Cross-border website secure acceleration for domain names hosted in mainland China

Procedure

Step 1: Create a GTM instance

GTM is a traffic management service that allows you to manage network traffic from clients in a fine-grained way.

To create a GTM instance, perform the following steps:

1. Log on to the Alibaba Cloud DNS console.
2. In the left-side navigation pane, click Global Traffic Manager.
3. On the Global Traffic Manager page, click Create Instance.
4. On the buy page, set the following parameters.
   1. Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.
   2. Quantity: The number of GTM instances that you want to purchase.
   3. Service Time: The service duration of the GTM instance.
5. Click Buy Now and complete the payment.

Step 2: Configure an access policy

Access policies allow GA to forward requests from different access points to different origin servers. You can also specify secondary origin servers to meet your business demands.

To configure an access policy for GTM, perform the following steps:

1. Log on to the Alibaba Cloud DNS console.
2. In the left-side navigation pane, click Global Traffic Manager.
3. On the Global Traffic Manager page, find the GTM instance that you want to manage, click Configure in the Actions column.
4. In the Select Configuration Method dialog box, select Quick Start.
5. In the Access Policy Configurations wizard, set the following parameters:
   1. Policy Name: Enter a name for the access policy.
   2. DNS Request Sources: Select a request source.
      After you specify a region as the request source, when users in this region send requests to the service, GTM distributes the requests to the specified origin server address pool. Global is selected in this example.
   3. Primary Address Pool Set: Click the Primary Address Pool Set tab.
      Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.

      Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon Valley) region to the primary address pool. Then, configure health checks and select the primary address pool. For more information about how to configure health checks,see TCP health checks.

   4. Secondary Address Pool Set: Click Secondary Address Pool Set.
      Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified by Primary Address Pool Set is unavailable.

      Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to the secondary address pool. Then, configure health checks and select the secondary address pool. For more information about how to configure health checks,see TCP health checks.

6. Click Next.

Step 3: Configure basic information

After you configure the access policy, you must specify the basic information about the GTM instance. The information includes the domain name, CNAME, global time-to-live (TTL) value, and alert group.

To configure the basic information about GTM, perform the following steps:

1. On the Basic Information page, follow the wizard to configure basic information.
   1. Instance Name: Enter an instance name.
      The instance name is used to identify the application service that runs on the instance.
   2. Primary Domain: Enter a base domain name. www.example.com is entered in this topic.
   3. CNAME Access Domain Name: Specify the type of the CNAME for the base domain name.
      • Assigned Access Domain Name: Select this option if the IP address pool only contains Alibaba Cloud IP addresses or IP addresses outside China.
      • Custom Access Domain Name: Select this option if the IP address pool contains IP addresses of on-premises data centers.

      In this topic, the address pool of origin servers only contains Alibaba Cloud elastic IP addresses. Therefore, the Assigned Access Domain Name option is selected.

   4. Balance Policy: Select a load balancing policy for GTM.
      • Round Robin: distributes network traffic equally to multiple IP addresses in the IP address pool. This is the default policy.
      • Weighted Round Robin: uses the pre-configured weighted round-robin policy to process DNS queries when the domain name is resolved to more than one IP address.

      Round Robin is selected in this topic.

   5. Global TTL: The validity period of an IP address to which the domain name is resolved. 1 minute(s) is selected in this topic.
      GTM provides traffic management services based on domain names. The Global TTL parameter specifies the validity period of the IP address cached in the DNS system of the service provider. By default, the parameter is set to 1 minute. If you use a custom domain name, the global TTL must be the same as the minimum TTL supported by the Alibaba Cloud DNS service plan of the custom domain name.
   6. Alert Group: The contact group to which a notification is sent when an exception is detected in your workloads.
      Note

      • If you have not configured an alert group, log on to the Cloud Monitor console and add an alert group. For more information, see Create an alert contact or alert contact group.
      • If you have configured a contact group but want to configure the basic information as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud account to authorize the RAM user. After the RAM user is authorized, you can log on as a RAM user to read the alert group information.
2. Click Complete.

After you configure the basic information, the system automatically allocates a CNAME address to the base domain name. User requests destined for the CNAME address are resolved to the IP address of the scheduled origin server.

Step 4: Create a GA instance

1. Log on to the Global Accelerator console.
2. On the Instances page, click Create Instance.
3. On the buy page, configure the parameters, click Buy Now, and then complete the payment.
   1. Select a specification for the GA instance. In this example, Medium Ⅰ is selected.
   2. Select a subscription period for the GA instance.

After the instance is created, the system automatically assigns a CNAME to the instance. The CNAME is used to resolve the domain name of the origin servers.

Step 5: Purchase and bind a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and bind the plan to the GA instance.

1. On the Instances page, click Purchase Basic Bandwidth Plan.
2. On the buy page, set the required parameters, click Buy Now, and complete the payment.
   1. Bandwidth Type: Select the type of the basic bandwidth plan. Basic is selected in this example.
      The following types of basic bandwidth plans are supported: basic, enhanced, and premium. The following table shows that the acceleration type, accelerated backend service, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type.

      Bandwidth type	Acceleration type	Accelerated backend service	Acceleration scope
      Basic	Applications that are deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud Elastic Compute Service (ECS) Classic Load Balancer (CLB) (formerly known as SLB) Application Load Balancer (ALB) Object Storage Service (OSS)	By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer between the Chinese mainland and other areas.
      Enhanced	Applications that are deployed on Alibaba Cloud Applications that are not deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud ECS CLB (formerly known as SLB) ALB OSS Custom IP addresses Custom domain names	By default, the acceleration region and the region where the backend service is deployed are located in the Chinese mainland. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer between the Chinese mainland and other areas.
      Premium	Applications that are deployed on Alibaba Cloud Applications that are not deployed on Alibaba Cloud	Public IP addresses provided by Alibaba Cloud ECS CLB (formerly known as SLB) ALB OSS Custom IP addresses Custom domain names	By default, the acceleration region and the region where the backend service is deployed are located in the areas outside the Chinese mainland. If you want to accelerate data transfer between the Chinese mainland and other areas, you must select China (Hong Kong) as the acceleration region. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer between the Chinese mainland and other areas.

      Note

      • You can specify ECS, CLB, and ALB instances as endpoints only if your Alibaba Cloud account is included in the whitelist. If you want to specify ECS, CLB, or ALB instances as endpoints for your GA instances, submit a ticket to upgrade the GA instances.
      • If you want to specify ECS instances or CLB instances as endpoints, make sure that the instances are deployed in virtual private clouds (VPCs).
      • The IP addresses of endpoint groups associated with each GA instance must be globally unique and not conflict with those of other GA instances.
   2. Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. 10Mb is selected in this topic.
   3. Duration: Select the duration of the basic bandwidth plan.
3. Return to the Instances page and click the ID of the GA instance that you created in Step 1.
4. On the page that appears, click the Bandwidth Manage tab.
5. In the Basic Bandwidth Package section, find the target plan, and then click Bind in the Actions column.
   
   The basic bandwidth plan is now in the Bound state.

Step 6: Add an acceleration area

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

1. On the Instances page, click the ID of the GA instance that is created in Step 4.
2. On the instance details page, click the Acceleration Areas tab. Then, click Add Region.
3. In the Add Acceleration Area dialog box, configure the following parameters and click OK.

   Parameter	Description
   Regions	Select the region from which requests are to be accelerated. In this example, China (Hangzhou) is selected.
   Bandwidth	Specify the bandwidth resources used for acceleration in the region. In this example, 2 Mbit/s is used.
   Internet Protocol	Select IPv4 or IPv6. After the acceleration area takes effect, you cannot change the protocol. If you want to change the protocol, you must delete the current acceleration area and add another area.
   Actions	Specify the operations that you can perform on the area.
   Add	Click Add, specify China (Shanghai) as the acceleration region, and allocate 2 Mbit/s of bandwidth to the China (Shanghai) region.

4. Repeat the preceding steps to specify China (Shenzhen) as the acceleration region, and allocate 2 Mbit/s of bandwidth to the China (Shenzhen) region.

   After you add an acceleration area, GA assigns an IP address to the acceleration regions in the acceleration area. The IP address is used to accelerate requests from the region.

Step 7: Create a listener

A listener is used to check requests from clients. The system forwards requests based on the specified protocol and port.

1. On the Instances page, click the ID of the GA instance that is created in Step 4.
2. On the Listeners tab, click Add Listener.
3. In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.

   Parameter	Description
   Listener Name	Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
   Protocol	Select a protocol for the listener. In this example, TCP is selected.
   Port Number	Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
   Client Affinity	Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.

4. In the Configure Endpoint Group step, configure the following parameters and click Next.
   1. Enter a name for the endpoint group in the Endpoint Group Name field.
   2. Select the region to which the endpoint group and the backend server belong.
      In this example, US (Silicon Valley) is selected.
   3. Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
   4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. In this example, this feature is disabled.
   5. Configure endpoints.

      Parameter	Description
      Backend Service Type	In this example, Alibaba Cloud Public IP Address is selected.
      Backend Service	Enter the EIP of the backend server. The EIP is used to provide services.
      Weight	Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to each endpoint in proportion to the weight of each endpoint. Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
      Add Endpoint	Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify a weight.

Step 8: Configure an endpoint group

1. Select the region where the endpoint group is deployed. The selected region is where the target server is deployed.
   US (Silicon Valley) is selected in this topic.
2. Specify whether the backend service is deployed on Alibaba Cloud. Off Alibaba Cloud is selected in this topic.
3. Enable or disable the feature of reserving client IP addresses. After the feature is enabled, origin servers can reserve client IP addresses. This feature is disabled in this topic.
   Note The feature of reserving client IP addresses is available only to users in the whitelist. If you are not included in the whitelist and you want to use the feature, submit a ticket.
4. Configure endpoints.
   1. Backend Service Type: Select Custom Domain Name from the drop-down list.
   2. Backend Service: Enter the CNAME address assigned by the system after you configure the basic information in Step 3. For more information, see Step 3: Configure basic information.
   3. Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA routes traffic to endpoints based on the predefined weights.
      Notice If the weight of an endpoint is set to 0, GA stops distributing traffic to the endpoint. Proceed with caution.
   

Step 9: Purchase and bind a cross-border bandwidth plan

A bandwidth plan for cross-border acceleration is used to accelerate data transmission between mainland China and regions outside mainland China. Perform the following steps to purchase a bandwidth plan for cross-border acceleration and bind the bandwidth plan to the GA instance.

1. On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
2. On the buy page, configure the parameters and click Buy Now to complete the payment.
   1. Area A: Select the area where the bandwidth plan is used. In this example, Mainland China is selected.
   2. Area B: Select the area where the bandwidth plan is used. By default, Global is selected.
      Global: Requests are forwarded to the optimal endpoint based on the region from which requests are initiated.
   3. Billing Method: Select a billing method for the bandwidth plan. Only Pay by Bandwidth is supported.
   4. Bandwidth: Select a bandwidth value for the bandwidth plan.
      We recommend that you specify the same bandwidth value for the basic bandwidth plan and the bandwidth plan for cross-border acceleration. In this example, 10Mb is selected.
   5. Duration: Select a subscription period.
3. Return to the Instances page, find the GA instance to which you want to bind the bandwidth plan for cross-border acceleration, and then click its ID.
4. Click the Bandwidth Manage tab.
5. In the Cross-region Bandwidth Package section, find the bandwidth plan for cross-border acceleration and click Bind in the Actions column.
   
   After you bind the bandwidth plan to the GA instance, the bandwidth plan is in the Bound state.

Step 10: Activate the WAF service

WAF is empowered by big data technologies of Alibaba Cloud Security. WAF allows you to defend against common web attacks such as SQL injections, cross-site scripting (XSS), web shells, Trojans, unauthorized downloads, and HTTP flood attacks. WAF protects your web resources from exposure and ensures the security and availability of your website.

This topic describes how to purchase a subscription WAF instance.

1. Open the WAF product page on the Alibaba Cloud official website, and then log on with your Alibaba Cloud account.
2. Click Buy Now.
3. On the Web Application Firewall page, set the following parameters:
   1. Region: Select the region where the WAF instance is deployed.
      China Mainland is selected in this topic.
   2. Plan: Select the version of the WAF service.
      Different WAF service plans are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this topic.
   3. Extra Domain: Specify the number of additional domains.
      If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domains. For more information, see Additional domain. For this solution, you do not need to purchase additional domains.
   4. Exclusive IP: Specify the number of exclusive IP addresses.
      You can purchase an exclusive IP address when your website domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP. For this solution, you do not need to purchase a WAF exclusive IP.
   5. Extra Traffic: Specify the size of the bandwidth extension plan to be purchased. Unit: Mbit/s.
      If the total bandwidth of your website exceeds the service bandwidth of WAF, you can purchase a bandwidth extension plan. For more information, see Bandwidth extension plan. 100Mbps is selected in this topic.
   6. GSLB: Select whether to enable Global Server Load Balancing (GSLB).
      GSLB uses the multi-node resilience technology. It supports automatic traffic distribution and disaster recovery based on multiple nodes and lines. You can use GSLB to improve the reliability of your service. No is selected in this topic.
   7. Access Log Service: Specify whether to enable Log Service.
      Log Service retrieves log data from WAF in real time and then stores the data in Logstores. You can query and analyze the log data, and generate analytics reports online. No is selected in this topic.
   8. Bot Manager: Select whether to enable the Bot Manager feature.
      To mitigate security threats caused by bot traffic, you can enable the Bot Manager feature. For more information, see Set a bot threat intelligence rule and Configure the allowed crawlers function. No is selected in this topic.
   9. Mobile App Protection: Select whether to enable mobile application protection.
      You can enable the mobile app protection feature if your business supports native applications and you have security needs for your business, such as trusted communications and prevention of abusing bot scripts. For more information, see Configure application protection. No is selected in this topic.
   10. Service Time: Select the validity period of the WAF service.

Step 11: Add website configurations in WAF

Take the following steps to route user traffic to WAF before it reaches the domain name protected by WAF:

1. Log on to the WAF console.
2. In the status bar, select the region where your WAF instance is deployed. Select Mainland China in this topic.
3. In the left-side navigation pane, choose Asset Center > Website Access.
4. On the Website Access page, click Add Domain Name.
5. Optional:On the Add Domain Name page, click Manually Add Other Websites.
   Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
6. Follow the Add Domain Name wizard to complete the configuration.
   1. Domain Name: Enter the domain name that needs WAF protection. www.example.com is entered in this topic.
      Note

      • This parameter supports precise domain names such as www.aliyun.com and wildcard domain names such as *.aliyun.com.
        • WAF protects all subdomains that match the specified wildcard domain name.
        • If you configure both a wildcard domain name and a precise domain name for a website, forwarding rules and protection policies of the precise domain name prevail over those of the wildcard domain.
      • Domain names with the .edu suffix are not supported. If you want to use a .edu domain name, submit a ticket to request technical support.
   2. Protocol Type: Select the protocol supported by the website. HTTP is selected in this example.
      Note

      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Upload an HTTPS certificate.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Manually add domain name configurations.
      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
        • Your WAF is upgraded to Business or Enterprise Edition.
        • HTTPS is selected.
   3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
      Both IP and Destination Server (Domain Name) formats are supported. After you connect your website to WAF, WAF redirects filtered requests to the specified address. Select Destination Server (Domain Name) in this topic, and then enter the CNAME address assigned to the GA instance that you create in Step 4. For more information, see Step 4: Create a GA instance.
   4. Destination Server Port: Specify the service port of the website.
      WAF receives and forwards traffic for your website through the specified ports. The user traffic destined for the website domain name is forwarded only through the specified service ports. For unspecified ports, WAF does not forward traffic received on these ports to the origin servers. Therefore, no security threats are posed on the origin servers if you enable these ports or if these ports have vulnerabilities.

      Notice The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.

      The custom port 9000 is specified in this topic.

      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the allowed port range.
   5. Load Balancing Algorithm: If you have specified one or more origin IP addresses, select IP hash, Round Robin, or Least time. WAF distributes requests to these servers based on the specified algorithm for load balancing. Least time is selected in this topic.
      Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.
   6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.
7. Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.
   

Step 12: Purchase an Anti-DDoS Pro instance

Anti-DDoS Pro has the largest BGP bandwidth resources in mainland China. Up to 1.5 Tbit/s of bandwidth resources can be used to mitigate DDoS attacks.

1. Log on to the Anti-DDoS Pro console.
2. On the Instances page, click Purchase Instances.
3. On the buy page, configure the following parameters.

   Parameter	Description
   Product Type	By default, Anti-DDoS Pro (Mainland China) is selected.
   Mitigation Plan	By default, Profession is selected.
   Basic Protection	Specify the bandwidth resources used for basic protection. Basic protection is billed on a subscription basis. It takes effect only after you complete the payment. The total instance cost increases based on the basic protection bandwidth that you select.
   Burstable Protection	Specify the maximum value of bandwidth used for protection. Burstable protection is billed on a pay-as-you-go basis. Burstable protection bandwidth determines the maximum mitigation capacity provided by the instance. If you set Burstable Protection and Basic Protection to the same value, the maximum bandwidth value equals the value of Basic Protection. In this case, you are charged only for basic protection. If you set Burstable Protection to a value greater than Basic Protection, the value of bandwidth used for protection is the value between Basic Protection and Burstable Protection. If the peak bandwidth exceeds Basic Protection, a pay-as-you-go bill is generated based on the exceeded amount.
   Business Scale	Select the value of bandwidth that is used to process normal requests. Valid values: 100 to 5000. Unit: Mbit/s. Evaluate your business scale and estimate the maximum values of inbound bandwidth and outbound bandwidth based on your business requirements. Set Business Scale to the larger value that you estimated. Notice If the bandwidth resources that you specify are insufficient to meet your business requirements, packet loss may occur and your business may be affected. In this case, we recommend that you purchase more bandwidth resources.
   Function Plan	Select a function plan for the instance. Valid values: Standard Function Enhanced Function For more information, see Function plan.
   Domains	Specify the number of domain names that the instance can protect. Values must be multiples of 10. Valid values: 50 to 200. You can specify subdomains and wildcard domains. The number of unique domains that correspond to the sum of subdomains and wildcard domains must not exceed the quotient obtained by dividing the value of the Domains parameter by 10. For example, if the default value of the Domains parameter is 50, the Anti-DDoS Pro instance can protect up to 5 different domains. The sum of subdomains and wildcard domains cannot exceed 50. If you want to enable protection for example1.com and example2.com, you can specify their subdomains such as www.example1.com and abc.example2.com. You can also specify the wildcard domain *.example1.com. If you want to specify more than 50 subdomains and wildcard domains, or enable protection for more than five domains, we recommend that you set Domains to a greater value based on your business requirements.
   Clean QPS	Specify the number of concurrent queries per second (QPS) that the instance can process. HTTP and HTTPS requests are supported. Valid values: 3000 to 100000.
   Ports	Specify the number of TCP and UDP ports that are used to forward requests. Valid values: 50 to 400.
   Resource Group	Select a resource group to which the instance belongs. By default, Default Resource Group is selected. Note You can select a resource group only on the buy page of the previous version of Anti-DDoS Pro. You can purchase an instance that does not belong to the Default Resource Group only in the Anti-DDoS Pro console of the previous version. You can click Early Version in the upper-right corner to go to the Anti-DDoS Pro console of the previous version.
   Quantity	Select the number of instances that you want to purchase.
   Duration	Select a subscription period for the instance. If you select Auto renewal, the instance is automatically renewed before the instance expires. Monthly subscription: The instance is automatically renewed for one month. Annual subscription: The instance is automatically renewed for one year.

4. Click Buy Now and complete the payment.

Step 13: Add a domain to Anti-DDoS Pro

To set up Anti-DDoS Pro for a website, you must add the domain name of the website to Anti-DDoS Pro. The configurations specified in the Anti-DDoS Pro console define how network traffic is forwarded between a website and an Anti-DDoS Pro instance.

To add a domain name, take the following steps:

1. Log on to the Anti-DDoS Pro console.
2. In the top status bar, select the region of the service.
   In this topic, the traffic is scrubbed by Anti-DDoS Pro and then forwarded to WAF. Therefore, Mainland China is selected in this topic.
3. In the left-side navigation pane, choose Provisioning > Website Config.
4. On the Website Config page, click Add Domain.
5. On the Add Domain page, enter the website information.
   1. Function Plan: Select a function plan for the Anti-DDoS Pro instance. You can select a Standard or Enhanced function plan.
      For more information, see Function plan. Enhanced is selected in this topic.
   2. Instance: Select the Anti-DDoS Pro instance to be associated with the domain name.
      You can associate up to eight Anti-DDoS Pro instances with each domain name. However, these instances must use the same function plan.
   3. Domain: Enter the domain name to be protected.
      Note

      • Based on the naming convention of domain names, the domain name can contain uppercase and lowercase letters, digits, and hyphens (-). The domain name must start with a letter or digit.
      • You can enter a wildcard domain name, such as *.aliyun.com. Anti-DDoS Pro protects all subdomains of the wildcard domain name.
      • If you configure both a wildcard domain name such as *.aliyun.com and a precise domain name such as www.aliyun.com for a website, forwarding rules and protection policies of the precise domain name prevail over those of the wildcard domain.

      www.example.com is entered in this topic.

   4. Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. In this topic, the default setting is used.
   5. Enable HTTP/2: Select whether to enable HTTP/2 when the domain name is associated with an enhanced Anti-DDoS Pro instance. After HTTP/2 is enabled, the protocol type is HTTP 2.0.
   6. Server IP: Select the address type of the origin server, and specify the address of the origin server. Select Origin Server Domain in this topic, and then enter the CNAME address that is assigned in Step 11. For more information, see Step 11: Add website configurations in WAF.
   7. Server Port: Specify the server port based on the protocol. In this topic, the server port is 9000.
6. Click Add.

After you add a domain name, Anti-DDoS Pro assigns a CNAME address to the domain name.

Step 14: Activate the CDN service

CDN reduces the workload of the origin server and prevents network congestion. You can use CDN to accelerate content delivery in different regions and for different scenarios.

To activate the CDN service, take the following steps:

1. Log on to the Alibaba Cloud CDN product page.
2. Click Buy Now.
3. On the Enable Service page, select a billing method.

   For more information about CDN billing methods, see CDN Pricing.

4. Select the I Agree with IP Application Accelerator Agreement of Service check box, and click Enable Now.

Step 15: Add an accelerated domain name

CDN retrieves resources from origins and caches them on CDN nodes. When clients request the resources from the accelerated domain name, CDN directly retrieves the resources from the CDN nodes to the clients.

To add an accelerated domain name, take the following steps:

1. Log on to the CDN console.
2. In the left-side navigation pane, click Domain Names.
3. On the Domain Names page, click Add Domain Name.
4. On the Add Domain Name page, configure the domain name.
   1. Domain Name to Accelerate: Enter a domain name. www.example.com is entered in this topic.
      Note

      • You can use a subdomain name or a wildcard domain name as the accelerated domain name. Example: cdntest.example.com.
      • Wildcard domain names are supported but domain names in Chinese are not supported. Follow the instructions to enter a wildcard domain name. Example: *.test.com. For more information, see Rules for adding wildcard domain names.
      • You can add a domain name to CDN only once. If the Domain already exists error occurs, submit a ticket.
      • If a wildcard domain has been added to CDN for an Alibaba Cloud account, you are not allowed to add the subdomains of the wildcard domain to CDN for other Alibaba Cloud accounts.
      • You can add up to 50 accelerated domains for each account. To add more domains, submit a ticket.
      • Content that is delivered from the domain must comply with the limits of Alibaba Cloud CDN. For more information, see Limits.
   2. Business Type: Select the business type of your website.
      • Images and Small Files: If you want to accelerate the delivery of small-size and static resources, such as small files, images, and web style sheets, we recommend that you select this option. For more information, see Image and small file distribution.
      • Large File Download: For game package installation, app updates, mobile read-only memory (ROM) upgrades, and app downloads, we recommend that you select this option. For more information, see Large file distribution.
      • VOD: If you want to accelerate the delivery of audio or video files for VOD playback, we recommend that you select this option. For more information, see On-demand audio and video streaming.
      • DCDN: If your website contains a large amount of dynamic and static content, and most of the requests are for dynamic resources, we recommend that you select this option. For more information, see What is DCDN?.

      Images and Small Files is selected in this topic.

   3. Origin Info: Configure the information of the origin site.
      Select Site Domain in this topic, and then enter the CNAME that is assigned in Step 13. For more information, see Step 13: Add a domain to Anti-DDoS Pro.
   4. Port: Select the access port of the website. Valid values:
      • Port 80: Select this option if your website provides services over HTTP.
      • Port 443: Select this option if your website provides services over HTTPS.

      Port 80 is selected in this topic.

   5. Region: Select a region. Mainland China Only is selected in this topic.
5. Click Next.
   After you add an accelerated domain name, Alibaba Cloud CDN assigns a CNAME address to the accelerated domain name.

Step 16: Resolve the website domain name to CDN

To resolve the domain name to CDN, take the following steps:

1. Log on to the Alibaba Cloud DNS console.
2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
3. On the Configure page, find the DNS records, and click Edit in the Actions column.
4. In Edit Record dialog box, set Type to CNAME, and set Value to the CNAME address that is assigned in Step 15. For more information, see Step 15: Add an accelerated domain name.
5. Click OK.

Step 17: Verify the settings

In the China (Hangzhou), China (Shanghai), or China (Shenzhen) region, use a computer that runs Windows to test how your website is accelerated and protected by GA and other integrated services including CDN, Anti-DDoS Pro, WAF, and GTM.

1. Enter the domain name www.example.com (hosted in mainland China) into the address bar of the web browser to access the website service deployed in the US (Silicon Valley) region.
2. Run the nslookup <CNAME access domain name in GTM> command to check the resolution result.
   • If the primary server group is available: The domain name is resolved to the IP address of Server 1 or Server 2. In this topic, the primary server group contains Server 1 and Server 2 that are deployed in the US (Silicon Valley) region.
   • If the primary server group is unavailable: The domain name is resolved to the IP address of Server 3 or Server 4. In this topic, the primary server group contains Server 1 and Server 2 that are deployed in the US (Silicon Valley) region.
3. Run the following command to check the latency of data packet transmission.
   curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<the domain name of the website service>[:<port>]"

   where:

   • time_connect: the period of time to establish a TCP connection.
   • time_starttransfer: the period of time for the backend server to send the first byte after the client sends a request.
   • time_total: the period of time for the backend server to respond to the session after the client sends a request.