Global applications must handle access from users worldwide and require centralized management and protection of all inbound and outbound traffic. Global Accelerator (GA) leverages Alibaba Cloud’s premium Border Gateway Protocol (BGP) bandwidth and global transmission network to deliver a highly reliable, high-performance network acceleration service. The Internet firewall of Cloud Firewall provides fine-grained traffic control and protection capabilities. By integrating GA and Cloud Firewall, you can significantly enhance the security, performance, and stability of your applications.
Scenario example
A company deploys its application in the US (Silicon Valley) region, with most clients located in China. The company faces two main issues:
- Instability in cross-border public networks causes frequent latency, jitter, and packet loss for clients.
- Overseas traffic includes a high proportion of malicious attacks, web crawlers, and visits from non-target users. These not only pose security risks but also generate unnecessary traffic, increasing server load and degrading overall performance.
To address these issues, the company decided to use GA to improve the access experience for clients in China and use the Internet Border access control policy feature of Cloud Firewall to block traffic from outside China.
Limits
Cloud Firewall's Internet firewall supports accelerated IP addresses of GA (the GA EIP asset type) as public network assets, but only when the accelerated IP address meets the following conditions:
- The GA instance to which the accelerated IP belongs must be a Standard Instance.
- The accelerated IP type must be Elastic IP Address.
- The acceleration region of the accelerated IP must not be an Alibaba Cloud point of presence (POP).
To check whether an acceleration region is an Alibaba Cloud POP, see ListAvailableBusiRegions.
Prerequisites
- Your origin server already runs an application service.
This topic uses Alibaba Cloud Linux 3 as the operating system and configures a backend HTTP 80 service using Nginx.
- You have already purchased the Cloud Firewall service. For more information, see Purchase Cloud Firewall service.
Procedure
Step 1: Configure a GA instance
This topic uses pay-as-you-go medium GA instances as an example.
- On the page of the GA console, click Create Standard Pay-as-you-go Instance.
- In the Basic Instance Configuration step, configure the basic information and click Next.
- In the Configure Acceleration Area step, add an acceleration region, allocate bandwidth to the region, and then click Next.
In this example, the Acceleration Region parameter is set to China (Hong Kong), and the ISP Line Type parameter is set to BGP (Multi-ISP). You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage acceleration areas.
Important: If the acceleration regions include regions in the Chinese mainland, you must apply for an ICP number for the domain name to provide services.
If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.
- On the Configure Listeners wizard page, set the forwarding protocol and port, then click Next.
In this scenario, set Protocol to HTTP and Port to 80. Keep other listener parameters at their defaults or adjust as needed.
- On the Configure an Endpoint Group wizard page, configure the backend service for endpoints and click Next.
In this scenario, select US (Silicon Valley) for Region, choose Custom IP for Backend Service Type, enter your origin server’s public IP address for Backend Service, read and select Compliance Commitments Regarding Cross-border Data Transfers, and keep other endpoint group parameters at their defaults or adjust as needed.
- On the Configuration Review wizard page, confirm your GA settings and click Submit.
- Optional: After creation completes, under the task details list, click Go to Instance Details. On the instance details page, view configuration information under tabs such as Instance Information, Listeners, and Acceleration Areas.
For example, accelerated IP addresses for GA can be obtained from the Acceleration Areas tab.
Step 2: Configure Cloud Firewall
- On the Firewall Switch page of the Cloud Firewall console, select the Internet Firewall tab. On the IPv4 tab, find the accelerated IP address for your GA, and click Actions in the Enable Protection column.
You can select the asset type as GA EIP and enter the instance ID of GA to filter assets. After enabling, the firewall status column shows Protected, indicating that it has been successfully enabled. For more information about enabling the firewall switch, see Internet firewall.
- In the Cloud Firewall console, navigate to . Select the Inbound tab and click Create Policy.
- In the Create Inbound Policy panel, select the Create Policy tab, configure the policy, click OK, and follow prompts to create an address book if needed.
For this scenario, use the settings in the following table. Adjust as needed for your use case. For detailed instructions on access control policy configuration, see Configure Internet border access control policies.
| Configuration item | Description | Example value for this scenario |
| --- | --- | --- |
| Source Type | The initiator of network traffic. Select a source type and enter the source address that sends traffic. | Location |
| Source | | All Locations Outside China (regions outside China) |
| Destination Type | The recipient of network traffic. Select a destination type and enter the destination address that receives traffic. | IP, enter the accelerated IP address of GA (with a /32 suffix) |
| Protocol Type | Transport-layer protocol type. Options include TCP, UDP, ICMP, and ANY. Select ANY if you are unsure of the specific protocol. | ANY |
| Application | Set the application type for incoming traffic. | ANY |
| Port | Set the destination port type and destination port. | Port. Enter 0/0 to allow all ports. |
| Action | Define how traffic matching this policy is handled. Allow: Permit the traffic. Deny: Block the traffic without sending any notification. Monitor: Allow traffic by default. After monitoring for a period, change the action to Allow or Deny as needed. | Deny |
| Priority | Set the policy priority. Default is Lowest, meaning lowest priority. | Highest |
| Policy Validity Period | Set the time period during which the policy applies. Traffic is matched against the policy only within this period. | Always |
| Status | Enable or disable the policy. If you create a policy in disabled state, you can enable it later from the policy list. | Enable |
Step 3: Verify results
Verify Cloud Firewall access control policy effectiveness
This topic tests access from clients in China (Hong Kong) and Germany (Frankfurt).
- From clients in the China (Hong Kong) region and the Germany (Frankfurt) region, access the accelerated IP address of GA through a browser and check whether you can access the backend service normally.
  - The client in the China (Hong Kong) region successfully accesses the backend service, and the page displays "Hello World! This is the Silicon Valley data center test page."
  - When the client in the Germany (Frankfurt) region accesses the accelerated IP address of GA, the page appears blank and fails to load content, indicating that the Cloud Firewall access control policy has blocked access requests from that region.
Verification confirms that the Internet Border access control policy configuration of Cloud Firewall has taken effect and has successfully blocked traffic from regions outside China.
- In the Access Control Policy List, check the Hits column to view policy matches. Click the hit count to go to the Traffic Logs page for details.
For example, you can set the Destination IP Address in the query conditions to the accelerated IP address of GA, and the Application Protocol Detection Status to Blocked by Policy, to view details of the blocked traffic.
In the filtered traffic log table, the Action column shows Drop and the Rule Source column shows Access Control, confirming successful interception by the access control policy.
You can also use Log Audit to review attack events and operation logs. For more information, see Log audit.
- On the Intrusion Prevention page, under the Internet Protection tab, view protection statistics and detailed protection records.
For example, above the protection details list, you can enter the accelerated IP address of GA as the destination IP address to search for and view Cloud Firewall's protection details against attack traffic.
For more information about intrusion prevention capabilities, see Intrusion prevention.
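The traffic-log check described above can also be run over exported log rows, so that traffic from outside China that was not dropped by the policy, or Chinese clients that were dropped by mistake, stand out. The following Python sketch is an added example, not Alibaba Cloud code. It assumes a CSV export with hypothetical column names (`src_ip`, `src_location`, `dst_ip`, `action`, `rule_source`), assumes location strings for regions in China start with "China", and uses a placeholder accelerated IP with constructed sample rows.

```python
import csv
import io

GA_IP = "203.0.113.10"  # placeholder for the GA accelerated IP (documentation range)

# Constructed sample rows; the column names are assumed for an exported traffic log.
SAMPLE_LOG = """src_ip,src_location,dst_ip,action,rule_source
198.51.100.7,China (Hong Kong),203.0.113.10,Allow,
192.0.2.44,Germany (Frankfurt),203.0.113.10,Drop,Access Control
192.0.2.45,Germany (Frankfurt),203.0.113.10,Drop,Access Control
192.0.2.90,United States,203.0.113.10,Allow,
198.51.100.9,China (Hong Kong),203.0.113.10,Drop,Access Control
192.0.2.12,Germany (Frankfurt),203.0.113.99,Allow,
"""


def audit(log_text, ga_ip=GA_IP):
    """Classify each log row for ga_ip against the intended geo policy.

    blocked_ok  : source outside China, dropped by the access control policy
    allowed_ok  : source in China, not dropped by the access control policy
    leaks       : source outside China, NOT dropped by the access control policy
    overblocked : source in China, dropped by the access control policy
    """
    result = {"blocked_ok": [], "allowed_ok": [], "leaks": [], "overblocked": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_ip"] != ga_ip:
            continue  # other assets are out of scope for this policy
        # Assumption: location strings for regions in China start with "China".
        inside = row["src_location"].startswith("China")
        # The page's success criteria: Action = Drop and Rule Source = Access Control.
        dropped = row["action"] == "Drop" and row["rule_source"] == "Access Control"
        if inside:
            key = "overblocked" if dropped else "allowed_ok"
        else:
            key = "blocked_ok" if dropped else "leaks"
        result[key].append(row["src_ip"])
    return result


if __name__ == "__main__":
    for verdict, sources in audit(SAMPLE_LOG).items():
        print(f"{verdict}: {sources}")
```

Any entry under `leaks` or `overblocked` means the policy's source location, destination address, or priority should be rechecked against the table in Step 2.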
Verify GA acceleration effectiveness
This topic uses a detection point in China (Hong Kong) as an example. Use the one-time probe tool to conduct network probes on the origin server's public IP address and the accelerated IP address of GA before and after you configure GA, and then compare the results to evaluate the acceleration effect. For specific steps, see Use the network probe tool to test acceleration performance.
- Perform a network probe on the accelerated IP addresses of GA to check network latency after configuring GA.
- Probe the origin server’s public IP address to check network latency before GA configuration.
Verification confirms that GA reduces latency for clients in China (Hong Kong) accessing services in US (Silicon Valley).
Actual GA acceleration results depend on your specific business testing.
References
- For more information about how GA is billed, see GA billing overview.
- To learn how Cloud Firewall is billed, see Cloud Firewall billing overview.
- To learn more about Cloud Firewall’s mitigation capabilities, see Feature comparison.