Global Accelerator (GA) provides web service providers a cross-border website secure
acceleration solution. GA uses high-bandwidth BGP lines and the global transmission
network of Alibaba Cloud to accelerate services. It can interact with Content Delivery
Network (CDN), Anti-DDoS Pro, Web Application Firewall (WAF), and Global Traffic Manager
(GTM) to ensure the security and efficiency of service delivery.
Prerequisites
Before you start, make sure that the following requirements are met:
Background information
A website service is deployed in the US (Silicon Valley) region of Alibaba Cloud.
The origin servers are four Elastic Compute Service (ECS) instances associated with
elastic IP addresses. Users in mainland China want to access the website service by
visiting www.example.com, a domain name hosted in mainland China. The forwarding port
is TCP port 9000. The website service provider meets the following challenges:
- The website service frequently receives website attacks and DDoS attacks, which severely
affect the security and availability of the website service.
- The cross-border public network is unstable. Network issues, such as network latency,
network jitter, and packet loss, may frequently occur and degrade the performance
of the website service.
- The origin servers are unstable. Service disruption may occur when users visit the
website.

As shown in the preceding figure, you can deploy GA to interact with the CDN, Anti-DDoS
Pro, WAF, and GTM services. This solution helps you resolve the issues on visiting
website services across borders.
- Alibaba Cloud CDN can accelerate website content delivery to improve the user experience
of the website visitors.
Alibaba Cloud CDN retrieves resources from origins and caches them on CDN nodes deployed
on a global scale. When the client requests a resource, the system does not need to
send the request to the origin. Instead, the system automatically retrieves the cached
resource from the CDN node that is nearest to the client.
- Anti-DDoS Pro can help you defend against DDoS attacks.
All traffic from the public network passes through Anti-DDoS Pro. Malicious traffic
is scrubbed in the scrubbing center and only legitimate traffic is forwarded to the
origin server through the port protocol.
- WAF can protect your website against a variety of web attacks.
All network traffic destined for the website must pass through WAF before reaching
the origin servers. WAF detects and blocks malicious traffic, and reroutes only normal
traffic to the origin servers to ensure the security, stability, and availability
of the origin servers.
- GA can speed up content delivery between the origin servers and users in acceleration
areas.
Users in China (Shanghai), China (Hangzhou), and China (Shenzhen) can connect to the
nearest access point of the global transmission network by sending requests to accelerated
IP addresses. Then, user requests are redirected to the origin servers deployed in
US (Silicon Valley) through intelligent routing and automatic network traffic distribution.
- GTM can be used to isolate malfunctioned servers or switch network traffic among multiple
origin servers.
- When the primary server group is working normally, all user traffic is forwarded to
the primary server group.
- When the primary server group becomes unavailable, user traffic is immediately switched
to the secondary server group for failover. After the primary server group recovers,
the traffic is switched back to the primary server group.
Procedure
Step 1: Create a GTM instance
GTM is a traffic management service that allows you to manage network traffic from
clients in a fine-grained way.
To create a GTM instance, perform the following steps:
- Log on to the Alibaba Cloud DNS console.
- In the left-side navigation pane, click Global Traffic Manager.
- On the Global Traffic Manager page, click Create Instance.
- On the buy page, set the following parameters.
- Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.
- Quantity: The number of GTM instances that you want to purchase.
- Service Time: The service duration of the GTM instance.
- Click Buy Now and complete the payment.
Step 2: Configure an access policy
Access policies allow GA to forward requests from different access points to different
origin servers. You can also specify secondary origin servers to meet your business
demands.
To configure an access policy for GTM, perform the following steps:
- Log on to the Alibaba Cloud DNS console.
- In the left-side navigation pane, click Global Traffic Manager.
- On the Global Traffic Manager page, find the GTM instance that you want to manage, click Configure in the Actions column.
- In the Select Configuration Method dialog box, select Quick Start.
- In the Access Policy Configurations wizard, set the following parameters:
- Policy Name: Enter a name for the access policy.
- DNS Request Sources: Select a request source.
After you specify a region as the request source, when users in this region send requests
to the service, GTM distributes the requests to the specified origin server address
pool. Global is selected in this example.
- Primary Address Pool Set: Click the Primary Address Pool Set tab.
Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.
Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon
Valley) region to the primary address pool. Then, configure health checks and select
the primary address pool. For more information about how to configure health checks,see TCP health checks.
- Secondary Address Pool Set: Click Secondary Address Pool Set.
Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified
by
Primary Address Pool Set is unavailable.
Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to
the secondary address pool. Then, configure health checks and select the secondary
address pool. For more information about how to configure health checks,see TCP health checks.
- Click Next.
Step 3: Configure basic information
After you configure the access policy, you must specify the basic information about
the GTM instance. The information includes the domain name, CNAME, global time-to-live
(TTL) value, and alert group.
To configure the basic information about GTM, perform the following steps:
- On the Basic Information page, follow the wizard to configure basic information.
- Instance Name: Enter an instance name.
The instance name is used to identify the application service that runs on the instance.
- Primary Domain: Enter a base domain name. www.example.com is entered in this topic.
- CNAME Access Domain Name: Specify the type of the CNAME for the base domain name.
- Assigned Access Domain Name: Select this option if the IP address pool only contains Alibaba Cloud IP addresses
or IP addresses outside China.
- Custom Access Domain Name: Select this option if the IP address pool contains IP addresses of on-premises data
centers.
In this topic, the address pool of origin servers only contains Alibaba Cloud elastic
IP addresses. Therefore, the Assigned Access Domain Name option is selected.
- Balance Policy: Select a load balancing policy for GTM.
- Round Robin: distributes network traffic equally to multiple IP addresses in the IP address pool.
This is the default policy.
- Weighted Round Robin: uses the pre-configured weighted round-robin policy to process DNS queries when
the domain name is resolved to more than one IP address.
Round Robin is selected in this topic.
- Global TTL: The validity period of an IP address to which the domain name is resolved. 1 minute(s) is selected in this topic.
GTM provides traffic management services based on domain names. The Global TTL parameter
specifies the validity period of the IP address cached in the DNS system of the service
provider. By default, the parameter is set to 1 minute. If you use a custom domain
name, the global TTL must be the same as the minimum TTL supported by the Alibaba
Cloud DNS service plan of the custom domain name.
- Alert Group: The contact group to which a notification is sent when an exception is detected
in your workloads.
Note
- If you have not configured an alert group, log on to the Cloud Monitor console and
add an alert group. For more information, see Create an alert contact or alert contact group.
- If you have configured a contact group but want to configure the basic information
as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud
account to authorize the RAM user. After the RAM user is authorized, you can log on
as a RAM user to read the alert group information.
- Click Complete.
After you configure the basic information, the system automatically allocates a CNAME
address to the base domain name. User requests destined for the CNAME address are
resolved to the IP address of the scheduled origin server.

Step 4: Create a GA instance
- Log on to the Global Accelerator console.
- On the Instances page, click Create Instance.
- On the buy page, configure the parameters, click Buy Now, and then complete the payment.
- Select a specification for the GA instance. In this example, Medium Ⅰ is selected.
- Select a subscription period for the GA instance.
After the instance is created, the system automatically assigns a CNAME to the instance.
The CNAME is used to resolve the domain name of the origin servers.

Step 5: Purchase and bind a basic bandwidth plan
A basic bandwidth plan provides bandwidth for data transmission over the Internet
and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic
bandwidth plan and bind the plan to the GA instance.
- On the Instances page, click Purchase Basic Bandwidth Plan.
- On the buy page, set the required parameters, click Buy Now, and complete the payment.
- Bandwidth Type: Select the type of the basic bandwidth plan. Basic is selected in this example.
The following types of basic bandwidth plans are supported: basic, enhanced, and premium.
The following table shows that the acceleration type, accelerated backend service,
and acceleration scope of a basic bandwidth plan vary based on the bandwidth type.
Bandwidth type |
Acceleration type |
Accelerated backend service |
Acceleration scope |
Basic |
Applications that are deployed on Alibaba Cloud |
- Public IP addresses provided by Alibaba Cloud
- Elastic Compute Service (ECS)
- Classic Load Balancer (CLB) (formerly known as SLB)
- Application Load Balancer (ALB)
- Object Storage Service (OSS)
|
By default, the acceleration region and the region where the backend service is deployed
are located in the Chinese mainland. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer
between the Chinese mainland and other areas.
|
Enhanced |
- Applications that are deployed on Alibaba Cloud
- Applications that are not deployed on Alibaba Cloud
|
- Public IP addresses provided by Alibaba Cloud
- ECS
- CLB (formerly known as SLB)
- ALB
- OSS
- Custom IP addresses
- Custom domain names
|
By default, the acceleration region and the region where the backend service is deployed
are located in the Chinese mainland. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer
between the Chinese mainland and other areas.
|
Premium |
- Applications that are deployed on Alibaba Cloud
- Applications that are not deployed on Alibaba Cloud
|
- Public IP addresses provided by Alibaba Cloud
- ECS
- CLB (formerly known as SLB)
- ALB
- OSS
- Custom IP addresses
- Custom domain names
|
By default, the acceleration region and the region where the backend service is deployed
are located in the areas outside the Chinese mainland. If you want to accelerate data
transfer between the Chinese mainland and other areas, you must select China (Hong
Kong) as the acceleration region. You can purchase a cross-border acceleration bandwidth plan to accelerate data transfer
between the Chinese mainland and other areas.
|
Note
- You can specify ECS, CLB, and ALB instances as endpoints only if your Alibaba Cloud
account is included in the whitelist. If you want to specify ECS, CLB, or ALB instances
as endpoints for your GA instances, submit a ticket to upgrade the GA instances.
- If you want to specify ECS instances or CLB instances as endpoints, make sure that
the instances are deployed in virtual private clouds (VPCs).
- The IP addresses of endpoint groups associated with each GA instance must be globally
unique and not conflict with those of other GA instances.
- Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. 10Mb is selected in this topic.
- Duration: Select the duration of the basic bandwidth plan.
- Return to the Instances page and click the ID of the GA instance that you created in Step 1.
- On the page that appears, click the Bandwidth Manage tab.
- In the Basic Bandwidth Package section, find the target plan, and then click Bind in the Actions column.
The basic bandwidth plan is now in the Bound state.
Step 6: Add an acceleration area
After you purchase a basic bandwidth plan, you can add an acceleration area, specify
the acceleration regions where end users are located, and allocate bandwidth to these
regions.
- On the Instances page, click the ID of the GA instance that is created in Step 4.
- On the instance details page, click the Acceleration Areas tab. Then, click Add Region.
- In the Add Acceleration Area dialog box, configure the following parameters and click OK.
Parameter |
Description |
Regions |
Select the region from which requests are to be accelerated. In this example, China (Hangzhou) is selected.
|
Bandwidth |
Specify the bandwidth resources used for acceleration in the region. In this example,
2 Mbit/s is used.
|
Internet Protocol |
Select IPv4 or IPv6. After the acceleration area takes effect, you cannot change the
protocol. If you want to change the protocol, you must delete the current acceleration
area and add another area.
|
Actions |
Specify the operations that you can perform on the area. |
Add |
Click Add, specify China (Shanghai) as the acceleration region, and allocate 2 Mbit/s of bandwidth
to the China (Shanghai) region.
|
- Repeat the preceding steps to specify China (Shenzhen) as the acceleration region,
and allocate 2 Mbit/s of bandwidth to the China (Shenzhen) region.
After you add an acceleration area, GA assigns an IP address to the acceleration regions
in the acceleration area. The IP address is used to accelerate requests from the region.
Step 7: Create a listener
A listener is used to check requests from clients. The system forwards requests based
on the specified protocol and port.
- On the Instances page, click the ID of the GA instance that is created in Step 4.
- On the Listeners tab, click Add Listener.
- In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click
Next.
Parameter |
Description |
Listener Name |
Enter a name for the listener. The name must be 2 to 128 characters in length, and
can contain letters, digits, underscores (_), and hyphens (-). The name must start
with a letter.
|
Protocol |
Select a protocol for the listener. In this example, TCP is selected.
|
Port Number |
Specify a port for the listener. The port is used to receive and forward requests
to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
|
Client Affinity |
Specify whether to enable client affinity. If client affinity is enabled, requests
from the same client can be directed to the same endpoint when the client accesses
a stateful application. In this example, Source IP Address is selected.
|
- In the Configure Endpoint Group step, configure the following parameters and click Next.
- Enter a name for the endpoint group in the Endpoint Group Name field.
- Select the region to which the endpoint group and the backend server belong.
In this example, US (Silicon Valley) is selected.
- Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
- Specify whether to reserve client IP addresses. After the feature is enabled, backend
servers can obtain source IP addresses of clients. In this example, this feature is
disabled.
- Configure endpoints.
Parameter |
Description |
Backend Service Type |
In this example, Alibaba Cloud Public IP Address is selected.
|
Backend Service |
Enter the EIP of the backend server. The EIP is used to provide services. |
Weight |
Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic
to each endpoint in proportion to the weight of each endpoint.
Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the
endpoint. Proceed with caution.
|
Add Endpoint |
Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify
a weight.
|
Step 8: Configure an endpoint group
- Select the region where the endpoint group is deployed. The selected region is where
the target server is deployed.
US (Silicon Valley) is selected in this topic.
- Specify whether the backend service is deployed on Alibaba Cloud. Off Alibaba Cloud is selected in this topic.
- Enable or disable the feature of reserving client IP addresses. After the feature
is enabled, origin servers can reserve client IP addresses. This feature is disabled
in this topic.
Note The feature of reserving client IP addresses is available only to users in the whitelist.
If you are not included in the whitelist and you want to use the feature,
submit a ticket.
- Configure endpoints.
- Backend Service Type: Select Custom Domain Name from the drop-down list.
- Backend Service: Enter the CNAME address assigned by the system after you configure the basic information
in Step 3. For more information, see Step 3: Configure basic information.
- Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA routes traffic
to endpoints based on the predefined weights.
Notice If the weight of an endpoint is set to 0, GA stops distributing traffic to the endpoint.
Proceed with caution.
Step 9: Purchase and bind a cross-border bandwidth plan
A bandwidth plan for cross-border acceleration is used to accelerate data transmission
between mainland China and regions outside mainland China. Perform the following steps
to purchase a bandwidth plan for cross-border acceleration and bind the bandwidth
plan to the GA instance.
- On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
- On the buy page, configure the parameters and click Buy Now to complete the payment.
- Area A: Select the area where the bandwidth plan is used. In this example, Mainland China is selected.
- Area B: Select the area where the bandwidth plan is used. By default, Global is selected.
Global: Requests are forwarded to the optimal endpoint based on the region from which requests
are initiated.
- Billing Method: Select a billing method for the bandwidth plan. Only Pay by Bandwidth is supported.
- Bandwidth: Select a bandwidth value for the bandwidth plan.
We recommend that you specify the same bandwidth value for the basic bandwidth plan
and the bandwidth plan for cross-border acceleration. In this example, 10Mb is selected.
- Duration: Select a subscription period.
- Return to the Instances page, find the GA instance to which you want to bind the bandwidth plan for cross-border
acceleration, and then click its ID.
- Click the Bandwidth Manage tab.
- In the Cross-region Bandwidth Package section, find the bandwidth plan for cross-border acceleration and click Bind in the Actions column.
After you bind the bandwidth plan to the GA instance, the bandwidth plan is in the
Bound state.
Step 10: Activate the WAF service
WAF is empowered by big data technologies of Alibaba Cloud Security. WAF allows you
to defend against common web attacks such as SQL injections, cross-site scripting
(XSS), web shells, Trojans, unauthorized downloads, and HTTP flood attacks. WAF protects
your web resources from exposure and ensures the security and availability of your
website.
This topic describes how to purchase a subscription WAF instance.
- Open the WAF product page on the Alibaba Cloud official website, and then log on with your Alibaba Cloud account.
- Click Buy Now.
- On the Web Application Firewall page, set the following parameters:
- Region: Select the region where the WAF instance is deployed.
China Mainland is selected in this topic.
- Plan: Select the version of the WAF service.
Different WAF service plans are applicable to various business scales and provide
different protection features. For more information, see
WAF deployment plans and editions.
Enterprise is selected in this topic.
- Extra Domain: Specify the number of additional domains.
If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase
additional domains. For more information, see
Additional domain. For this solution, you do not need to purchase additional domains.
- Exclusive IP: Specify the number of exclusive IP addresses.
You can purchase an exclusive IP address when your website domain name needs WAF protection
through an exclusive IP address. For more information, see
Exclusive IP. For this solution, you do not need to purchase a WAF exclusive IP.
- Extra Traffic: Specify the size of the bandwidth extension plan to be purchased. Unit: Mbit/s.
If the total bandwidth of your website exceeds the service bandwidth of WAF, you can
purchase a bandwidth extension plan. For more information, see
Bandwidth extension plan.
100Mbps is selected in this topic.
- GSLB: Select whether to enable Global Server Load Balancing (GSLB).
GSLB uses the multi-node resilience technology. It supports automatic traffic distribution
and disaster recovery based on multiple nodes and lines. You can use GSLB to improve
the reliability of your service. No is selected in this topic.
- Access Log Service: Specify whether to enable Log Service.
Log Service retrieves log data from WAF in real time and then stores the data in Logstores.
You can query and analyze the log data, and generate analytics reports online. No is selected in this topic.
- Bot Manager: Select whether to enable the Bot Manager feature.
- Mobile App Protection: Select whether to enable mobile application protection.
You can enable the mobile app protection feature if your business supports native
applications and you have security needs for your business, such as trusted communications
and prevention of abusing bot scripts. For more information, see
Configure application protection.
No is selected in this topic.
- Service Time: Select the validity period of the WAF service.
Step 11: Add website configurations in WAF
Take the following steps to route user traffic to WAF before it reaches the domain
name protected by WAF:
- Log on to the WAF console.
- In the status bar, select the region where your WAF instance is deployed. Select Mainland China in this topic.
- In the left-side navigation pane, choose .
- On the Website Access page, click Add Domain Name.
- Optional:On the Add Domain Name page, click Manually Add Other Websites.
Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
- Follow the Add Domain Name wizard to complete the configuration.
- Domain Name: Enter the domain name that needs WAF protection. www.example.com is entered in this topic.
Note
- This parameter supports precise domain names such as
www.aliyun.com
and wildcard domain names such as *.aliyun.com
.
- WAF protects all subdomains that match the specified wildcard domain name.
- If you configure both a wildcard domain name and a precise domain name for a website,
forwarding rules and protection policies of the precise domain name prevail over those
of the wildcard domain.
- Domain names with the
.edu
suffix are not supported. If you want to use a .edu
domain name, submit a ticket to request technical support.
- Protocol Type: Select the protocol supported by the website. HTTP is selected in this example.
Note
- If your website supports HTTPS, select HTTPS, and upload the certificate and the private
key file after you set website parameters. For more information, see Upload an HTTPS certificate.
- After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient
access to your website. For more information, see Manually add domain name configurations.
- To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
- Your WAF is upgraded to Business or Enterprise Edition.
- HTTPS is selected.
- Destination Server (IP Address): Select a server address type and enter the address of the origin server.
Both
IP and
Destination Server (Domain Name) formats are supported. After you connect your website to WAF, WAF redirects filtered
requests to the specified address. Select
Destination Server (Domain Name) in this topic, and then enter the CNAME address assigned to the GA instance that
you create in Step 4. For more information, see
Step 4: Create a GA instance.
- Destination Server Port: Specify the service port of the website.
WAF receives and forwards traffic for your website through the specified ports. The
user traffic destined for the website domain name is forwarded only through the specified
service ports. For unspecified ports, WAF does not forward traffic received on these
ports to the origin servers. Therefore, no security threats are posed on the origin
servers if you enable these ports or if these ports have vulnerabilities.
Notice The protocol and port must be the same as those of the origin server IP address. You
cannot change the port after it is specified.
The custom port
9000 is specified in this topic.
Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports
443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard
ports, and have corresponding limits on the total number of ports used by the protected
domain name. For more information, see
View the allowed port range.
- Load Balancing Algorithm: If you have specified one or more origin IP addresses, select IP hash, Round Robin, or Least time. WAF distributes requests to these servers based on the specified algorithm for load
balancing. Least time is selected in this topic.
Note You can select
Least time only when intelligent load balancing is enabled. For more information, see
Intelligent load balancing.
- Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.
- Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.
Step 12: Purchase an Anti-DDoS Pro instance
Anti-DDoS Pro has the largest BGP bandwidth resources in mainland China. Up to 1.5
Tbit/s of bandwidth resources can be used to mitigate DDoS attacks.
- Log on to the Anti-DDoS Pro console.
- On the Instances page, click Purchase Instances.
- On the buy page, configure the following parameters.
Parameter |
Description |
Product Type |
By default, Anti-DDoS Pro (Mainland China) is selected.
|
Mitigation Plan |
By default, Profession is selected.
|
Basic Protection |
Specify the bandwidth resources used for basic protection.
Basic protection is billed on a subscription basis. It takes effect only after you
complete the payment. The total instance cost increases based on the basic protection
bandwidth that you select.
|
Burstable Protection |
Specify the maximum value of bandwidth used for protection.
Burstable protection is billed on a pay-as-you-go basis. Burstable protection bandwidth
determines the maximum mitigation capacity provided by the instance.
- If you set Burstable Protection and Basic Protection to the same value, the maximum bandwidth value equals the value of Basic Protection. In this case, you are charged only for basic protection.
- If you set Burstable Protection to a value greater than Basic Protection, the value of bandwidth used for protection is the value between Basic Protection and Burstable Protection. If the peak bandwidth exceeds Basic Protection, a pay-as-you-go bill is generated based on the exceeded amount.
|
Business Scale |
Select the value of bandwidth that is used to process normal requests. Valid values:
100 to 5000. Unit: Mbit/s.
Evaluate your business scale and estimate the maximum values of inbound bandwidth
and outbound bandwidth based on your business requirements. Set Business Scale to the larger value that you estimated.
Notice If the bandwidth resources that you specify are insufficient to meet your business
requirements, packet loss may occur and your business may be affected. In this case,
we recommend that you purchase more bandwidth resources.
|
Function Plan |
Select a function plan for the instance. Valid values:
- Standard Function
- Enhanced Function
For more information, see Function plan.
|
Domains |
Specify the number of domain names that the instance can protect. Values must be multiples
of 10. Valid values: 50 to 200.
You can specify subdomains and wildcard domains. The number of unique domains that
correspond to the sum of subdomains and wildcard domains must not exceed the quotient
obtained by dividing the value of the Domains parameter by 10.
For example, if the default value of the Domains parameter is 50, the Anti-DDoS Pro instance can protect up to 5 different domains.
The sum of subdomains and wildcard domains cannot exceed 50.
If you want to enable protection for example1.com and example2.com, you can specify
their subdomains such as www.example1.com and abc.example2.com. You can also specify
the wildcard domain *.example1.com.
If you want to specify more than 50 subdomains and wildcard domains, or enable protection
for more than five domains, we recommend that you set Domains to a greater value based on your business requirements.
|
Clean QPS |
Specify the number of concurrent queries per second (QPS) that the instance can process.
HTTP and HTTPS requests are supported. Valid values: 3000 to 100000.
|
Ports |
Specify the number of TCP and UDP ports that are used to forward requests. Valid values:
50 to 400.
|
Resource Group |
Select a resource group to which the instance belongs. By default, Default Resource Group is selected.
Note You can select a resource group only on the buy page of the previous version of Anti-DDoS
Pro. You can purchase an instance that does not belong to the Default Resource Group only in the Anti-DDoS Pro console of the previous version. You can click Early Version in the upper-right corner to go to the Anti-DDoS Pro console of the previous version.
|
Quantity |
Select the number of instances that you want to purchase. |
Duration |
Select a subscription period for the instance.
If you select Auto renewal, the instance is automatically renewed before the instance expires.
- Monthly subscription: The instance is automatically renewed for one month.
- Annual subscription: The instance is automatically renewed for one year.
|
- Click Buy Now and complete the payment.
Step 13: Add a domain to Anti-DDoS Pro
To set up Anti-DDoS Pro for a website, you must add the domain name of the website
to Anti-DDoS Pro. The configurations specified in the Anti-DDoS Pro console define
how network traffic is forwarded between a website and an Anti-DDoS Pro instance.
- Log on to the Anti-DDoS Pro console.
- In the top status bar, select the region of the service.
In this topic, the traffic is scrubbed by Anti-DDoS Pro and then forwarded to WAF.
Therefore, Mainland China is selected in this topic.
- In the left-side navigation pane, choose .
- On the Website Config page, click Add Domain.
- On the Add Domain page, enter the website information.
- Function Plan: Select a function plan for the Anti-DDoS Pro instance. You can select a Standard or Enhanced function plan.
For more information, see
Function plan.
Enhanced is selected in this topic.
- Instance: Select the Anti-DDoS Pro instance to be associated with the domain name.
You can associate up to eight Anti-DDoS Pro instances with each domain name. However,
these instances must use the same function plan.
- Domain: Enter the domain name to be protected.
Note
- Based on the naming convention of domain names, the domain name can contain uppercase
and lowercase letters, digits, and hyphens (-). The domain name must start with a
letter or digit.
- You can enter a wildcard domain name, such as
*.aliyun.com
. Anti-DDoS Pro protects all subdomains of the wildcard domain name.
- If you configure both a wildcard domain name such as
*.aliyun.com
and a precise domain name such as www.aliyun.com
for a website, forwarding rules and protection policies of the precise domain name
prevail over those of the wildcard domain.
www.example.com is entered in this topic.
- Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. In this topic, the default setting is used.
- Enable HTTP/2: Select whether to enable HTTP/2 when the domain name is associated with an enhanced
Anti-DDoS Pro instance. After HTTP/2 is enabled, the protocol type is HTTP 2.0.
- Server IP: Select the address type of the origin server, and specify the address of the origin
server. Select Origin Server Domain in this topic, and then enter the CNAME address that is assigned in Step 11. For more information, see Step 11: Add website configurations in WAF.
- Server Port: Specify the server port based on the protocol. In this topic, the server port is
9000.
- Click Add.
After you add a domain name, Anti-DDoS Pro assigns a CNAME address to the domain name.

Step 14: Activate the CDN service
CDN reduces the workload of the origin server and prevents network congestion. You
can use CDN to accelerate content delivery in different regions and for different
scenarios.
To activate the CDN service, take the following steps:
- Log on to the Alibaba Cloud CDN product page.
- Click Buy Now.
- On the Enable Service page, select a billing method.
For more information about CDN billing methods, see CDN Pricing.
- Select the I Agree with IP Application Accelerator Agreement of Service check box, and click Enable Now.
Step 15: Add an accelerated domain name
CDN retrieves resources from origins and caches them on CDN nodes. When clients request
the resources from the accelerated domain name, CDN directly retrieves the resources
from the CDN nodes to the clients.
To add an accelerated domain name, take the following steps:
- Log on to the CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, click Add Domain Name.
- On the Add Domain Name page, configure the domain name.
- Domain Name to Accelerate: Enter a domain name. www.example.com is entered in this topic.
Note
- You can use a subdomain name or a wildcard domain name as the accelerated domain name.
Example:
cdntest.example.com
.
- Wildcard domain names are supported but domain names in Chinese are not supported.
Follow the instructions to enter a wildcard domain name. Example:
*.test.com
. For more information, see Rules for adding wildcard domain names.
- You can add a domain name to CDN only once. If the Domain already exists error occurs, submit a ticket.
- If a wildcard domain has been added to CDN for an Alibaba Cloud account, you are not
allowed to add the subdomains of the wildcard domain to CDN for other Alibaba Cloud
accounts.
- You can add up to 50 accelerated domains for each account. To add more domains, submit a ticket.
- Content that is delivered from the domain must comply with the limits of Alibaba Cloud
CDN. For more information, see Limits.
- Business Type: Select the business type of your website.
- Images and Small Files: If you want to accelerate the delivery of small-size and static resources, such
as small files, images, and web style sheets, we recommend that you select this option.
For more information, see Image and small file distribution.
- Large File Download: For game package installation, app updates, mobile read-only memory (ROM) upgrades,
and app downloads, we recommend that you select this option. For more information,
see Large file distribution.
- VOD: If you want to accelerate the delivery of audio or video files for VOD playback,
we recommend that you select this option. For more information, see On-demand audio and video streaming.
- DCDN: If your website contains a large amount of dynamic and static content, and most
of the requests are for dynamic resources, we recommend that you select this option.
For more information, see What is DCDN?.
Images and Small Files is selected in this topic.
- Origin Info: Configure the information of the origin site.
- Port: Select the access port of the website. Valid values:
- Port 80: Select this option if your website provides services over HTTP.
- Port 443: Select this option if your website provides services over HTTPS.
Port 80 is selected in this topic.
- Region: Select a region. Mainland China Only is selected in this topic.
- Click Next.
After you add an accelerated domain name, Alibaba Cloud CDN assigns a CNAME address
to the accelerated domain name.

Step 16: Resolve the website domain name to CDN
After you add the domain name, you must modify the DNS record to resolve the website
domain name to CDN. Then, requests sent to the accelerated domain name can be forwarded
to CDN nodes for acceleration.
Note If you use a third-party DNS service, log on to the system of the DNS service provider
to modify the DNS record for your website.
To resolve the domain name to CDN, take the following steps:
- Log on to the Alibaba Cloud DNS console.
- On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
- On the Configure page, find the DNS records, and click Edit in the Actions column.
- In Edit Record dialog box, set Type to CNAME, and set Value to the CNAME address that is assigned in Step 15. For more information, see Step 15: Add an accelerated domain name.

- Click OK.
Step 17: Verify the settings
In the China (Hangzhou), China (Shanghai), or China (Shenzhen) region, use a computer
that runs Windows to test how your website is accelerated and protected by GA and
other integrated services including CDN, Anti-DDoS Pro, WAF, and GTM.
- Enter the domain name www.example.com (hosted in mainland China) into the address
bar of the web browser to access the website service deployed in the US (Silicon Valley)
region.
- Run the
nslookup <CNAME access domain name in GTM>
command to check the resolution result.
- If the primary server group is available: The domain name is resolved to the IP address
of Server 1 or Server 2. In this topic, the primary server group contains Server 1
and Server 2 that are deployed in the US (Silicon Valley) region.
- If the primary server group is unavailable: The domain name is resolved to the IP
address of Server 3 or Server 4. In this topic, the primary server group contains
Server 1 and Server 2 that are deployed in the US (Silicon Valley) region.
- Run the following command to check the latency of data packet transmission.
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total:
%{time_total}\n" "http[s]://<the domain name of the website service>[:<port>]"
where:
- time_connect: the period of time to establish a TCP connection.
- time_starttransfer: the period of time for the backend server to send the first byte
after the client sends a request.
- time_total: the period of time for the backend server to respond to the session after
the client sends a request.