All Products
Search
Document Center

Anti-DDoS:Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan

Last Updated:Mar 19, 2024

Anti-DDoS Proxy (Outside Chinese Mainland) supports the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan. An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan can accelerate access from the Chinese mainland to services in regions outside the Chinese mainland. An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan provides traffic scrubbing capabilities of more than 2 Tbit/s. This improves the access speed and stability of your service.

Prerequisites

An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Background information

An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan provides DDoS scrubbing capabilities and accelerates user access. You do not need to switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance to protect your service.

Note

An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Chinese Mainland Acceleration (CMA) mitigation plan does not provide DDoS scrubbing capabilities. If your service is under attack, you must switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance to mitigate the attacks. If DDoS attacks frequently occur, you must continuously switch traffic to another Anti-DDoS Proxy (Outside Chinese Mainland) instance.

The following table describes the differences between the secure acceleration and network acceleration features.

Feature

Description

Protection scope

Switchover required

Required instance specification

Secure acceleration

This module supports acceleration and DDoS mitigation and provides traffic scrubbing capabilities of 2 Tbit/s.

Traffic from Internet service providers (ISPs) in the Chinese mainland, excluding traffic from China Mobile.

If DDoS attacks occur, you do not need to switch to Anti-DDoS Proxy (Outside Chinese Mainland) to mitigate the DDoS attacks.

  • Traffic from ISPs in the Chinese mainland, excluding from China Mobile: an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan

  • Traffic from all ISPs: an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan

Network acceleration

This module supports only acceleration.

DDoS mitigation is not provided.

If DDoS attacks occur, you must switch to Anti-DDoS Proxy (Outside Chinese Mainland) to mitigate the DDoS attacks.

Traffic from all ISPs in the Chinese mainland: an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan

Traffic from Internet service providers (ISPs) in the Chinese mainland, excluding traffic from China Mobile.

To provide quick and stable access for users who use Internet Service Providers (ISPs) in the Chinese mainland, excluding China Mobile, you can use only an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

Note

Users of China Mobile or outside the Chinese mainland cannot access your service by using the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For information about how to accelerate access for these users, see Protect traffic from all ISPs.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Outside Chinese Mainland.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your website or non-website service to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

    • Website configuration: Select the dedicated IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Add one or more websites.

    • Port configuration for non-website services: Configure a port forwarding rule for the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Configure port forwarding rules.

  4. Redirect traffic to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan to protect your service.

    • Website configuration: Change the CNAME record to map the domain name of the website to the CNAME that is assigned by Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Change DNS records to protect website services.

    • Port configuration for non-website services: After you create a port forwarding rule, set the IP address to be protected to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

Protect traffic from all ISPs

If you want to provide quick and stable access for users in and outside the Chinese mainland, regardless of ISPs, you can use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. You must create a secure acceleration rule in Sec-Traffic Manager.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Outside Chinese Mainland.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. Add your website or non-website service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.

    Note

    In this step, you do not need to change the DNS record.

    • Website configuration: You must select the dedicated IP addresses of both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Add one or more websites.

    • Port configuration for non-website services: You must configure a port forwarding rule in both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. For more information, see Configure port forwarding rules.

    Note

    Before you add your non-website service to an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan, make sure that the service can be accessed by using domain names. If your service is accessed by using IP addresses, traffic cannot be automatically redirected.

  4. Choose Provisioning > Sec-Traffic Manager. On the page that appears, click the General Interaction tab.

  5. Click Add Rule. In the dialog box that appears, configure the following parameters and click Next.

    • Interaction Scenario: Select Sec-CMA.

    • Rule Name: Enter the name of the rule.

    • Sec-CMA: Select an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

    • Anti-DDoS Pro: Select an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.

    After you create a port forwarding rule, the system generates a CNAME. You need to only change the DNS record to map the domain name to the CNAME.

    • Traffic from ISPs in the Chinese mainland, excluding traffic from China Mobile, is redirected to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

    • Traffic from China Mobile and regions outside the Chinese mainland is redirected to the IP address of Anti-DDoS Proxy (Outside Chinese Mainland).

    Note

    When you add your service, make sure that you have selected the dedicated IP addresses of both the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

  6. Change the DNS record for the domain name at your DNS service provider.

    After you map your domain name to the CNAME generated in Sec-Traffic Manager, traffic is automatically redirected to Sec-Traffic Manager.

    Note

    Traffic is automatically redirected based on the CNAME. Therefore, you must use the CNAME record.