What is Sec-Traffic Manager? - Anti-DDoS - Alibaba Cloud Documentation Center

Sec-Traffic Manager is provided by Anti-DDoS Proxy to help you configure rules on the interaction between Anti-DDoS Proxy and cloud services. The rules take effect only in specific scenarios. Sec-Traffic Manager ensures service continuity if no DDoS attacks occur and helps mitigate DDoS attacks. Sec-Traffic Manager provides features such as cloud service interaction, tiered protection, Alibaba Cloud CDN (CDN) interaction, Dynamic Content Delivery Network (DCDN) interaction, network acceleration, and secure acceleration.

Scenarios

If you add website services to Anti-DDoS Proxy, you need to only add the domain names of the website services. For more information, see Add one or more websites. If you add non-website services to Anti-DDoS Proxy, you need to only add the ports of the non-website services. For more information, see Configure port forwarding rules.

After you add services to Anti-DDoS Proxy, all traffic, including service and attack traffic, is forwarded to Anti-DDoS Proxy. Attack traffic is filtered out, and only service traffic is forwarded to the origin server. During normal service access, service traffic is also forwarded by Anti-DDoS Proxy. This may cause a low service latency.

To resolve this issue, you can enable the cloud service interaction feature of Sec-Traffic Manager. If no attacks occur, service traffic is directly forwarded to the origin server without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Proxy for scrubbing and forwarding.

In addition to the preceding scenarios, Sec-Traffic Manager enables interactions between Anti-DDoS Proxy and Anti-DDoS Origin, CDN, DCDN, the Chinese Mainland Acceleration (CMA) mitigation plan, and the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan. For more information, see Interaction scenarios.

Note

Anti-DDoS Proxy provides Sec-Traffic Manager to help you to configure rules for your service access. Whether you use Sec-Traffic Manager does not affect the billing of Anti-DDoS Proxy. For more information about the billing methods of Anti-DDoS Proxy, see Billing of Anti-DDoS Proxy (Chinese Mainland) and Billing of Anti-DDoS Proxy (Outside Chinese Mainland) of the Insurance and Unlimited mitigation plans.

Interaction scenarios

The following table describes the interaction scenarios of Sec-Traffic Manager and the related topics.

A cross (×) indicates that Anti-DDoS Proxy (Chinese Mainland) does not support the interaction scenario.

Interaction scenario	Description	Anti-DDoS Proxy (Chinese Mainland)	Anti-DDoS Proxy (Outside Chinese Mainland)	References
Cloud service interaction	Your services use Alibaba Cloud public IP addresses and are protected by Anti-DDoS Proxy to achieve the following effects: If no DDoS attacks occur, service traffic is directly forwarded to the origin server. Anti-DDoS Proxy is dormant to prevent a high latency. If DDoS attacks occur, Anti-DDoS Proxy scrubs traffic and forwards service traffic to the origin server. Note Anti-DDoS Proxy can interact with Alibaba Cloud Global Accelerator (GA). For more information, see What is Global Accelerator?.	√	√	Use the cloud service interaction feature
Tiered protection	Your services are protected by Anti-DDoS Origin Enterprise and Anti-DDoS Proxy to achieve the following effects: Anti-DDoS Origin Enterprise protects your services against low-volume DDoS attacks. Service traffic is directly forwarded to the origin server without increasing latency. If volumetric DDoS attacks are detected, Anti-DDoS Proxy scrubs traffic and forwards service traffic to the origin server.	√	√	Use the tiered protection feature
CDN or DCDN interaction	Your website services use Alibaba Cloud CDN or DCDN and are protected by Anti-DDoS Proxy to achieve the following effects: If no DDoS attacks occur, the nearest CDN or DCDN node is used for acceleration. If DDoS attacks occur, Anti-DDoS Proxy is automatically used.	√	√	Use the CDN or DCDN interaction feature
Network acceleration	Your services are protected by an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan to achieve the following effects: If no DDoS attacks occur, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan is used to accelerate service access. If DDoS attacks occur, the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan is automatically used. Note Network acceleration is suitable for scenarios in which services are deployed outside the Chinese mainland and the users of the services are from the Chinese mainland. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the CMA mitigation plan.	×	√	Use the network acceleration feature
Secure acceleration	Your services are protected by an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan and an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan to achieve the following effects: The traffic from Internet service providers (ISPs) in the Chinese mainland, excluding China Mobile, is redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-MCA mitigation plan. The traffic from China Mobile and ISPs outside the Chinese mainland is redirected to the Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Insurance or Unlimited mitigation plan. Note An Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan accelerates access of users in the Chinese mainland to services in regions outside the Chinese mainland. The instance also mitigates volumetric DDoS attacks on the networks of ISPs in the Chinese mainland, excluding China Mobile. For more information, see Configure an Anti-DDoS Proxy (Outside Chinese Mainland) instance of the Sec-CMA mitigation plan.	×	√	Create a secure acceleration rule