
Anti-DDoS:Configure ACLs for the origin server

Last Updated: Mar 15, 2024

After you add your website to Anti-DDoS Proxy, you must prevent the IP address of the origin server from being exposed. This way, attackers cannot bypass Anti-DDoS Proxy and directly access the origin server. If the IP address of the origin server is prone to exposure, we recommend that you configure access control lists (ACLs) for the origin server. For example, you can configure ACLs to allow inbound traffic only from the back-to-origin IP addresses of your Anti-DDoS Proxy instance to improve service availability. This topic describes how to configure ACLs for origin servers based on different network architectures.

The ACLs that you configure for an origin server take effect only when attacks reach the edge of the Alibaba Cloud network in which your origin server resides. The ACLs can help mitigate small volumes of HTTP flood attacks and web attacks but cannot help mitigate volumetric DDoS attacks. When volumetric DDoS attacks reach the edge of the Alibaba Cloud network in which your origin server resides, the volume of attack traffic far exceeds the mitigation capability of the origin server, and the DDoS attacks may trigger blackhole filtering for the origin server. In this case, if the IP address of the origin server is exposed, we recommend that you change the IP address of the origin server at the earliest opportunity. For more information, see Handle exposure of the origin IP address.

The following sections describe, for each network architecture of your website, the corresponding ACL configuration.

Anti-DDoS Proxy + Elastic Compute Service (ECS) instance

The origin server is an ECS instance. The back-to-origin IP addresses of your Anti-DDoS Proxy instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the origin server by configuring the security group rules of the ECS instance. You can configure security group rules to allow traffic from only the back-to-origin IP addresses and deny all traffic from other IP addresses to protect the origin server. You can obtain the back-to-origin IP addresses of an Anti-DDoS Proxy instance in the Anti-DDoS Proxy console. For more information, see Allow back-to-origin IP addresses to access the origin server.

Anti-DDoS Proxy + Origin server that is not deployed on Alibaba Cloud

The origin server is deployed outside Alibaba Cloud. The back-to-origin IP addresses of your Anti-DDoS Proxy instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the origin server in the security software installed on the origin server, such as iptables and a firewall, to allow traffic only from the back-to-origin IP addresses and deny all traffic from other IP addresses to protect the origin server.
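The two cases above (ECS security group rules, and iptables or a host firewall on an origin server outside Alibaba Cloud) express the same policy: accept traffic on the service ports only from the back-to-origin IP addresses, and drop everything else. The following Python script is an added example, not code from the Alibaba Cloud documentation. It encodes that policy once, lets you check which source/port pairs it admits, and renders it both as illustrative security group rule records (the field names are assumptions, not the ECS API schema) and as iptables commands. The back-to-origin ranges and service ports are constructed placeholders; take the real back-to-origin IP addresses from the Anti-DDoS Proxy console.

```python
"""Origin-server ACL helper (added example; not from the Alibaba Cloud docs).

Expresses "allow only Anti-DDoS Proxy back-to-origin addresses on the service
ports, deny everything else" and renders it for an ECS security group or for
iptables on a server outside Alibaba Cloud.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

# CONSTRUCTED placeholder ranges (documentation prefixes). Replace them with the
# back-to-origin IP addresses shown in the Anti-DDoS Proxy console.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Assumption: the origin server serves HTTP and HTTPS to Anti-DDoS Proxy only.
ORIGIN_PORTS = [80, 443]


def parse_cidrs(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the back-to-origin CIDR strings; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip: str, dst_port: int,
               cidrs: Iterable[str] = BACK_TO_ORIGIN_CIDRS,
               ports: Iterable[int] = ORIGIN_PORTS) -> bool:
    """Evaluate the intended policy for one (source IP, destination port) pair.

    Only a back-to-origin source reaching a service port is accepted; a
    back-to-origin source on any other port, or any other source, is denied.
    """
    ip = ipaddress.ip_address(src_ip)
    if dst_port not in list(ports):
        return False
    return any(ip in net for net in parse_cidrs(cidrs))


def security_group_rules(cidrs: Iterable[str] = BACK_TO_ORIGIN_CIDRS,
                         ports: Iterable[int] = ORIGIN_PORTS
                         ) -> List[Dict[str, Union[str, int]]]:
    """Describe the ECS security group rules as plain records.

    One high-priority accept rule per CIDR and port, then a lowest-priority
    drop-all rule. Field names are illustrative, not the ECS API schema.
    """
    rules: List[Dict[str, Union[str, int]]] = []
    for net in parse_cidrs(cidrs):
        for port in ports:
            rules.append({"action": "accept", "source": str(net),
                          "port": f"{port}/{port}", "priority": 1})
    rules.append({"action": "drop", "source": "0.0.0.0/0",
                  "port": "1/65535", "priority": 100})
    return rules


def iptables_commands(cidrs: Iterable[str] = BACK_TO_ORIGIN_CIDRS,
                      ports: Iterable[int] = ORIGIN_PORTS) -> List[str]:
    """Render equivalent iptables commands for an origin server outside
    Alibaba Cloud. Loopback and established connections are kept so that the
    server's own processes and reply packets keep working; the default INPUT
    policy is set to DROP last so the allow rules are in place before the lockout."""
    cmds = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in parse_cidrs(cidrs):
        for port in ports:
            cmds.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    cmds.append("iptables -P INPUT DROP")
    return cmds


if __name__ == "__main__":
    for cmd in iptables_commands():
        print(cmd)
    print(is_allowed("203.0.113.10", 443))  # back-to-origin source, service port
    print(is_allowed("192.0.2.7", 443))     # any other source
```

Before applying the iptables version on a real server, add an accept rule for your own management source (for example the SSH jump host) ahead of the DROP policy, because the rendered rule set admits nothing but the back-to-origin ranges on the service ports. The `is_allowed` function is also a convenient way to unit-test a rule set against a captured list of request source addresses: every legitimate request forwarded by Anti-DDoS Proxy should come from one of the back-to-origin ranges, so any accepted source outside them points at an ACL gap.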

Anti-DDoS Proxy + Layer 4 Server Load Balancer (SLB) instance + ECS instance

The origin server is an ECS instance. The back-to-origin IP addresses of your Anti-DDoS Proxy instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you add the back-to-origin IP addresses of Anti-DDoS Proxy to the whitelist of the SLB instance. Then, enable access control to allow traffic only from the back-to-origin IP addresses to protect the origin server. For more information, see Enable access control.

Anti-DDoS Proxy + Layer 7 Application Load Balancer (ALB) instance + ECS instance

The origin server is an ECS instance. The back-to-origin IP addresses of the ALB instance are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you add the back-to-origin IP addresses of your Anti-DDoS Proxy instance to the whitelist of the ALB instance. Then, enable access control to allow traffic only from the back-to-origin IP addresses to protect the origin server. For more information, see Access control.

Anti-DDoS Proxy + Web Application Firewall (WAF), Alibaba Cloud CDN (CDN), or Dynamic Content Delivery Network (DCDN) + ECS instance

  • (Recommended) Solution 1: Enable the DDoS mitigation and WAF features on DCDN

    • If a DDoS attack occurs, service traffic is forwarded to Anti-DDoS Proxy, then to DCDN, and finally to the ECS instance.

    • If no DDoS attacks occur, service traffic is forwarded to DCDN and then to the ECS instance.

      Note
      • This solution is available only for DCDN. If you deploy CDN, use Solution 2 or migrate your website to DCDN.

      • The protection capabilities of WAF are integrated into DCDN points of presence. Your service traffic does not need to be forwarded to WAF.

  • Solution 2: Use the CDN or DCDN interaction feature to allow service traffic to be forwarded to WAF and then to the ECS instance

    • If a DDoS attack occurs, service traffic is forwarded to Anti-DDoS Proxy, then to WAF, and finally to the ECS instance.

    • If no DDoS attacks occur, service traffic is forwarded to CDN, then to WAF, and finally to the ECS instance.

Note

If your origin server is not an ECS instance, the network architecture is the same.

Solution 1: The origin server is an ECS instance. The back-to-origin IP addresses of DCDN are the source IP addresses of the requests that are forwarded to the origin server. When you use DCDN, the IP address of the ECS instance is hidden. In most cases, you do not need to configure ACLs. If you want to configure ACLs, contact Alibaba Cloud technical support.

Solution 2: The origin server is an ECS instance. The back-to-origin IP addresses of WAF are the source IP addresses of the requests that are forwarded to the origin server.

We recommend that you configure ACLs for the ECS instance. For more information, see Configure protection for an origin server.