
Global Accelerator:Use a GA instance to accelerate multiple domain names over HTTPS

Last Updated:May 22, 2024

This topic describes how to use a Global Accelerator (GA) instance to accelerate multiple domain names over HTTPS by configuring multiple certificates.

Scenarios

The example in this topic is based on the following scenario. An enterprise deployed two servers in the US (Silicon Valley) region for its headquarters. A web application that provides Internet-facing services by using different domain names is deployed on both servers. Most employees of the company need to access the web application from the China (Hong Kong) region. The company faces the following challenges:

  • The network connections that are established over the Internet are unstable. Network issues, such as network latency, network jitter, and packet loss, frequently occur.

  • Multiple servers provide Internet-facing services through two domain names. The company must configure content delivery acceleration for both domain names, which increases costs.


To resolve these issues, you can deploy GA and configure HTTPS listeners. HTTPS listeners support the following features, which accelerate access to multiple HTTPS domain names:

  • An HTTPS listener can be associated with multiple certificates and multiple domain names.

  • Domain name-based forwarding rules match requests against domain names and forward the requests to backend servers based on the match results.

  • Requests are encrypted, which increases the security of data transmission.

The following table describes the web servers of the company and the forwarding rules that are used by the HTTPS listener after the company uses GA to accelerate its web application.

Configuration item       | Domain name 1 (xxxtest.cloud)       | Domain name 2 (xxxtest.fun)
-------------------------|-------------------------------------|---------------------------------------
Listener protocol        | HTTPS                               | HTTPS
Listener port            | 443                                 | 443
Certificate              | Default certificate (Certificate A) | Additional certificate (Certificate B)
Forwarding rule          | Default forwarding rule             | Custom forwarding rule
Endpoint group           | Default endpoint group              | Virtual endpoint group
Server                   | Server 1                            | Server 2
Service protocol         | HTTP                                | HTTPS
Service port             | 80                                  | 443
Server public IP address | 47.XX.XX.62                         | 47.XX.XX.34

Note

The certificates are used to encrypt data that is transmitted from clients to GA. You can use the certificates that are installed on the backend servers to encrypt data that is transmitted from GA to the backend servers. The certificates on your GA instance can be the same as the certificates on the backend servers.

Prerequisites

  • An SSL certificate is purchased and a certificate application is submitted. For more information, see Purchase an SSL certificate and Submit a certificate application.

  • The certificate is uploaded to the backend servers. For more information, see Upload files to ECS instances.

  • An HTTP service that uses port 80 is deployed on Server 1 and an HTTPS service that uses port 443 is deployed on Server 2 by using NGINX.

  • The A records that map backend domain name 1 (xxxtest.cloud) and backend domain name 2 (xxxtest.fun) to the public IP addresses of the backend servers are created.

Note

In this example, NGINX is used to deploy the backend services and Alibaba Cloud DNS is used to configure DNS records.

  • For information about how to deploy NGINX, see Step 2: Install NGINX.

  • For information about how to configure DNS records, see Add a DNS record. If you use a third-party DNS resolution service, refer to the user guide provided by the service provider.

Procedure

Note

In this topic, a pay-as-you-go standard Global Accelerator instance is used to show how to configure Global Accelerator to accelerate multiple domain names over HTTPS. Before you create a pay-as-you-go standard Global Accelerator instance, take note of the following information:

  • GA instances use the pay-by-data-transfer metering method. You do not need to associate a basic bandwidth plan with pay-as-you-go GA instances. The billing of data transfer over the GA network is managed by Cloud Data Transfer (CDT). For more information, see Pay-by-data-transfer.

  • The first time you use a pay-as-you-go Global Accelerator instance, go to the pay-as-you-go GA activation page and activate Global Accelerator as prompted.

Step 1: Configure the basic information about an instance

  1. Log on to the GA console.

  2. On the Instances page, click Create GA Instance. Select Subscription Standard Instance or Pay-as-you-go Standard Instance based on your business requirements.

    In this example, Pay-as-you-go Standard Instance is selected.

  3. In the Basic Instance Configuration step, configure the following parameters and click Next.

    GA Instance Name
      Enter a name for the GA instance.

    Instance Billing Method
      Pay-As-You-Go is selected by default.
      You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard GA instances.

    Resource Group
      Select the resource group to which the standard GA instance belongs.
      The resource group must be a resource group created in Resource Management by the current Alibaba Cloud account. For more information, see Create a resource group.

Step 2: Add an acceleration area

By adding an acceleration area, you can specify the regions of the GA users and allocate bandwidth to the regions.

In the Configure acceleration areas step, configure the parameters and click Next. The following table describes the parameters.

Acceleration Area
  Select one or more regions from the drop-down list and click Add.
  In this example, the China (Hong Kong) region of Asia Pacific is selected.

Assign Bandwidth: Bandwidth
  Specify the bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s.
  The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT.
  In this example, the default value 200 Mbit/s is used.
  Important: If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.

IP Protocol
  Select the IP version that is used to connect to GA.
  In this example, the default value IPv4 is selected.

ISP Line Type
  Select an ISP line type for the GA.
  BGP (Multi-ISP) is selected in this example.

Step 3: Configure a listener

A listener listens for connection requests and distributes the requests to endpoints based on the port and protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoints in the endpoint group.

In the Configure listener step, configure the following parameters and click Next.

Listener Name
  Enter a name for the listener.

Routing Type
  Select a routing type.
  In this example, Intelligent Routing is selected.

Protocol
  Select a protocol for the listener.
  In this example, HTTPS is selected.

Port
  Specify a port for the listener to receive and forward requests to endpoints. Valid values: 1 to 65499.
  In this example, the value is set to 443.

Server Certificate
  Select the server certificate that you obtained.
  In this example, Certificate A is selected.

TLS Security Policies
  Select the TLS security policy required by your service.
  A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. For more information about TLS security policies, see TLS security policies.
  In this example, the default policy tls_cipher_policy_1_0 is used.

Client Affinity
  Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application.
  In this example, Source IP is selected.

Custom HTTP Headers
  Select the HTTP headers that you want to add.
  In this example, the default settings are used.
  The following custom HTTP headers are available:
  • Obtain the GA instance ID by using the GA-ID header
  • Obtain the information about the acceleration region by using the GA-AP header
  • Obtain the listening protocol of the GA instance by using the GA-X-Forward-Proto header
  • Obtain the listening port of the GA instance by using the GA-X-Forward-Port header
  • Obtain client IP addresses by using the X-Real-IP header

Step 4: Configure an endpoint group and endpoints

  1. In the Configure an endpoint group step, configure an endpoint group, add endpoints to the endpoint group, and then click Next.

    This topic describes only the key parameters. For more information, see Add and manage endpoint groups of intelligent routing listeners.

    Region
      Select the region where the endpoint group is deployed.
      In this example, US (Silicon Valley) is selected.

    Endpoint Configuration
      Client requests are routed to endpoints. To add an endpoint, set the following parameters:
      • Backend Service Type: Select Alibaba Cloud Public IP.
      • Backend Service: Enter the IP address of the backend service that you want to accelerate. In this example, 47.XX.XX.62 is entered, which is the public IP address of Server 1.
      • Weight: Enter a weight for the endpoint. Valid values: 0 to 255. Global Accelerator routes network traffic to endpoints based on the weights of the endpoints. In this example, the default value 255 is used.
      Warning: If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution.

    Preserve Client IP
      By default, client IP address preservation is enabled. This feature allows you to view client IP addresses on backend servers. HTTP listeners can retrieve client IP addresses from the X-Forwarded-For HTTP header. For more information, see Preserve client IP addresses.

    Backend Service Protocol
      Select the protocol that is used by backend servers.
      In this example, the default value HTTP is used.

    Port Mapping
      If the listener port and the port that is used by the endpoint to provide services are different, you must configure this parameter.
      • Listener Port: Enter the port of the current listener. In this example, the value is set to 443.
      • Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, 80 is used.

    Traffic Distribution Ratio
      Specify a traffic distribution ratio for the endpoint group. Valid values: 0 to 100.
      In this example, the default value 100 is used.

    Health Check
      Specify whether to enable the health check feature.
      After you enable this feature, you can use health checks to check the status of endpoints. For more information about the health check feature, see Enable and manage health checks.
      In this example, the health check feature is disabled.

  2. In the Configuration Review step, check the configurations and click Submit.

    Note

    It takes 3 to 5 minutes to create a Global Accelerator instance.

  3. (Optional) After you create a GA instance, you can click the instance ID on the Instances page to view the configurations of the instance. On the instance details page, you can click tabs such as Instance Information, Listeners, and Acceleration Areas to view more details.

  4. Configure a virtual endpoint group.

    1. On the instance details page, click the Listeners tab.

    2. On the Listeners tab, find the listener that you want to manage and click the endpoint group ID in the Default Endpoint Group column.

    3. On the Endpoint Group tab, click Add Virtual Endpoint Group in the Virtual Endpoint Group section.

    4. On the Add Endpoint Group page, configure the parameters based on the following information and click Create.

      The configurations of the virtual endpoint group are the same as those of the default endpoint group that you created in Step 4-1, except for the following parameters.

      • Backend Service Type: Select Alibaba Cloud Public IP.

      • Backend Service: Enter 47.XX.XX.34, which is the public IP address of Server 2.

      • Backend Service Protocol: Select HTTPS.

      • Port Mapping: You do not need to add a port mapping.

        If the listener port is the same as the port over which the endpoint provides services, you do not need to add a port mapping. Global Accelerator automatically forwards client requests to the listener port of the endpoint.

Step 5: Associate an additional certificate

You can associate multiple domain names with an HTTPS listener by associating an additional certificate with the listener. Based on the additional certificate and forwarding rules, GA can distribute requests that are destined for different domain names to different virtual endpoint groups.

You can perform the following operations to associate Certificate B with the HTTPS listener, which associates domain name 2 (xxxtest.fun) with the listener.

  1. On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.

  2. On the listener details page, click the Certificates tab.

  3. On the Certificates tab, click Associate Certificate in the Additional Certificate section.

  4. In the Associate Certificate dialog box, configure the additional certificate and click OK.

    • Certificate: Select the certificate that you want to associate. In this example, Certificate B is used.

    • Associated Domain Name: Select one or more domain names that you want to accelerate by using Global Accelerator. The certificate is associated with the selected domain names. In this example, xxxtest.fun, which is domain name 2, is selected.

Step 6: Add a forwarding rule

When an HTTPS listener receives requests, it forwards requests that meet the conditions in forwarding rules to the associated endpoint groups. If the requests do not match any custom forwarding rule, the HTTPS listener forwards the requests to the default endpoint group in the default forwarding rule.

You can perform the following operations to add a custom forwarding rule for the virtual endpoint group that is associated with Server 2. This way, the requests that are destined for xxxtest.fun can be forwarded to Server 2.

  1. On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.

  2. On the listener details page, click Forwarding Rule.

  3. On the Forwarding Rule tab, click Add Forwarding Rule.

  4. In the Add Forwarding Rule section, configure the parameters and click OK. The parameters are described as follows.

    Name
      Enter a name for the forwarding rule.

    If (Matching All Conditions)
      Select a match condition for the forwarding rule.
      In this example, Host is selected and the xxxtest.fun domain name is entered.

    Then
      Select a forwarding action.
      In this example, Forward is selected and the virtual endpoint group that you created in Step 4: Configure an endpoint group and endpoints is selected.

Step 7: Configure CNAME records

Before the requests that are destined for domain name 1 and domain name 2 can be forwarded to GA, you must map xxxtest.cloud and xxxtest.fun to the CNAME assigned to the GA instance.

  1. Log on to the Alibaba Cloud DNS console.
  2. If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS.

    Note

    If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS before you configure a DNS record. For more information, see the "Add a domain name" section of the Manage domain names topic. If your domain name is registered by using Alibaba Cloud Domains, skip this step.

  3. On the Domain Name Resolution page, find domain name 1 (xxxtest.cloud) and click DNS Settings in the Actions column.

  4. On the DNS Settings page, find the A record and click Modify in the Actions column.

  5. In the Modify DNS Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the Global Accelerator instance, and then click OK.

    You can view the CNAME assigned to the Global Accelerator instance on the Instances page.

  6. Modify the A record of domain name 2 (xxxtest.fun) and add a CNAME record for the domain name.

    Repeat Step 3 to Step 5.

Note

If you want to return resolution results based on the region to which a client belongs, make sure that Alibaba Cloud DNS is upgraded to Enterprise Standard Edition or Enterprise Ultimate Edition. For more information, see Renewal and upgrade.

After the upgrade is complete, you can change the default ISP line of the existing A record to the ISP line of a specific region and add a CNAME record that maps the website domain name to the CNAME assigned to the Global Accelerator instance.

Step 8: Test the acceleration performance

Use both domain names to test the connectivity to the web application that is deployed in the US (Silicon Valley) region. Then, check whether access to the domain names is accelerated.

Note

  • In this example, the Alibaba Cloud Linux 3 operating system is used. The command that is used to test the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.

  • The test result varies based on the actual workloads. Global Accelerator

  1. Open the CLI on an on-premises machine in the China (Hong Kong) region.

  2. Run the following command to ping domain name 1 (xxxtest.cloud) and domain name 2 (xxxtest.fun) to check whether the CNAME records take effect:

    ping <Website domain name>

    If the CNAME in the output is the same as the CNAME assigned by GA, the CNAME record takes effect.


  3. Run the following command for domain name 1 (xxxtest.cloud) and domain name 2 (xxxtest.fun) to test the network connectivity:

    curl -v https://<The domain name> --resolve <The domain name>:<The listener port>:<The accelerated IP address>

    In this example, the test result of domain name 1 (xxxtest.cloud) is shown. If the response contains the server certificate information and the HTTPS response, the domain name is accessible.


  4. For information about how to verify the acceleration performance, see Perform instant detection to test the acceleration performance of GA.
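The checks in this step, scripted as an added example (not code from the original topic or from Alibaba Cloud): for each domain it confirms that DNS now resolves through the GA CNAME and that the HTTPS listener presents a certificate whose SAN list covers the name sent in SNI, which is how Certificate A and Certificate B are selected. It assumes dig and openssl are installed; GA_CNAME is a placeholder to be replaced with the CNAME shown on the Instances page.

```shell
#!/bin/sh
# Post-deployment check for the accelerated domains. For each domain:
#   1. the DNS resolution chain must contain the GA CNAME, and
#   2. the HTTPS listener must present a certificate whose SAN list covers
#      the SNI name that was sent (Certificate A for xxxtest.cloud,
#      Certificate B for xxxtest.fun).
# Assumes dig and openssl are installed. GA_CNAME is a placeholder; replace
# it with the CNAME shown on the Instances page.

GA_CNAME="${GA_CNAME:-ga-placeholder.example.invalid}"
LISTENER_PORT="${LISTENER_PORT:-443}"

# cname_points_to_ga GA_CNAME DIG_OUTPUT
# Succeeds when the chain (dig +short output, one record per line, trailing
# dots allowed) contains the GA CNAME.
cname_points_to_ga() {
  printf '%s\n' "$2" | sed 's/\.$//' | grep -qxF "$1"
}

# san_covers_host HOST SAN_LIST
# Succeeds when the comma-separated "DNS:name" list (as printed by
# openssl x509 -ext subjectAltName) covers HOST. A wildcard matches exactly
# one label, as browsers require: *.xxxtest.fun does not cover a.b.xxxtest.fun.
san_covers_host() {
  host=$1
  parent=${host#*.}
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *DNS://' \
    | grep -qxF -e "$host" -e "*.$parent"
}

# check_domain DOMAIN: live check against DNS and the listener (needs network).
check_domain() {
  domain=$1
  chain=$(dig +short "$domain")
  if ! cname_points_to_ga "$GA_CNAME" "$chain"; then
    echo "FAIL $domain: not CNAMEd to $GA_CNAME"
    return 1
  fi
  # -servername sends the SNI that the listener uses to pick the certificate.
  sans=$(openssl s_client -connect "$domain:$LISTENER_PORT" -servername "$domain" \
           </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName | tail -n +2)
  if ! san_covers_host "$domain" "$sans"; then
    echo "FAIL $domain: listener served a certificate for [$sans], not for $domain"
    return 1
  fi
  echo "OK   $domain: CNAME and certificate are correct"
}

# Usage: sh check_ga_domains.sh xxxtest.cloud xxxtest.fun
for d in "$@"; do check_domain "$d"; done
```

A FAIL on the certificate check for xxxtest.fun while xxxtest.cloud passes usually means the additional certificate from Step 5 is not associated with that domain name, so the listener falls back to the default certificate.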