GA interacts with WAF and GTM to accelerate enterprise mailbox service
Last Updated: May 19, 2022
Global Accelerator (GA) provides enterprise mailbox service providers with a cross-border
acceleration solution that is based on the big data technologies of Alibaba Cloud Security,
high-bandwidth BGP lines, and the global transmission network of Alibaba. GA allows
service providers to deploy their services on a global scale, and users connect to
the nearest access point of the global transmission network for accelerated service
delivery. GA interacts with Web Application Firewall (WAF) so that service delivery is
both secure and efficient.
Prerequisites
Before you start, make sure that the following requirements are met:
An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account,
create one.
Internet Content Provider (ICP) filing is complete.
Background information
An enterprise mailbox server is deployed in the China (Beijing) region of Alibaba
Cloud. The origin server provides the mailbox service through two Alibaba Cloud Elastic
IP addresses (EIPs) on TCP port 9000. Most users of the mailbox service are in
Germany (Frankfurt) and Singapore. Because the cross-border public network is unstable,
users often experience slow data transfer and logon timeouts. The mailbox service is
also frequently targeted by web attacks, which severely affect its security and
availability. To resolve these issues, you can deploy GA together with WAF so that user
traffic is scrubbed by WAF and then routed to the nearest access point of the global
transmission network. This improves both the efficiency and the security of cross-border
data transmission.
As shown in the preceding figure, you create a GA instance, specify Germany (Frankfurt)
and Singapore as acceleration areas, and deploy WAF outside mainland China. The
intelligent load balancing feature of WAF then connects users to the nearest web
protection node in Germany or Singapore. WAF detects and blocks malicious traffic based
on its protection policies and forwards only normal traffic toward the origin. In this
topic, requests from users in Germany (Frankfurt) and Singapore first pass through WAF
for traffic scrubbing and are then forwarded to the accelerated IP addresses of the GA
instance in the same regions, which carry them over the global transmission network to
the origin server in China (Beijing). This reduces network latency and reinforces the
security of content delivery.
Procedure
Step 1: Create a GA instance
Each GA instance is an acceleration service running on a global scale.
On the buy page, set the required parameters, and click Buy Now.
Select the specification of the GA instance that you want to purchase. Select Small II in this topic.
GA supports the following instance specifications: Small I, Small II, Small III,
Medium I, Medium II, and Medium III. The acceleration performance varies with the
instance specification.
Instance specification   Number of acceleration regions   Peak bandwidth   Maximum number of concurrent connections
Small I                  1                                20 Mbit/s        5,000
Small II                 2                                40 Mbit/s        10,000
Small III                3                                60 Mbit/s        15,000
Medium I                 5                                100 Mbit/s       25,000
Medium II                8                                160 Mbit/s       40,000
Medium III               10                               200 Mbit/s       50,000
Select the subscription duration of the GA instance.
Step 2: Purchase and bind a basic bandwidth plan
A basic bandwidth plan provides bandwidth resources for data transmission over the
global network and the internal network of Alibaba Cloud. To achieve global acceleration,
you need to purchase a basic bandwidth plan and bind the basic bandwidth plan to a
GA instance.
To purchase and bind a basic bandwidth plan to a GA instance, follow these steps:
On the Instances page, click Purchase Basic Bandwidth Plan.
On the buy page, configure the required parameters, and click Buy Now to complete the payment.
Bandwidth Type: Select the type of the basic bandwidth plan. Select Enhanced in this topic.
Basic bandwidth plans support the following bandwidth types: basic, enhanced, and
premium. The following table shows how the workload type, the accelerated object,
and the acceleration scope vary with the bandwidth type.
Bandwidth type: Basic bandwidth
  Workload type: applications that are deployed on Alibaba Cloud
  Accelerated object: Elastic Compute Service (ECS), Server Load Balancer (SLB), and
  Alibaba Cloud public IP address
  Note: ECS and SLB instances in the classic network are not supported.
  Acceleration scope: by default, networking within mainland China is accelerated.
  You can also purchase a cross-border bandwidth plan to optimize the acceleration
  of networking between mainland China and other areas.
Bandwidth type: Enhanced bandwidth
  Workload type: applications that are deployed on Alibaba Cloud, and applications
  that are not deployed on Alibaba Cloud
  Accelerated object: ECS, SLB, Alibaba Cloud public IP address, custom IP address,
  and custom domain name
  Acceleration scope: by default, networking within mainland China is accelerated.
  You can also purchase a cross-border bandwidth plan to optimize the acceleration
  of networking between mainland China and other areas.
Bandwidth type: Premium bandwidth
  Workload type: applications that are deployed on Alibaba Cloud, and applications
  that are not deployed on Alibaba Cloud
  Accelerated object: ECS, SLB, Alibaba Cloud public IP address, custom IP address,
  and custom domain name
  Acceleration scope: by default, network connections are accelerated on a global
  scale. Network traffic from mainland China to areas outside China is accelerated
  through the China (Hong Kong) region. If you also purchase a cross-border bandwidth
  plan, the acceleration of network connections between mainland China and areas
  outside China is reinforced.
Note
You can specify ECS or SLB as the backend service type only if your account is added
to the whitelist. To specify ECS or SLB as the backend service type, submit a ticket.
Only an ECS instance or SLB instance in a virtual private cloud (VPC) can be specified
as an endpoint.
The IP addresses of endpoint groups associated with each GA instance must be globally
unique and not conflict with those of other GA instances.
Peak Bandwidth: Select the peak bandwidth of the basic bandwidth plan. Select 10 Mbit/s in this topic.
Duration: Select the duration of the basic bandwidth plan.
Return to the Instances page, and click the ID of the GA instance that you have created.
On the page that appears, click the Bandwidth Manage tab.
In the Basic Bandwidth Plan section, find the plan that you want to bind, and click Bind in the Actions column.
If the binding is successful, the basic bandwidth plan is in the Bound state.
Step 3: Purchase and bind a cross-border acceleration bandwidth plan
The cross-border acceleration bandwidth plan can be used to optimize network acceleration
between mainland China and regions outside mainland China.
Follow these steps to purchase and bind a cross-border acceleration bandwidth plan
to the GA instance.
On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
On the buy page, configure the required parameters, and click Buy Now to complete the payment.
Area A: Select the area to connect. Select Mainland China in this topic.
Area B: Select the area to connect.
Global: User requests are automatically forwarded to the global optimal egress based on
the region where the users are located.
China (Hong Kong): All user requests flow from China (Hong Kong) to the global transmission network.
Select Global in this topic.
Billing Method: Select a billing method for the cross-border acceleration bandwidth plan. Only Pay by Bandwidth is supported.
Bandwidth: Select the bandwidth of the cross-border acceleration bandwidth plan.
We recommend that you specify the same bandwidth value for the cross-border acceleration
bandwidth plan and the basic bandwidth plan. Select 10 Mbit/s in this topic.
Duration: Select the duration of the cross-border bandwidth plan.
Return to the Instances page. Find the target GA instance and click the instance ID.
On the page that appears, click the Bandwidth Manage tab.
In the Cross-region Bandwidth Package section, find the target cross-border acceleration bandwidth plan, and click Bind in the Actions column.
After you bind the cross-border acceleration bandwidth plan to the GA instance, the
status of the plan is changed to Bound.
Step 4: Add an acceleration area
After you purchase a basic bandwidth plan, you must add one or more acceleration areas
where end users are located, and allocate bandwidth to these areas.
To add an acceleration area, follow these steps:
On the Instances page, click the ID of the GA instance that you have created in step 1.
On the instance details page, click the Acceleration Areas tab, and then click Add Acceleration Area.
In the Add Acceleration Area dialog box, set the required parameters as follows, and click OK.
Acceleration Area: Select the area where the GA service is deployed. In this topic, select Asia Pacific.
Regions: Select the regions where the end users are located. Select Singapore.
Bandwidth: Specify the amount of bandwidth that you want to allocate to the region. Select
5 Mbit/s in this topic.
Repeat the preceding steps to add the Germany region in the Europe area as an acceleration
area and allocate 5 Mbit/s of bandwidth to the Germany region.
After the acceleration area is added, Global Accelerator assigns an accelerated IP
address to each region in the acceleration area. These accelerated IP addresses are
the addresses that WAF later forwards scrubbed traffic to.
Step 5: Create a listener
A listener monitors inbound connection requests from clients. GA forwards connection
requests to the origin server based on the specified protocol and port.
To add a listener to a Global Accelerator instance, follow these steps:
On the Instances page, click the ID of the GA instance that is created in Step 1.
On the instance details page, click the Listeners tab. Then, click Add Listener.
On the Configure Listener & Protocol page, configure the listener:
Listener Name: Enter a name for the listener to be created. The name must be 2 to 128 characters
in length and can contain letters, Chinese characters, digits, underscores (_), and
hyphens (-). It must start with a letter or a Chinese character.
Protocol: Select a protocol for the listener. Select TCP in this topic.
Port Number: Enter a port or port range for receiving and forwarding requests to the endpoints.
Valid values: 1 to 65499. Enter 9000 in this topic.
Client Affinity: Enable or disable client affinity. When client affinity is enabled, requests from
a specific source (client) IP address are always routed to the same endpoint. Select
Source IP Address in this topic.
Click Next to configure an endpoint group.
Step 6: Configure an endpoint group
Each listener is associated with an endpoint group. You can associate an endpoint
group with a listener by specifying the region to which you want to distribute network
traffic. After the association is complete, traffic is distributed to the optimal
endpoints in the associated endpoint groups.
To create an endpoint group, follow these steps:
Endpoint Group Name: Enter a name for the endpoint group.
Select the region where the endpoint group is located, that is, the region where the
origin server is located.
Select Beijing in this topic.
Select whether the backend service is deployed on Alibaba Cloud or outside Alibaba Cloud.
Select non-Alibaba Cloud in this topic.
Select whether to enable or disable client IP address reservation in the specified
region. After this feature is enabled, backend servers can obtain the source IP addresses
of clients. Disable this feature for the origin server in this topic.
Note Client IP address reservation is available only to accounts in the whitelist. To use it, submit a ticket.
Set the following parameters of endpoints:
Backend Service Type: Select EIP.
Backend Service: Select the EIP that is used to provide backend services.
Weight: Enter a number from 0 to 255 to set a weight for the endpoint. GA distributes network
traffic to endpoints based on the predefined weights of the endpoints.
Notice If the weight of an endpoint is set to 0, GA stops distributing traffic to
the endpoint.
Click Next to view the configurations. After confirmation, click Next.
Step 7: Activate the WAF service
WAF is backed by the big data technologies of Alibaba Cloud Security. It helps you
defend against common web attacks such as SQL injection, cross-site scripting (XSS),
web shells, Trojans, unauthorized downloads, and HTTP flood attacks. WAF protects
your web resources from exposure and ensures the security and availability of your
website.
Go to the WAF product page on the Alibaba Cloud International site, and log on with your
Alibaba Cloud account.
Click Buy Now.
On the buy page, set the following parameters.
Region: Select the region where the WAF instance is located.
In this topic, network traffic is forwarded through WAF over the GA network. Select
Overseas Region.
Plan: Select the version of WAF service to be activated.
Different WAF instance types support different business scales and protection features.
For more information, see WAF deployment plans and editions. Select Enterprise in this topic.
Extra Domain: Specify the number of additional domains to be activated.
If you want to add multiple domains (or more than 10 subdomains) to WAF, you can activate
additional domains. For more information, see Additional domains. Do not purchase any additional domain in this topic.
Exclusive IP: Specify the number of exclusive IP addresses to be purchased.
You can purchase an exclusive IP address when your website domain name needs WAF protection
through an exclusive IP address. For more information, see Exclusive IP. This topic does not involve the purchase of exclusive IP addresses.
Extra Traffic: Specify the size of the bandwidth extension plan to be purchased. Unit: Mbit/s.
If the total bandwidth of your websites exceeds the service bandwidth of WAF, you
can purchase a bandwidth extension plan. For more information, see Bandwidth extension plans. Do not purchase a bandwidth extension plan in this topic.
GSLB: Select whether to enable Global Server Load Balancing (GSLB).
GSLB uses the multi-node resilience technology. It distributes network traffic based
on multiple nodes and lines for disaster recovery and high service reliability. Select
Yes in this topic.
Log Service: Select whether to enable Log Service.
Log Service retrieves log data from WAF in real time and then stores the data in Logstores.
You can query and analyze the log data, and generate analytics reports online. Select
No in this topic.
Bot Manager: Enable or disable the Bot Manager feature.
Mobile App Protection: Enable or disable mobile application protection.
You can enable the mobile app protection feature if your business supports native
applications and you have security needs for your business, such as trusted communications
and prevention of abusing bot scripts. For more information, see Configure application protection. Select No in this topic.
Service Time: Select the validity period of the WAF service.
Click Buy Now to complete the payment.
Step 8: Add website configurations
After you activate the WAF service, you must configure the forwarding rule for the
website protected by WAF.
To forward network traffic of the protected domain name to WAF in DNS proxy mode,
follow these steps.
On the top of the page, select the region of the WAF instance that you want to manage.
Select International.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Website Access page, click Add Domain Name.
Optional: On the Add Domain Name page, click Manually Add Other Websites.
Note The Add Domain Name page appears only when a qualified domain name exists. If Add Domain Name does not appear, skip this step.
Follow the Add Domain Name wizard to complete the configuration.
Domain Name: Enter the domain name for which you want to enable WAF protection. Enter www.example.cn in this topic.
Note
This parameter supports precise domain names such as www.aliyun.com and wildcard domain names such as *.aliyun.com.
If you use a wildcard domain name, WAF automatically matches all subdomains against
the wildcard domain name.
If you configure both a wildcard domain name and a precise domain name for a website,
forwarding rules and protection policies of the precise domain name prevail over those
of the wildcard domain name.
The .edu domain names are not supported. If you want to use a .edu domain name, submit a ticket to request technical support.
Protocol Type: Select the protocol supported by the website. Select HTTP in this topic. Because mailbox logons carry credentials, use HTTPS in production so that the credentials are not transmitted in cleartext between the client and WAF or between WAF and the origin server.
Note
If your website supports HTTPS, select HTTPS, and upload the certificate and the private
key file after you set website parameters. For more information, see Upload an HTTPS certificate.
After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to accelerate
your application. For more information, see Manually add website configurations.
To enable protection for HTTP 2.0 requests, make sure the following conditions are met:
You have upgraded your WAF instance to the Business or Enterprise edition.
You have selected HTTPS.
Server Address: Select a server address type and enter the address of the origin server.
Both IP and Other address formats are supported. After you connect your website to WAF, WAF forwards the filtered
requests to the specified address. Select IP address in this topic. Then, enter the accelerated IP addresses that the GA instance assigned to the Germany (Frankfurt) and Singapore regions in Step 4.
Server Port: Configure the service port of the website.
WAF receives and forwards user traffic for your website only on the specified ports.
Traffic destined for the website domain name on other ports is not forwarded to the
origin server, so WAF cannot be used as a path to ports on the origin server that are
open but not configured here, even if those ports have vulnerabilities. This applies
only to traffic that passes through WAF: the accelerated IP addresses and the origin
EIPs are public addresses and can still be reached directly, so restrict which sources
may connect to them (the note at the end of this step describes whitelisting the WAF
IP addresses) rather than relying on WAF to hide the origin.
Notice Make sure that the protocol and port that you specify in WAF are the same as
those of the origin server whose IP address is specified as the server address. Port
mapping is not supported.
Enter the custom port 9000 in this topic.
Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports
443 and 8443. WAF instances of the Business and Enterprise editions support more non-standard
ports, and have limits on the total number of ports used by the protected domain name.
For more information, see View the allowed port range.
Load Balancing Algorithm: If you specified more than one origin IP address, select IP hash, Round Robin, or Least time. WAF distributes requests to these servers based on the specified algorithm. Select
Least time in this topic.
Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.
Whether a layer-7 proxy (such as Anti-DDoS Pro and CDN) is enabled: Select Yes or No based on the actual workload of your website. Select No in this topic.
Traffic Labeling: Enter an unused Header Field Name and specify a Header Field Value to label the Web requests that are redirected to the origin server through WAF. WAF
adds the specified header field to the filtered requests. This enables your origin
server to identify the requests redirected by WAF.
Note If a request already contains the specified header field, WAF overwrites the original
field value with the specified value.
Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME address allocated by WAF to receive inbound traffic.
Click Next. Click Complete, and return to the website list.
Note If a third-party firewall protects your server, add the WAF IP addresses shown in
the following figure to its whitelist so that the firewall does not block requests
forwarded by WAF. If you do not use a third-party firewall, ignore the following figure.
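The traffic-labeling header configured above tells the origin server that a request passed through WAF, but it is not proof on its own: a client that connects to an accelerated IP address or an origin EIP directly can send the same header, and WAF overwrites the header rather than authenticating it. The following Python example, added here and not part of the original topic or of any Alibaba Cloud SDK, combines the label with a source-address check against the WAF IP ranges that the preceding note tells you to whitelist. The CIDR ranges, header name and header value are constructed placeholders. Because client IP address reservation is disabled in Step 6, the origin EIP in this topic sees the forwarding address of GA rather than the address of WAF; the source check therefore belongs wherever the upstream address is visible, for example with client IP address reservation enabled (the client of GA in this topology is WAF).

```python
"""Origin-side check that a request arrived through WAF (added example).

Two signals are combined:
  1. the source address must fall in one of the WAF back-to-origin ranges, and
  2. the Traffic Labeling header from Step 8 must carry the expected value.
The header alone is not proof, because anyone who reaches the origin directly
can send it too; the source-address check is the control that enforces
"WAF first".
"""
import ipaddress
from typing import Iterable, Mapping, Optional

# CONSTRUCTED placeholders (RFC 5737 documentation ranges). Replace them with
# the WAF IP ranges shown in the WAF console for your instance.
WAF_BACK_TO_ORIGIN_CIDRS = ("203.0.113.0/24", "198.51.100.0/24")

# Header field name and value chosen under Traffic Labeling (assumed values;
# the topic does not prescribe them).
LABEL_NAME = "X-Via-WAF"
LABEL_VALUE = "mailbox-2022-q2"


def _header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _in_ranges(src_ip: str, cidrs: Iterable[str]) -> bool:
    """True if src_ip lies in any of the CIDR ranges; raises ValueError on bad input."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def classify_request(src_ip: str, headers: Mapping[str, str],
                     cidrs: Iterable[str] = WAF_BACK_TO_ORIGIN_CIDRS,
                     label_name: str = LABEL_NAME,
                     label_value: str = LABEL_VALUE) -> str:
    """Return one verdict for a request as seen by the origin.

    via_waf         source is a WAF range and the label matches: serve.
    waf_unlabeled   source is a WAF range but the label is missing or wrong:
                    serve, but investigate the Traffic Labeling settings.
    forged_label    label matches but the source is not WAF: a direct
                    connection spoofing the header; reject and alert.
    direct          neither signal: the request bypassed WAF; reject.
    invalid_source  the source address could not be parsed; reject.
    """
    try:
        from_waf = _in_ranges(src_ip, cidrs)
    except ValueError:
        return "invalid_source"
    labeled = _header_value(headers, label_name) == label_value
    if from_waf and labeled:
        return "via_waf"
    if from_waf:
        return "waf_unlabeled"
    if labeled:
        return "forged_label"
    return "direct"


def should_serve(verdict: str) -> bool:
    """Serve only requests whose source address proves they came through WAF."""
    return verdict in ("via_waf", "waf_unlabeled")


# CONSTRUCTED sample requests (source address, request headers); not captured traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.17", {"Host": "www.example.cn", "x-via-waf": "mailbox-2022-q2"}),
    ("198.51.100.9", {"Host": "www.example.cn"}),
    ("192.0.2.44", {"Host": "www.example.cn", "X-Via-WAF": "mailbox-2022-q2"}),
    ("192.0.2.45", {"Host": "www.example.cn"}),
    ("not-an-ip", {"Host": "www.example.cn"}),
]


def audit(requests=SAMPLE_REQUESTS):
    """Classify every request; returns a list of (src_ip, verdict, served)."""
    results = []
    for src_ip, headers in requests:
        verdict = classify_request(src_ip, headers)
        results.append((src_ip, verdict, should_serve(verdict)))
    return results


if __name__ == "__main__":
    for src_ip, verdict, served in audit():
        print(f"{src_ip:>15}  {verdict:<14}  {'serve' if served else 'reject'}")
```

The "forged_label" verdict is the one worth alerting on: it means someone knows the label value and is talking to the origin or the accelerated IP address without going through WAF, which is exactly the bypass the port-restriction text above does not prevent.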
Step 9: Configure DNS settings
After you add the website configuration, you must modify the DNS record to map the
website domain name to the CNAME address assigned by WAF so that the traffic is redirected
to WAF.
Note If you use a third-party DNS service, log on to the system of the DNS provider to
modify the DNS record.
On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
On the Configure page, find the DNS record, and click Edit in the Actions column.
In the Edit Record dialog box, edit the host record.
Type: Select CNAME.
Value: Enter the CNAME address assigned by WAF.
Keep the other settings unchanged.
Click OK.
Step 10: Verify the settings
To verify the performance of the acceleration and protection services after Global
Accelerator interacts with WAF and GTM, follow these steps:
Open a web browser on a client located in the region of an access point, such as
Germany (Frankfurt) or Singapore in this topic.
Enter the domain name of the enterprise mailbox service deployed in the China (Beijing)
region to access the service.
The test result shows that you can access the mailbox service deployed in the China
(Beijing) region by visiting the domain name of the enterprise mailbox service.
Open a terminal (Command Prompt on Windows) on a computer in Germany (Frankfurt) or
Singapore in this topic.
Run the following command to check the latency of data transmission:
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<the domain name of the enterprise mailbox service>[:<port>]"
where:
time_connect: the time, in seconds, from the start of the request until the TCP
connection to the server was established.
time_starttransfer: the time from the start of the request until the first byte of
the response was received. It includes the connection setup and the time that the
backend server takes to produce the response.
time_total: the total time of the request, from the start until the complete response
was received.
The test result shows that GA has reduced the network latency of data transmission
for users in Germany (Frankfurt) and Singapore when they access the mailbox service
deployed in the China (Beijing) region.
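A single curl run is a noisy basis for a before/after comparison. The following Python example, added here and not part of the original topic, wraps the same curl command so that it can be repeated, reduces several runs to per-field medians, and reports the percentage improvement. The embedded timing outputs are constructed samples in the exact shape that the -w format above prints, not real measurements; the measure() function runs the real command when given a live URL.

```python
"""Repeatable before/after latency comparison built on the curl command in
Step 10 (added example). Each curl run is parsed into its three timings,
several runs are reduced to per-field medians, and the medians are compared.
"""
import re
import statistics
import subprocess
from typing import Dict, List

# The same -w format string as the curl command in Step 10.
CURL_FORMAT = ("time_connect: %{time_connect}\n"
               "time_starttransfer: %{time_starttransfer}\n"
               "time_total: %{time_total}\n")
FIELDS = ("time_connect", "time_starttransfer", "time_total")
_LINE = re.compile(r"^(time_\w+):\s*([0-9]+(?:\.[0-9]+)?)$")


def parse_curl_timing(output: str) -> Dict[str, float]:
    """Parse one run's output (three 'name: seconds' lines) into floats."""
    timings: Dict[str, float] = {}
    for raw in output.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unexpected curl -w output line: {raw!r}")
        timings[m.group(1)] = float(m.group(2))
    missing = [f for f in FIELDS if f not in timings]
    if missing:
        raise ValueError(f"curl output lacks {missing}")
    return timings


def summarize(runs: List[Dict[str, float]]) -> Dict[str, float]:
    """Median per field; the median is robust to a single slow outlier."""
    if not runs:
        raise ValueError("no runs to summarize")
    return {f: statistics.median(r[f] for r in runs) for f in FIELDS}


def compare(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Per-field before/after medians and the percentage improvement."""
    report = {}
    for f in FIELDS:
        b, a = before[f], after[f]
        report[f] = {"before": b, "after": a,
                     "improvement_pct": round(100.0 * (b - a) / b, 1)}
    return report


def measure(url: str, runs: int = 5) -> List[Dict[str, float]]:
    """Run the Step 10 curl command `runs` times against a live URL (needs network)."""
    results = []
    for _ in range(runs):
        proc = subprocess.run(["curl", "-o", "/dev/null", "-s", "-w", CURL_FORMAT, url],
                              capture_output=True, text=True, check=True)
        results.append(parse_curl_timing(proc.stdout))
    return results


# CONSTRUCTED sample outputs (not real measurements): direct cross-border access
# before GA, and access through WAF + GA afterwards.
BEFORE_RUNS = [
    "time_connect: 0.412\ntime_starttransfer: 1.310\ntime_total: 1.980\n",
    "time_connect: 0.455\ntime_starttransfer: 1.420\ntime_total: 2.240\n",
    "time_connect: 0.398\ntime_starttransfer: 1.275\ntime_total: 1.905\n",
]
AFTER_RUNS = [
    "time_connect: 0.061\ntime_starttransfer: 0.295\ntime_total: 0.410\n",
    "time_connect: 0.058\ntime_starttransfer: 0.310\ntime_total: 0.420\n",
    "time_connect: 0.066\ntime_starttransfer: 0.288\ntime_total: 0.398\n",
]


def sample_report() -> Dict[str, Dict[str, float]]:
    """Before/after report over the constructed samples."""
    before = summarize([parse_curl_timing(o) for o in BEFORE_RUNS])
    after = summarize([parse_curl_timing(o) for o in AFTER_RUNS])
    return compare(before, after)


if __name__ == "__main__":
    for field, row in sample_report().items():
        print(f"{field:<19} before {row['before']:.3f}s  after {row['after']:.3f}s  "
              f"improvement {row['improvement_pct']}%")
```

To compare a real deployment, collect measure(url) once against the origin EIP directly and once against the WAF-protected domain name from the same client, then pass the two summaries to compare(). Watch time_connect separately from time_total: with GA in front, the TCP handshake terminates at the nearest accelerated IP address, so time_connect drops sharply even when the server's own processing time does not change.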
Figure 1. The latency of data transmission before GA is used
Figure 2. The latency of data transmission after GA is used
Note The acceleration performance after GA interacts with WAF varies based on your workloads.