GA interacts with WAF and GTM to accelerate ERP applications - Global Accelerator

Global Accelerator (GA) can interact with Web Application Firewall (WAF) and Global Traffic Manager (GTM) to accelerate enterprise resource planning (ERP) applications. Based on high-bandwidth BGP lines, and the global transmission network of Alibaba, GA allows you to deploy your workloads across regions. Users can connect to the nearest access point over the global network for content delivery acceleration. WAF, a security service empowered by big data technologies of Alibaba Cloud Security, allows you to ensure the security of content delivery. This is a highly secure solution for cross-region acceleration of ERP systems.

Prerequisites

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, click Create an Alibaba Cloud account.

Background information

A company deploys an ERP system on Alibaba Cloud in the Germany (Frankfurt) region. The backend servers provide external services through two Elastic IP addresses (EIPs). The forwarding port is port 9000. Most of the end users are in the China (Hong Kong) and Singapore regions. Several issues such as data transmission latency or logon timeout may occur when users connect to the ERP system across regions. The existing ERP service architecture cannot be dynamically modified and is vulnerable to various web application attacks. These issues severely affect the security and availability of the ERP system. To solve these issues, you can use GA to interact with WAF and GTM. When the access point nearest to the users receives requests delivered across regions, GA uses WAF to filter out malicious network traffic and uses GTM to implement intelligent traffic distribution. This improves the security, availability, and communication efficiency between the users and the ERP system in different regions. ERP architecture 3

As shown in the preceding figure, you can create a GA instance, specify China (Hong Kong) and Singapore as the acceleration regions, and deploy WAF and GTM. WAF can detect and filter out malicious requests based on the specified protection policies, and allow only valid requests to reach the origin server. GTM can forward network traffic destined for the ERP system based on the specified access policy, perform real-time health checks on the origin server of the ERP system, and implement fault isolation or failover based on the health check results. When users in China (Hong Kong) and Singapore send requests to the ERP system, the access point nearest to the users receives the requests and distributes them to the GA network. WAF filters network traffic. GTM then forwards the network traffic to the origin server and performs fault isolation or traffic redirection based on the health check results. This solution ensures high security and availability of the ERP system and reduces the network latency.

Procedure

Step 1: Create a GTM instance

GTM allows you to balance a large number of concurrent workloads, perform health checks on application services, and implement fault isolation and failovers based on the health check results.

To create a GTM instance, perform the following steps:

Note

If you are using GTM for the first time, you must authorize the GTM service to access your cloud resources. This allows GTM to access your alert groups that are created in CloudMonitor. For more information, see Cloud resource access authorization.

Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Global Traffic Manager.
On the Global Traffic Manager page, click Create Instance.
On the buy page, set the following parameters.
1. Edition: By default, Standard Edition is selected and cannot be changed.
  The Standard Edition supports the following features:
  - Health checks on IP addresses of application services: ping, tcp, and http(s).
  - DNS failover: switches your application workloads to the secondary server to avoid service interruption and implements fault isolation.
  - Intelligent DNS resolution of domain names based on areas.
  - WRR: weighted round-robin load balancing policy.
2. Quantity: The number of GTM instances that you want to purchase.
3. Duration: The service duration of the GTM instance.
Click Buy Now and complete the payment.

Step 2: Configure an access policy

An access policy defines address pools for which requests from different networks or regions are resolved. With the access policy, users can connect to the nearest access point and your workloads can be automatically switched between the primary and secondary servers for fast failover.

To configure an access policy for the GTM instance, perform the following steps:

Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Global Traffic Manager.
On the Global Traffic Manager page, find the GTM instance that you want to manage and click Settings in the Actions column.
In the Select Configuration Method dialog box, select Quick Start.
In the Configure Access Policy step, set the following parameters:
1. Policy Name: Enter a name for the access policy.
2. DNS Request Sources: Select a request source.
  After you specify a region as the request source, when users in this region send requests to the service, GTM distributes the requests to the specified origin server address pool. Global is selected in this example.
  Note
  If you configure only one access policy, you must select Global.
  If you configure multiple access policies, you must specify Global as one of your DNS request sources. Otherwise, the application may not be accessible in some regions.
  You cannot select the options that have been used in other access policies. These options are unavailable.
  If multiple access policies exist, you can only specify ISP or Mainland China as DNS request source.
3. Primary Address Pool Set: Select the default address pool.
  The default address pool is the origin server address pool to which GTM forwards normal network traffic.
  In this topic, click Create Address Pool, add the address of ERP Server A in Germany (Frankfurt) to the default address pool, enable HTTP health checks, and then select the default address pool. For more information about health check configurations, see HTTP(S) health check. For more information about how to configure address pools, see Address pool configurations.
4. Secondary Address Pool Set: Select an alternative address pool.
  An alternative address pool is an IP address pool of origin servers to which GTM directs requests if the servers in the default address pool are down.
  In this topic, click Create Address Pool, add the address of ERP Server B in Germany (Frankfurt) to the alternative address pool, enable HTTP health checks, and then select the alternative address pool. For more information about HTTP(S) health check. For more information about how to configure address pools, see Address pool configurations.
Click Next.

Step 3: Configure basic settings

After you configure the access policy, you must specify the basic information of the GTM instance, including the primary domain name, type of the Canonical Name (CNAME) of your application, load balancing policies, global time-to-live (TTL), and alert groups.

In the Basic Information step, set the following parameters.
1. Instance Name: Enter an instance name.
  An instance name is used to identify the service to which the instance applies.
2. Primary Domain: Enter the domain name of your application. Enter www.example.de in this topic.
3. CNAME: Specify the type of the CNAME.
  - Assigned CNAME: Select this option if the IP address pool contains only Alibaba Cloud IP addresses or IP addresses outside the Chinese mainland.
  - Custom CNAME: Select this option if the IP address pool contains IP addresses of data centers.
  In this example, the address pool contains only EIPs. Therefore, Assigned CNAME is selected in this example.
4. Balance Policy: Select a load balancing policy for GTM.
  - Round Robin: The default policy. If you select this policy, GTM distributes network traffic to IP addresses in the IP address pool on a rotation.
  - Weighted Round Robin: If users are distributed across the country or around the world, you can select this policy to distribute network traffic based on the capacity of each origin server in the pool. This policy allows the system to distribute access traffic based on weights. You can set a weight for each IP address. DNS resolution returns IP addresses based on the predefined weights.
  Select Round Robin in this topic.
5. Global TTL Period: The validity period of the IP address to which the domain name is resolved. 1 Minutes is selected in this example.
  You can use GTM to manage network traffic based on domain names. The global TTL specifies the TTL of the IP address information cached in the DNS system of the Internet Service Provider (ISP). By default, the global TTL is set to 1 minute. If you use a custom domain name, the global TTL must be the same as the minimum TTL supported by the DNS plan of the custom domain name.
6. Alert Group: the contact group to which a notification is sent when an exception is detected in your workloads.
  Note
  If you have not configured an alert group, log on to the CloudMonitor console and add a contact group. For more information, see Delete alert contacts or alert contact groups.
  If you have configured a contact group but want to configure the basic information as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud account to authorize the RAM user. After the RAM user is authorized, you can log on as a RAM user to read messages sent to the alert group.
Click Complete.

After you configure the basic information, the system automatically allocates a CNAME to the domain name. User requests destined for the CNAME are resolved to the IP address of the scheduled origin server. cname

Step 4: Activate WAF

WAF is empowered by big data technologies of Alibaba Cloud Security. WAF allows you to defend against common web attacks such as SQL injections, cross-site scripting (XSS), web shells, Trojans, unauthorized downloads, and HTTP flood attacks. WAF protects your web resources from exposure and ensures the security and availability of your website.

Enter the WAF product overview page on the Alibaba Cloud official website, and log on with your Alibaba Cloud account.
Click Buy Now.
On the buy page, set the following parameters.
1. Region: Select the region where the WAF instance is deployed.
  In this topic, network traffic is forwarded through WAF over the GA network. Select Outside Chinese Mainland.
2. Edition: Select the edition of WAF that you want to activate.
  Different WAF editions are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this example.
3. Extra Domains: Specify the number of additional domains to be activated.
  If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domain names. For more information, see Additional domain names. Do not purchase any additional domain in this topic.
4. Exclusive IP Address: Specify the number of exclusive IP addresses.
  You can purchase an exclusive IP address if you need a dedicated WAF IP address to protect your domain name. For more information, see Exclusive IP addresses. This topic does not involve the purchase of exclusive IP addresses.
5. Extra Traffic: Specify the size of the additional bandwidth plan to be purchased. Unit: Mbit/s.
  If the total bandwidth required by your website exceeds the bandwidth provided by WAF, you can purchase an additional bandwidth plan. For more information, see additional bandwidth plans. Do not purchase any additional bandwidth plans in this topic.
6. GSLB: Enable or disable Global Server Load Balancing (GSLB).
  Global load balancing uses the multi-node resilience technology. It distributes network traffic based on multiple nodes or lines to implement disaster recovery and improve service reliability. No is selected in this example.
7. Log Service: Select whether to enable Log Service.
  Log Service retrieves log data from WAF in real time and stores the data in Logstores. You can query and analyze the log data, and generate analytics reports online. Disable is selected in this example.
8. Bot Management: Select whether to enable this feature.
  To mitigate security threats caused by bot traffic, you can enable this feature. For more information, see Configure bot threat intelligence rules and Configure the allowed crawlers function. Disable is selected in this example.
9. App Protection: Select whether to enable this feature.
  You can enable the mobile app protection feature if your business supports native applications and you have security needs for your business, such as trusted communications and prevention of abusing bot scripts. For more information, see Configure application protection. Disable is selected in this example.
10. Subscription Duration: Select the subscription duration of the WAF service.
Click Buy Now and complete the payment.

Step 5: Add website configurations

After you activate the WAF service, you must configure the forwarding rule for the website protected by WAF.

Perform the following steps to redirect network traffic of the protected domain name to WAF in DNS proxy mode:

Log on to the WAF console.
On the top of the page, select the region of the WAF instance that you want to manage. Outside Chinese Mainland is selected in this example.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Website Access page, click Website Access.
On the Enter Your Website Information wizard page, set the following parameters:
1. Domain Name: Enter the domain name for which you want to enable WAF protection. Enter www.example.de in this topic.
  Note
  Wildcard domain names such as *.aliyun.com are supported. WAF automatically matches all subdomains against the specified wildcard domain.
  If you enter a wildcard domain and a specific domain name, such as *.aliyun.com and www.aliyun.com, the forwarding rules and protection policies of the specific domain name prevail over those of the wildcard domain.
  Domain names with the .edu suffix are not supported. If you need to use .edu domain names, submit a ticket to request technical support.
2. Protocol Type: Select the protocol that your website supports. HTTP is selected in this example.
  Note
  If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Add a domain name to WAF.
  After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Add a domain name to WAF.
  To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
  Your WAF service is upgraded to Business or Enterprise Edition.
  HTTPS is selected.
3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
  Both IP and Domain Name (Such as CNAME) formats are supported. After your website is connected to WAF, WAF filters and redirects requests to the specified address. Select Domain Name (Such as CNAME) and enter the CNAME generated for the GTM instance. For more information, see Step 3: Configure basic settings.
4. Destination Server Port: Specify the service port of the website.
  WAF receives and forwards traffic for your website through the specified ports. The user traffic destined for the website domain name is forwarded only through the specified service ports. For unspecified ports, WAF does not forward traffic received on these ports to the origin servers. Therefore, no security threats are posed on the origin servers if you enable these ports or if these ports have vulnerabilities.
  Important
  The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.
  The custom port 9000 is specified in this topic.
  Note
  By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business Edition and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the ports supported by WAF.
5. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. No is selected in this example.
6. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.
7. Enable Traffic Mark: Enter an unused Header Name and specify a custom Header Value to label the requests that are redirected to the origin servers through WAF. WAF adds the specified header to the filtered requests. This enables your origin server to identify the requests redirected by WAF.
  Note
  If the requests to your website already contain a specified header, WAF overwrites the original header value with the specified value.
Click Next. On the Change DNS Settings wizard page, click Copy CNAME to record the CNAME allocated by WAF. This enables the WAF to receive inbound traffic.
Click Next. Click Complete. Return to the website list..
Note
If you have enabled a third-party firewall for your server, disable the firewall or add the WAF IP address in the following figure to the whitelist of the enabled firewall so that the firewall will not block requests forwarded from WAF. If you are not using a third-party firewall, ignore the information in the following figure.

Step 6: Create a GA instance

GA is a high-availability and high-performance network acceleration service for global users. Based on the high-quality BGP bandwidth and global network infrastructure of Alibaba, GA allows service providers to deploy their applications across regions and users to connect to the nearest endpoints for content delivery acceleration. This can reduce network issues, such as network latency, network jitter, and packet loss.

Perform the following steps to create a GA instance.

Log on to the GA console.
On the Instances page, click Create Instance.
On the buy page, set the required parameters, and click Buy Now.
1. Select a specification for the GA instance. Select Small Ⅱ in this topic. For more information, see Specifications of standard GA instances.
2. Select a subscription duration for the GA instance.
After you create the instance, the system automatically allocates a CNAME. User requests destined for the CNAME are resolved to the IP address of the origin server. Record the CNAME for DNS resolution.

Step 7: Purchase and associate with a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transfer over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and associate the basic bandwidth plan with the GA instance.

To purchase and associate a basic bandwidth plan to a GA instance, perform the following steps:

On the Instances page, click Purchase Basic Bandwidth Plan.

On the buy page, set the following parameters, click Buy Now, and then pay for the order.

Bandwidth Type: Select the bandwidth type of the basic bandwidth plan. In this example, Premium is selected.

The following types of bandwidth are supported by basic bandwidth plans: basic, enhanced, and premium. The acceleration type, accelerated endpoint, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type, as described in the following table.

Bandwidth type	Acceleration type	Accelerated endpoint	Acceleration scope
Basic	Applications deployed on Alibaba Cloud	Standard Global Accelerator instance: Public IP addresses provided by Alibaba Cloud Elastic Compute Service instances Elastic network interfaces (ENIs) Classic Load Balancer (CLB) (formerly known as SLB) instances Application Load Balancer (ALB) instances Network Load Balancer (NLB) instances Object Storage Service (OSS) buckets vSwitches Basic Global Accelerator instance: CLB instances Secondary ENIs Elastic Compute Service instances NLB instances	By default, the acceleration region and the region where the endpoint is deployed are located in the Chinese mainland.
Enhanced	Applications deployed on Alibaba Cloud Applications deployed outside Alibaba Cloud	Standard Global Accelerator instance: Public IP addresses provided by Alibaba Cloud Elastic Compute Service instances ENIs CLB instances ALB instances NLB instances OSS buckets vSwitches Custom IP addresses Custom domain names Basic Global Accelerator instance: N/A	By default, the acceleration region and the region where the endpoint is deployed are located in the Chinese mainland.
Premium	Applications deployed on Alibaba Cloud Applications deployed outside Alibaba Cloud	Standard Global Accelerator instance: Public IP addresses provided by Alibaba Cloud Elastic Compute Service instances ENIs CLB instances ALB instances NLB instances OSS buckets vSwitches Custom IP addresses Custom domain names Basic Global Accelerator instance: CLB instances Secondary ENIs Elastic Compute Service instances NLB instances	By default, the acceleration region and the region where the endpoint is deployed are located in areas outside the Chinese mainland. If you want to accelerate data transfer between the Chinese mainland and other areas, you must select China (Hong Kong) as the acceleration region.

Note

You can associate only basic bandwidth plans that provide basic bandwidth or premium bandwidth with basic Global Accelerator instances that use the pay-by-bandwidth bandwidth metering method.
If your standard GA instance does not support ALB instances, ECS instances in VPCs, CLB instances in VPCs, NLB instances, or ENIs as endpoints, the GA instance may not use the latest version. Contact your account manager to upgrade your GA instance. If you have the permissions to upgrade GA instances, you can upgrade your GA instance. For more information, see Upgrade a GA instance.
If your basic Global Accelerator instance was created after August 1, 2023, you can specify internal-facing NLB instances as endpoints. If your basic Global Accelerator instance was created before August 1, 2023 and you want to use the preceding feature, contact your account manager to upgrade your GA instance.

Peak Bandwidth: Specify the bandwidth limit of the basic bandwidth plan. Select 20 Mbps in this topic.
Duration: Select the duration of the basic bandwidth plan.

Return to the Instances page and click the ID of the GA instance that you created.
Click the Bandwidth Manage tab.
In the Basic Bandwidth Plan section, find the plan that you want to manage, and click Bind in the Actions column.
The basic bandwidth plan is now in the In Use state.

Step 8: Add an acceleration area

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

To add an acceleration area, perform the following steps:

On the Instances page, click the ID of the GA instance that you have created.
On the instance details page, click the Acceleration Areas tab and select an acceleration area. In this example, Asia Pacific is selected.
On the Acceleration Areas tab, click Add Acceleration Area.
In the Add Acceleration Area dialog box, configure the regions and click OK.
1. Region: Select the region where users are located. Select Singapore.
2. Bandwidth: Select a bandwidth value for the acceleration region. 10 Mbit/s is selected in this topic.
3. Select China (Hong Kong) as the acceleration region and allocate 10 Mbit/s of bandwidth to the China (Hong Kong) region.

After the acceleration area is added, GA assigns an accelerated IP address to each region in the acceleration area for network acceleration.

Step 9: Create a listener

Listeners are used to monitor connection requests from clients. GA monitors connection requests received on the specified listener ports and forwards the requests to endpoints through the specified protocol.

To add a listener to a GA instance, perform the following steps:

On the Instances page, click Instance ID.
On the instance details page, click the Listeners tab and then click Add Listener.
On the Configure Listener & Protocol wizard page, configure the listener:
1. Listener Name: Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
2. Protocol: Select a protocol for the listener. In this example, TCP is selected.
3. Port Number: Enter the number of the listener port that is used to receive requests and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
4. Client Affinity: Select whether to enable client affinity. If client affinity is enabled, requests from the same client IP address are forwarded to the same endpoint when clients access stateful applications. Select Source IP Address in this topic.
Click Next to configure an endpoint group.

Step 10: Configure an endpoint group

Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoints in the endpoint group.

To create an endpoint group, perform the following steps:

Enter a name for the endpoint group in the Endpoint Group Name parameter.
Select the region where you want to create the endpoint group. The servers that the clients want to access must be deployed in the specified region.
Select Germany (Frankfurt) in this topic.
Specify whether the backend service is deployed on Alibaba Cloud or outside Alibaba Cloud. Off Alibaba Cloud is selected in this example.
Specify whether to preserve client IP addresses. After you enable this feature, backend servers can retrieve client IP addresses. In this example, this feature is disabled.
Configure endpoints.
1. Backend Service Type: Select Custom Domain Name from the drop-down list.
2. Backend Service: Enter the domain name that you want to accelerate. Enter the CNAME that is generated by WAF in this topic. For more information, see Step 5: Add website configurations.
3. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on their weights.
  Warning
  If the weight of an endpoint is set to 0, GA stops distributing network traffic to the endpoint. Proceed with caution.
Click Next, confirm the configurations, and then click Next.

Step 11: Connect workloads to GA

After you complete the GA configurations, you must modify the DNS resolution settings to map the website domain names to the CNAME assigned by GA, and redirect inbound traffic to GA.

Note

If you use a third-party DNS service, log on to the system of the DNS service provider to modify the DNS record of your website.

To connect your workloads to GA, perform the following steps:

Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find the domain name that you want to manage, and click DNS Settings in the Actions column.
On the DNS Settings page, find the DNS record that you want to modify, and click Modify in the Actions column.
In the Modify DNS Record dialog box, modify the DNS record.
1. Type: Select CNAME.
2. Record Value: Change the value to the CNAME allocated by GA. For more information, see Step 6: Create a GA instance.
3. Keep the remaining settings unchanged.
Click OK.

Step 12: Verify the settings

To check the acceleration and protection performance after GA interacts with WAF and GTM, perform the following steps:

Open a web browser on a client located in the region of an access point, such as China (Hong Kong) or Singapore.
Enter the domain name of the ERP system to access the ERP system services deployed in Germany (Frankfurt).
Open the CLI on your computer in the China (Hong Kong) or Singapore region in this topic.
Run the following command to test the network latency:
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<ERP system domain name>[:<port>]"
where:
- time_connect: the period of time to establish a TCP connection.
- time_starttransfer: the period of time for the backend server to send the first byte after the client sends a request.
- time_total: the period of time for the backend server to respond to the session after the client sends a request.