If your application, such as a real-time multiplayer game, interactive video stream, or IoT service, relies on layer-4 (TCP/UDP) protocols, you may experience high latency and network instability over the public internet, which degrades the user experience. Edge Security Acceleration (ESA) mitigates these issues by routing user traffic to the nearest global Point of Presence (POP). From the POP, traffic is forwarded to your origin server over Alibaba Cloud's optimized network, which reduces latency and packet loss. This ensures a smooth, responsive, and secure experience for your end-users, regardless of their location.
Limitations
If you map a range of edge ports to a different range of origin ports, the service maps the ports using a port offset. For example, if you map edge ports 3000-4000 to origin ports 5000-6000, a request to edge port 3050 is automatically forwarded to origin port 5050.
You can configure up to 30 proxy rules for an application.
Create a layer-4 proxy application
Follow these steps to create a layer 4 proxy application.
In the ESA console, choose Websites, and in the Website column, click the target site.
In the left navigation pane, choose .
Click Create Application and configure the parameters for the layer 4 proxy application.
Configuration item
Parameter
Description
Access Configuration
Domain Name
The domain name (hostname or record) that the client accesses. This domain name is used to resolve the accelerated IP address of ESA. After the IP address is resolved, the client can use a layer 4 protocol to request the IP address.
IPv6 Access
After you enable this feature, if the client is in an IPv6 environment and the nearest ESA node also supports IPv6 requests, the client can access the ESA node using the IPv6 protocol.
Security
IP Access Rules
After you enable this feature, the IP access control rules that are set in WAF take effect for this layer 4 proxy application.
Proxy Rules
Protocol
Select the layer 4 protocol that your application uses. TCP and UDP are supported.
Edge Port
The port used to access ESA. You can specify a single port, multiple ports, a port range, or a combination.
Note: Ports from 1 to 65535 are supported.
Example of multiple ports: 80,81,82. Use commas (,) to separate the port numbers.
Example of a port range: 100-200. Use a hyphen (-) to connect the port numbers.
Example of a combination: 80,81,82,100-200.
Origin Server
The address of the origin server to which ESA forwards origin fetch requests. You can specify an IP address, a Domain Name, an Origin Pool, or a Load Balancer.
Origin Port
The port of the origin server. You can specify a single port or a port range. If you set Edge Port to a port range, you must set Origin Port to a single port or a port range of the same length. If you do not set Edge Port to a port range, you must set Origin Port to a single port.
Pass Client IP
The proxy protocol passes the original IP address and port information of the client to the origin server. Different protocol types support different Pass Client IP methods. By default, Do Not Pass is selected.
PROXY Protocol v1: The PROXY Protocol V1 passes the client IP address through the TCP header in ASCII text format. Only the TCP protocol is supported.
PROXY Protocol v2: The PROXY Protocol V2 passes the client IP address through the header in binary format. Both TCP and UDP protocols are supported.
Simple Proxy Protocol: The Simple Proxy Protocol passes the client IP address by inserting a special header in binary format. Only the UDP protocol is supported.
For more information about how to obtain the originating IP address of a client, see Preserve client IP with PROXY protocol v1 or v2.
Click OK.
Modify a layer-4 proxy application
Follow these steps to modify an existing layer 4 proxy application.
In the ESA console, choose Websites, and in the Website column, click the target site.
In the left navigation pane, choose .
Click Edit in the Actions column. Enable or disable IP Access Rules and modify the Proxy Rules and their parameters.
Note: When adding a new rule, ensure its edge ports do not overlap with any existing rules.
When deleting a proxy rule, ensure that the application retains at least one rule.
After you complete the modifications, click OK.
Delete a layer-4 proxy application
Follow these steps to delete an existing layer 4 proxy application.
In the ESA console, choose Websites, and in the Website column, click the target site.
In the left navigation pane, choose .
In the Actions column for the layer 4 proxy application that you want to delete, click Delete. In the dialog box that appears, confirm the information and then click Delete.