Anti-DDoS Proxy (Outside Chinese Mainland) supports the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan. An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan can accelerate access from the Chinese mainland to services in regions outside the Chinese mainland. An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan provides traffic scrubbing capabilities of more than 2 Tbit/s. This improves the access speed and stability of your service.
Prerequisites
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Background information
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan provides DDoS scrubbing capabilities and accelerates user access. You do not need to switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance to protect your service.
An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Chinese Mainland Acceleration (CMA) mitigation plan does not provide DDoS scrubbing capabilities. If your service is under attack, you must switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance to mitigate the attacks. If DDoS attacks frequently occur, you must continuously switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance.
The following table describes the differences between the secure acceleration and network acceleration features.
Feature | Description | Protection scope | Switchover required | Required instance specification |
Secure acceleration | This module supports acceleration and DDoS mitigation and provides traffic scrubbing capabilities of 2 Tbit/s. | Traffic from Internet service providers (ISPs) in the Chinese mainland, excluding traffic from China Mobile. | If DDoS attacks occur, you do not need to switch to Anti-DDoS Proxy (Outside Chinese Mainland) to mitigate the DDoS attacks. |
|
Network acceleration | This module supports only acceleration. | DDoS mitigation is not provided. | If DDoS attacks occur, you must switch to Anti-DDoS Proxy (Outside Chinese Mainland) to mitigate the DDoS attacks. | Traffic from all ISPs in the Chinese mainland: an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan |
Traffic from Internet service providers (ISPs) in the Chinese mainland, excluding traffic from China Mobile.
To provide quick and stable access for users who use Internet Service Providers (ISPs) in the Chinese mainland, excluding China Mobile, you can use only an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Users of China Mobile or outside the Chinese mainland cannot access your service by using the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For information about how to accelerate access for these users, see Protect traffic from all ISPs.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select Outside Chinese Mainland.
If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
Add your website or non-website service to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Website configuration: Select the dedicated IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Add one or more websites.
Port configuration for non-website services: Configure a port forwarding rule for the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Configure port forwarding rules.
Redirect traffic to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan to protect your service.
Website configuration: Change the CNAME record to map the domain name of the website to the CNAME that is assigned by Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Change DNS records to protect website services.
Port configuration for non-website services: After you create a port forwarding rule, set the IP address to be protected to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Protect traffic from all ISPs
If you want to provide quick and stable access for users in and outside the Chinese mainland, regardless of ISPs, you can use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. You must create a secure acceleration rule in Sec-Traffic Manager.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select Outside Chinese Mainland.
If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.
Add your website or non-website service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.
NoteIn this step, you do not need to change the DNS record.
Website configuration: You must select the dedicated IP addresses of both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Add one or more websites.
Port configuration for non-website services: You must configure a port forwarding rule in both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Configure port forwarding rules.
NoteBefore you add your non-website service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan, make sure that the service can be accessed by using domain names. If your service is accessed by using IP addresses, traffic cannot be automatically redirected.
Choose . On the page that appears, click the General Interaction tab.
Click Add Rule. In the dialog box that appears, configure the following parameters and click Next.
Interaction Scenario: Select Sec-CMA.
Rule Name: Enter the name of the rule.
Sec-CMA: Select an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Anti-DDoS Pro: Select an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.
After you create a port forwarding rule, the system generates a CNAME. You need to only change the DNS record to map the domain name to the CNAME.
Traffic from ISPs in the Chinese mainland, excluding traffic from China Mobile, is redirected to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Traffic from China Mobile and regions outside the Chinese mainland is redirected to the IP address of Anti-DDoS Proxy (Outside Chinese Mainland).
NoteWhen you add your service, make sure that you have selected the dedicated IP addresses of both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.
Change the DNS record for the domain name at your DNS service provider.
After you map your domain name to the CNAME generated in Sec-Traffic Manager, traffic is automatically redirected to Sec-Traffic Manager.
NoteTraffic is automatically redirected based on the CNAME. Therefore, you must use the CNAME record.