Anti-DDoS Pro and Premium support port forwarding rules that let you use a dedicated Anti-DDoS IP address as your service IP. Once configured, your service gets transport-layer protection (such as SYN flood and UDP flood mitigation) as well as application-layer protection for non-HTTP/HTTPS protocols.
Prerequisites
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Step 1: Add a port forwarding rule
Before onboarding your service to Anti-DDoS, add a port forwarding rule.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
In the left-side navigation pane, choose .
On the Port Config page, select the target Anti-DDoS instance and add a port forwarding rule.
| **Parameter** | **Description** |
|---|---|
| **Forwarding protocol** | The forwarding protocol. Valid values: TCP, UDP. |
| **Forwarding port** | The forwarding port used by the Anti-DDoS instance.<br>**Note**<br>- For easier management, keep the **Forwarding port** and **Origin port** the same.<br>- To comply with Chinese national regulatory requirements and prevent domains without ICP filing from receiving protection, Anti-DDoS doesn't support ports 80, 8080, 443, or 8443 for non-website access. To protect services on these ports, use domain-based access. For more information, see [Add a website configuration](https://www.alibabacloud.com/help/zh/anti-ddos/anti-ddos-pro-and-premium/user-guide/add-websites#task-2325689).<br>- To prevent unauthorized DNS protection servers, Anti-DDoS doesn't support port 53 for non-website access.<br>- Within the same Anti-DDoS instance and forwarding protocol, each rule's forwarding port must be unique. If you try to add a rule with the same protocol and forwarding port, a conflict error is displayed.<br>- Each forwarding port must not conflict with ports automatically reserved by website configurations. |
| **Origin port** | The business port on the origin server. |
| **Back-to-origin forwarding mode** | The forwarding mode defaults to round robin and cannot be modified. |
| **Application-layer protection enhanced port** | Available only for Anti-DDoS Premium instances using the TCP protocol. Enables protection against application-layer attacks on non-HTTP/HTTPS protocols. For attack type details, see [DDoS attack types suitable for protection](https://www.alibabacloud.com/help/zh/anti-ddos/product-overview/scenario-specific-anti-ddos-solutions#section-0ec-xu5-qoj).<br>- **Back-to-origin new connection timeout**: 1–3 seconds. If Anti-DDoS can't establish a new connection to the origin server within this time, the connection is considered timed out. This setting mitigates HTTP flood (CC attack), where attackers establish many TCP connections to the origin server but never send valid data.<br>- **Back-to-origin read/write connection timeout**: 60–600 seconds. Read timeout: the time Anti-DDoS waits for a response from the origin server after sending a request; if no data is received within this period, the connection is considered timed out. Write timeout: the time within which Anti-DDoS must successfully send data to the origin server; if data isn't sent within this period, the connection is considered timed out. This timeout prevents slow-rate attacks, where attackers hold connections open while sending or receiving data at extremely low rates, consuming origin server resources indefinitely. |
| **Origin IP** | The IP address of the origin server.<br>**Note**<br>- The origin server can be an Alibaba Cloud product or a non-Alibaba Cloud product. If the origin server is an Alibaba Cloud product, make sure it belongs to the current Alibaba Cloud account. If it belongs to a different account, contact your account manager before adding it.<br>- Multiple origin IP addresses can be added for automatic load balancing. Separate multiple IP addresses with commas (,). Up to 20 origin IP addresses can be configured. |

Note
Rules marked with an icon next to Forwarding Protocol are auto-generated for website services. You cannot edit or delete these rules manually. An auto-generated rule is removed when all website configurations that use it are deleted. For details, see Add a website configuration.
- If the website server port is 80, the system auto-generates a TCP rule for forwarding port 80.
- If the website server port is 443, the system auto-generates a TCP rule for forwarding port 443.
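As an added example (not from the console or the product's own tooling), the following Python validator applies the rule constraints listed above to a planned rule before you enter it in the console: the reserved website-only and DNS ports, uniqueness of protocol/port per instance including the auto-generated 80/443 rules, the origin IP limit, and the enhanced-port timeout ranges. The `ForwardingRule` class and `validate_rule` function are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constraints stated on this page for non-website (Layer 4) access.
WEBSITE_ONLY_PORTS = {80, 8080, 443, 8443}  # require domain-based access instead
DNS_PORT = 53                                # not supported for non-website access
MAX_ORIGIN_IPS = 20
NEW_CONN_TIMEOUT = (1, 3)                    # seconds, enhanced port only
RW_TIMEOUT = (60, 600)                       # seconds, enhanced port only

@dataclass
class ForwardingRule:            # hypothetical helper, not a console object
    protocol: str                # "TCP" or "UDP"
    forwarding_port: int         # port on the Anti-DDoS instance
    origin_port: int             # business port on the origin server
    origin_ips: str              # comma-separated, as typed in the console
    enhanced: bool = False       # application-layer protection enhanced port
    new_conn_timeout: int = 3
    rw_timeout: int = 60

def validate_rule(rule, existing, premium=False):
    """Problems with adding `rule` to an instance that already holds `existing`."""
    problems = []
    if rule.protocol not in ("TCP", "UDP"):
        problems.append("forwarding protocol must be TCP or UDP")
    if rule.forwarding_port in WEBSITE_ONLY_PORTS:
        problems.append("port %d needs domain-based access" % rule.forwarding_port)
    if rule.forwarding_port == DNS_PORT:
        problems.append("port 53 is not supported for non-website access")
    # (protocol, forwarding port) must be unique per instance; include the
    # auto-generated TCP 80/443 rules in `existing` to catch reserved ports.
    if any(r.protocol == rule.protocol and r.forwarding_port == rule.forwarding_port
           for r in existing):
        problems.append("conflict: %s/%d already in use" % (rule.protocol, rule.forwarding_port))
    ips = [p.strip() for p in rule.origin_ips.split(",") if p.strip()]
    if not 1 <= len(ips) <= MAX_ORIGIN_IPS:
        problems.append("1 to %d origin IP addresses are allowed" % MAX_ORIGIN_IPS)
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("invalid origin IP: %r" % ip)
    if rule.enhanced:
        if not (premium and rule.protocol == "TCP"):
            problems.append("enhanced port requires a Premium instance and TCP")
        for name, value, (lo, hi) in (("new-connection", rule.new_conn_timeout, NEW_CONN_TIMEOUT),
                                      ("read/write", rule.rw_timeout, RW_TIMEOUT)):
            if not lo <= value <= hi:
                problems.append("%s timeout must be %d-%d s" % (name, lo, hi))
    return problems
```

An empty list means the rule satisfies every constraint on this page; the same protocol and port with a different protocol (for example TCP 9000 next to UDP 9000) is allowed, because uniqueness is per protocol.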
Step 2: Switch traffic to Anti-DDoS
After creating the port forwarding rule, replace your service IP with the dedicated IP address of the Anti-DDoS instance. This switches your traffic to Anti-DDoS, where it's scrubbed before being forwarded to the origin server.
On the origin server, add the back-to-origin IP addresses of Anti-DDoS to the allowlist so that security software on the origin server does not block forwarded traffic. For details, see Allow Anti-DDoS back-to-origin IP addresses.
Before switching traffic, verify the forwarding rule from your local machine to avoid service disruption caused by misconfiguration. For details, see Verify forwarding configurations on your local computer.
Warning: Switching traffic before the rule takes effect may cause service disruption.
Switch your non-website service traffic to the Anti-DDoS instance.
Replace your service IP with the dedicated IP of the Anti-DDoS instance. The exact procedure depends on your development platform.
Note
If your service uses a domain name as the server address — for example, example.com is hardcoded in a game client — you don't need domain-based access. Instead, update the DNS record at your DNS provider to point the A record of that domain to the dedicated IP of the Anti-DDoS instance. For details, see Change DNS records.
In some scenarios, you may want to use a domain name for Layer 4 access and have traffic automatically distributed across multiple dedicated IP addresses. In this case, add the domain name and update the CNAME record to onboard the non-website service. For details, see Use CNAME records to protect non-website services.
Step 3: Configure port forwarding and protection policies
After switching traffic, Anti-DDoS applies default policies to scrub and forward traffic. Customize DDoS protection policies and enable session persistence and health checks to optimize forwarding behavior.
On the Port Config page, select the target Anti-DDoS instance, locate the target forwarding rule, and configure the following settings as needed.
| Setting | Description |
|---|---|
| Session Persistence | If your non-website service has issues such as login timeouts requiring re-authentication or interrupted uploads after onboarding to Anti-DDoS, enable session persistence. Session persistence forwards requests from the same client to the same backend server within a specified time window. |
| Health Check | When multiple origin IP addresses are configured, health checks determine whether each origin server is available and route client requests away from unhealthy servers. |
| DDoS Mitigation Policies | DDoS protection policies let you limit connection rates, packet sizes, and other parameters for non-website services protected by Anti-DDoS, which helps mitigate low-volume connection-based attacks. |
Step 4: View port protection data
After onboarding your non-website service to Anti-DDoS, view port traffic forwarding data on the Security Overview page.
In the left-side navigation pane, click Security Overview.
Click the Instances tab, select the instance and time range, and view the relevant data.
| Feature | Description |
|---|---|
| Bandwidth (labeled 1) | Depending on the instance type, this section shows either a bandwidth trend chart or three tabs.<br>- Trend chart: shows trends in inbound traffic, outbound traffic, attack traffic, and rate-limited traffic on the instance over the specified period. Traffic is measured in bps or pps.<br>- Three tabs: a tab with the same bandwidth trend chart, Inbound Traffic Distribution (distribution of inbound traffic), and Outbound Traffic Distribution (distribution of outbound traffic). |
| Connections (labeled 2) | Concurrent Connections: the number of TCP connections established between clients and Anti-DDoS Proxy at the same time.<br>- Active connections: the number of TCP connections that are in the Established state.<br>- Inactive connections: the number of TCP connections that are in any state other than Established.<br>New Connections: the number of new TCP connections established between clients and Anti-DDoS Proxy per second. |
| Network Layer Attack Events, Alerts on Exceeded Upper Limits, and Destination Rate Limit Events (labeled 3) | Network Layer Attack Events: hover over the attacked IP address or port to view details, including the IP address and port, attack type, peak traffic, and protection result.<br>Alerts on Exceeded Upper Limits: event types include service bandwidth, new connections, and concurrent connections. When the metrics for an event type exceed your purchased specifications, an alert is triggered. This does not affect your current services, but we recommend upgrading your instance. For more information, see Upgrade an instance. You can click Details in the Status column to go to the System Logs page and view detailed information.<br>Note: Alerts on exceeded upper limits are updated every Monday at 10:00 (UTC+8) with data from the previous day. If you have configured notifications by internal message, text message, or email, you also receive a notification at 10:00 (UTC+8) every Monday that contains data from the previous day.<br>Destination Rate Limit Events: when metrics such as new connections, concurrent connections, or service bandwidth significantly exceed the instance specifications, a rate-limiting policy is triggered. This affects your services and generates a destination rate limit event. If rate limiting is triggered by normal service traffic, upgrade your instance as soon as possible (see Upgrade an instance). If rate limiting is triggered by a DDoS attack, adjust your protection settings promptly (see Protection settings). You can click Details in the Status column to go to the System Logs page and view detailed information. |
| Service Distribution by Location and Service Distribution by ISP (labeled 4) | Service Distribution by Location: the distribution of source locations for normal service traffic.<br>Service Distribution by ISP: the distribution of ISPs for normal service traffic. |