Global Accelerator (GA) supports backend services that are deployed in virtual private clouds (VPCs). This prevents backend services from being exposed to the Internet and ensures secure network connectivity. GA can also be used with Alibaba Cloud security services to protect applications from attacks and enhance the security of backend service access.
Accelerate access to backend services that are deployed in VPCs
GA lets you add the following types of cloud resources in VPCs as backend services for endpoints:
Instance type | Cloud resource in a VPC
--- | ---
Standard GA instance |
Basic GA instance |
When you add the preceding backend services in VPCs as endpoints of a GA instance, client traffic accesses the accelerated IP address of the GA instance and enters the Alibaba Cloud global transmission network. The traffic is then directly routed to the corresponding backend service in the VPC. This allows the backend service in the VPC to provide services to the Internet without a public IP address.
For more information about endpoints, see Endpoints of standard Global Accelerator instances and Endpoints of basic Global Accelerator instances.
Attack mitigation
GA can be used with Alibaba Cloud security services to protect applications from attacks and enhance the security of backend service access.
Use DDoS protection to mitigate DDoS attacks
A DDoS attack is a malicious network attack that targets a system to make its services unavailable. You can select one of the following DDoS protection products based on your security protection requirements:
Item | Anti-DDoS Basic | Anti-DDoS Origin | Anti-DDoS Pro and Anti-DDoS Premium
--- | --- | --- | ---
Mitigation capabilities | Low. GA is integrated with Alibaba Cloud DDoS protection (Anti-DDoS Basic) by default, so you do not need to enable it. It provides up to 5 Gbps of basic DDoS protection for the accelerated IP addresses and the public IP addresses of endpoints of GA instances free of charge. The maximum free mitigation capability varies by region. | High. Anti-DDoS Origin lets you add GA instances as protected objects. It provides unlimited protection of up to several hundred Gbps for the accelerated IP addresses and the public IP addresses of endpoints of GA instances. The maximum mitigation capability varies by region. | High. GA can be connected to Anti-DDoS Pro and Anti-DDoS Premium. Based on the capabilities of Alibaba Cloud's global scrubbing centers, they provide mitigation capabilities of up to several Tbps for the secure CNAME (secure accelerated IP address) of the GA instance.
How it works | Anti-DDoS Basic uses a default scrubbing threshold, which you can also set manually. When traffic meets the conditions for scrubbing, Anti-DDoS Basic filters and scrubs all inbound traffic from the Internet to defend against common network-layer and transport-layer attacks, such as UDP reflection attacks and SYN/ACK flood attacks. However, Anti-DDoS Basic does not defend against application-layer attacks, such as HTTP flood attacks and CC attacks. In addition to the BPS and PPS scrubbing thresholds that you configure, Anti-DDoS Basic uses AI-based intelligent analysis: by leveraging the big data capabilities of Alibaba Cloud, it learns your traffic patterns and uses algorithms to detect attacks. Traffic scrubbing is triggered only when the AI-based intelligent analysis detects a DDoS attack and the inbound traffic reaches the BPS or PPS threshold that you set. This prevents the false positives that fixed thresholds can cause, for example, when normal fluctuations in service traffic exceed the scrubbing threshold. If inbound traffic exceeds the mitigation capability (the blackhole triggering threshold), the cloud product is subject to blackhole filtering. This prevents the DDoS attack from causing further damage to the cloud product or affecting other assets. Blackhole filtering means that Alibaba Cloud temporarily blocks all inbound traffic from the Internet to the cloud product. For more information, see Blackhole filtering policy of Alibaba Cloud. | Anti-DDoS Origin primarily mitigates Layer 3 and Layer 4 DDoS attacks. When traffic exceeds the default scrubbing threshold, Anti-DDoS Origin automatically triggers traffic scrubbing to mitigate DDoS attacks. Anti-DDoS Origin uses passive scrubbing as its primary mitigation method and active blocking as a supplementary method. It uses standard technologies such as reverse detection, blacklists and whitelists, and packet compliance checks to mitigate DDoS attacks. This ensures that your protected cloud service can continue to operate normally during an attack. Anti-DDoS Origin works by deploying a DDoS attack detection and traffic scrubbing system at the egress of an Alibaba Cloud data center. This system is deployed in bypass mode. | Based on the forwarding rule that you configure for your service in Anti-DDoS Pro or Anti-DDoS Premium (that is, you specify the website domain name and use the secure CNAME of GA as the server address), traffic is redirected by pointing the DNS resolution of the domain name, or the service IP address, to the IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance.
References | | |
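The scrubbing and blackhole decision described for Anti-DDoS Basic is a small policy: scrub only when the AI-based analysis reports an attack and the configured BPS or PPS threshold is reached, and blackhole once inbound traffic exceeds the mitigation capability. The following is an added illustration of that decision logic, not Alibaba Cloud code; the threshold values, the traffic samples and the `attack_detected` flag (standing in for the AI-based analysis verdict) are all constructed assumptions. It runs the documented policy next to a naive fixed-threshold policy so that the false-positive case the table mentions (a legitimate traffic surge above the threshold) is visible.

```python
"""Model of the Anti-DDoS Basic scrubbing/blackhole decision (added example).

Thresholds, samples and the attack_detected signal are constructed for
illustration; they are not real Alibaba Cloud values or APIs.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PASS = "pass"            # traffic forwarded unchanged
    SCRUB = "scrub"          # inbound Internet traffic filtered and scrubbed
    BLACKHOLE = "blackhole"  # all inbound Internet traffic temporarily blocked


@dataclass(frozen=True)
class Thresholds:
    bps: float            # scrubbing threshold, bit/s
    pps: float            # scrubbing threshold, packets/s
    blackhole_bps: float  # mitigation capability; above this, blackhole filtering


@dataclass(frozen=True)
class TrafficSample:
    label: str
    bps: float
    pps: float
    attack_detected: bool  # assumed stand-in for the AI-based analysis verdict


def decide(sample: TrafficSample, t: Thresholds) -> Action:
    """Documented policy: attack verdict AND threshold breach -> scrub."""
    # Exceeding the mitigation capability blackholes the product outright.
    if sample.bps > t.blackhole_bps:
        return Action.BLACKHOLE
    threshold_breached = sample.bps >= t.bps or sample.pps >= t.pps
    # Both conditions are required, so a benign surge alone never scrubs.
    if sample.attack_detected and threshold_breached:
        return Action.SCRUB
    return Action.PASS


def fixed_threshold_decide(sample: TrafficSample, t: Thresholds) -> Action:
    """Naive policy the doc contrasts against: threshold alone triggers scrubbing."""
    if sample.bps > t.blackhole_bps:
        return Action.BLACKHOLE
    if sample.bps >= t.bps or sample.pps >= t.pps:
        return Action.SCRUB
    return Action.PASS


# Constructed thresholds: scrub at 1 Gbps or 300 kpps, blackhole above 5 Gbps.
THRESHOLDS = Thresholds(bps=1e9, pps=300_000, blackhole_bps=5e9)

# Constructed traffic samples covering the normal, false-positive,
# attack-below-threshold, attack-above-threshold and over-capacity cases.
SAMPLES = [
    TrafficSample("idle", bps=0.2e9, pps=50_000, attack_detected=False),
    TrafficSample("flash crowd", bps=1.5e9, pps=200_000, attack_detected=False),
    TrafficSample("small probe", bps=0.1e9, pps=20_000, attack_detected=True),
    TrafficSample("syn flood", bps=0.4e9, pps=800_000, attack_detected=True),
    TrafficSample("volumetric", bps=7e9, pps=2_000_000, attack_detected=True),
]


def run(samples=SAMPLES, t=THRESHOLDS):
    """Return {label: (documented policy action, fixed-threshold action)}."""
    return {s.label: (decide(s, t), fixed_threshold_decide(s, t)) for s in samples}


if __name__ == "__main__":
    for label, (documented, naive) in run().items():
        print(f"{label:12s} documented={documented.value:9s} fixed-threshold={naive.value}")
```

The "flash crowd" sample is the case the table describes: it crosses the BPS threshold, so the fixed-threshold policy scrubs legitimate traffic, while the documented policy passes it because no attack was detected. The "small probe" sample shows the converse: a detected attack below both thresholds is not scrubbed either, which is why the thresholds still matter when you tune them.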
Integrate GA with WAF to ensure application security
Web Application Firewall (WAF) identifies and protects against malicious requests in the service traffic of websites or applications. After WAF inspects and filters the traffic, it forwards legitimate traffic to the server. This prevents malicious intrusions that can degrade server performance and ensures the security of your website services and data.
For more information about WAF, see What is Web Application Firewall? and Get started with WAF 3.0.
Integrate GA with Cloud Firewall to implement fine-grained traffic control
Cloud Firewall provides a unified security isolation and control solution for your cloud network assets at the Internet border, the VPC border, and the internal border. The Internet firewall operates at the Internet border to provide unified control and protection for the inbound and outbound traffic of all public assets. You can use the Internet firewall to implement fine-grained access control for traffic that flows between your public assets and the Internet. This reduces the exposure of public assets on the Internet and mitigates security risks to service traffic.
The public assets protected by the Internet firewall include the accelerated IP addresses of GA. For more information about how to enable Internet border protection for the accelerated IP addresses of GA, see Internet firewall.
For more information about how to use GA with Cloud Firewall to implement region-specific access control for traffic, see Use GA with Cloud Firewall to implement region-specific access control and acceleration.