Global Accelerator (GA) can interact with Web Application Firewall (WAF), a security service empowered by big data technologies of Alibaba Cloud Security, to provide a solution for high-security web application acceleration across borders. Based on high-bandwidth BGP lines and the global transmission network of Alibaba, GA allows web application providers to deploy their services on a global scale. Users in different regions can connect to the nearest access points over the global transmission network for service delivery acceleration.

Prerequisites

Before you start, make sure that the following requirements are met:
  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • Internet Content Provider (ICP) filing is complete.

Background information

A web application is deployed on Alibaba Cloud in the US (Silicon Valley) region. The backend servers provide web services through two elastic IP addresses (EIPs) of Alibaba Cloud. The forwarding port is TCP port 9000. Most users are located in the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions. Web applications are often targeted by web application attacks, which severely affect the security and availability of web applications.

You can create a GA instance, specify China (Shanghai), China (Hangzhou), and China (Shenzhen) as the acceleration regions, and deploy WAF, as shown in the preceding figure. After the deployment is complete, WAF scans and filters malicious requests based on the configured protection policies. Only legitimate requests are forwarded to the origin servers. Requests from users in the China (Shanghai), China (Hangzhou), and China (Shenzhen) regions are scanned and filtered by WAF. Then, the scrubbed network traffic is forwarded from the nearest access points to the global transmission network through an accelerated IP address. This avoids network congestion and reduces network latency.

Procedure

Step 1: Create a GA instance

  1. Log on to the Global Accelerator console.
  2. On the Instances page, click Create Instance.
  3. On the buy page, configure the parameters, click Buy Now, and then complete the payment.
    1. Select a specification for the GA instance. In this example, Medium I is selected.
      GA supports the following instance specifications: Small I, Small II, Small III, Medium I, Medium II, and Medium III. The acceleration performance varies based on the instance specification:
      • Small I: 1 acceleration region, 20 Mbit/s peak bandwidth, up to 5,000 concurrent connections
      • Small II: 2 acceleration regions, 40 Mbit/s peak bandwidth, up to 10,000 concurrent connections
      • Small III: 3 acceleration regions, 60 Mbit/s peak bandwidth, up to 15,000 concurrent connections
      • Medium I: 5 acceleration regions, 100 Mbit/s peak bandwidth, up to 25,000 concurrent connections
      • Medium II: 8 acceleration regions, 160 Mbit/s peak bandwidth, up to 40,000 concurrent connections
      • Medium III: 10 acceleration regions, 200 Mbit/s peak bandwidth, up to 50,000 concurrent connections
    2. Select a subscription period for the GA instance.

Step 2: Purchase and bind a basic bandwidth plan to the GA instance

A basic bandwidth plan provides bandwidth for data transmission over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and bind the plan to the GA instance.

  1. On the Instances page, click Purchase Basic Bandwidth Plan.
  2. On the buy page, configure the parameters, click Buy Now, and then complete the payment.
    1. Bandwidth Type: Select the type of bandwidth of the basic bandwidth plan. In this example, Basic is selected.
      Basic bandwidth plans support the following bandwidth types: basic, enhanced, and premium. The workload type, accelerated object, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type:
      • Basic bandwidth
        • Workload type: applications that are deployed on Alibaba Cloud
        • Accelerated object: Elastic Compute Service (ECS), Server Load Balancer (SLB), and Alibaba Cloud public IP address
          Note ECS instances and SLB instances that run in classic networks are not supported.
        • Acceleration scope: by default, networking within mainland China is accelerated. You can also purchase a cross-border bandwidth plan to optimize the acceleration of networking between mainland China and other areas.
      • Enhanced bandwidth
        • Workload type: applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
        • Accelerated object: ECS, SLB, Alibaba Cloud public IP address, custom IP address, and custom domain name
        • Acceleration scope: by default, networking within mainland China is accelerated. You can also purchase a cross-border bandwidth plan to optimize the acceleration of networking between mainland China and other areas.
      • Premium bandwidth
        • Workload type: applications that are deployed on Alibaba Cloud, and applications that are not deployed on Alibaba Cloud
        • Accelerated object: ECS, SLB, Alibaba Cloud public IP address, custom IP address, and custom domain name
        • Acceleration scope: by default, network connections are accelerated on a global scale. Network traffic transmitted from mainland China to areas outside China is accelerated in the China (Hong Kong) region. If you also purchase a cross-border bandwidth plan, the acceleration of network connections between mainland China and areas outside China is reinforced.
      Note
      • You can specify ECS or SLB as the backend service type only if your account is added to the whitelist. To specify ECS or SLB as the backend service type, submit a ticket.
      • Only an ECS instance or SLB instance in a virtual private cloud (VPC) can be specified as an endpoint.
      • The IP addresses of endpoint groups associated with each GA instance must be globally unique and must not conflict with those of other GA instances.
    2. Peak Bandwidth: Select a maximum bandwidth value for the basic bandwidth plan. In this example, 10 Mbit/s is selected.
    3. Duration: Select the subscription period of the basic bandwidth plan.
  3. Return to the Instances page and click the ID of the GA instance that you created in Step 1.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Package section, find the basic bandwidth plan that you want to bind to the GA instance and click Bind in the Actions column.
    After the basic bandwidth plan is bound to the GA instance, the basic bandwidth plan is in the Bound state.

Step 3: Add an acceleration area

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

  1. On the Instances page, click the ID of the GA instance that you created in Step 1: Create a GA instance.
  2. On the instance details page, click the Acceleration Areas tab. Then, click Add Region.
  3. In the Add Acceleration Area dialog box, configure the following parameters and click OK.
    • Regions: Select the region from which requests are to be accelerated. In this example, China (Hangzhou) is selected.
    • Bandwidth: Specify the bandwidth resources used for acceleration in the region. In this example, 2 Mbit/s is used.
    • Internet Protocol: Select IPv4 or IPv6. After the acceleration area takes effect, you cannot change the protocol. If you want to change the protocol, you must delete the current acceleration area and add another area.
    • Actions: Specify the operations that you can perform on the area.
    • Add: Click Add, specify China (Shanghai) as the acceleration region, and allocate 2 Mbit/s of bandwidth to the China (Shanghai) region.
  4. Repeat the preceding steps to specify China (Shenzhen) as the acceleration region, and allocate 2 Mbit/s of bandwidth to the China (Shenzhen) region.

    After you add an acceleration area, GA assigns an IP address to the acceleration regions in the acceleration area. The IP address is used to accelerate requests from the region.

Step 4: Add a listener

A listener receives requests from clients. The system forwards the requests based on the protocol and port that you specify for the listener.

  1. On the Instances page, click the ID of the GA instance that you created in Step 1: Create a GA instance.
  2. On the Listeners tab, click Add Listener.
  3. In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.
    • Listener Name: Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    • Protocol: Select a protocol for the listener. In this example, TCP is selected.
    • Port Number: Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.
    • Client Affinity: Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.

Step 5: Configure an endpoint group

Each listener must be associated with an endpoint group. To associate an endpoint group with listeners, specify the regions to which you want to distribute requests. After you associate an endpoint group with a listener, traffic is distributed to the optimal endpoint in the associated endpoint group.

  1. In the Configure Endpoint Group step, configure the following parameters and click Next.
    1. Enter a name for the endpoint group in the Endpoint Group Name field.
    2. Select the region to which the endpoint group and the backend server belong.
      In this example, US (Silicon Valley) is selected.
    3. Specify whether to deploy the backend service on Alibaba Cloud. In this example, Alibaba Cloud is selected.
    4. Specify whether to reserve client IP addresses. After the feature is enabled, backend servers can obtain source IP addresses of clients. In this example, this feature is disabled.
    5. Configure endpoints.
      • Backend Service Type: In this example, Alibaba Cloud Public IP Address is selected.
      • Backend Service: Enter the EIP of the backend server. The EIP is used to provide services.
      • Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to each endpoint in proportion to the weight of each endpoint.
        Notice If you set the weight of an endpoint to 0, GA does not route network traffic to the endpoint. Proceed with caution.
      • Add Endpoint: Click Add Endpoint to specify another server in the US (Silicon Valley) region as an endpoint, and specify a weight.
  2. In the Confirm step, check the configurations of the listener and endpoint group. After you confirm the configurations, click Submit.

Step 6: Purchase and bind a cross-border acceleration bandwidth plan

The cross-border acceleration bandwidth plan can be used to optimize network acceleration between mainland China and regions outside mainland China. Perform the following steps to purchase a bandwidth plan for cross-border acceleration and bind the bandwidth plan to the GA instance.

  1. On the Instances page, click Purchase Cross-border Acceleration Bandwidth Plan.
  2. On the buy page, set the parameters and click Buy Now to complete the payment.
    1. Area A: Select the area where the bandwidth plan is used. In this example, Mainland China is selected.
    2. Area B: Select the area where the bandwidth plan is used. By default, Global is selected.
      Global: Requests are forwarded to the optimal endpoint based on the region from which requests are initiated.
    3. Billing Method: Select a metering method for the bandwidth plan. Only Pay by Bandwidth is supported.
    4. Bandwidth: Select a bandwidth value for the bandwidth plan.
      We recommend that you specify the same bandwidth value for the basic bandwidth plan and the bandwidth plan for cross-border acceleration. In this example, 10 Mbit/s is selected.
    5. Duration: Select a subscription duration.
  3. Return to the Instances page, find the GA instance to which you want to bind the bandwidth plan for cross-border acceleration, and then click its ID.
  4. Click the Bandwidth Manage tab.
  5. In the Cross-region Bandwidth Package section, find the bandwidth plan for cross-border acceleration and click Bind in the Actions column.
    After you bind the bandwidth plan to the GA instance, the bandwidth plan changes to the Bound state.

Step 7: Activate WAF

WAF provides security protection based on big data technologies of Alibaba Cloud Security. It defends against the common attacks defined by the Open Web Application Security Project (OWASP), including SQL injection, cross-site scripting (XSS), exploits of vulnerabilities in web server plug-ins, Trojan uploads, and unauthorized access to core resources. WAF blocks volumetric HTTP flood attacks to prevent the exposure of website assets and data, and to ensure website security and availability.

This step describes how to purchase a subscription WAF instance.

  1. Go to Alibaba Cloud International Site and log on to the WAF page with your Alibaba Cloud account.
  2. Click Buy Now.
  3. On the Web Application Firewall page, set the following parameters:
    1. Region: Select the region where the WAF instance is deployed.
      Network traffic is filtered by WAF and then forwarded to GA. In this topic, China Mainland is selected.
    2. Plan: Select the edition of WAF that you want to activate.
      Different WAF editions are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this example.
    3. Extra Domain: Specify the number of additional domain names.
      If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domain names. For more information, see Additional domain names. Additional domain names are not purchased in this example.
    4. Exclusive IP: Specify the number of exclusive IP addresses.
      You can purchase an exclusive IP address when your domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP addresses. Exclusive IP addresses are not purchased in this example.
    5. Extra Traffic: Specify the additional bandwidth value. Unit: Mbit/s.
      If you require additional bandwidth, you can purchase an additional bandwidth plan. For more information, see Additional bandwidth plans. 100 Mbit/s is selected in this topic.
    6. GSLB: Select whether to enable Global Server Load Balancing (GSLB).
      GSLB uses the multi-node resilience technology. It supports automatic traffic distribution and disaster recovery based on multiple nodes and lines. You can use GSLB to improve the reliability of your service. No is selected in this example.
    7. Access Log Service: Select whether to activate Log Service.
      Log Service retrieves log data from WAF in real time and then stores the data in Logstores. You can query and analyze the log data, and generate analytics reports online. No is selected in this topic.
    8. Bot Manager: Select whether to enable this feature.
      To mitigate security threats caused by bot traffic, you can enable this feature. For more information, see Set a bot threat intelligence rule and Configure the allowed crawlers function. No is selected in this example.
    9. Mobile App Protection: Select whether to enable this feature.
      You can enable this feature if your business supports mobile applications and you have security requirements for your business, such as trusted communication and prevention of bot scripts. For more information, see Configure application protection. No is selected in this example.
    10. Validity Period: Select the duration of the WAF service.
  4. Click Buy Now and complete the payment.

Step 8: Add website configurations

After WAF is activated, you must configure the forwarding rules for the website protected by WAF.

Perform the following steps to route user traffic to WAF before it reaches the domain name protected by WAF:

  1. Log on to the WAF console.
  2. In the top navigation bar, select the region of your WAF instance. Mainland China is selected in this example.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Add Domain Name.
  5. On the Add Domain Name page, set the following parameters:
    1. Domain Name: Enter the domain name for which you want to enable WAF protection. www.example.com is entered in this example.
      Note
      • Wildcard domain names such as *.aliyun.com are supported. WAF automatically matches all subdomains against the specified wildcard domain.
      • If you enter a wildcard domain and a precise domain name, such as *.aliyun.com and www.aliyun.com, the forwarding rules and protection policies of the exact domain name prevail over those of the wildcard domain.
      • Domain names with the .edu suffix are not supported. To use a domain name with the .edu suffix, submit a ticket to request technical support.
    2. Protocol Type: Select the protocol that your website supports. HTTP is selected in this example.
      Note
      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Upload an HTTPS certificate.
      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Manually add website configurations.
      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:
        • Your WAF service is upgraded to Business or Enterprise Edition.
        • HTTPS is selected.
    3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.
      Both IP and Destination Server (Domain Name) formats are supported. After your website is connected to WAF, WAF filters and redirects requests to the specified address. In this example, select IP, and enter the accelerated IP addresses, which are assigned by GA instances to China (Shanghai), China (Hangzhou), and China (Shenzhen) after acceleration regions are added in Step 3.
    4. Destination Server Port: Specify the service port of the website.
      WAF receives and forwards traffic for your website only through the specified ports. User traffic destined for the website domain name on any other port is not forwarded to the origin servers. Therefore, WAF does not expose the origin servers through those other ports, even if the ports are open or have vulnerabilities.
      Notice The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.
      The custom port 9000 is specified in this topic.
      Note By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the allowed port range.
    5. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.
    6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. No is selected in this topic.
    7. Request Tag: Enter an unused Header Field Name and specify a custom Header Field Value to label the requests that are redirected to the origin servers through WAF. WAF adds the specified header field to the filtered requests. This enables your origin server to identify the requests redirected by WAF.
      Note If the requests to your website already contain a specified header field, WAF overwrites the original field value with the specified value.
  6. Click Next.
    After you add the website configuration, on the Website Access page, move the pointer over the protected domain name to view the CNAME address assigned by WAF.
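As an added example that is not part of the original topic, the following Python WSGI middleware shows how an origin server can use the Request Tag from this step: it serves only requests that carry the configured header value and rejects the rest. The header name X-WAF-Tag and its value are placeholders for whatever you entered in the console.

```python
"""Origin-side check for the WAF request tag configured in Step 8 (added example)."""
import hmac
from typing import Callable

# Placeholders: use the header field name and value you entered under "Request Tag".
TAG_HEADER = "X-WAF-Tag"
TAG_VALUE = "replace-with-the-value-you-configured"


def wsgi_key(header_name: str) -> str:
    """Map an HTTP header name to its WSGI environ key (X-WAF-Tag -> HTTP_X_WAF_TAG)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def has_valid_tag(environ: dict, header_name: str = TAG_HEADER, expected: str = TAG_VALUE) -> bool:
    """True only if the tag header is present and matches the configured value.
    compare_digest keeps the comparison constant-time regardless of where strings differ."""
    presented = environ.get(wsgi_key(header_name), "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def require_waf_tag(app: Callable, header_name: str = TAG_HEADER, expected: str = TAG_VALUE) -> Callable:
    """WSGI middleware: pass tagged requests to `app`, answer everything else with 403.
    The tag identifies requests that WAF forwarded; it is only meaningful if the
    origin's ingress is also limited to the path through WAF and GA, since any
    client that can reach the origin directly could send a header of its own."""
    def wrapped(environ, start_response):
        if not has_valid_tag(environ, header_name, expected):
            body = b"forbidden: request did not arrive via WAF\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal origin application standing in for the real web service."""
    body = b"hello from the origin\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: Callable, environ: dict):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    protected = require_waf_tag(hello_app)
    # Constructed environs: one tagged as WAF would tag it, one direct request without the tag.
    tagged = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", wsgi_key(TAG_HEADER): TAG_VALUE}
    direct = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    print(call(protected, tagged)[0])   # 200 OK
    print(call(protected, direct)[0])   # 403 Forbidden
```

To serve it on the forwarding port from the scenario, wrap `require_waf_tag(hello_app)` with `wsgiref.simple_server.make_server("", 9000, ...)`.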

Step 9: Configure DNS settings

After you add the website configuration, you must modify the DNS record to map the website domain name to the CNAME address assigned by WAF so that the traffic is redirected to WAF.
Note If you use a third-party DNS service, log on to the system of the DNS service provider to modify the DNS record of your website.

Perform the following steps to configure DNS settings:

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the domain name that you want to manage, and click Configure in the Actions column.
  3. On the Configure page, find the DNS record that you want to modify, and click Edit in the Actions column.
  4. In the Edit Record dialog box, modify the host record.
    1. Type: Select CNAME.
    2. Value: Change the value to the one that is obtained in Step 8. The value is the CNAME assigned by WAF.
    3. Keep the remaining settings unchanged.
  5. Click OK.

Step 10: Verify the acceleration performance

Perform the following steps to verify how GA interacts with WAF to conduct security protection and content delivery acceleration on your website:

  1. Open a browser on a computer in an acceleration region. In this example, acceleration regions include China (Hangzhou), China (Shanghai), and China (Shenzhen).
  2. Enter the CNAME address assigned by WAF to access the web application deployed in the US (Silicon Valley) region.
  3. Open the CLI on a computer in an accelerated region. In this example, accelerated regions include China (Hangzhou), China (Shanghai), and China (Shenzhen).
  4. Run the following command to test the latency of data transmission:
    curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<the CNAME address assigned by WAF>[:<port>]"
    where:
    • time_connect: the period of time to establish a TCP connection.
    • time_starttransfer: the period of time for the backend server to send the first byte after the client sends a request.
    • time_total: the total time from when the client sends the request until the complete response is received.
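The curl command above measures a single request. The following Python script, added here as an example and not part of the original topic, runs the same probe several times from one acceleration region and reports the median and maximum of each timing, so a single slow sample does not skew the result. The target URL is a placeholder for the WAF CNAME and port, and curl must be installed on the computer.

```python
"""Repeatable version of the Step 10 latency check (added example)."""
import statistics
import subprocess
import sys

# Same -w format as the curl command in Step 10.
CURL_FORMAT = ("time_connect: %{time_connect}\n"
               "time_starttransfer: %{time_starttransfer}\n"
               "time_total: %{time_total}\n")
METRICS = ("time_connect", "time_starttransfer", "time_total")


def parse_timings(output: str) -> dict:
    """Parse curl's -w output into {metric: seconds}; raise if a metric is missing."""
    values = {}
    for line in output.splitlines():
        name, sep, raw = line.partition(":")
        name = name.strip()
        if sep and name in METRICS:
            values[name] = float(raw.strip())
    missing = [m for m in METRICS if m not in values]
    if missing:
        raise ValueError(f"curl output lacks: {missing}")
    return values


def probe(url: str) -> dict:
    """Run one curl probe against `url` (the WAF CNAME, optionally with :port)."""
    result = subprocess.run(
        ["curl", "-o", "/dev/null", "-s", "-w", CURL_FORMAT, url],
        capture_output=True, text=True, check=True, timeout=30,
    )
    return parse_timings(result.stdout)


def summarize(samples: list) -> dict:
    """Median and maximum per metric over several probes."""
    return {
        m: {"median": statistics.median([s[m] for s in samples]),
            "max": max(s[m] for s in samples)}
        for m in METRICS
    }


def within_budget(summary: dict, max_median_total: float) -> bool:
    """True if the median end-to-end time stays under the budget you set for a region."""
    return summary["time_total"]["median"] <= max_median_total


if __name__ == "__main__":
    # Placeholder target: replace with the CNAME assigned by WAF and the service port.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://<the CNAME address assigned by WAF>:9000"
    runs = [probe(target) for _ in range(5)]
    summary = summarize(runs)
    for metric, stats in summary.items():
        print(f"{metric}: median {stats['median']:.3f}s, max {stats['max']:.3f}s")
    print("within 1.0s budget:", within_budget(summary, 1.0))
```

Run it once before and once after the DNS change in Step 9 to compare timings with and without the WAF and GA path.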