Global Accelerator: Use GA and Anti-DDoS Origin to securely accelerate global services

Last Updated: May 27, 2025

In global business expansion, enterprises often face network latency issues and distributed denial of service (DDoS) attacks. Global Accelerator (GA) and Anti-DDoS Origin can be deployed together to accelerate global user access, prevent DDoS attacks, ensure high availability and security, improve user experience, and reduce security risks.

Examples

An enterprise website is deployed on Alibaba Cloud in the US (Silicon Valley) region. The website provides services to end users in multiple regions around the world by using a custom domain name. The forwarding port is HTTP port 80. The website faces the following issues:

  • The cross-border network is unstable. Network issues, such as high network latency, network jitter, and packet loss, may frequently occur.

  • The website frequently encounters DDoS attacks, resulting in service interruptions.

  • The backend servers are unstable and services may be interrupted.

You can use GA and Anti-DDoS Origin to effectively solve the issues faced by cross-domain website services.

  • GA: Client requests can be routed to the nearest access point of the Alibaba Cloud acceleration network through the configured acceleration region. Through intelligent routing and automatic network scheduling, requests can be forwarded to the origin server in US (Silicon Valley). This effectively improves service access speed. At the same time, by enabling health checks, you can improve service reliability and availability and avoid the impact of abnormal nodes on services.

  • Anti-DDoS Origin: You can add GA instances as protected objects to protect the accelerated IP addresses of GA and public IP addresses of endpoints. When the traffic exceeds the default traffic scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks.

Limits

You can directly purchase Anti-DDoS Origin instances only in the Chinese mainland. If you want to purchase an Anti-DDoS Origin instance outside the Chinese mainland, contact your account manager. For more information about how to contact the account manager, see Contact us.

Prerequisites

  • Services are deployed on ECS01 and ECS02 in the US (Silicon Valley) region. In this example, the instances run the Alibaba Cloud Linux 3 operating system, and NGINX provides the backend HTTP service on port 80.

    Example: Deploy the test service on ECS01

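    # Install NGINX and start the service.
    yum install -y nginx
    systemctl start nginx.service
    # Replace the default page with one that identifies this backend.
    cd /usr/share/nginx/html/
    echo "Hello World !  This is ECS01, service running on port 80." > index.html
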
  • Two A records are created to map the custom domain name to the public IP addresses of the backend servers.

    If you use a third-party DNS service, refer to the user guide provided by the service provider.

  • If you need to provide external services through HTTPS 443, you need to create and apply for a certificate, or upload a third-party certificate to Certificate Management Service and associate the custom domain name with the certificate.

  • An Anti-DDoS Origin instance is purchased.

Procedure

Step 1: Configure GA

In this example, a pay-as-you-go standard GA instance is used.

  1. On the Standard Instance > Instances page of the GA console, click Create Standard Pay-as-you-go Instance.

  2. In the Basic Instance Configuration step, configure the basic information and click Next.

  3. In the Configure Acceleration Area step, add an acceleration region, allocate bandwidth to the region, and then click Next.

    In this example, the Acceleration Region parameter is set to China (Hong Kong), and the ISP Line Type parameter is set to BGP (Multi-ISP). You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage acceleration areas.

    Important

    If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.

  4. In the Configure listeners step, configure the forwarding protocol and the port, and then click Next.

    In this example, the Routing Type parameter is set to Intelligent Routing, the Protocol parameter is set to HTTP, and the Port parameter is set to 80. You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add and manage intelligent routing listeners.

    Note

    If you want to use HTTPS 443 to provide external services, you can select HTTPS for Protocol and 443 for Port, associate the created certificate with the listener, and configure the mapping between listener port 443 and the backend service port 80 in the Port Mapping parameter of the endpoint group. This way, users can securely access the HTTP website over HTTPS.

  5. In the Configure an endpoint group step, configure the endpoint and click Next.

    In this example, US (Silicon Valley) is selected for the Region parameter. ECS01 and ECS02 are configured for the Backend Service parameter. Then, Health Check is enabled and Compliance Commitments Regarding Cross-border Data Transfers is selected. You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Configure the endpoint groups of intelligent routing listeners.

  6. In the Configuration Review step, confirm the configurations and click Submit.

  7. On the Instances page, find the created GA instance and obtain the CNAME assigned to the GA instance in the CNAME column.

Step 2: Configure Anti-DDoS Origin

On the Protected Objects page of the Anti-DDoS Origin console, click Add Object for Protection to add the GA instance as a protected object.

After the GA instance is added, you can view the protected GA instance on the GA Assets tab of the Protected Objects page. You can also view the protected public IP addresses of the GA instance on the IP Address Asset tab.

Step 3: Configure a CNAME record

Configure a CNAME record to map the service domain name to the CNAME assigned by the GA instance. This accelerates access to the service.

In this example, if you already created an A record that points to the backend server, you can specify the China (Hong Kong) region when you add a CNAME record that points to the GA instance. If the CNAME record works as expected, apply the CNAME record to other regions or retain only the CNAME record that points to the GA instance.

  1. On the Authoritative DNS Resolution page, find the domain name that you want to use and click DNS Settings in the Actions column.

    Note

    For a domain name that is not registered with Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS records.

  2. On the DNS Settings page, click Add DNS Record, configure a CNAME record, and then click OK.

    In this example, the Record Type parameter is set to CNAME, the Hostname parameter is set to www, the DNS Request Source parameter is set to Asia_Hong Kong, and the Record Value parameter is set to the CNAME of the GA instance. You can use the default values for other parameters or modify the parameters based on your business requirements. For more information, see Add DNS records.
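
The staged cutover described in this step can be checked from each DNS line with a small script. This is an added example, not part of the original page: it classifies a `dig +noall +answer` answer section as resolving through the GA CNAME or directly to a backend IP address. The CNAME, IP addresses, hostname, and sample answers are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names, IPs and answers below are constructed placeholders.

# classify_answer GA_CNAME "ORIGIN_IP ..." < dig_answer_section
# Reads the output of `dig +noall +answer NAME` on stdin and prints:
#   ga      - the name is a CNAME to the GA instance and no origin IP is returned
#   origin  - the answer contains a backend public IP, so clients bypass GA
#   unknown - neither the GA CNAME nor an origin IP appears
classify_answer() {
    awk -v ga="$1" -v origins="$2" '
        BEGIN {
            n = split(origins, o, " ")
            for (i = 1; i <= n; i++) is_origin[o[i]] = 1
            ga = tolower(ga); sub(/\.$/, "", ga)
        }
        # dig answer columns: name, TTL, class, type, rdata
        $4 == "CNAME" { t = tolower($5); sub(/\.$/, "", t); if (t == ga) via_ga = 1 }
        $4 == "A" && ($5 in is_origin) { direct = 1 }
        END { print (direct ? "origin" : (via_ga ? "ga" : "unknown")) }
    '
}

GA_CNAME="ga-placeholder.example.net"      # placeholder for the CNAME from Step 1
ORIGIN_IPS="203.0.113.10 203.0.113.11"     # placeholder public IPs of ECS01/ECS02

# Constructed answer as seen from the China (Hong Kong) line after the cutover.
ANSWER_HK='www.example.com. 600 IN CNAME ga-placeholder.example.net.
ga-placeholder.example.net. 60 IN A 198.51.100.7'

# Constructed answer from a line still served by the original A records.
ANSWER_DEFAULT='www.example.com. 600 IN A 203.0.113.10
www.example.com. 600 IN A 203.0.113.11'

# Live use: dig +noall +answer www.example.com | classify_answer "$GA_CNAME" "$ORIGIN_IPS"
printf 'Hong Kong line: %s\n' "$(printf '%s\n' "$ANSWER_HK" | classify_answer "$GA_CNAME" "$ORIGIN_IPS")"
printf 'Default line:   %s\n' "$(printf '%s\n' "$ANSWER_DEFAULT" | classify_answer "$GA_CNAME" "$ORIGIN_IPS")"
```

A result of `origin` on a line means clients on that line still connect to the backend servers directly and do not pass through the GA accelerated IP address.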

Step 4: Verify the result

Verify the GA acceleration performance

In this example, a detection point in the China (Hong Kong) region is used. Before and after you configure GA, you can use the network detection tool to check the response time.

  1. Test the network latency before GA is configured.

    You can view information such as the response time. The IP address in the Parsing result IP column is the public IP address assigned to the ECS instance.

  2. Test the network latency after GA is configured.

    You can view information such as the response time. The accelerated IP address of the GA instance is displayed in the Parsing result IP column.

The test results show that the network latency of data transmission from the China (Hong Kong) region to the US (Silicon Valley) region is reduced.

Note

The acceleration performance varies based on the actual workload.

Verify GA health checks

  1. Enter the domain name of the website in the browser to access the website deployed in the US (Silicon Valley) region.

    The results show that you can use the domain name to access the website. Refresh the browser multiple times, and the responses are returned by ECS01 and ECS02.

  2. Simulate a fault: Stop ECS01.

    After a period of time, view the health check status on the Endpoint Group tab of the GA instance.

    Refresh the browser multiple times and the service can still be accessed normally, but only ECS02 returns responses.
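
The browser refresh test above can be made repeatable with a script. This is an added example, not part of the original page: it tallies which backend answered each request and fails if the stopped backend still answers or if an unexpected response appears. The hostname and sample bodies are constructed, and ECS02 is assumed to serve the same index.html text as ECS01 with its own name.

```shell
#!/bin/sh
# Added example. Response bodies below are constructed from the index.html
# format in the Prerequisites section; ECS02 is assumed to use the same text.

# tally_backends < bodies   (one response body per line)
# Prints "BACKEND COUNT" per backend; anything else counts as UNRECOGNIZED
# (for example an error page or a failed request).
tally_backends() {
    awk '
        match($0, /This is ECS[0-9]+/) {
            count[substr($0, RSTART + 8, RLENGTH - 8)]++   # strip "This is "
            next
        }
        { count["UNRECOGNIZED"]++ }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# check_failover "EXPECTED ..." [STOPPED] < bodies
# Exit 0 only if every response came from an expected backend, each expected
# backend that is still running answered at least once, and the stopped
# backend (if named) answered nothing.
check_failover() {
    tally_backends | awk -v expected="$1" -v stopped="${2:-}" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        { seen[$1] = 1 }
        !($1 in ok) || $1 == stopped { bad = 1 }
        END {
            for (k in ok) if (k != stopped && !(k in seen)) bad = 1
            exit bad + 0
        }
    '
}

# Live use (hypothetical hostname):
#   for i in $(seq 1 20); do curl -s --max-time 5 http://www.example.com/ || echo FAILED; done \
#     | check_failover "ECS01 ECS02" ECS01

BEFORE='Hello World !  This is ECS01, service running on port 80.
Hello World !  This is ECS02, service running on port 80.
Hello World !  This is ECS02, service running on port 80.
Hello World !  This is ECS01, service running on port 80.'
AFTER='Hello World !  This is ECS02, service running on port 80.
Hello World !  This is ECS02, service running on port 80.
Hello World !  This is ECS02, service running on port 80.'

printf '%s\n' "$BEFORE" | tally_backends
printf '%s\n' "$AFTER" | check_failover "ECS01 ECS02" ECS01 && echo "failover OK: only ECS02 answers"
```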

Verify the performance of Anti-DDoS Origin

You can use the following features provided by Anti-DDoS Origin to view the protection performance.

  • On the Business Monitoring page, you can view the traffic trends and DDoS attack events of protected assets in real time.

  • On the Attack Analysis page, you can query and analyze the details of attacks on the Anti-DDoS Origin instance, including the attack type, attack traffic volume, and duration.

  • The Protection Logs page records the processing of traffic by Anti-DDoS Origin, including attack detection and traffic scrubbing. By analyzing the protection logs, you can further verify the effectiveness of the protection policies.
