigates Layer 3 and Layer 4 DDoS attacks. When traffic exceeds the default scrubbing threshold, it automatically triggers scrubbing.

Anti-DDoS Origin combines passive scrubbing with active blocking, using reverse detection, blacklists and whitelists, and packet compliance. It deploys a detection and scrubbing system in bypass mode at Alibaba Cloud data center egresses, keeping protected services operational during attacks.

Anti-DDoS Proxy:

Configure a forwarding rule in Anti-DDoS Proxy by specifying the website domain name and the secure CNAME of GA as the server address. GA redirects traffic by pointing DNS resolution or the service IP address to the Anti-DDoS Proxy instance.

  • During normal access, traffic bypasses Anti-DDoS and is accelerated directly by GA to the origin server with no added latency.

  • Under attack, GA automatically switches the CNAME to the Anti-DDoS instance. Traffic is scrubbed and then forwarded to GA through the secure CNAME (secure accelerated IP address) for acceleration, keeping the service stable.

References

  • Anti-DDoS Origin Basic: Anti-DDoS Basic

  • Anti-DDoS Origin: GA and Anti-DDoS Origin

  • Anti-DDoS Proxy: GA and Anti-DDoS Pro and Premium

WAF integration for application security

Web Application Firewall (WAF) detects and blocks malicious requests in website and application traffic, forwarding only legitimate traffic to the server. This prevents intrusions that degrade performance and protects your data.

For more information about WAF, see What is WAF? and Get started with WAF 3.0.

Cloud Firewall integration for traffic control

Cloud Firewall provides unified security isolation and control for cloud network assets at the Internet Border, VPC border, and Internal Border. The Internet firewall controls inbound and outbound traffic for all public assets, enabling fine-grained access control that reduces public exposure and mitigates security risks.

Protected public assets include the accelerated IP addresses of GA. For more information about how to enable Internet border protection for the accelerated IP addresses of GA, see Internet firewall.

For more information about how to use GA with Cloud Firewall to implement region-specific access control for traffic, see Use GA together with Cloud Firewall to implement region-specific access control and acceleration.