What are access policies?
Access policies include the configurations of intelligent Domain Name System (DNS) resolution, primary and secondary address pool sets, and the policy for switching the address pool set in use. You can create multiple access policies for a GTM instance. You can configure different address pool sets for access requests from different networks or regions. This allows visitors to be routed to the nearest node and implements automatic failover.
Types of access policies
Geographical location-based access policies
These policies allow visitors from different regions or networks to access the nearest node and accelerate access based on the geographical locations of these visitors.
Latency-based access policies
These policies allow GTM to detect the access latency between the location of a visitor and the region in which an application service is deployed. Then, GTM routes the requests from the visitor to the application server cluster that has the lowest latency. This policy type is available only for the users who purchase instances of Ultimate Edition.
Geographical location-based access policies
Parameters
Policy Name
When you add or modify an access policy, you can specify an informative name for the access policy.
DNS Request Source
DNS request sources allow you to implement intelligent DNS resolution. After you specify a region for an access policy, access to an application service from this region is routed to the specified address pool set. If you select Global for DNS Request Source, the addresses in the address pool set are returned to all visitors.
Rules:
If you configure only one access policy and no specific business requirements exist, you must set the DNS Request Source parameter to Global.
If you configure multiple access policies, you must specify Global as one of your DNS request sources. Otherwise, the application service may not be accessible in some regions.
If you have selected a Domain Name System (DNS) request source for an access policy, you cannot specify this DNS request source for another access policy.
The preceding rule does not apply when the primary address pool set includes only IPv4 or IPv6 addresses.
For example, you have created a global access policy and set the Address Pool Type parameter to IPv4 in the Primary Address Pool Set section. If you want to create another global access policy, you must set the Address Pool Type parameter to IPv6 for the new access policy.
If you configure multiple access policies, you can set the DNS Request Source parameter only by ISP line or regional line.
The CNAME(Internet) parameter can only be set to Custom Access Domain Name. Therefore, the setting of the DNS Request Source parameter must match the setting of the DNS line for the access domain name. For example, if you specify ISP Line as the DNS line of the access domain name, you must select ISP or Global for the DNS Request Source parameter.
For more information about the DNS request sources that are supported by intelligent DNS resolution, see DNS lines.
Note: Subdivided DNS lines are supported only in GTM Ultimate Edition. In addition, a domain name associated with the GTM instance must be bound to an instance of Alibaba Cloud DNS Enterprise Standard Edition or Ultimate Edition.
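The DNS Request Source rules above can be checked before a set of policies is applied. The following lint is an added example, not Alibaba Cloud code: the dictionary keys, the source name "ISP-A" and the sample configurations are constructed, and the handling of the IPv4/IPv6 exception (one policy per address pool type for a given request source) is an assumed reading of the rule.

```python
from collections import defaultdict

IP_TYPES = {"IPv4", "IPv6"}

def lint_access_policies(policies):
    """Check a list of policy dicts against the DNS Request Source rules.

    Each dict has the hypothetical keys "name", "request_source" and
    "pool_type" (IPv4, IPv6 or Domain Name). Returns a list of findings.
    """
    findings = []
    # Without a Global policy, regions that match no policy get no answer.
    if not any(p["request_source"] == "Global" for p in policies):
        findings.append("no Global policy: some regions may get no answer")

    by_source = defaultdict(list)
    for p in policies:
        by_source[p["request_source"]].append(p)

    for source, group in by_source.items():
        if len(group) < 2:
            continue
        types = [p["pool_type"] for p in group]
        # A request source may be reused only across IPv4/IPv6 pool types,
        # and then only once per type (assumed reading of the exception).
        if not set(types) <= IP_TYPES or len(set(types)) != len(types):
            names = ", ".join(p["name"] for p in group)
            findings.append(f"request source {source!r} reused by: {names}")
    return findings

# Constructed sample configurations.
GOOD = [
    {"name": "global-v4", "request_source": "Global", "pool_type": "IPv4"},
    {"name": "global-v6", "request_source": "Global", "pool_type": "IPv6"},
    {"name": "isp-a", "request_source": "ISP-A", "pool_type": "IPv4"},
]
BAD = [
    {"name": "isp-a-1", "request_source": "ISP-A", "pool_type": "IPv4"},
    {"name": "isp-a-2", "request_source": "ISP-A", "pool_type": "IPv4"},
]

if __name__ == "__main__":
    for finding in lint_access_policies(BAD):
        print(finding)
```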
Primary Address Pool Set and Secondary Address Pool Set
In most cases, visitors access the primary address pool set by default. The primary address pool set consists of multiple address pools of the same type. If the primary address pool set is unavailable, GTM switches between the primary address pool set and the secondary address pool set based on the switchover policy.
Address Pool Type: Valid values are IPv4, IPv6, and Domain Name.
Address Pool: After you select an address pool type, you can select the required address pool from existing address pools.
Create Address Pool: If you have not created any address pool, you can click Create Address Pool to create one.
Load Balancing Policy(Address Pool): Valid values are Return All Addresses and Return Addresses by Weight. The load balancing policy specified in an access policy takes precedence over the load balancing policy specified for an address pool. See the following table.
| Load balancing policy specified for an address pool | Load balancing policy specified in an access policy | Effective load balancing policy |
| --- | --- | --- |
| Return all addresses | Return all addresses | Return all addresses |
| Return addresses by weight | Return addresses by weight | Return addresses by weight. Final weight of addresses = Weight of the addresses in an address pool × Weight of the address pool in the access policy |
| Return all addresses | Return addresses by weight | Return addresses by weight. Final weight of addresses = Weight of the address pool in the access policy |
| Return addresses by weight | Return all addresses | Return all addresses |
Minimum Available Addresses: specifies the minimum number of available addresses in an address pool set. If the number of available addresses in an address pool set is less than the value of the Minimum Available Addresses parameter, the address pool set is unavailable.
Address Pool Set Switchover Policy
Valid values: Automatic Switchover and Manual Switchover.
Note: Automatic Switchover: GTM switches between the primary address pool set and the secondary address pool set based on their availability. The primary address pool set is used when both the primary and secondary address pool sets are available.
If both the primary and secondary address pool sets are unavailable, the address pool set with a greater number of available addresses is used.
If both the primary and secondary address pool sets are unavailable and the number of available addresses in the two address pool sets is the same but not zero, the primary address pool set is used.
If both the primary and secondary address pool sets are unavailable and the number of available addresses in the two address pool sets is zero, the following rules apply:
(1) If you select a subdivided DNS line under a non-global line for DNS Request Source, both the primary and secondary address pool sets configured for the subdivided DNS line are invalid and the addresses configured for the global DNS line are returned.
(2) If you select Global for DNS Request Source, the primary address pool set is used and all addresses are returned.
| Mode | Condition | Primary address pool set | Secondary address pool set |
| --- | --- | --- | --- |
| Manual switchover | The primary address pool set is specified. | ✅ (The addresses in the primary address pool set are returned based on the load balancing policy.) | |
| Manual switchover | The secondary address pool set is specified. | | ✅ (The addresses in the secondary address pool set are returned based on the load balancing policy.) |
| Automatic switchover | A primary address pool set is specified but no secondary address pool set is specified. | ✅ (The addresses in the primary address pool set are returned based on the load balancing policy.) | |
| Automatic switchover | Both the primary address pool set and secondary address pool set are specified. The primary address pool set is available. | ✅ (The addresses in the primary address pool set are returned based on the load balancing policy.) | |
| Automatic switchover | Both the primary address pool set and secondary address pool set are specified. The primary address pool set is unavailable and the secondary address pool set is available. | | ✅ (The addresses in the secondary address pool set are returned based on the load balancing policy.) |
| Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is greater than that in the secondary address pool set. | ✅ (The addresses in the primary address pool set, including unavailable addresses, are returned based on the load balancing policy.) Important: If the latency-based access policy is used, unavailable addresses are not returned. | |
| Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is less than that in the secondary address pool set. | | ✅ (The addresses in the secondary address pool set, including unavailable addresses, are returned based on the load balancing policy.) Important: If the latency-based access policy is used, unavailable addresses are not returned. |
| Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is equal to that in the secondary address pool set. | ✅ (The addresses in the primary address pool set, including unavailable addresses, are returned based on the load balancing policy.) Important: If the latency-based access policy is used, unavailable addresses are not returned. | |
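The automatic switchover rules, including the case in which addresses that fail health checks are still returned, can be modeled as follows. This is an added example, not GTM's implementation: the class, function and field names are hypothetical, both address pool sets are assumed to be specified, and the "global-line" result stands for the addresses configured for the global DNS line.

```python
from dataclasses import dataclass

@dataclass
class PoolSet:
    available: int       # addresses currently considered available
    min_available: int   # the Minimum Available Addresses parameter

    @property
    def is_available(self):
        # A set is unavailable when it has fewer available addresses
        # than Minimum Available Addresses.
        return self.available >= self.min_available

@dataclass
class Decision:
    pool_set: str                  # "primary", "secondary" or "global-line"
    degraded: bool                 # neither set met its minimum
    may_return_unavailable: bool   # unavailable addresses can reach visitors

def select_pool_set(primary, secondary, source="Global", latency_based=False):
    """Model the Automatic Switchover choice between two specified sets."""
    if primary.is_available:
        return Decision("primary", False, False)
    if secondary.is_available:
        return Decision("secondary", False, False)

    # Both sets are unavailable. Geographical policies still answer with
    # unavailable addresses; latency-based policies do not return them.
    fail_open = not latency_based
    if primary.available == 0 and secondary.available == 0:
        if source != "Global":
            # Both sets are invalid for this line; the global DNS line's
            # addresses are returned instead (evaluate that policy separately).
            return Decision("global-line", True, False)
        return Decision("primary", True, fail_open)
    # More available addresses wins; a tie goes to the primary set.
    chosen = "primary" if primary.available >= secondary.available else "secondary"
    return Decision(chosen, True, fail_open)

if __name__ == "__main__":
    # Constructed states: both sets below their minimum of 2.
    print(select_pool_set(PoolSet(0, 2), PoolSet(1, 2)))
```

A monitoring check built on this model can alert whenever `degraded` is true, because in that state a geographical policy keeps answering with addresses that may not be serving traffic.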
Latency-based access policies
Parameters
Policy Name
When you add or modify an access policy, you can specify an informative name for the access policy.
Primary Address Pool Set and Secondary Address Pool Set
In most cases, visitors access the primary address pool set by default. The primary address pool set consists of multiple address pools of the same type. If the primary address pool set is unavailable, GTM switches between the primary address pool set and the secondary address pool set based on the switchover policy.
Address Pool Type: Valid values are IPv4, IPv6, and Domain Name.
Address Pool: After you select an address pool type, you can select the required address pool from existing address pools.
Create Address Pool: If you have not created any address pool, you can click Create Address Pool to create one.
Minimum Available Addresses: specifies the minimum number of available addresses in an address pool set. If the number of available addresses in an address pool set is less than the value of the Minimum Available Addresses parameter, the address pool set is unavailable.
Maximum Addresses Returned:
The default value is 1. This value indicates that GTM returns an IP address with the lowest access latency if your application service has multiple IP addresses.
If you specify a value between 1 and 8, GTM can return multiple IP addresses with the lowest access latency.
DNS Resolution with Optimal Latency:
You can turn on DNS Resolution with Optimal Latency only if you set the Maximum Addresses Returned parameter to a value greater than 1.
After you turn on DNS Resolution with Optimal Latency, GTM intelligently returns the addresses with optimal latency. The number of returned addresses is less than the value of the Maximum Addresses Returned parameter.
Procedure
Geographical location-based access policies
Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Global Traffic Manager and click the ID of the desired instance. The Basic Settings page appears. In the Access Policy Type section, click Settings in the Geographical Location-based Access Policy card.
On the page that appears, click Create Access Policy. Then, set the required parameters including Policy Name, DNS Request Source, Primary Address Pool Set, and Secondary Address Pool Set.
Note: If the Address Pool parameter is left empty, click Create Address Pool to add one.
Latency-based access policies
Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Global Traffic Manager and click the ID of the desired instance. The Basic Settings page appears. In the Access Policy Type section, click Settings in the Latency-based Access Policy card.
On the page that appears, click Create Access Policy. Then, set the parameters including Maximum Addresses Returned and DNS Resolution with Optimal Latency based on your requirements. The configurations of the primary and secondary address pool sets are similar to those specified for the geographical location-based access policies.
Important: You can create only one latency-based access policy for each address pool type. For example, if you have created a latency-based access policy with an address pool type of IPv4, you are not allowed to create another latency-based access policy with an address pool type of IPv4.