This topic describes how to deploy Server Load Balancer (SLB) together with Anti-DDoS Origin to protect a website that is hosted on an Elastic Compute Service (ECS) instance. This combination provides better protection than Anti-DDoS Origin alone.
Prerequisites
An ECS instance is created and has web applications installed. For more information, see Getting started.
An Anti-DDoS Origin instance is purchased. For more information, see Purchase an Anti-DDoS Origin instance.
Background information
To use Anti-DDoS Origin to protect your website, we recommend that you deploy an SLB instance for the ECS instance that hosts your website. Then, add the IP address of the SLB instance to Anti-DDoS Origin for protection. The SLB instance can discard traffic whose protocol and port are not specified in the SLB listener. This helps mitigate DDoS attacks. The preceding solution defends against different types of DDoS attacks, such as reflection attacks, User Datagram Protocol (UDP) flood attacks, and SYN flood attacks with large SYN packets. The reflection attacks include Simple Service Discovery Protocol (SSDP), Network Time Protocol (NTP), and Memcached attacks.
If an SLB instance is deployed for your origin server, you only need to add the IP address of the SLB instance to Anti-DDoS Origin for protection. This way, your origin server is protected by Anti-DDoS Origin. For more information, see Add an object for protection.
The SLB instance family includes Application Load Balancer (ALB) instances, Network Load Balancer (NLB) instances, and Classic Load Balancer (CLB) instances. This topic uses a CLB instance as an example. For more information, see What is SLB?
Procedure
1. Create an Internet-facing CLB instance. For more information, see Create and manage a CLB instance.
When you create an Internet-facing CLB instance, take note of the following items:
CLB does not support cross-region deployment. Make sure that the ECS instance and the CLB instance are in the same region.
Anti-DDoS Origin provides protection only for Alibaba Cloud services that have public IP addresses. Therefore, you must create an Internet-facing CLB instance.
For more information, see Preparations.
After an Internet-facing CLB instance is created, you can obtain the IP Address of the CLB instance on the Instances page in the SLB console.
2. Configure the Internet-facing CLB instance. For more information, see Configure a CLB instance.
When you configure the Internet-facing CLB instance, take note of the following items:
In the Configure Listener step, specify only the listening protocol and ports that are required. You can select TCP, UDP, HTTP, or HTTPS. Traffic whose protocol and port are not specified in the listener is discarded and not forwarded to the backend ECS instance.
In the Add Backend Servers step, select the ECS instance that hosts your website.
Note: The Internet-facing CLB instance communicates with the backend ECS instance over the internal network. Therefore, we recommend that you disable Internet access to the backend ECS instance after you configure the CLB instance. Make sure that the CLB instance functions properly.
After the CLB instance is configured, the CLB instance forwards requests from a client to the backend ECS instance based on the existing configurations.
3. Change the DNS settings.
If your website is accessed by using its IP address, you can add the IP address of the Internet-facing CLB instance obtained in Step 1 as the IP address of your website. In this case, you do not need to change the DNS settings.
If your website is accessed by using its domain name, you must resolve the domain name to the IP address of the CLB instance obtained in Step 1. For more information, see Use an A record to resolve a domain name to an IP address.
4. Add the IP address of the CLB instance to the Anti-DDoS Origin instance for protection. For more information, see Add an object for protection.
After you add the IP address of the CLB instance, the Anti-DDoS Origin instance provides best-effort protection. When your service encounters DDoS attacks, the Anti-DDoS Origin instance automatically scrubs traffic to mitigate DDoS attacks.
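The following check is an added example, not part of the original topic or of any Alibaba Cloud tooling. It audits the result of the procedure: the domain resolves only to the CLB IP address, only the configured listener ports answer on the CLB instance, and the backend ECS instance is not reachable directly. The function names, the port lists, and the sample IP addresses (documentation ranges) are assumptions, and only TCP is probed, so UDP listeners are not covered.

```python
import socket

def resolve_a(domain):
    """IPv4 addresses the domain currently resolves to (live lookup)."""
    return {i[4][0] for i in socket.getaddrinfo(domain, None, socket.AF_INET)}

def tcp_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds (live probe)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(clb_ip, ecs_public_ip, listener_ports, probe_ports, dns_answers,
          is_open=tcp_open):
    """Compare observed state with the procedure; return a list of findings."""
    findings = []
    listener_ports, dns_answers = set(listener_ports), set(dns_answers)
    all_ports = sorted(listener_ports | set(probe_ports))
    # DNS step: the domain should resolve to the CLB IP and nothing else.
    if clb_ip not in dns_answers:
        findings.append(f"DNS does not return the CLB IP {clb_ip}")
    for ip in sorted(dns_answers - {clb_ip}):
        findings.append(f"DNS also returns {ip}, which is not the CLB IP")
    # Listener step: only the configured TCP ports should answer on the CLB.
    for port in all_ports:
        reachable = is_open(clb_ip, port)
        if port in listener_ports and not reachable:
            findings.append(f"CLB listener port {port} is not reachable")
        if port not in listener_ports and reachable:
            findings.append(f"CLB answers on unexpected port {port}")
    # Note in the listener step: the backend ECS should not be reachable directly.
    if ecs_public_ip:
        for port in all_ports:
            if is_open(ecs_public_ip, port):
                findings.append(f"ECS {ecs_public_ip}:{port} is reachable from the Internet")
    return findings

if __name__ == "__main__":
    # Constructed observations (documentation IP ranges), so the demo runs offline.
    CLB, ECS = "203.0.113.10", "198.51.100.20"
    open_pairs = {(CLB, 80), (CLB, 443), (ECS, 22)}
    for line in audit(CLB, ECS, {80, 443}, {22, 3306}, {CLB, ECS},
                      is_open=lambda ip, port: (ip, port) in open_pairs):
        print(line)
```

For a live check, pass resolve_a("your-domain") as dns_answers and leave is_open at its default, running the script from a host outside the VPC.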