Global Accelerator (GA) solves two problems at once for globally deployed services: cross-border latency and DDoS attacks. By routing user traffic through Alibaba Cloud's private acceleration network and integrating with dedicated DDoS protection products, you get both low-latency access and multi-layer defense without trading one for the other.
Choose a DDoS protection product
GA includes basic DDoS protection automatically — no setup required. For services that face high-volume attacks, you can add a dedicated protection layer.
| Anti-DDoS Origin Basic | Anti-DDoS Origin | Anti-DDoS Pro and Anti-DDoS Premium | |
|---|---|---|---|
| Mitigation capacity | Up to 5 Gbps (free; covers accelerated IPs and endpoint public IPs) | Up to several hundred Gbps; varies by region | Up to several Tbps via global scrubbing centers |
| How traffic is protected | Built into GA automatically. Uses BPS/PPS scrubbing thresholds combined with AI-based analysis to detect and scrub network-layer and transport-layer attacks (UDP reflection, SYN/ACK Flood). Does not defend against application-layer attacks (HTTP Flood, CC attacks). When traffic exceeds the blackhole filtering threshold, Alibaba Cloud temporarily blocks all inbound traffic. | Deployed in bypass mode at the Alibaba Cloud data center egress. When traffic exceeds the scrubbing threshold, Anti-DDoS Origin automatically triggers traffic scrubbing using passive scrubbing (primary) and active blocking (supplementary), with technologies such as reverse detection, whitelists/blacklists, and packet compliance. Mitigates Layer 3 and Layer 4 attacks. | During normal traffic: GA accelerates traffic directly to the origin server with no added latency. During an attack: GA switches the CNAME to point to the Anti-DDoS instance. Scrubbed traffic returns to GA via the secure CNAME (secure accelerated IP address) and is forwarded to the origin server. |
| References | View the basic protection threshold of a GA instance | Connect GA to Anti-DDoS Origin | Connect GA to Anti-DDoS Pro and Anti-DDoS Premium |
Use cases
Connect GA to Anti-DDoS Origin
Scenario
A company's website runs on two ECS servers (ECS01, ECS02) in the US (Silicon Valley) region, serving users worldwide over a custom domain on HTTP port 80. The site faces two problems:
Cross-border network instability: latency, jitter, and packet loss on public internet routes.
Frequent high-volume DDoS attacks causing unstable service responses.
Deploying GA with Anti-DDoS Origin addresses both: GA routes traffic through the private acceleration network to reduce latency, and Anti-DDoS Origin adds GA instances as protected objects to guard accelerated IPs and endpoint public IPs against DDoS attacks.
Normal traffic path: Client requests connect to the nearest GA acceleration area, then route through the private network to the origin server in US (Silicon Valley) — no latency penalty.
Under attack: When traffic exceeds the Anti-DDoS Origin scrubbing threshold, traffic scrubbing is triggered automatically. Scrubbed traffic continues to be accelerated through GA to the origin server.
Limitations
Anti-DDoS Origin is available for direct purchase only in the Chinese mainland. To purchase an instance outside the Chinese mainland, contact your account manager. For details, see Contact us.
Prerequisites
Before you begin, make sure that you have:
Services deployed on ECS01 and ECS02 in the US (Silicon Valley) region (this example uses Alibaba Cloud Linux 3 with an Nginx HTTP 80 service)
A DNS A record pointing your custom domain name to the public IPs of both backend servers
(Optional) An SSL certificate bound to your custom domain if you plan to serve HTTPS traffic on port 443
An Anti-DDoS Origin instance purchased
Example: deploy a test service on ECS01
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is ECS01, service running on port 80." > index.htmlStep 1: Configure Global Accelerator
This example uses a pay-as-you-go standard GA instance.
On the Standard Instance > Instances page of the GA console, click Create Standard Pay-as-you-go Instance.
In the Basic Instance Configuration step, configure the basic information and click Next.
In the Configure Acceleration Area step, add an acceleration area and allocate bandwidth, then click Next. Set Acceleration Region to China (Hong Kong) and ISP Line Type to BGP (Multi-ISP). Adjust other parameters as needed. For details, see Add and manage acceleration areas.
Important- If any acceleration area is in the Chinese mainland, apply for an ICP number for the domain name before providing services. - Set maximum bandwidth based on your traffic volume. A value that is too low causes throttling and packet loss.
In the Configure listeners step, configure the forwarding protocol and port, then click Next. Set Routing Type to Intelligent Routing, Protocol to HTTP, and Port to 80. For details, see Add and manage smart routing listeners.
To serve external traffic over HTTPS 443, select HTTPS for Protocol and 443 for Port, associate the listener with your certificate, and configure a port mapping (443→80) in the endpoint group. This lets users access the HTTP website securely over HTTPS.
On the Configure Endpoint Group page, set the region to US (Silicon Valley), add ECS01 and ECS02 as backend services, and enable Health Check. Read and select the Cross-border Data Transfer Compliance Commitment, then click Next. For details on other endpoint group parameters, see Create and manage endpoint groups of intelligent routing listeners.
In the Configuration Review step, confirm the configuration and click Submit.
On the Instances page, find the GA instance and copy the CNAME from the CNAME column.
On each backend server, allow the vSwitch CIDR block that GA uses to connect over the private network. Add an inbound rule in the ECS security group and make sure the vSwitch has at least 8 available private IP addresses.
Step 2: Configure Anti-DDoS Origin
On the Protected Objects page of the Anti-DDoS Origin console, click Add Protected Object and add the GA instance.
After the GA instance is added:
The GA Assets tab shows the protected GA instance.
The IP Assets tab shows the protected public IPs: accelerated IPs and endpoint public IPs.
Step 3: Configure a CNAME record
Map your custom domain name to the GA CNAME so traffic is routed through GA for accelerated access.
If you already have an A record pointing to the backend servers, add a CNAME record for the China (Hong Kong) region first. Once you confirm it works, extend the CNAME to other regions or replace the A record entirely.
On the Authoritative DNS Resolution page, find your domain name and click DNS Settings.
If your domain is not registered with Alibaba Cloud, add it to the Alibaba Cloud DNS console before configuring DNS records.
Click Add DNS Record, configure the CNAME record, and click OK. Set Record Type to CNAME, Hostname to www, DNS Request Source to Asia_Hong Kong, and Record Value to the GA CNAME. For details, see Add DNS records.
Step 4: Verify the results
Verify acceleration performance
Use a network probe tool from a Hong Kong (China) probe point to measure the response time before and after configuring GA. For instructions, see Use the network dial test tool to test acceleration.
Test latency before configuring GA. The Resolved IP column shows the ECS public IP.
Test latency after configuring GA. The Resolved IP column now shows the GA accelerated IP.
The results confirm that GA reduces latency for clients in Hong Kong (China) accessing services in the US (Silicon Valley) region.
Actual acceleration performance depends on your specific network conditions and business traffic.
Verify health check behavior
Open a browser and enter the custom domain name. The site loads successfully, and refreshing multiple times alternates between ECS01 and ECS02.
Simulate a failure by stopping ECS01. After a short interval, check the Health Check Status on the Endpoint Group tab of the GA instance. Refreshing the browser shows the service remains accessible, with ECS02 now handling all requests.
Verify Anti-DDoS Origin protection
Use these Anti-DDoS Origin console features to monitor protection effectiveness:
Business Monitoring: Real-time traffic trends and DDoS attack event records for protected assets.
Attack Analysis: Query and analyze attack events by type, traffic volume, and duration.
Mitigation Logs: Detailed logs of how Anti-DDoS Origin handled traffic, including attack detection and scrubbing events.
Connect GA to Anti-DDoS Pro and Anti-DDoS Premium
Scenario
A multinational game runs on ECS01 and ECS02 in the US (Silicon Valley) region, serving players worldwide through a custom domain. The service faces:
Cross-border network instability: latency, jitter, and packet loss.
Large-scale DDoS attacks that cause complete service outages.
Combining GA with Anti-DDoS Pro or Anti-DDoS Premium handles both.
Normal traffic path: GA routes requests through the private acceleration network directly to the origin server — no added latency, no Anti-DDoS overhead.
Under attack: GA uses DNS resolution to reroute traffic to Anti-DDoS scrubbing centers. After scrubbing, traffic returns to GA via the secure CNAME (secure accelerated IP address) and is forwarded to the origin server, keeping the game server accessible.
Limitations
Connecting GA to Anti-DDoS Pro and Anti-DDoS Premium is not enabled by default. Contact your business manager to activate the feature.
To purchase the Premium Edition of Anti-DDoS Pro and Anti-DDoS Premium (Chinese mainland), or the Sec-MCA 1.0 / Sec-MCA 1.0 (Basic Edition) editions (outside the Chinese mainland), contact your business manager.
Only pay-as-you-go standard GA instances support this integration. Subscription-based standard GA instances and basic GA instances are not supported.
Prerequisites
Before you begin, make sure that you have:
Services deployed on ECS01 and ECS02 in the US (Silicon Valley) region (this example uses Alibaba Cloud Linux 3 with an Nginx HTTP 80 service)
A DNS A record pointing your custom domain name to the public IPs of both backend servers
(Optional) An SSL certificate bound to your custom domain if you plan to serve HTTPS traffic on port 443
An Anti-DDoS Pro or Anti-DDoS Premium instance purchased
This example uses an Anti-DDoS Pro or Anti-DDoS Premium (Outside Chinese Mainland) instance with the Mitigation Plan and Standard Function for clients in Hong Kong (China).
If any configured GA acceleration area (client region) includes the Chinese mainland, also purchase an Anti-DDoS Pro or Anti-DDoS Premium (Chinese Mainland) instance and make sure your custom domain name has completed ICP filing.
Example: deploy a test service on ECS01
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is ECS01, service running on port 80." > index.htmlStep 1: Configure Global Accelerator
On the Standard Instance > Instances page of the GA console, click Create Standard Pay-as-you-go Instance.
In the Basic Instance Configuration step, configure the basic information and click Next.
In the Configure Acceleration Area step, add an acceleration area and allocate bandwidth, then click Next. Set Acceleration Region to China (Hong Kong) and ISP Line Type to BGP (Multi-ISP). Adjust other parameters as needed. For details, see Add and manage acceleration areas.
Important- If any acceleration area is in the Chinese mainland, apply for an ICP number for the domain name before providing services. - Set maximum bandwidth based on your traffic volume. A value that is too low causes throttling and packet loss.
In the Configure listeners step, configure the forwarding protocol and port, then click Next. Set Routing Type to Intelligent Routing, Protocol to HTTP, and Port to 80. For details, see Add and manage smart routing listeners.
To serve external traffic over HTTPS 443, select HTTPS for Protocol and 443 for Port, associate the listener with your certificate, and configure a port mapping (443→80) in the endpoint group. This lets users access the HTTP website securely over HTTPS.
On the Configure an endpoint group page, set the region to US (Silicon Valley), add ECS01 and ECS02 as backend services, and enable Health Check. Read and select the Compliance Commitments Regarding Cross-border Data Transfers, then click Next. For details on other endpoint group parameters, see Create and manage endpoint groups of intelligent routing listeners.
In the Configuration Review step, confirm the configuration and click Submit.
On the Instances page, find the GA instance and copy the CNAME from the CNAME column.
On each backend server, allow the vSwitch CIDR block that GA uses to connect over the private network. Add an inbound rule in the ECS security group and make sure the vSwitch has at least 8 available private IP addresses.
Step 2: Connect the GA instance to Anti-DDoS Pro or Anti-DDoS Premium
On the Standard Instance > Instances page in the GA console, find the GA instance and click  > Associate with Anti-DDoS Pro/Premium in the Actions column.
In the Associate with Anti-DDoS Pro/Premium dialog box, select the Anti-DDoS Pro or Anti-DDoS Premium instance and click OK. Because the GA acceleration area is Hong Kong (China) in this example, select an Anti-DDoS Pro or Anti-DDoS Premium (Outside Chinese Mainland) instance. If the acceleration area includes the Chinese mainland, also select an Anti-DDoS Premium or Anti-DDoS Pro (Chinese Mainland) instance and complete the Website Config in Step 3.
To the right of the instance ID, hover over the Anti-DDoS Pro/Premium icon. In the Anti-DDoS Proxy tooltip, copy the Secure GA CNAME.
After connecting GA to Anti-DDoS Pro and Anti-DDoS Premium, each acceleration area gets four accelerated IP addresses. Two are secure accelerated IP addresses mapped to the GA secure CNAME. During an attack, scrubbed traffic from Anti-DDoS Pro/Premium enters the acceleration network through the GA secure CNAME.
Step 3: Add a website to Anti-DDoS Pro or Anti-DDoS Premium
On the Website Config page of the Anti-DDoS Pro Proxy (Outside Chinese Mainland) console, click Add Website.
In the Add Website panel, complete the Website Config wizard and click Next. Configure the following: Read and select the Compliance Commitments Regarding Cross-border Data Transfer. For details on other parameters, see Add websites.
WarningFor Server Address, enter the GA secure CNAME — not the GA CNAME. Using the regular GA CNAME creates a traffic loop.
Parameter Value Instance Your Anti-DDoS Pro or Anti-DDoS Premium instance Websites Your custom domain name Server Address Select Origin Domain Name and enter the GA secure CNAME from Step 2 Protocol Type and Server Port Must match the GA listener protocol and port (HTTP, 80) 
In the Forwarding Settings wizard, keep the default configuration and click Next.
On the Finish page, click Complete and Return to Domain Name List.
On the origin server, add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of your security software and security groups to prevent back-to-origin traffic from being blocked.
Step 4: Configure a CNAME record
Map your custom domain name to the GA CNAME so traffic is routed through GA for accelerated access.
If you already have an A record pointing to the backend servers, add a CNAME record for the China (Hong Kong) region first. Once you confirm it works, extend the CNAME to other regions or replace the A record entirely.
On the Authoritative DNS Resolution page, find your domain name and click DNS Settings.
If your domain is not registered with Alibaba Cloud, add it to the Alibaba Cloud DNS console before configuring DNS records.
Click Add DNS Record, configure the CNAME record, and click OK. Set Record Type to CNAME, Hostname to www, DNS Request Source to Asia_Hong Kong, and Record Value to the GA CNAME. For details, see Add DNS records.
Step 5: Verify the results
Verify acceleration performance
Use a network probe tool from a Hong Kong (China) probe point to measure the response time before and after configuring GA. For instructions, see Use the network dial test tool to test acceleration.
Test latency before configuring GA. The Resolved IP column shows the ECS public IP.
Test latency after configuring GA. The Resolved IP column now shows the GA accelerated IP.
The results confirm that GA reduces latency for clients in Hong Kong (China) accessing services in the US (Silicon Valley) region.
Actual acceleration performance depends on your specific network conditions and business traffic.
Verify health check behavior
Open a browser and enter the custom domain name. The site loads successfully, and refreshing multiple times alternates between ECS01 and ECS02.
Simulate a failure by stopping ECS01. After a short interval, check Health Check Status on the Endpoint Group tab of the GA instance. Refreshing the browser shows the service remains accessible, with ECS02 now handling all requests.
Verify Anti-DDoS Pro or Anti-DDoS Premium protection
Use
curlto connect to your custom domain by specifying the Anti-DDoS instance IP. A successful connection confirms the link between GA and Anti-DDoS Pro/Premium is working.WarningBefore going live, complete this connectivity test. Also make sure that: - You do not unsubscribe from the Anti-DDoS Pro or Anti-DDoS Premium instance before releasing the GA instance. - The Anti-DDoS Pro or Anti-DDoS Premium instance remains active and has not expired.
curl 170.33.XX.XX -H "Host: <your-custom-domain-name>"
Use these Anti-DDoS Pro and Anti-DDoS Premium console features to monitor protection and respond to anomalies:
Attack Analysis: Records and details of attack events on the Anti-DDoS instance.
Advanced Mitigation Logs: Usage of advanced mitigation sessions. Requires an instance that includes advanced mitigation sessions or an additional global advanced mitigation session.
CloudMonitor Alerts: Set up alert monitoring and a real-time dashboard. CloudMonitor sends alerts when anomalies occur, helping you shorten response time and restore service faster.
What's next
GA billing: GA fees include the instance fee, CU fee, and traffic fee.
Acceleration quality: Cross-border scenarios use premium bandwidth by default. For higher network quality, consider leased line cross-border acceleration. See premium bandwidth cross-border accelerationleased line cross-domain accelerationAcceleration configuration selection.
Anti-DDoS resources: