
Server Load Balancer: Associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance

Last Updated: Oct 30, 2023

Alibaba Cloud provides elastic IP addresses (EIPs) that are protected by Anti-DDoS Pro/Premium. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level, and are ideal for scenarios that require high security and low latency, such as large-scale gaming and major livestreaming activities. This topic describes how to associate an EIP protected by Anti-DDoS Pro/Premium with an Application Load Balancer (ALB) instance. This way, the ALB instance can access the Internet by using the EIP.

Introduction to EIPs protected by Anti-DDoS Pro/Premium

Alibaba Cloud provides EIPs that are protected by Anti-DDoS Pro/Premium. You can purchase EIPs that are protected by Anti-DDoS Pro/Premium in the EIP console. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level. If you use EIPs protected by Anti-DDoS Pro/Premium, you do not need to perform additional configurations or change the IP address that is used by your ALB instance to provide services. For more information, see Best practices for using EIPs protected by Anti-DDoS Pro/Premium.

Limits

The ALB instance and the EIPs protected by Anti-DDoS Pro/Premium must belong to the same region.

Limits on EIPs protected by Anti-DDoS Pro/Premium

  • Only pay-as-you-go EIPs support Anti-DDoS Pro/Premium.

  • You can enable Anti-DDoS Pro/Premium only when you purchase an EIP. After you purchase an EIP for which Anti-DDoS Origin Basic is enabled, you cannot upgrade Anti-DDoS Origin Basic to Anti-DDoS Pro/Premium.

  • The following regions, listed by area, support EIPs integrated with Anti-DDoS Pro/Premium.

    • China: China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Hong Kong)

    • Asia Pacific: Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta)

    • Europe & Americas: US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London)

Limits on associating EIPs protected by Anti-DDoS Pro/Premium with ALB instances

  • You must specify an EIP that is protected by Anti-DDoS Pro/Premium for each zone of the ALB instance.

  • The EIP protected by Anti-DDoS Pro/Premium that you want to associate with an ALB instance cannot be associated with an Internet Shared Bandwidth instance. After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you can associate an Internet Shared Bandwidth instance with the ALB instance in the ALB console. Only Internet Shared Bandwidth instances that use BGP (Multi-ISP) lines are supported.
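
The limits in this section can be checked against a planned association before anything is changed in the console. The following Python check is an added example, not part of the original documentation and not an Alibaba Cloud tool; the dictionary field names, zone names, instance IDs and the sample plan are assumptions made for illustration.

```python
# Added example. Field names are hypothetical, not an Alibaba Cloud API schema.
SUPPORTED_REGIONS = {  # copied from the region list in the Limits section
    "China (Beijing)", "China (Zhangjiakou)", "China (Hangzhou)",
    "China (Shanghai)", "China (Hong Kong)", "Philippines (Manila)",
    "Japan (Tokyo)", "Singapore", "Malaysia (Kuala Lumpur)",
    "Indonesia (Jakarta)", "US (Virginia)", "US (Silicon Valley)",
    "Germany (Frankfurt)", "UK (London)",
}

def preflight(alb, eips, shared_bandwidth=None):
    """Return every limit from this page that the planned association breaks."""
    problems = []
    if alb["region"] not in SUPPORTED_REGIONS:
        problems.append(f"ALB region {alb['region']} is not in the supported list")
    by_id = {e["id"]: e for e in eips}
    seen = set()
    for zone, eip_id in sorted(alb["zone_eips"].items()):
        eip = by_id.get(eip_id)
        if eip is None:  # every zone needs its own protected EIP
            problems.append(f"{zone}: no EIP assigned")
            continue
        if eip_id in seen:
            problems.append(f"{zone}: {eip_id} is already used by another zone")
        seen.add(eip_id)
        if eip["protection"] != "Anti-DDoS (Enhanced)":
            problems.append(f"{zone}: {eip_id} is not protected by Anti-DDoS Pro/Premium")
        if eip["billing"] != "Pay-as-you-go":
            problems.append(f"{zone}: {eip_id} is not a pay-as-you-go EIP")
        if eip["region"] != alb["region"]:
            problems.append(f"{zone}: {eip_id} is in {eip['region']}, not the ALB region")
        if eip.get("shared_bandwidth"):
            problems.append(f"{zone}: {eip_id} is still in an Internet Shared Bandwidth instance")
    if shared_bandwidth and shared_bandwidth["line_type"] != "BGP (Multi-ISP)":
        problems.append("Internet Shared Bandwidth instance must use BGP (Multi-ISP) lines")
    return problems

# Constructed sample plan: two zones, the second still on a Basic-protected EIP.
ALB = {"region": "China (Hangzhou)",
       "zone_eips": {"zone-1": "eip-a", "zone-2": "eip-b"}}
EIPS = [
    {"id": "eip-a", "region": "China (Hangzhou)", "billing": "Pay-as-you-go",
     "protection": "Anti-DDoS (Enhanced)"},
    {"id": "eip-b", "region": "China (Hangzhou)", "billing": "Pay-as-you-go",
     "protection": "Default", "shared_bandwidth": "cbwp-example"},
]

if __name__ == "__main__":
    for line in preflight(ALB, EIPS, {"line_type": "BGP (Multi-ISP)"}):
        print(line)
```

An empty result means the plan satisfies every limit listed above; each returned line names the zone and EIP that would leave the ALB instance without Anti-DDoS Pro/Premium protection or block the association.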

Billing rules

After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged a security protection fee by Anti-DDoS. The billing description below lists the fee calculation and reference for each billable item.

  • Instance fee: Instance fee = Instance unit price (USD/hour) × Duration of usage (hours). Reference: Instance fee.

  • LCU fee: LCU fee = max {LCUs for new connections, LCUs for concurrent connections, LCUs for data transfer, LCUs for rule evaluations} × Unit price of LCUs × Duration of usage (hours). Reference: LCU fee.

  • Internet data transfer fee: You are not charged Internet data transfer fees if you use internal-facing ALB instances. You are charged Internet data transfer fees only if you use Internet-facing ALB instances. After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged an instance fee and a data transfer fee for the EIP. For more information, see Pricing.

  • Security protection fee: After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged a security protection fee. For more information, see Pay-as-you-go.

Warning

To purchase an EIP protected by Anti-DDoS Pro/Premium, you must activate pay-as-you-go Anti-DDoS Origin. Pay-as-you-go Anti-DDoS Origin is activated on a monthly basis. You must use the service for at least 30 days before you can disable the service.

Prerequisites

  • A virtual private cloud (VPC) named VPC1 is created. For more information, see Create a VPC.

  • ECS01 and ECS02 are created in VPC1. An NGINX service is deployed on each Elastic Compute Service (ECS) instance.

  • An ALB server group named RS01 is created and ECS01 and ECS02 are added to the server group as backend servers. For more information, see Create and manage server groups.

  • If you want to associate the ALB instance with an Internet Shared Bandwidth instance, you must purchase an Internet Shared Bandwidth instance. In this example, an Internet Shared Bandwidth instance that uses BGP (Multi-ISP) lines is purchased. For more information, see Purchase an Internet Shared Bandwidth instance.

Procedure

[Figure: Associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance]

Step 1: Create an EIP protected by Anti-DDoS Pro/Premium

Before you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you must purchase an EIP protected by Anti-DDoS Pro/Premium in the EIP console.

  1. Log on to the Elastic IP Address console.
  2. On the Elastic IP Addresses page, click Create EIP.

  3. The first time that you purchase an EIP protected by Anti-DDoS Pro/Premium, click Anti-DDoS Origin (pay-as-you-go) on the Elastic IP page to activate pay-as-you-go Anti-DDoS Origin.

    Warning

    To purchase an EIP protected by Anti-DDoS Pro/Premium, you must activate pay-as-you-go Anti-DDoS Origin. Pay-as-you-go Anti-DDoS Origin is activated on a monthly basis. You must use the service for at least 30 days before you can disable the service.

    After you activate pay-as-you-go Anti-DDoS Origin, you can log on to the Traffic Security console and choose Network Security > Anti-DDoS Origin > Billing Management or Network Security > Anti-DDoS Origin > Instance Management to view the details of the Anti-DDoS Origin instance.

  4. After Anti-DDoS Origin is activated, configure the EIP based on the following information, click Buy Now, and then complete the payment.

    The following list describes the parameters that are relevant to this topic. For more information, see Apply for an EIP.

    • Billing Method: Select a billing method for the EIP. In this example, Pay-as-you-go is selected.

    • Region: Select the region where you want to create the EIP. Make sure that the EIP is deployed in the same region as the ALB instance. In this example, China (Hangzhou) is selected.

    • Line Type: Select a line type for the EIP. BGP (Multi-ISP) is selected in this example.

    • Security Protection: Select the Anti-DDoS edition. In this example, Anti-DDoS (Enhanced) is selected.

      • Default: Anti-DDoS Origin Basic, which can mitigate DDoS attacks at up to 5 Gbit/s.

      • Anti-DDoS (Enhanced): Anti-DDoS Pro/Premium, which can mitigate DDoS attacks at the Tbit/s level.

    • Data Transfer: Select a metering method for data transfer. In this example, Pay-By-Data-Transfer is selected.

    • Quantity: Select the number of EIPs that you want to purchase. The number of EIPs that you want to purchase must be the same as the number of zones of the ALB instance.

Step 2: Associate EIPs protected by Anti-DDoS Pro/Premium with an ALB instance

New ALB instance

When you purchase an ALB instance, you can associate EIPs protected by Anti-DDoS Pro/Premium with the ALB instance.

  1. Log on to the ALB console.
  2. On the Instances page, click Create ALB.

  3. On the Application Load Balancer page, configure the following parameters and click Buy Now.

    The following section describes the parameters that are relevant to this topic. For more information about the other parameters, see Create an ALB instance.

    • Network Type: Select Internet.

    • VPC: Select VPC1.

    • Zone: Select zones and vSwitches, and assign an EIP protected by Anti-DDoS Pro/Premium to each zone.

      Note
      • ALB supports multi-zone deployment. If the selected region supports two or more zones, select at least two zones to ensure high availability. ALB does not charge additional fees.

      • If no vSwitch is available in a zone, follow the instructions in the ALB console to create a vSwitch.

  4. Configure a listener for the ALB instance. In this example, an HTTP listener is configured and the ALB server group RS01 is selected.

    1. Return to the Instances page. Click Create Listener in the Actions column of the instance that you want to manage.

    2. In the Configure Listener step, configure the parameters and click Next.

      The following section describes the parameters that are relevant to this topic. Use default values for the other parameters. For more information, see Add an HTTP listener.

      • Listener Protocol: Select HTTP.

      • Listener Port: Enter 80.

    3. In the Server Group step, select RS01 and click Next.

    4. In the Configuration Review step, confirm the configurations and click Submit.

Existing internal-facing ALB instance

If you want to associate EIPs protected by Anti-DDoS Pro/Premium with an internal-facing ALB instance, you can change the network type of the ALB instance, and then assign EIPs protected by Anti-DDoS Pro/Premium to the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Hangzhou) is selected.

  3. On the Instances page, find the internal-facing ALB instance that you want to manage and click the instance ID.

  4. On the Instance Details tab, find Basic Information and click Change Network Type next to IPv4 on the right side of Network Type.

  5. In the Change Network Type dialog box, select the EIP protected by Anti-DDoS Pro/Premium that is created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list. After you assign an EIP protected by Anti-DDoS Pro/Premium to each zone, click OK.

Existing Internet-facing ALB instance

If EIPs protected by Anti-DDoS Origin Basic are associated with your Internet-facing ALB instance, and you want to associate EIPs protected by Anti-DDoS Pro/Premium with the ALB instance, perform the following steps:

  1. Change the Internet-facing ALB instance to an internal-facing ALB instance.

  2. Change the network type again and assign EIPs protected by Anti-DDoS Pro/Premium to the internal-facing ALB instance.

Note

By default, a new Internet-facing ALB instance is associated with pay-as-you-go EIPs that use the pay-by-data-transfer metering method. The EIPs use BGP (Multi-ISP) lines and are protected by Anti-DDoS Origin Basic.

[Figure: Associate an EIP protected by Anti-DDoS Pro/Premium with an Internet-facing ALB instance]

Step 1: Change the Internet-facing ALB instance to an internal-facing ALB instance

  1. On the Instances page, find the Internet-facing ALB instance, and then click the instance ID.

  2. On the Instance Details tab, find Basic Information and click Change Network Type next to IPv4 on the right side of Network Type.

  3. In the Change Network Type message, confirm the impacts of the change and click OK.

    It takes about 1 minute for the change to take effect. When the Network Type parameter on the Instance Details tab displays Private, the network type is changed.

Step 2: Change the internal-facing ALB instance to an Internet-facing ALB instance

  1. On the Instances page, find the internal-facing ALB instance that you want to manage and click the instance ID.

  2. On the Instance Details tab, find Basic Information and click Change Network Type next to IPv4 on the right side of Network Type.

  3. In the Change Network Type dialog box, select the EIP protected by Anti-DDoS Pro/Premium that is created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list. After you assign an EIP protected by Anti-DDoS Pro/Premium to each zone, click OK.

Step 3: (Optional) Associate an Internet Shared Bandwidth instance with the ALB instance

If you require higher bandwidth, you need to associate the ALB instance with an Internet Shared Bandwidth instance.

  1. On the Instances page, find the instance that you want to manage and associate an Internet Shared Bandwidth instance with the ALB instance by using one of the following methods:

    • Choose More Actions > Associate EIP Bandwidth Plan in the Actions column or click Associate in the Internet Shared Bandwidth column.

    • Click the ID of the ALB instance that you want to manage. On the Instance Details tab, find the Billing Information section and click Associate with Internet Shared Bandwidth.

  2. In the Associate EIP Bandwidth Plan dialog box, select an Internet Shared Bandwidth instance and click OK.

Step 4: Create a DNS record

ALB allows you to map common domain names to the public domain name of the ALB instance by using CNAME records. This facilitates access to network resources. For more information, see Configure a CNAME record.

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, copy the domain name of the ALB instance.

  3. To create a CNAME record, perform the following steps:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.

      Important

      Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. In the Actions column of the domain name that you want to manage, click DNS Settings.

    5. On the DNS Settings page, click Add DNS Record.

    6. In the Add DNS Record panel, set the following parameters and click OK.

      • Record Type: Select CNAME from the drop-down list.

      • Hostname: Enter the prefix of your domain name.

      • DNS Request Source: Select Default.

      • Record Value: Enter the CNAME. The CNAME is the domain name of the ALB instance.

      • TTL Period: Select the time-to-live (TTL) value of the record on the DNS server. In this example, the default value is used.

      Note
      • New CNAME records immediately take effect. The time that is required for a modified CNAME record to take effect is determined by the TTL value. The default TTL value is 10 minutes.

      • If the CNAME record that you want to create conflicts with an existing record, specify another domain name.

Step 5: Test network connectivity

In this example, an HTTP listener is configured for the ALB instance and the ALB server group RS01 is selected. For more information, see Add an HTTP listener.

After you configure a CNAME record for the ALB instance, you can enter the domain name that is specified in Step 4: Create a DNS record in the browser to check whether the ALB instance can provide Internet-facing services by using the EIPs protected by Anti-DDoS Pro/Premium.

If you refresh the page, requests are switched between ECS01 and ECS02. You can view the following messages returned by the ECS instances.

[Figures: access test 1 and access test 2]
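
The result of Step 4 and Step 5 can also be checked from the DNS side. The following Python check is an added example, not part of the original documentation: it parses answer lines in the format printed by `dig +noall +answer` and confirms that the hostname is a CNAME to the ALB domain name and that every returned address is one of the EIPs created in Step 1. The host names, addresses and sample answers are constructed placeholders, and the check assumes that the ALB domain name resolves to the EIPs assigned to its zones.

```python
def check_dns_answer(answer, hostname, alb_domain, protected_eips):
    """Return the problems found in answer-section text for `hostname`."""
    def norm(name):
        return name.rstrip(".").lower()

    cname_target, addresses = None, []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith(";"):
            continue  # skip blank lines, comments and malformed lines
        owner, _ttl, _class, rtype, value = fields
        if rtype == "CNAME" and norm(owner) == norm(hostname):
            cname_target = norm(value)
        elif rtype == "A":
            addresses.append(value)

    problems = []
    if cname_target is None:
        problems.append(f"{hostname} has no CNAME record")
    elif cname_target != norm(alb_domain):
        problems.append(f"{hostname} points to {cname_target}, not the ALB domain name")
    if not addresses:
        problems.append("no IPv4 address returned")
    for ip in addresses:
        if ip not in protected_eips:
            problems.append(f"{ip} is not an EIP protected by Anti-DDoS Pro/Premium")
    return problems

# Constructed answers; names and addresses are placeholders, not real resources.
GOOD = """\
www.example.com.             600 IN CNAME alb-placeholder.example.net.
alb-placeholder.example.net.  60 IN A     203.0.113.10
alb-placeholder.example.net.  60 IN A     203.0.113.11
"""
STALE = """\
www.example.com.             600 IN CNAME alb-placeholder.example.net.
alb-placeholder.example.net.  60 IN A     203.0.113.10
alb-placeholder.example.net.  60 IN A     198.51.100.7
"""
PROTECTED = {"203.0.113.10", "203.0.113.11"}  # the EIPs purchased in Step 1

if __name__ == "__main__":
    for sample in (GOOD, STALE):
        print(check_dns_answer(sample, "www.example.com",
                               "alb-placeholder.example.net", PROTECTED))
```

The second sample models a zone that still answers with an address outside the protected set, which is the case the per-zone limit on this page is meant to prevent.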
