Global Accelerator: Use GA with Cloud Firewall for regional access control and acceleration

Last Updated: Jun 21, 2026

Global applications must handle access from users worldwide and require centralized management and protection of all inbound and outbound traffic. Global Accelerator (GA) uses Alibaba Cloud's premium Border Gateway Protocol (BGP) bandwidth and global transmission network to deliver a highly reliable, high-performance network acceleration service. The Internet firewall of Cloud Firewall provides fine-grained traffic control and protection. By integrating GA with Cloud Firewall, you can improve the security, performance, and stability of your applications.

Scenario example

A company deploys its application in the US (Silicon Valley) region, with most clients located in China. The company faces two main issues:

  • Instability in cross-border public networks causes frequent latency, jitter, and packet loss for clients.

  • Overseas traffic includes a high proportion of malicious attacks, web crawlers, and visits from non-target users. These not only pose security risks but also generate unnecessary traffic, increasing server load and degrading overall performance.

To address these issues, the company decided to use GA to improve the access experience for clients in China and use the Internet Border access control policy feature of Cloud Firewall to block traffic from outside China.

Limits

The Internet firewall of Cloud Firewall can protect accelerated IP addresses of GA as public network assets (asset type GA EIP), provided that the accelerated IP address meets the following conditions:

  • The GA instance to which the accelerated IP belongs must be a Standard Instance.

  • The accelerated IP type must be Elastic IP Address.

  • The acceleration region of the accelerated IP must not be an Alibaba Cloud point of presence (POP).

    To check whether an acceleration region is an Alibaba Cloud POP, see ListAvailableBusiRegions.

Prerequisites

  • Your origin server already runs an application service.

    This topic uses Alibaba Cloud Linux 3 as the operating system and configures a backend HTTP 80 service using Nginx.

    Example commands to deploy a test service on ECS:

    # Install and start Nginx, then publish a test page served on HTTP port 80
    yum install -y nginx
    systemctl start nginx.service
    cd /usr/share/nginx/html/
    echo "Hello World! This is the Silicon Valley data center test page." > index.html

  • You have already purchased the Cloud Firewall service. For more information, see Purchase Cloud Firewall service.

Procedure

Step 1: Configure a GA instance

This topic uses pay-as-you-go medium GA instances as an example.

  1. On the Standard Instance > Instances page of the GA console, click Create Standard Pay-as-you-go Instance.

  2. In the Basic Instance Configuration step, configure the basic information and click Next.

  3. In the Configure Acceleration Area step, add an acceleration region, allocate bandwidth to the region, and then click Next.

    In this example, the Acceleration Region parameter is set to China (Hong Kong), and the ISP Line Type parameter is set to BGP (Multi-ISP). You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage acceleration areas.

    Important
    • If the acceleration regions include regions in the Chinese mainland, you must apply for an ICP number for the domain name to provide services.

    • If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.

  4. On the Configure Listeners wizard page, set the forwarding protocol and port, then click Next.

    In this scenario, set Protocol to HTTP and Port to 80. Keep other listener parameters at their defaults or adjust as needed.

  5. On the Configure an Endpoint Group wizard page, configure the backend service for endpoints and click Next.

    In this scenario, select US (Silicon Valley) for Region, choose Custom IP for Backend Service Type, enter your origin server’s public IP address for Backend Service, read and select Compliance Commitments Regarding Cross-border Data Transfers, and keep other endpoint group parameters at their defaults or adjust as needed.

  6. On the Configuration Review wizard page, confirm your GA settings and click Submit.

  7. Optional: After creation completes, under the task details list, click Go to Instance Details. On the instance details page, view configuration information under tabs such as Instance Information, Listeners, and Acceleration Areas.

    For example, accelerated IP addresses for GA can be obtained from the Acceleration Areas tab.

Step 2: Configure Cloud Firewall

  1. On the Firewall Switch page of the Cloud Firewall console, select the Internet Firewall tab. On the IPv4 tab, find the accelerated IP address for your GA, and click Actions in the Enable Protection column.

    To filter the asset list, set the asset type to GA EIP and enter the GA instance ID. After you enable protection, the firewall status column shows Protected, which indicates that protection is enabled. For more information about enabling the firewall switch, see Internet firewall.

  2. In the Cloud Firewall console, navigate to Protect > Access Control > Policy Configuration. Select the Inbound tab and click Create Policy.

  3. In the Create Inbound Policy panel, select the Create Policy tab, configure the policy, click OK, and follow prompts to create an address book if needed.

    For this scenario, use the settings in the following table. Adjust as needed for your use case. For detailed instructions on access control policy configuration, see Configure Internet border access control policies.

    | Configuration item | Description | Example value for this scenario |
    | --- | --- | --- |
    | Source Type | The initiator of network traffic. Select a source type and enter the source address that sends traffic. | Location |
    | Source | | All Locations Outside China (regions outside China) |
    | Destination Type | The recipient of network traffic. Select a destination type and enter the destination address that receives traffic. | IP. Enter the accelerated IP address of GA (with a /32 suffix). |
    | Protocol Type | Transport-layer protocol type. Options include TCP, UDP, ICMP, and ANY. Select ANY if you are unsure of the specific protocol. | ANY |
    | Application | Set the application type for incoming traffic. | ANY |
    | Port | Set the destination port type and destination port. | Port. Enter 0/0 to match all ports. |
    | Action | Define how traffic matching this policy is handled. Allow: permit the traffic. Deny: block the traffic without sending any notification. Monitor: allow traffic by default; after monitoring for a period, change the action to Allow or Deny as needed. | Deny |
    | Priority | Set the policy priority. The default is Lowest. | Highest |
    | Policy Validity Period | Set the time period during which the policy applies. Traffic is matched against the policy only within this period. | Always |
    | Status | Enable or disable the policy. If you create a policy in the disabled state, you can enable it later from the policy list. | Enable |

Step 3: Verify results

Verify Cloud Firewall access control policy effectiveness

This topic tests access from clients in China (Hong Kong) and Germany (Frankfurt).

  1. From a client in the China (Hong Kong) region and a client in the Germany (Frankfurt) region, open the accelerated IP address of GA in a browser and check whether the backend service is reachable.

    • The client in the China (Hong Kong) region reaches the backend service, and the page displays Hello World! This is the Silicon Valley data center test page.

    • The client in the Germany (Frankfurt) region gets a blank page that fails to load, which indicates that the Cloud Firewall access control policy blocked the request from that region.

    This confirms that the Internet Border access control policy of Cloud Firewall has taken effect and blocks traffic from regions outside China.

  2. In the Access Control Policy List, check the Hits column to view policy matches. Click the hit count to go to the Traffic Logs page for details.

    For example, you can set the Destination IP Address in the query conditions to the accelerated IP address of GA, and the Application Protocol Detection Status to Blocked by Policy, to view details of the blocked traffic.

    In the filtered traffic log table, the Action column shows Drop and the Rule Source column shows Access Control, confirming successful interception by the access control policy.

    You can also use Log Audit to review attack events and operation logs. For more information, see Log audit.

  3. On the Intrusion Prevention page, under the Internet Protection tab, view protection statistics and detailed protection records.

    For example, in the search box above the protection details list, enter the accelerated IP address of GA as the destination IP address to view the details of how Cloud Firewall handled attack traffic sent to that address.

    For more information about intrusion prevention capabilities, see Intrusion prevention.
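
The Traffic Logs check in step 2 can be run offline against exported rows by re-applying the match conditions of the Step 2 policy. The following Python code is an added example, not Alibaba Cloud code. The CSV column names, the src_location values, and the address 203.0.113.10 standing in for the accelerated IP are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Deny policy from the Step 2 table. The /32 is a documentation-range
# placeholder for the GA accelerated IP (assumption).
POLICY = {
    "destination": ipaddress.ip_network("203.0.113.10/32"),
    "blocked_source": "outside-china",
    "action": "Drop",
    "rule_source": "Access Control",
}

# Constructed sample rows. Column names and src_location values are
# assumptions, not the real Traffic Logs export schema.
SAMPLE_LOG = """\
src_ip,src_location,dst_ip,dst_port,action,rule_source
198.51.100.7,outside-china,203.0.113.10,80,Drop,Access Control
192.0.2.15,china,203.0.113.10,80,Allow,
198.51.100.9,outside-china,203.0.113.10,80,Allow,
192.0.2.16,china,203.0.113.10,80,Drop,Access Control
198.51.100.7,outside-china,203.0.113.99,80,Allow,
"""

def policy_applies(row, policy=POLICY):
    """True if the deny policy should match this flow. Protocol ANY and
    port 0/0 match everything, so only source and destination decide."""
    in_scope = ipaddress.ip_address(row["dst_ip"]) in policy["destination"]
    return in_scope and row["src_location"] == policy["blocked_source"]

def audit(log_text, policy=POLICY):
    """Return (leaks, overblocks): source IPs the policy should have
    dropped but did not, and in-China sources that were dropped."""
    leaks, overblocks = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        if ipaddress.ip_address(row["dst_ip"]) not in policy["destination"]:
            continue  # a different asset; this policy does not cover it
        dropped = row["action"] == policy["action"]
        if policy_applies(row):
            if not (dropped and row["rule_source"] == policy["rule_source"]):
                leaks.append(row["src_ip"])
        elif dropped:
            overblocks.append(row["src_ip"])
    return leaks, overblocks

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Both lists are empty when the policy behaves as configured. A source in the first list reached the accelerated IP from outside China, and a source in the second was dropped even though it is inside China and should be reviewed against other policies.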

Verify GA acceleration effectiveness

This topic uses a detection point in China (Hong Kong) as an example. Use the one-time probe tool to conduct network probes on the origin server's public IP address and the accelerated IP address of GA before and after you configure GA, and then compare the results to evaluate the acceleration effect. For specific steps, see Use the network probe tool to test acceleration performance.

  1. Perform a network probe on the accelerated IP addresses of GA to check network latency after configuring GA.

  2. Probe the origin server’s public IP address to check network latency before GA configuration.

Verification confirms that GA reduces latency for clients in the China (Hong Kong) region accessing services in the US (Silicon Valley) region.

Note

Actual GA acceleration results depend on your own tests in your business environment.
