Global Accelerator (GA) offers web service providers a cross-border acceleration solution.
GA is integrated with Anti-DDoS Pro and Web Application Firewall (WAF) to mitigate
DDoS attacks and web attacks based on high-bandwidth BGP lines and the global transmission
network of Alibaba Cloud. Global Traffic Manager (GTM) can interact with GA to conduct
fault isolation or traffic failovers.
Background information
A web service is deployed on Alibaba Cloud in US (Silicon Valley). The origin servers
are four Elastic Compute Service (ECS) instances associated with Alibaba Cloud elastic
IP addresses (EIPs). The web service is deployed on the ECS instances with the domain
name www.example.us that is registered outside mainland China. The forwarding port
is TCP port 9000. The web service may encounter the following issues:
- The domain name of the web service is registered outside mainland China and cannot
be hosted on servers in mainland China. However, the majority of users are located
in mainland China.
- The web service frequently suffers from web attacks and DDoS attacks, which severely
degrades the security and availability of the web service.
- The cross-border network is unstable. Network issues, such as network latency, network
jitter, and packet loss, may frequently occur and degrade the performance of the web
service.
- The origin servers are unstable and services may be interrupted.

The preceding figure shows how to deploy a GA service to interact with Anti-DDoS Pro,
WAF, and GTM. This solution allows you to resolve the preceding issues.
- Anti-DDoS Pro can mitigate DDoS attacks.
The Anti-DDoS Pro service is deployed in tap mode. Anti-DDoS Pro is triggered only
in specific scenarios. This ensures service quality when no DDoS attack occurs and
enhances protection when DDoS attacks are detected.
- GA can accelerate content delivery between the origin servers and users in accelerated
areas.
Users in mainland China send requests to the Alibaba Cloud acceleration network from
the access points in the China (Hong Kong) region. The system forwards the requests
to the origin servers in the US (Silicon Valley) region by using intelligent routing
and automatic network traffic distribution.
- WAF can protect your website against a variety of web attacks.
WAF can detect and block malicious Internet traffic. Non-malicious network traffic
is forwarded to the IP addresses of the origin servers. WAF ensures security, stability,
and availability of the origin servers.
- GTM can be used to isolate malfunctioning servers or switch network traffic among multiple
origin servers.
- When the primary server group is working as expected, all user traffic is forwarded
to the primary server group.
- When the primary server group is unavailable, traffic is directed to the secondary
server group. After the primary server recovers, traffic is switched back to the primary
server group.
Procedure
Step 1: Create a GTM instance
GTM is a traffic management service that allows you to manage network traffic from
clients in a fine-grained way.
To create a GTM instance, perform the following steps:
- Log on to the Alibaba Cloud DNS console.
- In the left-side navigation pane, click Global Traffic Manager.
- On the Global Traffic Manager page, click Create Instance.
- On the buy page, set the following parameters.
- Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.
- Quantity: The number of GTM instances that you want to purchase.
- Service Time: The service duration of the GTM instance.
- Click Buy Now and complete the payment.
Step 2: Configure an access policy
Access policies allow GA to forward requests from different access points to different
origin servers. You can also specify secondary origin servers to meet your business
demands.
To configure an access policy for GTM, perform the following steps:
- Log on to the Alibaba Cloud DNS console.
- In the left-side navigation pane, click Global Traffic Manager.
- On the Global Traffic Manager page, find the GTM instance that you want to manage, click Configure in the Actions column.
- In the Select Configuration Method dialog box, select Quick Start.
- In the Access Policy Configurations wizard, set the following parameters:
- Policy Name: Enter a name for the access policy.
- DNS Request Sources: Select a request source.
After you specify a region as the request source, when users in this region send requests
to the service, GTM distributes the requests to the specified origin server address
pool. Global is selected in this example.
- Primary Address Pool Set: Click the Primary Address Pool Set tab.
Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.
Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon
Valley) region to the primary address pool. Then, configure health checks and select
the primary address pool. For more information about how to configure health checks, see TCP health checks.
- Secondary Address Pool Set: Click Secondary Address Pool Set.
Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified
by Primary Address Pool Set is unavailable.
Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to
the secondary address pool. Then, configure health checks and select the secondary
address pool. For more information about how to configure health checks, see TCP health checks.
- Click Next.
Step 3: Configure basic information
After you configure the access policy, you must specify the basic information about
the GTM instance. The information includes the domain name, CNAME, global time-to-live
(TTL) value, and alert group.
To configure the basic information about GTM, perform the following steps:
- In the Basic Configuration wizard, set the following parameters:
- Instance Name: Enter an instance name.
An instance name is used to identify the service to which the instance applies.
- Domain Name (Public): Enter a domain name to be accessed by the client. www.example.us is used in this example.
- CNAME Access Domain Name: Specify the type of the CNAME for the domain name.
- Assigned Access Domain Name: Select this option if the IP address pool contains only Alibaba Cloud IP addresses
or IP addresses outside mainland China.
- Custom Access Domain Name: Select this option if the IP address pool contains IP addresses of data centers.
In this example, the address pool contains only EIPs. Therefore, Assigned Access Domain Name is selected in this example.
- Global TTL: The validity period of the IP address to which the domain name is resolved. 1 minute(s) is selected in this example.
You can use GTM to manage network traffic based on domain names. Global TTL specifies
the TTL of the IP address that is cached in the DNS system of the Internet service
provider (ISP). By default, the global TTL is set to 1 minute. If you use a custom
domain name, the global TTL must be the same as the minimum TTL supported by the Cloud
DNS plan of the custom domain name.
- Alert Group: the contact group to which a notification is sent when an exception is detected
in your workloads.
Note
- If you have not configured an alert group, log on to the CloudMonitor console and
add a contact group. For more information, see Create an alert contact or alert contact group.
- If you have configured a contact group but want to configure the basic information
as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud
account to authorize the RAM user. After the RAM user is authorized, you can log on
as a RAM user to read messages sent to the alert group.
- Click Complete.
After you configure the basic information, the system automatically allocates a CNAME
to the domain name. User requests destined for the CNAME are resolved to the IP address
of the scheduled origin server.
Step 4: Activate WAF
WAF provides security protection based on big data technologies of Alibaba Cloud Security.
It defends against common attacks defined by Open Web Application Security Project
(OWASP), including SQL injections, Cross-Site Scripting (XSS) attacks, exploits of
vulnerabilities in web server plug-ins, Trojan uploads, and unauthorized access to
core resources. WAF blocks volumetric HTTP flood attacks to prevent the exposure of
website assets and data, and to ensure website security and availability.
This step describes how to purchase a subscription WAF instance.
- Go to Alibaba Cloud International Site and log on to the WAF page with your Alibaba Cloud account.
- Click Buy Now.
- On the Web Application Firewall buy page, set the following parameters.
- Region: Select the region where the WAF instance is deployed.
In this example, the WAF instance is located in the US (Silicon Valley) region. Therefore,
International is selected.
- Deployment: Select a plan for WAF. On-cloud WAF is selected in this example.
- Plan: Select the edition of WAF that you want to activate.
Different WAF editions are applicable to various business scales and provide different
protection features. For more information, see WAF deployment plans and editions.
Enterprise is selected in this example.
- Extra Domain: Specify the number of additional domain names.
If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase
additional domain names. For more information, see Additional domain names.
Additional domain names are not purchased in this example.
- Exclusive IP: Specify the number of exclusive IP addresses.
You can purchase an exclusive IP address when your domain name needs WAF protection
through an exclusive IP address. For more information, see Exclusive IP addresses.
Exclusive IP addresses are not purchased in this example.
- Extra Traffic: Specify the additional bandwidth value. Unit: Mbit/s.
If you require additional bandwidth, you can purchase an additional bandwidth plan.
For more information, see additional bandwidth plans.
100Mbps is selected in this example.
- GSLB: Select whether to enable global load balancing.
Global load balancing uses the multi-node resilience technology. It distributes network
traffic based on multiple nodes or lines to implement disaster recovery and improve
service reliability. No is selected in this example.
- Access Log Service: Select whether to activate Log Service.
Log Service retrieves log data from WAF in real time and stores the data. You can
query and analyze the log data, and generate analytics reports online. No is selected in this example.
- Bot Manager: Select whether to enable this feature.
- Mobile App Protection: Select whether to enable this feature.
You can enable this feature if your business supports native applications and you
have security requirements for your business, such as trusted communication and prevention
of bot scripts. For more information, see Configure application protection.
No is selected in this example.
- Validity Period: Select the duration of the WAF service.
- Click Buy Now and pay for the order.
Step 5: Add website configurations
After WAF is activated, you must configure the forwarding rules for the website protected
by WAF.
Perform the following steps to route user traffic to WAF before it reaches the domain
name protected by WAF:
- Log on to the WAF console.
- In the top navigation bar, select the region of your WAF instance. International is selected in this example.
- In the left-side navigation pane, choose .
- On the Website Access page, click Website Access.
- Optional: On the Add Domain Name page, click Manually Add Other Websites.
Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
- Follow the Add Domain Name wizard to complete the configuration.
- Domain Name: Enter the domain name that needs WAF protection. www.example.us is used in this example.
Note
- You can enter a specific domain name, such as www.aliyun.com, or a wildcard domain name,
such as *.aliyun.com.
- If you use a wildcard domain name, WAF automatically searches for domain names that
match the specified wildcard domain name.
- If you configure both a wildcard domain name and a specific domain name for a website,
forwarding rules and protection policies of the specific domain name prevail over
those of the wildcard domain.
- Domain names suffixed with .edu are not supported. If you need to use a .edu
domain name, submit a ticket to request technical support.
- Protocol Type: Select the protocol supported by the website. HTTP is selected in this example.
Note
- If your website supports HTTPS, select HTTPS, and upload the certificate and the private
key file after you set website parameters. For more information, see Upload an HTTPS certificate.
- After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient
access to your website. For more information, see Manually add domain name configurations.
- To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
- Your WAF is upgraded to Business or Enterprise Edition.
- HTTPS is selected.
- Destination Server (IP Address): Select a server address type and enter the address of the origin server.
You can select IP or Domain Name (Such as CNAME). After your website is connected to WAF,
WAF filters and redirects requests to this IP address. In this example, Domain Name (Such as CNAME)
is selected, and the CNAME that is assigned to GTM after you configure the basic
information in Step 3 is used. For more information, see Step 3: Configure basic information.
- Destination Server Port: Specify the service port of the website.
WAF receives and forwards traffic for your website through the specified ports. The
user traffic destined for the website domain name is forwarded only through the specified
service ports. WAF does not forward traffic that it receives on unspecified ports to the
origin servers. Therefore, these ports pose no security threat to the origin servers,
even if they are enabled on the origin servers or have vulnerabilities.
Notice The protocol and port must be the same as those of the origin server IP address. You
cannot change the port after it is specified.
The custom port 9000 is specified in this topic.
Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports
443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard
ports, and have corresponding limits on the total number of ports used by the protected
domain name. For more information, see View the allowed port range.
- Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load
balancing.
- Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.
- Enable Traffic Mark: Specify whether to enable the traffic mark feature. If you want to mark requests
that pass through WAF, you can enable this feature. After you enable this feature,
requests that pass through WAF are marked and other requests are not marked. When
you enable this feature, you must specify a custom HTTP header field. The header field
consists of Header Field Name and Header Field Value. This feature is enabled in this example.
Note Do not specify a standard HTTP header field, such as User-Agent. Otherwise, the value
of the standard header field is overwritten by the custom field value.
- Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.
- Click Next to view the WAF IP address, and then click Completed. Return to the website list.
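The traffic mark configured above lets the origin servers tell requests that passed through WAF from requests sent straight to their EIPs. The following is an added example, not part of the original procedure or Alibaba Cloud's own code: a Python WSGI middleware for the origin that rejects unmarked requests. The header name, header value, and the assumption that the origin runs a WSGI application are all hypothetical.

```python
import hmac
from wsgiref.util import setup_testing_defaults

# Hypothetical values: use the Header Field Name and Header Field Value that
# you entered for Enable Traffic Mark in the WAF console.
MARK_HEADER = "X-Waf-Traffic-Mark"
MARK_VALUE = "constructed-sample-value"

# Per the note above, a standard header used as the mark has its value
# overwritten, so the middleware refuses to be configured with one.
STANDARD_HEADERS = {"user-agent", "host", "cookie", "referer", "accept",
                    "authorization", "content-type", "content-length"}


def environ_key(header_name):
    """Map an HTTP header name to its WSGI environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


class RequireTrafficMark:
    """WSGI middleware that answers 403 unless the WAF traffic mark is present."""

    def __init__(self, app, header, value):
        if not header or not value:
            raise ValueError("header field name and value are both required")
        if header.lower() in STANDARD_HEADERS:
            raise ValueError(f"{header} is a standard header; choose a custom name")
        self._app = app
        self._key = environ_key(header)
        self._value = value.encode("latin-1")

    def __call__(self, environ, start_response):
        presented = environ.get(self._key, "").encode("latin-1", "replace")
        # Constant-time comparison, so response timing does not leak the value.
        if hmac.compare_digest(presented, self._value):
            return self._app(environ, start_response)
        body = b"request did not pass through WAF\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def origin_app(environ, start_response):
    """Stand-in for the web service on the origin servers."""
    body = b"hello from the origin\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def probe(app, headers):
    """Send one constructed request through `app` and return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ[environ_key(name)] = value
    seen = []
    b"".join(app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    protected = RequireTrafficMark(origin_app, MARK_HEADER, MARK_VALUE)
    print(probe(protected, {MARK_HEADER: MARK_VALUE}))  # request marked by WAF
    print(probe(protected, {}))                          # request sent to the EIP directly
```

Treat the header value as a shared secret between WAF and the origin, and change it in both places if it is disclosed.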
Step 6: Create a GA instance
- Log on to the Global Accelerator console.
- On the Instances page, click Create Instance.
- On the buy page, configure the parameters, click Buy Now, and then complete the payment.
- Select a specification for the GA instance. In this example, Medium Ⅰ is selected.
- Select a subscription period for the GA instance.
After the instance is created, the system automatically assigns a CNAME to the instance.
The CNAME is used to resolve the domain name of the origin servers.

Step 7: Purchase and associate with a basic bandwidth plan
A basic bandwidth plan provides bandwidth for data transmission over the Internet
and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic
bandwidth plan and bind the plan to the GA instance.
- On the Instances page, click Purchase Basic Bandwidth Plan.
- On the buy page, set the following parameters, click Buy Now, and then pay for the order.
- Bandwidth Type: Select the type of the basic bandwidth plan.
In this example, the domain name of the origin server is registered outside China
and cannot be hosted on servers in mainland China. Premium is selected to allow users in mainland China to access the web services deployed
in the US (Silicon Valley) region through the premium Internet in Hong Kong.
The following types of basic bandwidth plans are supported: basic, enhanced, and premium.
The following table shows that the acceleration type, accelerated backend service,
and acceleration scope of a basic bandwidth plan vary based on the bandwidth type.
Bandwidth type | Acceleration type | Accelerated backend service | Acceleration scope
Basic | Applications that are deployed on Alibaba Cloud | Public IP addresses provided by Alibaba Cloud; Elastic Compute Service (ECS); Classic Load Balancer (CLB) (formerly known as SLB); Application Load Balancer (ALB); Object Storage Service (OSS) | By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland.
Enhanced | Applications that are deployed on Alibaba Cloud; applications that are not deployed on Alibaba Cloud | Public IP addresses provided by Alibaba Cloud; ECS; CLB (formerly known as SLB); ALB; OSS; custom IP addresses; custom domain names | By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland.
Premium | Applications that are deployed on Alibaba Cloud; applications that are not deployed on Alibaba Cloud | Public IP addresses provided by Alibaba Cloud; ECS; CLB (formerly known as SLB); ALB; OSS; custom IP addresses; custom domain names | By default, the acceleration region and the region where the backend service is deployed are located in the areas outside the Chinese mainland. If you want to accelerate data transfer between the Chinese mainland and other areas, you must select China (Hong Kong) as the acceleration region.
Note
- You can specify ECS, CLB, and ALB instances as endpoints only if your Alibaba Cloud
account is included in the whitelist. If you want to specify ECS, CLB, or ALB instances
as endpoints for your GA instances, submit a ticket to upgrade the GA instances.
- If you want to specify ECS instances or CLB instances as endpoints, make sure that
the instances are deployed in virtual private clouds (VPCs).
- The IP addresses of endpoint groups associated with each GA instance must be globally
unique and not conflict with those of other GA instances.
- Peak Bandwidth: Specify the maximum bandwidth value of the basic bandwidth plan. 10Mb is selected in this example.
- Duration: Select the duration of the basic bandwidth plan.
- Return to the Instances page and click the ID of the GA instance that you created in Step 1.
- On the page that appears, click the Bandwidth Manage tab.
- In the Basic Bandwidth Package section, find the plan that you want to manage, and click Bind in the Actions column.
The basic bandwidth plan is now in the Bound state.
Step 8: Add an area that you want to accelerate
After you purchase a basic bandwidth plan, you can add an acceleration area, specify
the acceleration regions where end users are located, and allocate bandwidth to these
regions.
- On the Instances page, click the ID of the GA instance that is created in Step 6.
- On the instance details page, click the Acceleration Regions tab and select the region where you want to accelerate access. In this example, Asia Pacific is selected.
- On the Acceleration Areas tab, click Add Acceleration Area.
- In the Add Acceleration Area dialog box, set the following parameters, and click OK:
- Regions: Select the region where users are located. China (Hong Kong) is selected in this example.
- Bandwidth: Select a bandwidth value for the acceleration service. 10 Mbit/s is selected in this topic.
After the area to be accelerated is added, GA assigns an accelerated IP address to
each acceleration area to accelerate access to the domain name.
Step 9: Create a listener
A listener is used to check requests from clients. The system forwards requests based
on the specified protocol and port.
- On the Instances page, click the ID of the GA instance that is created in Step 6.
- On the Listeners tab, click Add Listener.
- In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.
Parameter | Description
Listener Name | Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
Protocol | Select a protocol for the listener. In this example, TCP is selected.
Port Number | Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
Client Affinity | Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.
- In the Configure Endpoint Group step, configure the following parameters and click Next.
- Enter a name for the endpoint group in the Endpoint Group Name field.
- Select the region to which the endpoint group and the backend server belong.
In this example, US (Silicon Valley) is selected.
- Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
- Specify whether to reserve client IP addresses. After the feature is enabled, backend
servers can obtain source IP addresses of clients. In this example, this feature is
disabled.
- Configure endpoints.
Parameter | Description
Backend Service Type | In this example, Alibaba Cloud Public IP Address is selected.
Backend Service | Enter the EIP of the backend server. The EIP is used to provide services.
Weight | Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to each endpoint in proportion to the weight of each endpoint. Notice: If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
Add Endpoint | Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify a weight.
Step 10: Configure an endpoint group
- Enter a name for the endpoint group in the Endpoint Group Name field.
- Select the region to which the endpoint group and backend servers belong.
In this example, network traffic is forwarded to WAF. Therefore, United States (Silicon Valley) is selected.
- Specify whether to deploy the backend service on Alibaba Cloud. Off Alibaba Cloud is selected in this example.
- Specify whether to reserve client IP addresses. After the feature is enabled, backend
servers can obtain source IP addresses of clients. This feature is disabled in this
example.
Note This feature is available only to Alibaba Cloud accounts that are included in the
whitelist. To use this feature, submit a ticket.
- Configure endpoints.
- Backend Service Type: Select Custom Domain Name from the drop-down list.
- Backend Service: Enter the IP address of the CNAME assigned by WAF after you set website parameters
in Step 5. For more information, see Step 5: Add website configurations.
- Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes traffic to
endpoints based on the specified weights.
Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the
endpoint. Proceed with caution.
- Click Next, confirm the configurations, and then click Next.
Step 11: Activate the Anti-DDoS Premium service
You can use Anti-DDoS Premium to mitigate DDoS attacks against servers deployed outside
mainland China. The Anti-DDoS Premium service filters out attack traffic in scrubbing
centers that are deployed closest to visitors and forwards only normal network traffic
back to the origin server. This ensures the stability of your workloads.
To purchase an Anti-DDoS Premium instance, perform the following steps:
- Log on to the Anti-DDoS Pro console.
- On the Instances page, click Purchase Instances.
- On the buy page, set the following parameters.
- Product Type: Select Anti-DDoS Premium.
- Mitigation Plan: Select a mitigation plan for the Anti-DDoS Premium instance that you want to purchase.
The Unlimited plan is selected in this example.
- Clean Bandwidth: Select the bandwidth value of the Anti-DDoS Premium instance.
The value specifies the maximum traffic load of an Anti-DDoS instance when the instance
is not under attack. 100Mbps is selected in this example.
- Function Plan: Select a plan.
You can select Standard Function or Enhanced Function. For more information about the
differences between Standard Function and Enhanced Function, see Function plan.
Enhanced Function is selected in this example.
- Domains: Select the number of HTTP/HTTPS domain names that can be protected by the instance.
- Clean QPS: Set the queries per second (QPS).
This parameter specifies the maximum number of concurrent HTTP or HTTPS requests that
the instance can process when no attack occurs. 3000 is selected in this example.
- Ports: Select the number of supported ports.
The number of protected ports equals the maximum number of entries supported for TCP/UDP
forwarding. 50 is selected in this example.
- Quantity: Select the number of instances that you want to purchase.
- Subscription: Select the subscription period of the Anti-DDoS Premium instance.
- Click Buy Now to complete the payment.
Step 12: Add a website
The configurations of a website specified in the Anti-DDoS Pro console define how
network traffic is transmitted between a website and an Anti-DDoS Pro instance.
Follow these steps to add the website that needs protection to Anti-DDoS Pro:
- Log on to the Anti-DDoS Pro console.
- In the top status bar, select the region where the service is deployed. Outside Mainland China is selected in this example.
- In the left-side navigation pane, choose .
- On the Website Config page, click Add Domain.
- On the Add Domain page, enter the website information.
- Function Plan: Select a plan for the Anti-DDoS Premium instance that you want to associate with
your website.
Standard and Enhanced are available. For more information, see Function plan.
Enhanced is selected in this example.
- Instance: Select the Anti-DDoS Pro instance to be associated. You can select up to eight instances
for one domain. The instances associated with a domain must use the same function
plan.
- Domain: Enter the website domain name that requires protection. www.example.us is used in this example.
- Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. This topic uses the default setting.
- Server IP: Specify the address type and address of the origin server. In this example, Origin Server IP is selected, and the accelerated IP address is used. The accelerated IP address is
the one that the GA instance assigns to the China (Hong Kong) region after you add
the acceleration area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.
- Server Port: Specify a server port based on the protocol type. In this topic, 9000 is used.
- Click Add.
Step 13: Set parameters of Sec-Traffic Manager
Anti-DDoS Pro provides Sec-Traffic Manager to set the interaction rules between Anti-DDoS
Pro and other cloud resources. You can set rules to trigger and enable Anti-DDoS Pro
in specific scenarios. This helps you keep workloads running smoothly if no DDoS attacks
occur, and provides more effective protection when DDoS attacks occur.
To configure Sec-Traffic Manager, follow these steps:
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region of the service. Outside Mainland China is selected in this example.
- In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
- On the Cloud Service Interaction tab, click Create Rule.
- In the Create Rule dialog box, set the following parameters:
- Interaction Scenario: Select an interaction scenario for the rule. In this topic, select Cloud Service Interaction.
- Name: Enter the rule name.
The name can be 1 to 128 characters in length and can contain letters, digits, and
underscores (_).
- Anti-DDoS Instance IP: Select the Anti-DDoS instance with which you want to associate. In this topic, the
Anti-DDoS Premium instance that you create in Step 11 is selected.
- Cloud Service: Select the region where the cloud resource is deployed, and then enter the IP address
of the cloud resource.
You can click Add Cloud Resource IP to add more cloud resources. You can add at most 20 IP addresses.
cn-hongkong is selected and the accelerated IP address is used in this example. The accelerated
IP address is the one that the GA instance assigns to the China (Hong Kong) region
after you add the accelerated area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.
- The waiting time of switching back: The waiting time for triggering the switching back process after GA interacts with
Anti-DDoS Pro.
Black hole deactivation consumes a specific amount of time. Frequent switchback is
not recommended. Therefore, the minimum value of this parameter is 30 minutes. The
waiting time is set to 60 minutes in this example.
- Click Next.
- Click Finished.
After a rule is created, Sec-Traffic Manager assigns a CNAME address to this rule.

Step 14: Resolve the domain name to Sec-Traffic Manager
After you create a scheduling rule in Sec-Traffic Manager, you must update the CNAME
record of the domain to redirect website traffic from mainland China to Sec-Traffic
Manager. The rule takes effect only after you update the CNAME record.
Note If you use a third-party DNS service, log on to the system of the DNS service provider
to modify the DNS record of your website.
To resolve the domain name to Sec-Traffic Manager, follow these steps:
- Log on to the Alibaba Cloud DNS console.
- On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
- On the DNS Settings page, click Add Record.
- In the Add Record dialog box, configure the record, and click Confirm.
- Type: Select a record type.
In this example, the website domain name is mapped to another domain name. Therefore,
CNAME is selected.
- Host: Enter the prefix of the accelerated domain name.
www is entered in this example.
- ISP Line: Select Default from the drop-down list.
- Value: Set this parameter to the CNAME assigned in Step 13. For more information, see Step 13: Set parameters of Sec-Traffic Manager.
- TTL: The TTL value of the IP address that is mapped to the specified domain name.
10 minute(s) is selected in this example.
- Repeat the preceding steps to add CNAME records for ISP lines provided by China Unicom, China Telecom, China Mobile, and China Education Network.
Step 15: Test the connectivity
In regions of mainland China, use a Windows operating system to test the performance
of protection and acceleration provided by GA after GA interacts with CDN, Anti-DDoS
Pro, WAF, and GTM.
- The domain name www.example.us is hosted outside mainland China. Enter this domain
in the address bar of the browser to access the application deployed in the US (Silicon
Valley) region.
- Open the Command Prompt, and run the nslookup <web service domain name> command to check the DNS resolution result.
- When the origin server is not attacked, the IP address of the GA instance is returned.
- When the origin server is under attack, the IP address of the Anti-DDoS Premium instance
is returned.
- Run the nslookup <CNAME access domain name in GTM> command to check the resolution result.
- If the primary server group is available: The domain name is resolved to the IP address
of Server 1 or Server 2. In this topic, the primary server group contains Server 1
and Server 2 that are deployed in the US (Silicon Valley) region.
- If the primary server group is unavailable, the IP address of Server 3 or Server 4
is returned. In this topic, the primary server group contains Server 1 and Server
2 deployed in the US (Silicon Valley) region.
- Run the following command to query the network latency:
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<Web service domain>[:<Port>]"
where:
- time_connect: the period of time to establish a TCP connection.
- time_starttransfer: the period of time for the backend server to send the first byte
after the client sends a request.
- time_total: the period of time for the backend server to respond to the session after
the client sends a request.
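The two nslookup checks in this step can be automated so that an answer pointing at none of your own addresses is flagged instead of being overlooked. The following is an added example, not part of the original procedure: it parses Windows nslookup output and reports which path (GA or Anti-DDoS Premium) or which GTM pool (primary or secondary) the answer belongs to. All IP addresses, CNAME names, and the sample output are constructed placeholders.

```python
import ipaddress

LABELS = ("Server", "Address", "Addresses", "Name", "Aliases")


def parse_nslookup(output):
    """Return (name, addresses, aliases) from the answer part of nslookup output.

    The resolver's own Server/Address lines, which are printed first, are skipped.
    """
    name, addresses, aliases = None, [], []
    field = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, rest = line.partition(":")
        if sep and label in LABELS:
            field, value = label, rest.strip()
            if field == "Name":
                name = value
                continue
        else:
            value = line  # continuation of a multi-line Addresses/Aliases field
        if field in ("Address", "Addresses") and name is not None:
            try:
                addresses.append(ipaddress.ip_address(value))
            except ValueError:
                pass  # status text, not an address
        elif field == "Aliases" and value and " " not in value:
            aliases.append(value)
    return name, addresses, aliases


def classify(addresses, groups):
    """Name the group that holds every returned address.

    Returns a key of `groups`, or "no-answer", "mixed" (addresses from more
    than one known group) or "unexpected" (an address that is in no group).
    """
    if not addresses:
        return "no-answer"
    known = {name: {ipaddress.ip_address(m) for m in members}
             for name, members in groups.items()}
    hits = set()
    for addr in addresses:
        owners = [name for name, members in known.items() if addr in members]
        if not owners:
            return "unexpected"
        hits.add(owners[0])
    return hits.pop() if len(hits) == 1 else "mixed"


def check(output, groups):
    """Parse nslookup output and classify the answer against `groups`."""
    _, addresses, _ = parse_nslookup(output)
    return classify(addresses, groups)


# Constructed placeholders (documentation address ranges), not real assignments.
SERVICE_PATHS = {"ga": ["203.0.113.10"], "anti-ddos": ["198.51.100.20"]}
GTM_POOLS = {"primary": ["192.0.2.11", "192.0.2.12"],
             "secondary": ["192.0.2.13", "192.0.2.14"]}

# Constructed output of: nslookup www.example.us
NORMAL = """Server:  resolver.example.net
Address:  198.51.100.53

Non-authoritative answer:
Name:    rule-placeholder.cname.example
Address:  203.0.113.10
Aliases:  www.example.us
"""
UNDER_ATTACK = NORMAL.replace("203.0.113.10", "198.51.100.20")

# Constructed output of: nslookup <CNAME access domain name in GTM>
FAILOVER = """Server:  resolver.example.net
Address:  198.51.100.53

Non-authoritative answer:
Name:    gtm-placeholder.cname.example
Addresses:  192.0.2.13
          192.0.2.14
"""

if __name__ == "__main__":
    print(check(NORMAL, SERVICE_PATHS))
    print(check(UNDER_ATTACK, SERVICE_PATHS))
    print(check(FAILOVER, GTM_POOLS))
```

An "unexpected" result means the name resolves to an address that is in none of your configured groups, which warrants checking the DNS records before any further testing.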