Alibaba Cloud DNS:Access policies

Last Updated:Dec 03, 2024

What are access policies?

Access policies include the configurations of intelligent Domain Name System (DNS) resolution, primary and secondary address pool sets, and the policy for switching the address pool set in use. You can create multiple access policies for a Global Traffic Manager (GTM) instance. You can configure different address pool sets for access requests from different networks or regions. This allows visitors to be routed to the nearest node and implements automatic failover.

Types of access policies

  1. Geographical location-based access policies

    These policies allow visitors from different regions or networks to access the nearest node based on the geographical locations of these visitors.

  2. Latency-based access policies

    These policies allow GTM to detect the access latency between the location of a visitor and the region in which an application service is deployed. Then, GTM routes the requests from the visitor to the application server cluster that has the lowest latency. This policy type is available only for the users who purchase instances of Ultimate Edition.

    Warning
    1. Alibaba Cloud deploys multiple nodes around the world and selects several IP addresses in each region. When you send a request from these nodes to these IP addresses, the average value of latency for each dial test serves as the latency between the region where the node is deployed and the region where the destination server resides.

    2. When a client in a specific region initiates a DNS request, the results are returned from the IP address with the lowest access latency. The IP address is determined based on the detected latency if the region where the client is deployed matches a region where an Alibaba Cloud detection point is deployed. The detected latency is not the real-time access latency between the actual client and the server that the client accesses.

    3. GTM may route the request from a visitor in a specific region to a server that does not have the lowest latency, because latency-based scheduling has limited accuracy and incremental data synchronization has high latency.

    4. In a failover scenario where the accuracy of latency-based scheduling cannot be ensured, the requests from multiple users may be routed to the same IP address. Therefore, the IP address of each server must be able to handle all traffic.

Geographical location-based access policies

Parameters

  1. Policy Name

    When you add or modify an access policy, you can specify an informative name for the access policy.

  2. DNS Request Source

    DNS request sources allow you to implement intelligent DNS resolution. After you specify a region for an access policy, access to an application service from this region is routed to the specified address pool set. If you select Global for DNS Request Source, the addresses in the address pool set are returned to all visitors.

    Rules:

  • If you configure only one access policy and no specific business requirements exist, you must set the DNS Request Source parameter to Global.

  • If you configure multiple access policies, you must specify Global as one of your DNS request sources. Otherwise, the application service may not be accessible in some regions.

  • If you have selected a DNS request source for an access policy, you cannot specify the same DNS request source for another access policy.

    • The preceding rule does not apply when the primary address pool set includes only IPv4 or IPv6 addresses.

      • For example, you have created a global access policy and set the Address Pool Type parameter to IPv4 in the Primary Address Pool Set section. If you want to create another global access policy, you must set the Address Pool Type parameter to IPv6 for the new access policy.

  • If you configure multiple access policies, you can set the DNS Request Source parameter only by ISP line or regional line.

  • The CNAME (Internet) parameter can only be set to Custom Access Domain Name. Therefore, the setting of the DNS Request Source parameter must match the setting of the DNS line for the access domain name. For example, if you specify ISP Line as the DNS line of the access domain name, you must select ISP or Global for the DNS Request Source parameter.

    For more information about the DNS request sources that are supported by intelligent DNS resolution, see DNS lines.

    Note

    Subdivided DNS lines are supported only in GTM Ultimate Edition. In addition, a domain name associated with the GTM instance must be bound to an instance of Alibaba Cloud DNS Enterprise Standard Edition or Ultimate Edition.

  3. Primary Address Pool Set and Secondary Address Pool Set

    In most cases, visitors access the primary address pool set by default. The primary address pool set consists of multiple address pools of the same type. If the primary address pool set is unavailable, GTM switches between the primary address pool set and the secondary address pool set based on the switchover policy.

    Address Pool Type: Valid values are IPv4, IPv6, and Domain Name.

    Address Pool: After you select an address pool type, you can select the required address pool from existing address pools.

    Create Address Pool: If you have not created any address pool, you can click Create Address Pool to create one.

    Load Balancing Policy (Address Pool): Valid values are Return All Addresses and Return Addresses by Weight. The load balancing policy specified in an access policy takes precedence over the load balancing policy specified for an address pool. See the following table.

    | Load balancing policy specified for an address pool | Load balancing policy specified in an access policy | Effective load balancing policy |
    | --- | --- | --- |
    | Return all addresses | Return all addresses | Return all addresses |
    | Return addresses by weight | Return addresses by weight | Return addresses by weight. Final weight of addresses = Weight of the addresses in an address pool × Weight of the address pool in the access policy |
    | Return all addresses | Return addresses by weight | Return addresses by weight. Final weight of addresses = Weight of the address pool in the access policy |
    | Return addresses by weight | Return all addresses | Return all addresses |

    Minimum Available Addresses: specifies the minimum number of available addresses in an address pool set. If the number of available addresses in an address pool set is less than the value of the Minimum Available Addresses parameter, the address pool set is unavailable.
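As an added example (not Alibaba Cloud's code), the following Python resolves the effective load balancing policy from the table above and derives the final address weights for both weighted rows; the pool names, weights and RFC 5737 addresses are constructed sample data.

```python
# Added example, not Alibaba Cloud's code: resolves the effective load balancing
# policy from the table above and derives the final address weights.
RETURN_ALL = "Return all addresses"
BY_WEIGHT = "Return addresses by weight"

# Constructed sample data: two address pools in one address pool set, each with a
# pool weight (set in the access policy) and per-address weights (set in the pool).
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_POOLS = [
    {"name": "pool-a", "weight": 3, "addresses": {"192.0.2.10": 2, "192.0.2.11": 1}},
    {"name": "pool-b", "weight": 1, "addresses": {"198.51.100.10": 5}},
]


def effective_policy(pool_policy: str, access_policy: str) -> str:
    """The access policy's setting wins: weighting is in effect only when the
    access policy says so, regardless of what the address pool is set to."""
    return BY_WEIGHT if access_policy == BY_WEIGHT else RETURN_ALL


def final_weights(pools, pool_policy: str, access_policy: str) -> dict:
    """Map each address to its final weight (None when all addresses are
    returned without weighting)."""
    policy = effective_policy(pool_policy, access_policy)
    weights = {}
    for pool in pools:
        for addr, addr_weight in pool["addresses"].items():
            if policy == RETURN_ALL:
                weights[addr] = None
            elif pool_policy == BY_WEIGHT:
                # Both sides weighted: final = address weight x pool weight
                weights[addr] = addr_weight * pool["weight"]
            else:
                # Pool returns all, access policy weights: only the pool weight applies
                weights[addr] = pool["weight"]
    return weights


if __name__ == "__main__":
    for pool_pol, access_pol in [(RETURN_ALL, RETURN_ALL), (BY_WEIGHT, BY_WEIGHT),
                                 (RETURN_ALL, BY_WEIGHT), (BY_WEIGHT, RETURN_ALL)]:
        print(pool_pol, "/", access_pol, "->", effective_policy(pool_pol, access_pol),
              final_weights(SAMPLE_POOLS, pool_pol, access_pol))
```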

  4. Address Pool Set Switchover Policy

    Valid values: Automatic Switchover and Manual Switchover.

    Note

    Automatic Switchover: GTM switches between the primary address pool set and the secondary address pool set based on their availability. The primary address pool set is used when both the primary and secondary address pool sets are available.

    • If both the primary and secondary address pool sets are unavailable, the address pool set with a greater number of available addresses is used.

    • If both the primary and secondary address pool sets are unavailable and the number of available addresses in the two address pool sets is the same but not zero, the primary address pool set is used.

    • If both the primary and secondary address pool sets are unavailable and the number of available addresses in the two address pool sets is zero, the following rules apply:

      (1) If you select a subdivided DNS line under a non-global line for DNS Request Source, both the primary and secondary address pool sets configured for the subdivided DNS line are invalid and the addresses configured for the global DNS line are returned.

      (2) If you select Global for DNS Request Source, the primary address pool set is used and all addresses are returned.

    | Mode | Condition | Primary address pool set | Secondary address pool set |
    | --- | --- | --- | --- |
    | Manual switchover | The primary address pool set is specified. | ✅ The addresses in the primary address pool set are returned based on the load balancing policy. | |
    | Manual switchover | The secondary address pool set is specified. | | ✅ The addresses in the secondary address pool set are returned based on the load balancing policy. |
    | Automatic switchover | A primary address pool set is specified but no secondary address pool set is specified. | ✅ The addresses in the primary address pool set are returned based on the load balancing policy. | |
    | Automatic switchover | Both the primary address pool set and secondary address pool set are specified. The primary address pool set is available. | ✅ The addresses in the primary address pool set are returned based on the load balancing policy. | |
    | Automatic switchover | Both the primary address pool set and secondary address pool set are specified. The primary address pool set is unavailable and the secondary address pool set is available. | | ✅ The addresses in the secondary address pool set are returned based on the load balancing policy. |
    | Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is greater than that in the secondary address pool set. | ✅ The addresses in the primary address pool set, including unavailable addresses, are returned based on the load balancing policy. Important: If the latency-based access policy is used, unavailable addresses are not returned. | |
    | Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is less than that in the secondary address pool set. | | ✅ The addresses in the secondary address pool set, including unavailable addresses, are returned based on the load balancing policy. Important: If the latency-based access policy is used, unavailable addresses are not returned. |
    | Automatic switchover | Both the primary address pool set and secondary address pool set are specified, and neither of them is available. The number of available addresses in the primary address pool set is equal to that in the secondary address pool set. | ✅ The addresses in the primary address pool set, including unavailable addresses, are returned based on the load balancing policy. Important: If the latency-based access policy is used, unavailable addresses are not returned. | |
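As an added example (not Alibaba Cloud's code), the following Python simulates the Automatic Switchover decision described above, including the Minimum Available Addresses check, the tie rule and the latency-based exception; the set names, health-check results and RFC 5737 addresses are constructed, and the assumption that an available set answers only its available addresses is marked in the code.

```python
# Added example, not Alibaba Cloud's code: simulates the Automatic Switchover
# decision from the table above for one DNS request source.
from dataclasses import dataclass

@dataclass
class Address:
    ip: str
    available: bool  # outcome of the health check on this address

@dataclass
class PoolSet:
    name: str
    addresses: list  # Address objects across all pools in the set
    min_available: int  # Minimum Available Addresses parameter

    def available_count(self) -> int:
        return sum(1 for a in self.addresses if a.available)

    def is_available(self) -> bool:
        # Unavailable when fewer addresses than the minimum pass their health checks.
        return self.available_count() >= self.min_available

def choose_pool_set(primary, secondary=None, latency_based=False):
    """Return (name of the set in use, IPs answered) following the table rows."""
    if primary.is_available():
        chosen, degraded = primary, False
    elif secondary is not None and secondary.is_available():
        chosen, degraded = secondary, False
    else:
        # Neither set is available (or only a primary exists): the set with more
        # available addresses is used, and a tie goes to the primary.
        more_in_secondary = secondary is not None and secondary.available_count() > primary.available_count()
        chosen, degraded = (secondary if more_in_secondary else primary), True
    # Degraded rows return unavailable addresses too, except under a latency-based
    # policy. Assumption (not stated on the page): an available set answers only
    # its available addresses.
    include_unavailable = degraded and not latency_based
    ips = [a.ip for a in chosen.addresses if a.available or include_unavailable]
    return chosen.name, ips

# Constructed sample: RFC 5737 documentation addresses; two of the three primary
# addresses failed their health checks, and Minimum Available Addresses is 2.
PRIMARY = PoolSet("primary", [Address("192.0.2.10", True), Address("192.0.2.11", False),
                              Address("192.0.2.12", False)], min_available=2)
SECONDARY = PoolSet("secondary", [Address("198.51.100.10", True),
                                  Address("198.51.100.11", True)], min_available=2)

if __name__ == "__main__":
    print(choose_pool_set(PRIMARY, SECONDARY))  # the secondary set takes over
```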

Latency-based access policies

Parameters

  1. Policy Name

    When you add or modify an access policy, you can specify an informative name for the access policy.

  2. Primary Address Pool Set and Secondary Address Pool Set

    In most cases, visitors access the primary address pool set by default. The primary address pool set consists of multiple address pools of the same type. If the primary address pool set is unavailable, GTM switches between the primary address pool set and the secondary address pool set based on the switchover policy.

    Address Pool Type: Valid values are IPv4, IPv6, and Domain Name.

    Address Pool: After you select an address pool type, you can select the required address pool from existing address pools.

    Create Address Pool: If you have not created any address pool, you can click Create Address Pool to create one.

    Minimum Available Addresses: specifies the minimum number of available addresses in an address pool set. If the number of available addresses in an address pool set is less than the value of the Minimum Available Addresses parameter, the address pool set is unavailable.

    Maximum Addresses Returned:

  • The default value is 1. This value indicates that GTM returns the IP address with the lowest access latency if your application service has multiple IP addresses.

  • If you specify a value between 1 and 8, GTM can return multiple IP addresses with the lowest access latency.

    DNS Resolution with Optimal Latency:

  • You can turn on DNS Resolution with Optimal Latency only if you set the Maximum Addresses Returned parameter to a value greater than 1.

  • After you turn on DNS Resolution with Optimal Latency, GTM intelligently returns the addresses with optimal latency. The number of returned addresses is less than the value of the Maximum Addresses Returned parameter.

Procedure

Geographical location-based access policies

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Global Traffic Manager and click the ID of the desired instance. The Basic Settings page appears. In the Access Policy Type section, click Settings in the Geographical Location-based Access Policy card.

  3. On the page that appears, click Create Access Policy. Then, set the required parameters including Policy Name, DNS Request Source, Primary Address Pool Set, and Secondary Address Pool Set.

    Note

    If the Address Pool parameter is left empty, click Create Address Pool to add one.


Latency-based access policies

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Global Traffic Manager and click the ID of the desired instance. The Basic Settings page appears. In the Access Policy Type section, click Settings in the Latency-based Access Policy card.

  3. On the page that appears, click Create Access Policy. Then, set the parameters including Maximum Addresses Returned and DNS Resolution with Optimal Latency based on your requirements. The configurations of the primary and secondary address pool sets are similar to those specified for the geographical location-based access policies.

    Important

    You can create only one latency-based access policy for each address pool type. For example, if you have created a latency-based access policy with an address pool type of IPv4, you are not allowed to create another latency-based access policy with an address pool type of IPv4.