Global Accelerator (GA) supports backend services deployed in virtual private clouds (VPCs), keeping them off the public Internet. GA also integrates with Alibaba Cloud security services to protect applications and secure backend access.
Accelerate access to VPC-based backend services
GA supports the following VPC-based cloud resources as endpoint backend services:
Instance type | Cloud resource in a VPC |
Standard GA instance |
|
Basic GA instance |
|
When these VPC resources serve as endpoints of a GA instance, client traffic reaches the accelerated IP address of the GA instance, enters the Alibaba Cloud global transmission network, and is routed directly to the backend service in the VPC. The backend service in the VPC can then serve Internet users without a public IP address.
For more information about endpoints, see Endpoint groups and endpoints and Add and manage endpoint groups and endpoints.
Attack mitigation
GA integrates with Alibaba Cloud security services to protect applications and secure backend access.
DDoS protection
A DDoS attack floods a system to make it unavailable. Choose a DDoS protection product based on your requirements:
Protection product | Anti-DDoS Basic | Anti-DDoS Origin | Anti-DDoS Proxy |
Mitigation capabilities | Low. GA provides up to 5 Gbps of free basic DDoS protection for accelerated IP addresses and endpoint public IP addresses of GA instances. No activation required. Maximum free mitigation varies by region. | High. Anti-DDoS Origin protects GA instances with up to several hundred Gbps of unlimited mitigation for accelerated IP addresses and endpoint public IP addresses of GA instances. Maximum mitigation varies by region. | High. Anti-DDoS Proxy leverages Alibaba Cloud global scrubbing centers to provide up to several Tbps of mitigation for the secure CNAME (secure accelerated IP address) of the GA instance. |
How it works | Anti-DDoS Basic uses a configurable scrubbing threshold. When triggered, it filters all inbound Internet traffic to defend against network-layer and transport-layer attacks such as UDP reflection and SYN/ACK Flood attacks. It does not defend against application-layer attacks such as HTTP Flood and CC attacks. Anti-DDoS Basic also uses AI-based analysis that learns traffic patterns to detect attacks. Scrubbing triggers only when AI detects an attack and inbound traffic reaches the configured BPS or PPS threshold, preventing false positives from normal traffic fluctuations. If inbound traffic exceeds the blackhole triggering threshold, Alibaba Cloud temporarily blocks all inbound Internet traffic to the cloud product to prevent further damage to the cloud product or other assets. For more information, see Alibaba Cloud blackhole policy. | Anti-DDoS Origin primarily mitigates Layer 3 and Layer 4 DDoS attacks. When traffic exceeds the default scrubbing threshold, it automatically triggers scrubbing. Anti-DDoS Origin combines passive scrubbing with active blocking, using reverse detection, blacklists and whitelists, and packet compliance. It deploys a detection and scrubbing system in bypass mode at Alibaba Cloud data center egresses, keeping protected services operational during attacks. | Configure a forwarding rule in Anti-DDoS Proxy by specifying the website domain name and the secure CNAME of GA as the server address. GA redirects traffic by pointing DNS resolution or the service IP address to the Anti-DDoS Proxy instance.
|
References |
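The Anti-DDoS Basic behaviour described in the table, as an added example (not Alibaba Cloud code): a small Python model of the scrub and blackhole decision, run over constructed traffic samples to show where the free tier stops helping. The threshold values, the `flagged` field standing in for the AI-based detection, and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Thresholds:               # constructed values, not Alibaba Cloud defaults
    scrub_bps: float = 1e9      # configured scrubbing threshold, bits per second
    scrub_pps: float = 3e5      # configured scrubbing threshold, packets per second
    blackhole_bps: float = 5e9  # blackhole triggering threshold (varies by region)

@dataclass
class Sample:
    name: str
    bps: float
    pps: float
    flagged: bool  # assumption: stand-in for the AI-based detector's verdict
    layer: int     # 0 = normal traffic, 4 = network/transport flood, 7 = application-layer flood

def basic_action(s: Sample, t: Thresholds) -> str:
    """Action Anti-DDoS Basic takes on one sample, following the table's description."""
    if s.bps > t.blackhole_bps:
        return "blackhole"      # all inbound Internet traffic is temporarily blocked
    over_threshold = s.bps >= t.scrub_bps or s.pps >= t.scrub_pps
    # Scrubbing needs BOTH conditions, so a legitimate spike alone is not scrubbed.
    return "scrub" if s.flagged and over_threshold else "pass"

def outcome(s: Sample, t: Thresholds) -> str:
    """What the action means for the service, to show where Basic stops helping."""
    action = basic_action(s, t)
    if action == "blackhole":
        return "unavailable"    # candidate for Anti-DDoS Origin or Anti-DDoS Proxy
    if s.layer == 7:
        return "unmitigated-l7" # HTTP Flood / CC: not defended by Anti-DDoS Basic
    if s.layer == 4:
        return "mitigated" if action == "scrub" else "reaches-backend"
    return "normal"

SAMPLES = [  # constructed traffic samples
    Sample("sale-spike",      3.0e9,  4.0e5, False, 0),
    Sample("syn-flood",       2.0e9,  3.0e6, True,  4),
    Sample("small-pkt-flood", 5.0e8,  5.0e5, True,  4),
    Sample("udp-reflection",  4.0e10, 6.0e6, True,  4),
    Sample("http-flood",      2.0e8,  5.0e4, True,  7),
]

if __name__ == "__main__":
    t = Thresholds()
    for s in SAMPLES:
        print(f"{s.name:16} {basic_action(s, t):10} {outcome(s, t)}")
```

Samples that end as `unavailable` or `unmitigated-l7` mark the cases the page assigns to Anti-DDoS Origin, Anti-DDoS Proxy, or WAF.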
WAF integration for application security
Web Application Firewall (WAF) detects and blocks malicious requests in website and application traffic, forwarding only legitimate traffic to the server. This prevents intrusions that degrade performance and protects your data.
For more information about WAF, see What is WAF? and Get started with WAF 3.0.
Cloud Firewall integration for traffic control
Cloud Firewall provides unified security isolation and control for cloud network assets at the Internet Border, VPC border, and Internal Border. The Internet firewall controls inbound and outbound traffic for all public assets, enabling fine-grained access control that reduces public exposure and mitigates security risks.
Protected public assets include the accelerated IP addresses of GA. For more information about how to enable Internet border protection for the accelerated IP addresses of GA, see Internet firewall.
For more information about how to use GA with Cloud Firewall to implement region-specific access control for traffic, see Use GA together with Cloud Firewall to implement region-specific access control and acceleration.