
Anti-DDoS: Create a secure acceleration rule

Last Updated: Mar 28, 2024

To create a secure acceleration rule, you must purchase an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan. Then, you can use the instances to route traffic as follows: traffic from all Internet service providers (ISPs) in the Chinese mainland, excluding China Mobile, goes to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan, and traffic from China Mobile and from regions outside the Chinese mainland goes to the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.

Prerequisites

Background information

The Sec-CMA mitigation plan accelerates service access in scenarios where your service is deployed outside the Chinese mainland but your users reside in the Chinese mainland. The Sec-CMA mitigation plan also mitigates volumetric DDoS attacks on the networks of ISPs in the Chinese mainland, excluding China Mobile.

If you want to provide quick and stable access for all users, including users in and outside the Chinese mainland and users from various ISPs, such as China Unicom and China Mobile, you can use an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan together with an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan.

For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Outside Chinese Mainland.

    If you select this region, you are redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) console.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.

  4. On the General Interaction tab, click Add Rule.

  5. In the Add Rule panel, configure a secure acceleration rule and click Next.

    | Parameter | Description |
    | --- | --- |
    | Interaction Scenario | Select Sec-CMA. |
    | Rule Name | Enter a name for the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_). |
    | Sec-CMA | Select the IP address of the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan. |
    | Anti-DDoS Proxy (Outside Chinese Mainland) | Select an Anti-DDoS Proxy instance. |

    After the rule is created, Sec-Traffic Manager assigns a CNAME for the rule. You can view the created rule and CNAME address in the rule list.

  6. Change the DNS records of the domain name as prompted and click Complete.

    For the secure acceleration rule to take effect, you must change the DNS records of your domain name on the website of your DNS service provider to map the domain name to the CNAME provided by Sec-Traffic Manager. If your DNS service is provided by Alibaba Cloud DNS, you only need to change the DNS records in the Alibaba Cloud DNS console.

    Important

    After you change the DNS records of your domain name, the secure acceleration rule takes effect. Before you change the DNS records, we recommend that you modify the hosts file on your on-premises computer to verify the rule. This helps prevent incompatibility issues caused by inconsistent back-to-origin policies.

    CDN allows you to change the origin host for back-to-origin requests, but Anti-DDoS Proxy does not. If you use CDN together with Anti-DDoS Proxy to retrieve data from an Object Storage Service (OSS) object, OSS cannot identify the service traffic that is forwarded by Anti-DDoS Proxy. As a result, your services are interrupted. For more information about origin hosts, see Configure the default origin host.

    For more information about how to verify traffic forwarding rules, see Verify the forwarding configurations on your on-premises computer.

    For more information about how to change the DNS records of a domain name, see Change the CNAME to redirect traffic to Sec-Traffic Manager.

What to do next

After a secure acceleration rule is created, you can perform the following operations on the rule.

| Operation | Description |
| --- | --- |
| Edit | You can modify the secure acceleration rule. However, you cannot change the values of Interaction Scenario and Rule Name for the rule. |
| Delete | You can delete the secure acceleration rule. Warning: Before you delete the rule, make sure that the domain name of your website is not pointed to the CNAME of Sec-Traffic Manager. Otherwise, access to your website may fail after you delete the rule. |
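
The check behind step 6 and the deletion warning, as an added example that is not part of the original documentation: it parses the output of `dig +noall +answer` and reports whether a domain still resolves through the CNAME of a rule. The host names, addresses, and dig output are constructed placeholders, and the function names are assumptions of this example.

```python
# Added example: hostnames and dig output below are constructed placeholders.
def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def parse_answers(dig_text):
    """Map owner name -> [(type, rdata)] from `dig +noall +answer` output."""
    records = {}
    for line in dig_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank and comment lines
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if rtype in ("CNAME", "A", "AAAA"):
            records.setdefault(norm(owner), []).append((rtype, norm(rdata)))
    return records

def cname_chain(dig_text, domain, max_hops=16):
    """Names visited when following CNAME records, starting at domain."""
    records = parse_answers(dig_text)
    chain = [norm(domain)]
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        nxt = [d for t, d in records.get(chain[-1], []) if t == "CNAME"]
        if not nxt or nxt[0] in chain:
            break
        chain.append(nxt[0])
    return chain

def points_to(dig_text, domain, rule_cname):
    """True while the domain still resolves through the rule's CNAME."""
    return norm(rule_cname) in cname_chain(dig_text, domain)[1:]

# Constructed: domain mapped to the rule's CNAME (state after step 6).
VIA_RULE = """\
www.example.com.             600 IN CNAME rule-cname.example.net.
rule-cname.example.net.       60 IN A     203.0.113.10
"""
# Constructed: domain moved back to its own address before deleting the rule.
DIRECT = "www.example.com. 600 IN A 198.51.100.7\n"

if __name__ == "__main__":
    for label, text in (("via rule", VIA_RULE), ("direct", DIRECT)):
        live = points_to(text, "www.example.com", "rule-cname.example.net")
        print(label, "->", "do not delete rule" if live else "rule not in DNS path")
```

Because resolvers cache records, a result of "rule not in DNS path" is only reliable once the TTL of the old CNAME record has expired on the resolvers your users query.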