This topic describes how to use a Global Accelerator (GA) instance to accelerate multiple domain names over HTTPS by configuring multiple certificates.
Scenarios
The example in this topic is based on the following scenario. An enterprise deployed two servers in the US (Silicon Valley) region for its headquarters. A web application that provides Internet-facing services by using different domain names is deployed on both servers. Most employees of the company need to access the web application from the China (Hong Kong) region. The company faces the following challenges:
The network connections that are established over the Internet are unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur.
Multiple servers provide Internet-facing services through two domain names. The company must configure content delivery acceleration for both domain names, which increases costs.
To resolve the issue, you can deploy GA and configure HTTPS listeners. HTTPS listeners support the following features that can accelerate access to multiple HTTPS domain names:
Allows you to associate an HTTPS listener with multiple certificates and multiple domain names.
Supports domain name-based forwarding rules, which are used to match requests against domain names and forward the requests to backend servers based on the match results.
Supports request encryption, which increases the security of data transmission.
The following table describes the web servers of the company and the forwarding rules that are used by the HTTPS listener after the company uses GA to accelerate its web application.
Configuration item | Domain name 1 (xxxtest.cloud) | Domain name 2 (xxxtest.fun) |
--- | --- | --- |
Listener protocol | HTTPS | HTTPS (the same listener serves both domain names) |
Listener port | 443 | 443 (the same listener serves both domain names) |
Certificate | Default certificate (Certificate A) | Additional certificate (Certificate B) |
Forwarding rule | Default forwarding rule | Custom forwarding rule |
Endpoint group | Default endpoint group | Virtual endpoint group |
Server | Server 1 | Server 2 |
Service protocol | HTTP | HTTPS |
Service port | 80 | 443 |
Server public IP address | 47.XX.XX.62 | 47.XX.XX.34 |
The certificates are used to encrypt data that is transmitted from clients to GA. You can use the certificates that are installed on the backend servers to encrypt data that is transmitted from GA to the backend servers. The certificates on your GA instance can be the same as the certificates on the backend servers.
Prerequisites
An SSL certificate is purchased and an application is submitted to apply for the SSL certificate. For more information, see Purchase an SSL certificate and Submit a certificate application.
The certificate is uploaded to the backend servers. For more information, see Use Cloud Assistant to upload a file to ECS instances.
An HTTP service that uses port 80 is deployed on Server 1 and an HTTPS service that uses port 443 is deployed on Server 2 by using NGINX.
The A records that map backend domain name 1 (xxxtest.cloud) and backend domain name 2 (xxxtest.fun) to the public IP addresses of the backend servers are created.
In this example, NGINX is used to deploy the backend services and Alibaba Cloud DNS is used to configure DNS records.
For more information about how to deploy NGINX, see Step 2: Install NGINX.
For information about how to configure DNS records, see Add a DNS record. If you use a third-party DNS service, refer to the user guide provided by the service provider.
Procedure
In this topic, a pay-as-you-go standard Global Accelerator instance is used to show how to configure Global Accelerator to accelerate multiple domain names over HTTPS. Before you create a pay-as-you-go standard Global Accelerator instance, take note of the following information:
Pay-as-you-go Global Accelerator instances use the pay-by-data-transfer metering method. You do not need to associate a basic bandwidth plan with pay-as-you-go GA instances. The billing of data transfer over the Global Accelerator network is managed by Cloud Data Transfer (CDT). For more information, see Pay-by-data-transfer.
The first time you use a pay-as-you-go Global Accelerator instance, go to the pay-as-you-go GA activation page and activate Global Accelerator as prompted.
Step 1: Configure basic information about an instance
Log on to the GA console.
On the Instances page, click Create GA Instance. Select Pay-as-you-go Standard Instance or Subscription Standard Instance based on your business requirements.
In this example, Pay-as-you-go Standard Instance is selected.
In the Basic Instance Configuration step, configure the following parameters and click Next.
Parameter | Description |
--- | --- |
GA Instance Name | Enter a name for the GA instance. |
Instance Billing Method | Pay-As-You-Go is selected by default. You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard Global Accelerator instances. For more information about instance fees and CU fees, see Billing of pay-as-you-go GA instances. For more information about data transfer fees, see Pay-by-data-transfer. |
Resource Group | Select the resource group to which the standard Global Accelerator instance belongs. The resource group must be created in Resource Management by the current Alibaba Cloud account. For more information, see Create a resource group. |
Step 2: Configure an acceleration area
Specify acceleration regions and allocate bandwidth to each acceleration region.
In the Configure Acceleration Area step, configure the parameters and click Next. The following table describes the parameters.
Parameter | Description |
--- | --- |
Acceleration Area | Select one or more regions from the drop-down list and click Add. In this example, the China (Hong Kong) region in the Asia Pacific section is selected. |
Assign Bandwidth | Configure the following bandwidth parameters for each acceleration region. |
Maximum Bandwidth | Specify the maximum bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s. The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT. In this example, the default value 200 Mbit/s is used. Important: If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify the maximum bandwidth based on your business requirements. |
IP Protocol | Select the IP version that is used to connect to Global Accelerator. In this example, the default value IPv4 is selected. |
ISP Line Type | Select an ISP line type for the Global Accelerator instance. BGP (Multi-ISP) is selected in this example. |
Step 3: Configure a listener
A listener listens for connection requests and distributes the requests to endpoints based on the port and protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoints in the endpoint group.
In the Configure listener step, configure the following parameters and click Next.
Parameter | Description |
--- | --- |
Listener Name | Enter a name for the listener. |
Routing Type | Select a routing type. In this example, Intelligent Routing is selected. |
Protocol | Select a protocol for the listener. In this example, HTTPS is selected. |
Port | Specify the port on which the listener receives requests and forwards them to endpoints. Valid values: 1 to 65499. In this example, the value is set to 443. |
Server Certificate | Select the server certificate that you obtained. In this example, Certificate A is selected. |
TLS Security Policies | Select the TLS security policy required by your service. A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. For more information about TLS security policies, see TLS security policies. In this example, the default policy tls_cipher_policy_1_0 is used. |
Client Affinity | Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application. In this example, Source IP is selected. |
Custom HTTP Headers | Select the HTTP headers that you want to add. In this example, the default settings are used. |
Step 4: Configure endpoint groups and endpoints
In the Configure an endpoint group step, configure an endpoint group, add endpoints to the endpoint group, and then click Next.
This topic describes only the key parameters. For more information, see Add and manage endpoint groups of intelligent routing listeners.
Parameter | Description |
--- | --- |
Region | Select the region in which the endpoint group is deployed. In this example, US (Silicon Valley) is selected. |
Endpoint Configuration | Endpoints are destinations of client requests. To add an endpoint, configure the following parameters. Backend Service Type: Select Alibaba Cloud Public IP Address. Backend Service: Enter the IP address of the backend service that you want to accelerate. In this example, 47.XX.XX.62 is entered, which is the public IP address of Server 1. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. Global Accelerator routes network traffic to endpoints based on the weights of the endpoints. In this example, the default value 255 is used. Warning: If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution. |
Preserve Client IP | By default, client IP address preservation is enabled for HTTPS listeners. This feature allows you to view client IP addresses on backend servers. HTTP listeners can retrieve client IP addresses from the X-Forwarded-For HTTP header. For more information, see Preserve client IP addresses. |
Backend Service Protocol | Select the protocol that is used by backend servers. In this example, the default value HTTP is used. |
Port Mapping | If the listener port is not the same as the port over which the endpoint provides services, you must set this parameter. Listener Port: Enter the port of the current listener. In this example, the value is set to 443. Endpoint Port: Enter the port over which the endpoint provides services. In this example, 80 is used. |
Traffic Distribution Ratio | Specify a traffic distribution ratio for the endpoint group. Valid values: 0 to 100. In this example, the default value 100 is used. |
Health Check | Specify whether to enable or disable the health check feature. After you enable the feature, you can use health checks to check the status of endpoints. For more information about the health check feature, see Enable and manage health checks. In this example, the health check feature is disabled. |
In the Configuration Review step, check the configurations and click Submit.
Note: It takes 3 to 5 minutes to create a Global Accelerator instance.
(Optional) After you create a GA instance, you can click the instance ID on the Instances page to view the configurations of the instance. On the instance details page, you can click tabs, such as Instance Information, Listeners, and Acceleration Areas, to view more details.
Configure a virtual endpoint group.
On the instance details page, click the Listeners tab.
On the Listeners tab, find the listener that you want to manage and click the endpoint group ID in the Default Endpoint Group column.
On the Endpoint Group tab, click Add Virtual Endpoint Group in the Virtual Endpoint Group section.
On the Add Endpoint Group page, configure the parameters based on the following information and click Create.
The configurations of the virtual endpoint group are the same as those of the default endpoint group that you created in Step 4-1, except for the following parameters.
Backend Service Type: Select Alibaba Cloud Public IP Address.
Backend Service: Enter 47.XX.XX.34, which is the public IP address of Server 2.
Backend Service Protocol: Select HTTPS.
Port Mapping: You do not need to add a port mapping.
If the listener port is the same as the port over which the endpoint provides services, you do not need to add a port mapping. Global Accelerator automatically forwards client requests to the listener port of the endpoint.
Step 5: Associate an additional certificate
You can associate multiple domain names with an HTTPS listener by associating an additional certificate with the listener. Based on the additional certificate and forwarding rules, GA can distribute requests that are destined for different domain names to different virtual endpoint groups.
You can perform the following operations to associate Certificate B with the HTTPS listener, which associates domain name 2 (xxxtest.fun) with the HTTPS listener.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Certificates tab.
On the Certificates tab, click Associate Certificate in the Additional Certificate section.
In the Associate Certificate dialog box, configure the additional certificate and click OK.
Certificate: Select the certificate that you want to associate. In this example, Certificate B is used.
Associated Domain Name: Select one or more domain names that you want to accelerate by using Global Accelerator. The certificate will be associated with the selected domain names. In this example, xxxtest.fun is selected, which is domain name 2.
Step 6: Add a forwarding rule
When an HTTPS listener receives requests, it forwards requests that meet the conditions in forwarding rules to the associated endpoint groups. If the requests do not match any custom forwarding rule, the HTTPS listener forwards the requests to the default endpoint group in the default forwarding rule.
You can perform the following operations to add a custom forwarding rule for the virtual endpoint group that is associated with Server 2. This way, the requests that are destined for xxxtest.fun can be forwarded to Server 2.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Forwarding Rule tab.
On the Forwarding Rule tab, click Add Forwarding Rule.
In the Add Forwarding Rule section, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
--- | --- |
Name | Enter a name for the forwarding rule. |
If (Matching All Conditions) | Select a match condition for the forwarding rule. In this example, Host is selected and the xxxtest.fun domain name is entered. |
Then | Select a forwarding action. In this example, Forward is selected and the virtual endpoint group that you created in Step 4: Configure endpoint groups and endpoints is selected. |
Step 7: Configure CNAME records
Before the requests that are destined for domain name 1 and domain name 2 can be forwarded to GA, you must map xxxtest.cloud and xxxtest.fun to the CNAME record of the GA instance.
Log on to the Alibaba Cloud DNS console.
Note: If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS before you configure a DNS record. For more information, see the "Add a domain name" section of the Manage domain names topic. If your domain name is registered by using Alibaba Cloud Domains, skip this step.
On the Domain Name Resolution page, find domain name 1 (xxxtest.cloud) and click DNS Settings in the Actions column.
On the DNS Settings page, find the A record and click Modify in the Actions column.
In the Modify DNS Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the Global Accelerator instance, and then click OK.
You can view the CNAME assigned to the Global Accelerator instance on the Instances page.
Modify the A record of domain name 2 (xxxtest.fun) and add a CNAME record for the domain name.
If you want to return resolution results based on the region where a client resides, make sure that Alibaba Cloud DNS is upgraded to Enterprise Standard Edition or Enterprise Ultimate Edition. For more information, see Renewal and upgrade.
After the upgrade is complete, you can change the default ISP line of the existing A record to the ISP line of a specific region and add a CNAME record that maps the website domain name to the CNAME assigned to the Global Accelerator instance.
Step 8: Test the connectivity
Use both domain names to test the connectivity to the web application that is deployed in the US (Silicon Valley) region. Then, check whether access to the domain names is accelerated.
In this example, the Alibaba Cloud Linux 3 operating system is used. The command that is used to test the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.
The test result varies based on the actual workloads.
Test the network connectivity
Open the CLI on an on-premises machine in the China (Hong Kong) region.
Run the following command to ping domain name 1 (xxxtest.cloud) and domain name 2 (xxxtest.fun) to check whether the CNAME records take effect:
ping <Website domain name>
If the CNAME in the output is the same as the CNAME assigned by GA, the CNAME record takes effect.
Run the following command for domain name 1 (xxxtest.cloud) and domain name 2 (www.xxxtest.cloud) to test the network connectivity:
curl -v https://<The domain name> --resolve <The domain name>:<The listener port>:<The accelerated IP address>
In this example, the test result of domain name 1 (xxxtest.cloud) is used. If the response contains the server certificate information and the HTTPS response, the domain name is accessible.
Test the acceleration performance
For more information about how to verify the acceleration performance, see Perform instant detection to test the acceleration performance of GA.