Use a single Global Accelerator (GA) instance to accelerate multiple HTTPS domains by binding multiple certificates to one listener and routing requests per domain with forwarding rules.
Use cases
A company headquartered in US (Silicon Valley) runs two web services on Alibaba Cloud, each accessible through a different domain name. Clients are primarily in the China (Hong Kong) region. The company faces two problems:
-
Unstable internet connections cause high latency, jitter, and packet loss.
-
Accelerating each domain separately drives up costs.
To solve both problems, the company uses GA with an HTTPS listener that supports:
-
Multiple certificates — bind multiple certificates to one listener, each associated with a different domain name.
-
Domain-based forwarding rules — route requests for each domain to the corresponding backend server.
-
Data encryption — all client requests are encrypted end-to-end.
The following table shows the configuration for this example.
| Parameter | Domain name 1 (_xxx_test.cloud) |
Domain name 2 (_xxx_test.fun) |
|---|---|---|
| Listener protocol | HTTPS | |
| Listener port | 443 | |
| Certificate | Default certificate A | Additional certificate B |
| Forwarding rule | Default forwarding rule | Custom forwarding rule |
| Endpoint group | Default endpoint group | Virtual endpoint group |
| Server | Server 1 | Server 2 |
| Server service agreement | HTTP | HTTPS |
| Server service port | 80 | 443 |
| Server public IP address | 47.XX.XX.62 | 47.XX.XX.34 |
Certificates configured in GA encrypt data on the client-to-GA path. Certificates on backend servers encrypt data on the GA-to-backend-server path. The two sets of certificates can be identical.
Prerequisites
Before you begin, ensure that you have:
-
Purchased an SSL certificate and submitted a certificate application. For more information, see Purchase an SSL certificate and Submit a certificate application
-
Uploaded the certificate to your backend servers. For more information, see Use Cloud Assistant to upload a file to ECS instances
-
Deployed an HTTP service on port 80 on Server 1 and an HTTPS service on port 443 on Server 2
-
Configured A records for
_xxx_test.cloudand_xxx_test.funpointing to the public IP addresses of the respective backend servers
This example uses Nginx to configure the backend HTTP and HTTPS services, and Alibaba Cloud DNS to configure DNS records. If you use a third-party DNS service, refer to that provider's documentation.
Procedure
This topic uses a standard pay-as-you-go GA instance. Pay-as-you-go instances use the Pay-by-data-transfer billing method and do not require a bandwidth plan. Data transfer fees are settled by Cloud Data Transfer (CDT). For details, see Data transfer fee. If this is your first time using a pay-as-you-go GA instance, activate the service first.
Step 1: Configure basic instance information
-
Log on to the GA console.
-
On the Instances page, click Create Standard Pay-as-you-go Instance.
-
In the Basic Instance Configuration step, set the following parameters and click Next.
Parameter Description GA Instance Name Enter a name for the GA instance. Instance Billing Method Pay-As-You-Go is selected by default. You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees. For details, see Billing of pay-as-you-go GA instances and Pay-by-data-transfer. Resource Group Select the resource group for this instance. The resource group must belong to the current Alibaba Cloud account. For details, see Create a resource group.
Step 2: Configure an acceleration area
Specify acceleration regions and allocate bandwidth to each region.
In the Configure Acceleration Area step, set the following parameters and click Next.
| Parameter | Description |
|---|---|
| Acceleration Area | Select one or more regions and click Add. In this example, select China (Hong Kong) in the Asia Pacific section. |
| Maximum Bandwidth | Specify the maximum bandwidth for the acceleration region. Valid values: 2–10,000 Mbit/s. This value is used for bandwidth throttling; data transfer fees are managed by CDT. In this example, the default value 200 Mbit/s is used. Important
Setting too low a value may cause throttling and packet drops. Set this based on your actual traffic volume. |
| IP Protocol | Select the IP version for connecting to GA. In this example, the default value IPv4 is selected. |
| ISP Line Type | Select an ISP line type. BGP (Multi-ISP) is selected in this example. |
Step 3: Configure a listener
A listener receives connection requests and distributes them to endpoints based on the port and protocol. Each listener is associated with an endpoint group that determines where traffic is sent.
In the Configure listeners step, set the following parameters and click Next.
| Parameter | Description |
|---|---|
| Listener Name | Enter a name for the listener. |
| Routing Type | Select a routing type. In this example, Intelligent Routing is selected. |
| Protocol | Select HTTPS. |
| Port | Enter 443. Valid values: 1–65499. |
| Server Certificate | Select the server certificate that you obtained. In this example, Certificate A is selected. |
| TLS Security Policies | Select the TLS security policy required by your service. A TLS security policy specifies the supported TLS protocol versions and cipher suites. For details, see TLS security policies. In this example, the default policy tls_cipher_policy_1_0 is used. |
| Client Affinity | Specify whether to enable client affinity. When enabled, all requests from the same client are directed to the same endpoint. In this example, Source IP Address is selected. |
| Custom HTTP Headers | Select the HTTP header fields to add. In this example, the default configurations are used. The available header fields are: GA-ID (GA instance ID), GA-AP (acceleration region), GA-X-Forwarded-Proto (listener protocol), GA-X-Forwarded-Port (listener port), and X-Real-IP (client IP address). |
Step 4: Configure endpoint groups and endpoints
-
In the Configure an endpoint group step, set the following parameters and click Next. For a full parameter reference, see Add and manage endpoint groups of smart routing listeners.
Parameter Description Region Select the region where the endpoint group is deployed. In this example, US (Silicon Valley) is selected. Endpoint Configuration Configure endpoints as the destinations for client requests: Backend Service Type: Select Alibaba Cloud Public IP Address. Backend Service: Enter the public IP address of Server 1: 47.XX.XX.62. Weight: Enter a weight for the endpoint. Valid values: 0–255. GA distributes traffic proportionally to the weights. In this example, keep the default value 255.WarningSetting an endpoint weight to 0 stops all traffic to that endpoint.
Preserve Client IP Client IP address preservation is enabled by default for HTTPS listeners. Backend servers can retrieve client IP addresses directly. For HTTP listeners, use the X-Forwarded-Forheader. For details, see Preserve client IP addresses.Backend Service Protocol Select the protocol used by the backend server. The default is HTTP. Port Mapping Configure port mapping when the listener port differs from the endpoint's service port. Listener Port: 443. Endpoint Port:80.Traffic Distribution Ratio Specify the traffic ratio for this endpoint group. Valid values: 0–100. In this example, the default value 100% is used. Health Check Specify whether to enable health checks. In this example, health checks remain disabled. -
On the Configuration Review page, confirm the configuration and click Submit.
It takes 3 to 5 minutes to create a GA instance.
-
(Optional) After the instance is created, click Enter Instance Details. On the instance details page, select the Instance Information, Listeners, and Acceleration Areas tabs to review the configuration.
-
Add a virtual endpoint group for Server 2.
-
On the instance details page, click the Listeners tab.
-
Find the listener and click the endpoint group ID in the Default Endpoint Group column.
-
On the Endpoint Group tab, click Add Virtual Endpoint Group in the Virtual Endpoint Group section.
-
On the Add Endpoint Group page, configure the following parameters and click Create. The virtual endpoint group uses the same settings as the default endpoint group, except for:
-
Backend Service Type: Alibaba Cloud Public IP Address
-
Backend Service:
47.XX.XX.34(Server 2) -
Backend Service Protocol: HTTPS
-
Port Mapping: No port mapping needed. When the listener port and the endpoint port are the same (both 443), GA forwards requests on the same port automatically.
-
-
Step 5: Associate an additional certificate
Bind Certificate B to the HTTPS listener to associate domain name 2 (_xxx_test.fun) with it. Combined with a forwarding rule, this lets GA route requests for different domains to different endpoint groups.
-
On the Listeners tab, find the HTTPS listener and click its listener ID.
-
On the listener details page, click the Certificates tab.
-
In the Additional Certificate section, click Associate Certificate.
-
In the Associate Certificate dialog box, set the following parameters and click OK.
-
Certificate: Select Certificate B.
-
Associated Domain Name: Select
_xxx_test.fun.
-
Step 6: Add a forwarding rule
When the listener receives a request, it checks custom forwarding rules first. If a rule matches, GA sends the request to the corresponding endpoint group. If no rule matches, GA sends it to the default endpoint group.
Create a forwarding rule that routes all requests for _xxx_test.fun to the virtual endpoint group (Server 2).
-
On the Listeners tab, find the HTTPS listener and click its listener ID.
-
On the listener details page, click the Forwarding Rule tab.
-
Click Add Forwarding Rule.
-
In the Add Forwarding Rule area, set the following parameters and click OK.
Parameter Description Name Enter a name for the forwarding rule. If (Matching All Conditions) Select Domain Names and enter _xxx_test.fun.Then Select Forward and select the virtual endpoint group created in Step 4.
Step 7: Configure CNAME records
Map both domain names to the GA instance's CNAME so that access requests are forwarded through GA for acceleration.
-
Go to the Public Zone page and find
_xxx_test.cloud. Click Settings in the Actions column.For domain names not registered with Alibaba Cloud, add the domain name to the Cloud DNS console before configuring DNS records.
-
Find the existing A record and click Edit in the Actions column.
-
In the Edit Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the GA instance, and click OK. The CNAME appears on the Instances page.
-
Repeat the preceding steps to update the A record for
_xxx_test.fun.
To return resolution results based on the client's region, upgrade Alibaba Cloud DNS to Enterprise Ultimate Edition. For details, see Renewal and upgrade. After upgrading, change the default DNS line of each A record to a specific regional line and add a CNAME record pointing to the GA instance's CNAME address.
Step 8: Test the connectivity
Use both domain names to verify the configuration and acceleration.
The following commands use Alibaba Cloud Linux 3. Commands may vary by operating system. The acceleration results depend on your actual network conditions.
Test the network connectivity
-
Open a terminal on a machine in the China (Hong Kong) region.
-
Run the following command for each domain name to verify that the CNAME record has taken effect.
ping <Website domain name>If the CNAME in the output matches the CNAME assigned by GA, the record is active.

-
Run the following command for each domain name to confirm that the website is accessible and the certificate is returned correctly.
curl -v https://<The domain name> --resolve <The domain name>:<The listener port>:<The accelerated IP address>This example shows the result for
_xxx_test.cloud. If the response includes server certificate information and an HTTPS response, the domain is accessible.
Test acceleration
To measure the acceleration performance, see Test the acceleration performance of GA.