Accelerate domain names hosted outside mainland China

Procedure

Step 1: Create a GTM instance

GTM is a traffic management service that allows you to manage network traffic from clients in a fine-grained way.

To create a GTM instance, perform the following steps:

1. Log on to the Alibaba Cloud DNS console.
2. In the left-side navigation pane, click Global Traffic Manager.
3. On the Global Traffic Manager page, click Create Instance.
4. On the buy page, set the following parameters.
   1. Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.
   2. Quantity: The number of GTM instances that you want to purchase.
   3. Service Time: The service duration of the GTM instance.
5. Click Buy Now and complete the payment.

Step 2: Configure an access policy

Access policies allow GA to forward requests from different access points to different origin servers. You can also specify secondary origin servers to meet your business demands.

To configure an access policy for GTM, perform the following steps:

1. Log on to the Alibaba Cloud DNS console.
2. In the left-side navigation pane, click Global Traffic Manager.
3. On the Global Traffic Manager page, find the GTM instance that you want to manage, click Configure in the Actions column.
4. In the Select Configuration Method dialog box, select Quick Start.
5. In the Access Policy Configurations wizard, set the following parameters:
   1. Policy Name: Enter a name for the access policy.
   2. DNS Request Sources: Select a request source.
      After you specify a region as the request source, when users in this region send requests to the service, GTM distributes the requests to the specified origin server address pool. Global is selected in this example.
   3. Primary Address Pool Set: Click the Primary Address Pool Set tab.
      Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.

      Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon Valley) region to the primary address pool. Then, configure health checks and select the primary address pool. For more information about how to configure health checks,see TCP health checks.

   4. Secondary Address Pool Set: Click Secondary Address Pool Set.
      Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified by Primary Address Pool Set is unavailable.

      Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to the secondary address pool. Then, configure health checks and select the secondary address pool. For more information about how to configure health checks,see TCP health checks.

6. Click Next.

Step 3: Configure basic information

After you configure the access policy, you must specify the basic information about the GTM instance. The information includes the domain name, CNAME, global time-to-live (TTL) value, and alert group.

To configure the basic information about GTM, perform the following steps:

1. In the Basic Configuration wizard, set the following parameters:
   1. Instance Name: Enter an instance name.
      An instance name is used to identify the service to which the instance applies.
   2. Domain Name (Public): Enter a domain name to be accessed by the client. www.example.us is used in this example.
   3. CNAME Access Domain Name: Specify the type of the CNAME for the domain name.
      • Assigned Access Domain Name: Select this option if the IP address pool contains only Alibaba Cloud IP addresses or IP addresses outside mainland China.
      • Custom Access Domain Name: Select this option if the IP address pool contains IP addresses of data centers.

      In this example, the address pool contains only EIPs. Therefore, Assigned Access Domain Name is selected in this example.

   4. Global TTL: The validity period of the IP address to which the domain name is resolved. 1 minute(s) is selected in this example.
      You can use GTM to manage network traffic based on domain names. Global TTL specifies the TTL of the IP address that is cached in the DNS system of the Internet service provider (ISP). By default, the global TTL is set to 1 minute. If you use a custom domain name, the global TTL must be the same as the minimum TTL supported by the Cloud DNS plan of the custom domain name.
   5. Alert Group: the contact group to which a notification is sent when an exception is detected in your workloads.
      Note

      • If you have not configured an alert group, log on to the CloudMonitor console and add a contact group. For more information, see Create an alert contact or alert contact group.
      • If you have configured a contact group but want to configure the basic information as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud account to authorize the RAM user. After the RAM user is authorized, you can log on as a RAM user to read messages sent to the alert group.
2. Click Complete.

After you configure the basic information, the system automatically allocates a CNAME to the domain name. User requests destined for the CNAME are resolved to the IP address of the scheduled origin server.

Step 4: Activate WAF

WAF provides security protection based on big data technologies of Alibaba Cloud Security. It defends against common attacks defined by Open Web Application Security Project (OWASP), including SQL injections, Cross-Site Scripting (XSS) attacks, exploits of vulnerabilities in web server plug-ins, Trojan uploads, and unauthorized access to core resources. WAF blocks volumetric HTTP flood attacks to prevent the exposure of website assets and data, and to ensure website security and availability.

This step describes how to purchase a subscription WAF instance.

1. Go to Alibaba Cloud International Siteand log on to the WAF page with your Alibaba Cloud account.
2. Click Buy Now.
3. On the Web Application Firewall buy page, set the following parameters.
   1. Region: Select the region where the WAF instance is deployed.
      In this example, the WAF instance is located in the US (Silicon Valley) region. Therefore, International is selected.
   2. Deployment: Select a plan for WAF. On-cloud WAF is selected in this example.
   3. Plan: Select the edition of WAF that you want to activate.
      Different WAF editions are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this example.
   4. Extra Domain: Specify the number of additional domain names.
      If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domain names. For more information, see Additional domain names. Additional domain names are not purchased in this example.
   5. Exclusive IP: Specify the number of exclusive IP addresses.
      You can purchase an exclusive IP address when your domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP addresses. Exclusive IP addresses are not purchased in this example.
   6. Extra Traffic: Specify the additional bandwidth value. Unit: Mbit/s.
      If you require additional bandwidth, you can purchase an additional bandwidth plan. For more information, see additional bandwidth plans. 100Mbps is selected in this example.
   7. GSLB: Select whether to enable global load balancing.
      Global load balancing uses the multi-node resilience technology. It distributes network traffic based on multiple nodes or lines to implement disaster recovery and improve service reliability. No is selected in this example.
   8. Access Log Service: Select whether to activate Log Service.
      Log Service retrieves log data from WAF in real time and stores the data. You can query and analyze the log data, and generate analytics reports online. No is selected in this example.
   9. Bot Manager: Select whether to enable this feature.
      To mitigate security threats caused by bot traffic, you can enable this feature. For more information, see Set a bot threat intelligence rule and Configure the allowed crawlers function. No is selected in this example.
   10. Mobile App Protection: Select whether to enable this feature.
       You can enable this feature if your business supports native applications and you have security requirements for your business, such as trusted communication and prevention of bot scripts. For more information, see Configure application protection. No is selected in this example.
   11. Validity Period: Select the duration of the WAF service.
4. Click Buy Now and pay for the order.

Step 5: Add website configurations

After WAF is activated, you must configure the forwarding rules for the website protected by WAF.

Perform the following steps to route user traffic to WAF before it reaches the domain name protected by WAF:

1. Log on to the WAF console.
2. In the top navigation bar, select the region of your WAF instance. International is selected in this example.
3. In the left-side navigation pane, choose Asset Center > Website Access.
4. On the Website Access page, click Website Access.
5. Optional:On the Add Domain Name page, click Manually Add Other Websites.
   Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
6. Follow the Add Domain Name wizard to complete the configuration.
   1. Domain Name: Enter the domain name that needs WAF protection. www.example.us is used in this example.
      Note

      • You can enter a specific domain name, such as www.aliyun.com or a wildcard domain name, such as *.aliyun.com.
        • If you use a wildcard domain name, WAF automatically searches for domain names that match the specified wildcard domain name.
        • If you configure both a wildcard domain name and a specific domain name for a website, forwarding rules and protection policies of the specific domain name prevail over those of the wildcard domain.
      • Domain names suffixed with .edu are not supported. If you need to use a .edu domain name, submit a ticket to request technical support.
   2. Protocol Type: Select the protocol supported by the website. HTTP is selected in this example.
      Note

      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Upload an HTTPS certificate.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Manually add domain name configurations.
      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
        • Your WAF is upgraded to Business or Enterprise Edition.
        • HTTPS is selected.
   3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
      You can select IP or Domain Name (Such as CNAME). After your website is connected to WAF, WAF filters and redirects requests to this IP address. In this example, Domain Name (Such as CNAME) is selected, and the CNAME that is assigned to GTM after you configure the basic information in Step 3 is used. For more information, see Step 3: Configure basic information.
   4. Destination Server Port: Specify the service port of the website.
      WAF receives and forwards traffic for your website through the specified ports. The user traffic destined for the website domain name is forwarded only through the specified service ports. For unspecified ports, WAF does not forward traffic received on these ports to the origin servers. Therefore, no security threats are posed on the origin servers if you enable these ports or if these ports have vulnerabilities.

      Notice The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.

      The custom port 9000 is specified in this topic.

      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the allowed port range.
   5. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.
   6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.
   7. Enable Traffic Mark: Specify whether to enable the traffic mark feature. If you want to mark requests that pass through WAF, you can enable this feature. After you enable this feature, requests that pass through WAF are marked and other requests are not marked. When you enable this feature, you must specify a custom HTTP header field. The header field consists of Header Field Name and Header Field Value. This feature is enabled in this example.
      Note Do not specify a standard HTTP header field, such as User-Agent. Otherwise, the value of the standard header field is overwritten by the custom field value.
7. Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.
   
8. Click Next to view the WAF IP address, and then click Completed. Return to the website list.

Step 6: Create a GA instance

1. Log on to the Global Accelerator console.
2. On the Instances page, click Create Instance.
3. On the buy page, configure the parameters, click Buy Now, and then complete the payment.
   1. Select a specification for the GA instance. In this example, Medium Ⅰ is selected.
   2. Select a subscription period for the GA instance.

After the instance is created, the system automatically assigns a CNAME to the instance. The CNAME is used to resolve the domain name of the origin servers.

Step 7: Purchase and associate with a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and bind the plan to the GA instance.

1. On the Instances page, click Purchase Basic Bandwidth Plan.
2. On the buy page, set the following parameters, click Buy Now, and then pay for the order.
   1. Bandwidth Type: Select the type of the basic bandwidth plan.

      In this example, the domain name of the origin server is registered outside China and cannot be hosted on servers in mainland China. Premium is selected to allow users in mainland China to access the web services deployed in the US (Silicon Valley) region through the premium Internet in Hong Kong.

      The following types of basic bandwidth plans are supported: basic, enhanced, and premium. The following table shows that the acceleration type, accelerated backend service, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type.

      Bandwidth type	Acceleration type	Accelerated backend service	Acceleration scope
      Basic	Applications that are deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud Elastic Compute Service (ECS) Classic Load Balancer (CLB) (formerly known as SLB) Application Load Balancer (ALB) Object Storage Service (OSS)	By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland.
      Enhanced	Applications that are deployed on Alibaba Cloud Applications that are not deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud ECS CLB (formerly known as SLB) ALB OSS Custom IP addresses Custom domain names	By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland.
      Premium	Applications that are deployed on Alibaba Cloud Applications that are not deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud ECS CLB (formerly known as SLB) ALB OSS Custom IP addresses Custom domain names	By default, the acceleration region and the region where the backend service is deployed are located in the areas outside the Chinese mainland. If you want to accelerate data transfer between the Chinese mainland and other areas, you must select China (Hong Kong) as the acceleration region.

      Note

      • You can specify ECS, CLB, and ALB instances as endpoints only if your Alibaba Cloud account is included in the whitelist. If you want to specify ECS, CLB, or ALB instances as endpoints for your GA instances, submit a ticket to upgrade the GA instances.
      • If you want to specify ECS instances or CLB instances as endpoints, make sure that the instances are deployed in virtual private clouds (VPCs).
      • The IP addresses of endpoint groups associated with each GA instance must be globally unique and not conflict with those of other GA instances.
   2. Peak Bandwidth: Specify the maximum bandwidth value of the basic bandwidth plan. 10Mb is selected in this example.
   3. Duration: Select the duration of the basic bandwidth plan.
3. Return to the Instances page and click the ID of the GA instance that you created in Step 1.
4. On the page that appears, click the Bandwidth Manage tab.
5. In the Basic Bandwidth Package section, find the plan that you want to manage, and click Bind in the Actions column.
   
   The basic bandwidth plan is now in the Bound state.

Step 8: Add an area that you want to accelerate

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

1. On the Instances page, click the ID of the GA instance that is created in Step 6.
2. On the instance details page, click the Acceleration Regions tab and select the region where you want to accelerate access. In this example, Asia Pacific is selected.
3. On the Acceleration Areas tab, click Add Acceleration Area.
4. In the Add Acceleration Area dialog box, set the following parameters, and click OK:
   1. Regions: Select the region where users are located. China (Hong Kong) is selected in this example.
   2. Bandwidth: Select a bandwidth value for the acceleration service. 10 Mbit/s is selected in this topic.

After the area to be accelerated is added, GA assigns an accelerated IP address to each acceleration area to accelerate access to the domain name.

Step 9: Create a listener

A listener is used to check requests from clients. The system forwards requests based on the specified protocol and port.

1. On the Instances page, click the ID of the GA instance that is created in Step 6.
2. On the Listeners tab, click Add Listener.
3. In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.

   Parameter	Description
   Listener Name	Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
   Protocol	Select a protocol for the listener. In this example, TCP is selected.
   Port Number	Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
   Client Affinity	Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.

4. In the Configure Endpoint Group step, configure the following parameters and click Next.
   1. Enter a name for the endpoint group in the Endpoint Group Name field.
   2. Select the region to which the endpoint group and the backend server belong.
      In this example, US (Silicon Valley) is selected.
   3. Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
   4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. In this example, this feature is disabled.
   5. Configure endpoints.

      Parameter	Description
      Backend Service Type	In this example, Alibaba Cloud Public IP Address is selected.
      Backend Service	Enter the EIP of the backend server. The EIP is used to provide services.
      Weight	Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to each endpoint in proportion to the weight of each endpoint. Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
      Add Endpoint	Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify a weight.

Step 10: Configure an endpoint group

1. Enter a name for the endpoint group in the Endpoint Group Name field.
2. Select the region to which the endpoint group and backend servers belong.
   In this example, network traffic is forwarded to WAF. Therefore, United States (Silicon Valley) is selected.
3. Specify whether to deploy the backend service on Alibaba Cloud. Off Alibaba Cloud is selected in this example.
4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. This feature is disabled in this example.
   Note This feature is available to only Alibaba Cloud accounts that are included in the whitelist. To use this feature,submit a ticket.
5. Configure endpoints.
   1. Backend Service Type: Select Custom Domain Name from the drop-down list.
   2. Backend Service: Enter the IP address of the CNAME assigned by WAF after you set website parameters in Step 5. For more information, see the Step 5: Add website configurations.
   3. Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes traffic to endpoints based on the specified weights.
      Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
   
6. Click Next, confirm the configurations, and then click Next.

Step 11: Activate the Anti-DDoS Premium service

You can use Anti-DDoS Premium to mitigate DDoS attacks against servers deployed outside mainland China. The Anti-DDoS Premium service filters out attack traffic in scrubbing centers that are deployed closest to visitors and forwards only normal network traffic back to the origin server. This ensures the stability of your workloads.

To purchase an Anti-DDoS Premium instance, perform the following steps:

1. Log on to the Anti-DDoS Pro console.
2. On the Instances page, click Purchase Instances.
3. On the buy page, set the following parameters.
   1. Product Type: Select Anti-DDoS Premium.
   2. Mitigation Plan: Select a mitigation plan for the Anti-DDoS Premium instance that you want to purchase.
      • For more information about Insurance and Unlimited mitigation plans, see Billing methods of the Insurance and Unlimited mitigation plans.
      • For more information about Mainland China Access (MCA), see Billing methods of the MCA mitigation plan.

      The Unlimited plan is selected in this example.

   3. Clean Bandwidth: Select the bandwidth value of the Anti-DDoS Premium instance.
      The value specifies the maximum traffic load of an Anti-DDoS instance when the instance is not under attack. 100Mbps is selected in this example.
   4. Function Plan: Select a plan.
      You can select Standard Function or Enhanced Function. For more information about the differences between Standard Function and Enhanced Function, see Function plan. Enhanced Function is selected in this example.
   5. Domains: Select the number of HTTP/HTTPS domain names that can be protected by the instance.
      For more information about the number of protected domain names, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance. 10 is selected in this example.
   6. Clean QPS: Set the queries per second (QPS).
      This parameter specifies the maximum number of concurrent HTTP or HTTPS requests that the instance can process when no attack occurs. 3000 is selected in this example.
   7. Ports: Select the number of supported ports.
      The number of protected ports equals the maximum number of entries supported for TCP/UDP forwarding. 50 is selected in this example.
   8. Quantity: Select the number of instances that you want to purchase.
   9. Subscription: Select the subscription period of the Anti-DDoS Premium instance.
4. Click Buy Now to complete the payment.

Step 12: Add a website

The configurations of a website specified in the Anti-DDoS Pro console define how network traffic is transmitted between a website and an Anti-DDoS Pro instance.

Follow these steps to add the website that needs protection to Anti-DDoS Pro:

1. Log on to the Anti-DDoS Pro console.
2. In the top status bar, select the region where the service is deployed. Outside Mainland China is selected in this example.
3. In the left-side navigation pane, choose Provisioning > Website Config.
4. On the Website Config page, click Add Domain.
5. On the Add Domain page, enter the website information.
   1. Function Plan: Select a plan for the Anti-DDoS Premium instance that you want to associate with your website.
      Standard and Enhanced are available. For more information, see Function plan. Enhanced is selected in this example.
   2. Instance: Select the Anti-DDoS Pro instance to be associated. You can select up to eight instances for one domain. The instances associated with a domain must use the same function plan.
   3. Domain: Enter the website domain name that requires protection. www.example.us is used in this example.
   4. Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. This topic uses the default setting.
   5. Server IP: Specify the address type and address of the origin server. In this example, Origin Server IP is selected, and the accelerated IP address is used. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the acceleration area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.
   6. Server Port: Specify a server port based on the protocol type. In this topic, 9000 is used.
6. Click Add.

Step 13: Set parameters of Sec-Traffic Manager

Anti-DDoS Pro provides Sec-Traffic Manager to set the interaction rules between Anti-DDoS Pro and other cloud resources. You can set rules to trigger and enable Anti-DDoS Pro in specific scenarios. This helps you keep workloads running smoothly if no DDoS attacks occur, and provides more effective protection when DDoS attacks occur.

To configure Sec-Traffic Manager, follow these steps:

1. Log on to the Anti-DDoS Pro console.
2. In the top navigation bar, select the region of the service. Outside Mainland China is selected in this example.
3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
4. On the Cloud Service Interaction tab, click Create Rule.
5. In the Create Rule dialog box, set the following parameters:
   1. Interaction Scenario: Select an interaction scenario for the rule. In this topic, select Cloud Service Interaction.
   2. Name: Enter the rule name.
      The name can be 1 to 128 characters in length and can contain letters, digits, and underscores (_).
   3. Anti-DDoS Instance IP: Select the Anti-DDoS instance with which you want to associate. In this topic, the Anti-DDoS Premium instance that you create in Step 11 is selected.
   4. Cloud Service: Select the region where the cloud resource is deployed, and then enter the IP address of the cloud resource.
      You can click Add Cloud Resource IP to add more cloud resources. You can add at most 20 IP addresses.

      cn-hongkong is selected and the accelerated IP address is used in this example. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the accelerated area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.

   5. The waiting time of switching back: The waiting time for triggering the switching back process after GA interacts with Anti-DDoS Pro.
      Black hole deactivation consumes a specific amount of time. Frequent switchback is not recommended. Therefore, the minimum value of this parameter is 30 minutes. The waiting time is set to 60 minutes in this example.
6. Click Next.
7. Click Finished.
   After a rule is created, Sec-Traffic Manager assigns a CNAME address to this rule.

Step 14: Resolve the domain name to Sec-Traffic Manager

To resolve the domain name to Sec-Traffic Manager, follow these steps:

1. Log on to the Alibaba Cloud DNS console.
2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
3. On the DNS Settings page, click Add Record.
4. In the Add Record dialog box, configure the record, and click Confirm.
   1. Type: Select a record type.
      In this example, the website domain name is mapped to another domain name. Therefore, CNAME is selected.
   2. Host: Enter the prefix of the accelerated domain name.
      www is entered in this example.
   3. ISP Line: Select Default from the drop-down list.
   4. Value: Set this parameter to the CNAME assigned in Step 13. For more information, see Step 13: Set parameters of Sec-Traffic Manager.
   5. TTL: The TTL value of the IP address that is mapped to the specified domain name.
      10 minute(s) is selected in this example.
5. Repeat the preceding steps to add CNAME records for ISP lines provided by China Unicom, China Telecom, China Mobile, and China Education Network.
   

Step 15: Test the connectivity

In regions of mainland China, use a Windows operating system to test the performance of protection and acceleration provided by GA after GA interacts with CDN, Anti-DDoS Pro, WAF, and GTM.

1. The domain name www.example.us is hosted outside mainland China. Enter this domain in the address bar of the browser to access the application deployed in the US (Silicon Valley) region.
2. Open the Command Prompt, and run the nslookup <web service domain name> command to check the DNS resolution result.
   • When the origin server is not attacked, the IP address of the GA instance is returned.
   • When the origin server is under attack, the IP address of the Anti-DDoS Premium instance is returned.
3. Run the nslookup <CNAME access domain name in GTM> command to check the resolution result.
   • If the primary server group is available: The domain name is resolved to the IP address of Server 1 or Server 2. In this topic, the primary server group contains Server 1 and Server 2 that are deployed in the US (Silicon Valley) region.
   • If the primary server group is unavailable, the IP address of Server 3 or Server 4 is returned. In this topic, the primary server group contains Server 1 and Server 2 deployed in the US (Silicon Valley) region.
4. Run the following command to query the network latency:
   curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<Web service domain>[:<Port>]"

   where:

   • time_connect: the period of time to establish a TCP connection.
   • time_starttransfer: the period of time for the backend server to send the first byte after the client sends a request.
   • time_total: the period of time for the backend server to respond to the session after the client sends a request.