
Server Load Balancer: Associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance

Last Updated: May 27, 2024

Alibaba Cloud provides elastic IP addresses (EIPs) that are protected by Anti-DDoS Pro/Premium. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level, and are ideal for scenarios that require high security and low latency, such as large-scale gaming and major livestreaming activities. This topic describes how to associate an EIP protected by Anti-DDoS Pro/Premium with an Application Load Balancer (ALB) instance. This way, the ALB instance can access the Internet by using the EIP.

Introduction to EIPs protected by Anti-DDoS Pro/Premium

Alibaba Cloud provides EIPs that are protected by Anti-DDoS Pro/Premium. You can purchase EIPs that are protected by Anti-DDoS Pro/Premium in the EIP console. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level. If you use EIPs protected by Anti-DDoS Pro/Premium, you do not need to perform additional configurations or change the IP address that is used by your ALB instance to provide services. For more information, see Best practices for using EIPs protected by Anti-DDoS Pro/Premium.

Limits

The ALB instance and the EIPs protected by Anti-DDoS Pro/Premium must belong to the same region.

Limits on EIPs protected by Anti-DDoS Pro/Premium

  • Only pay-as-you-go EIPs of the BGP (Multi-ISP) type support Anti-DDoS Pro/Premium.

  • If you specify an IP address pool to create EIPs protected by Anti-DDoS Pro/Premium, the IP address pool must be of the Anti-DDoS Pro/Premium type.

  • The following regions support Anti-DDoS Pro/Premium:

    Regions that support EIPs protected by Anti-DDoS Pro/Premium

    | Area | Region |
    | --- | --- |
    | China | China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Hong Kong) |
    | Asia Pacific | Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta) |
    | Europe & Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London) |

    Regions that support IP address pools of the Anti-DDoS Pro/Premium type

    | Area | Region |
    | --- | --- |
    | Europe & Americas | US (Virginia), US (Silicon Valley), and Germany (Frankfurt) |

Limits on associating EIPs protected by Anti-DDoS Pro/Premium with ALB instances

  • You must specify an EIP that is protected by Anti-DDoS Pro/Premium for each zone of the ALB instance.

  • The EIP protected by Anti-DDoS Pro/Premium that you want to associate with an ALB instance cannot be associated with an Internet Shared Bandwidth instance. After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you can associate an Internet Shared Bandwidth instance with the ALB instance in the ALB console. Only Internet Shared Bandwidth instances that use BGP (Multi-ISP) lines are supported.
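The limits above can be checked against an inventory before any console change is made. The following Python check is an added example, not Alibaba Cloud code: the record fields (`region`, `billing`, `line_type`, `protection`, `shared_bandwidth_id`), zone names and IDs are hypothetical inventory values, and the region list is copied from this page.

```python
# Added example: pre-flight check of the limits listed on this page.
# Field names and IDs are hypothetical inventory values, not API output.

# Regions that support EIPs protected by Anti-DDoS Pro/Premium (from this page).
SUPPORTED_REGIONS = {
    "China (Beijing)", "China (Zhangjiakou)", "China (Hangzhou)",
    "China (Shanghai)", "China (Hong Kong)", "Philippines (Manila)",
    "Japan (Tokyo)", "Singapore", "Malaysia (Kuala Lumpur)",
    "Indonesia (Jakarta)", "US (Virginia)", "US (Silicon Valley)",
    "Germany (Frankfurt)", "UK (London)",
}


def make_eip(eip_id, **overrides):
    """Build an EIP record that satisfies every limit, then apply overrides."""
    record = {"id": eip_id, "region": "China (Hangzhou)", "billing": "pay-as-you-go",
              "line_type": "BGP (Multi-ISP)", "protection": "Anti-DDoS (Enhanced)",
              "shared_bandwidth_id": None}
    record.update(overrides)
    return record


def preflight(alb, eips):
    """Return the list of violated limits; an empty list means the plan is valid."""
    problems = []
    if alb["region"] not in SUPPORTED_REGIONS:
        problems.append(f"{alb['region']}: region does not support these EIPs")
    if len(eips) != len(alb["zones"]):
        problems.append(f"{len(alb['zones'])} zones but {len(eips)} EIPs")
    for eip in eips:
        if eip["region"] != alb["region"]:
            problems.append(f"{eip['id']}: not in the same region as the ALB instance")
        if (eip["billing"], eip["line_type"]) != ("pay-as-you-go", "BGP (Multi-ISP)"):
            problems.append(f"{eip['id']}: must be pay-as-you-go BGP (Multi-ISP)")
        if eip["protection"] != "Anti-DDoS (Enhanced)":
            problems.append(f"{eip['id']}: not protected by Anti-DDoS Pro/Premium")
        if eip["shared_bandwidth_id"]:
            problems.append(f"{eip['id']}: associated with Internet Shared Bandwidth")
    return problems


# Constructed sample plan: a two-zone ALB instance and two candidate EIP sets.
ALB = {"region": "China (Hangzhou)", "zones": ["zone-1", "zone-2"]}
GOOD = [make_eip("eip-a"), make_eip("eip-b")]
BAD = [make_eip("eip-c", protection="Default", shared_bandwidth_id="cbwp-example")]

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, preflight(ALB, plan) or "ok")
```
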

Billing rules

After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged a security protection fee by Anti-DDoS.

Billing description

| Billable item | Calculation formula | References |
| --- | --- | --- |
| Instance fee | Instance fee = Instance unit price (USD/hour) × Duration of usage (hours) | Instance fee |
| Load Balancer Capacity Unit (LCU) fee | LCU fee = max {LCUs for new connections, LCUs for concurrent connections, LCUs for data transfer, LCUs for rule evaluations} × Unit price of LCUs × Duration of usage (hours) | LCU fee |
| Internet data transfer fee | You are not charged Internet data transfer fees if you use internal-facing ALB instances. You are charged Internet data transfer fees only if you use Internet-facing ALB instances. After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged an instance fee and a data transfer fee for the EIP. For more information, see Pricing. | |
| Security protection fee | After you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you are charged a security protection fee. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go). | |

Warning

To purchase an EIP protected by Anti-DDoS Pro/Premium, you must activate pay-as-you-go Anti-DDoS Origin. Pay-as-you-go Anti-DDoS Origin is activated on a monthly basis. You must use the service for at least 30 days before you can disable the service.

Prerequisites

  • A virtual private cloud (VPC) named VPC1 is created. For more information, see Create a VPC.

  • Two Elastic Compute Service (ECS) instances named ECS01 and ECS02 are created in VPC1.

    • For more information about how to create an ECS instance, see Create an instance by using the wizard.

    • The following code blocks show how to deploy testing applications on ECS01 and ECS02.

      Deploy applications on ECS01

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS01." > index.html
      

      Deploy applications on ECS02

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS02." > index.html
      

  • An ALB server group named RS01 is created and ECS01 and ECS02 are added to the server group as backend servers. For more information, see Create and manage a server group.

  • If you want to associate the ALB instance with an Internet Shared Bandwidth instance, you must purchase an Internet Shared Bandwidth instance. In this example, an Internet Shared Bandwidth instance that uses BGP (Multi-ISP) lines is purchased. For more information, see Purchase an Internet Shared Bandwidth instance.

Procedure

[Figure: ALB instance associated with EIPs protected by Anti-DDoS Pro/Premium]

Step 1: Create an EIP protected by Anti-DDoS Pro/Premium

Before you associate an EIP protected by Anti-DDoS Pro/Premium with an ALB instance, you must purchase an EIP protected by Anti-DDoS Pro/Premium in the EIP console.

  1. Log on to the Elastic IP Address console.
  2. On the Elastic IP Addresses page, click Create EIP.

  3. The first time that you purchase an EIP protected by Anti-DDoS Pro/Premium, click Anti-DDoS Origin (pay-as-you-go) on the Elastic IP page to activate pay-as-you-go Anti-DDoS Origin.

    Warning

    To purchase an EIP protected by Anti-DDoS Pro/Premium, you must activate pay-as-you-go Anti-DDoS Origin. Pay-as-you-go Anti-DDoS Origin is activated on a monthly basis. You must use the service for at least 30 days before you can disable the service.

    After you activate pay-as-you-go Anti-DDoS Origin, you can log on to the Traffic Security console and choose Network Security > Anti-DDoS Origin > Billing Management or Network Security > Anti-DDoS Origin > Instance Management to view the details of the Anti-DDoS Origin instance.

  4. After Anti-DDoS Origin is activated, configure the EIP based on the following information, click Buy Now, and then complete the payment.

    The following table describes the parameters that are relevant to this topic. For more information, see Apply for an EIP.

    | Parameter | Description |
    | --- | --- |
    | Billing Method | Select a billing method for the EIP. In this example, Pay-as-you-go is selected. |
    | Region | Select the region where you want to create the EIP. Make sure that the EIP is deployed in the same region as the ALB instance. In this example, China (Hangzhou) is selected. |
    | Line Type | Select a line type for the EIP. In this example, BGP(Multi ISP) is selected. |
    | Security Protection | Select an edition of Anti-DDoS based on your business requirements. In this example, Anti-DDoS (Enhanced) is selected. Default: Anti-DDoS Origin Basic, which can mitigate DDoS attacks at up to 5 Gbit/s. Anti-DDoS (Enhanced): Anti-DDoS Pro/Premium, which can mitigate DDoS attacks at the Tbit/s level. |
    | Data Transfer | Select a metering method for data transfer. In this example, Pay-By-Data-Transfer is selected. |
    | Quantity | Select the number of EIPs that you want to purchase. The number of EIPs that you want to purchase must be the same as the number of zones of the ALB instance. |

Step 2: Associate EIPs protected by Anti-DDoS Pro/Premium with an ALB instance

New ALB instance

When you purchase an ALB instance, you can associate EIPs protected by Anti-DDoS Pro/Premium with the ALB instance.

  1. Log on to the ALB console.
  2. On the Instances page, click Create ALB.

  3. On the Application Load Balancer page, configure the following parameters and click Buy Now.

    The following section describes the parameters that are relevant to this topic. For more information about the other parameters, see Create an ALB instance.

    • Network Type: Select Internet.

    • VPC: Select VPC1.

    • Zone: Select zones and vSwitches, and assign an EIP protected by Anti-DDoS Pro/Premium to each zone.

      Note
      • ALB supports multi-zone deployment. If the selected region supports two or more zones, select at least two zones to ensure high availability. ALB does not charge additional fees.

      • If no vSwitch is available in a zone, follow the instructions in the ALB console to create a vSwitch.

  4. Configure a listener for the ALB instance. In this example, an HTTP listener is configured and the ALB server group RS01 is selected.

    1. Return to the Instances page. Click Create Listener in the Actions column of the instance that you want to manage.

    2. In the Configure Listener step, configure the parameters and click Next.

      The following section describes the parameters that are relevant to this topic. Use default values for the other parameters. For more information, see Add an HTTP listener.

      • Listener Protocol: Select HTTP.

      • Listener Port: Enter 80.

    3. In the Server Group step, select RS01 and click Next.

    4. In the Configuration Review step, confirm the configurations and click Submit.

Existing internal-facing ALB instance

If you want to associate EIPs protected by Anti-DDoS Pro/Premium with an internal-facing ALB instance, you can change the network type of the ALB instance, and then assign EIPs protected by Anti-DDoS Pro/Premium to the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Hangzhou) is selected.

  3. On the Instances page, find the internal-facing ALB instance that you want to manage and click the instance ID.

  4. On the Instance Details tab, find Network Type in the Basic Information section, and click Change Network Type on the right side of the private IPv4 address.

  5. In the Change Network Type dialog box, select the EIP protected by Anti-DDoS Pro/Premium that is created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list. After you assign an EIP protected by Anti-DDoS Pro/Premium to each zone, click OK.

Existing Internet-facing ALB instance

If EIPs protected by Anti-DDoS Origin Basic are associated with your Internet-facing ALB instance, and you want to associate EIPs protected by Anti-DDoS Pro/Premium with the ALB instance, perform the following steps:

  1. Change the network type of the ALB instance from Internet-facing to internal-facing.

  2. Change the network type again and assign EIPs protected by Anti-DDoS Pro/Premium to the internal-facing ALB instance.

Note

By default, a new Internet-facing ALB instance is associated with pay-as-you-go EIPs that use the pay-by-data-transfer metering method. The EIPs use BGP (Multi-ISP) lines and are protected by Anti-DDoS Origin Basic.

[Figure: Internet-facing ALB instance associated with EIPs protected by Anti-DDoS Pro/Premium]

Step 1: Change the Internet-facing ALB instance to an internal-facing ALB instance

  1. On the Instances page, find the Internet-facing ALB instance, and then click the instance ID.

  2. On the Instance Details tab, find Network Type in the Basic Information section, and click Change Network Type on the right side of the public IPv4 address.

  3. In the Change Network Type message, confirm the impacts of the change and click OK.

    It takes about 1 minute for the change to take effect. When the Network Type parameter on the Instance Details tab displays Private, the network type is changed.

Step 2: Change the internal-facing ALB instance to an Internet-facing ALB instance

  1. On the Instances page, find the internal-facing ALB instance that you want to manage and click the instance ID.

  2. On the Instance Details tab, find Network Type in the Basic Information section, and click Change Network Type on the right side of the private IPv4 address.

  3. In the Change Network Type dialog box, select the EIP protected by Anti-DDoS Pro/Premium that is created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list. After you assign an EIP protected by Anti-DDoS Pro/Premium to each zone, click OK.

Step 3: (Optional) Associate an Internet Shared Bandwidth instance with the ALB instance

If you require higher bandwidth, you need to associate the ALB instance with an Internet Shared Bandwidth instance.

  1. On the Instances page, find the instance that you want to manage and associate an Internet Shared Bandwidth instance with the ALB instance by using one of the following methods:

    • Choose More Actions > Associate EIP Bandwidth Plan in the Actions column or click Associate in the Internet Shared Bandwidth column.

    • Click the ID of the ALB instance that you want to manage. On the Instance Details tab, find the Billing Information section and click Associate with Internet Shared Bandwidth.

  2. In the Associate EIP Bandwidth Plan dialog box, select an Internet Shared Bandwidth instance and click OK.

Step 4: Create a DNS record

ALB allows you to map common domain names to the public domain name of the ALB instance by using CNAME records. This facilitates access to network resources. For more information, see Configure a CNAME record.

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, copy the domain name of the ALB instance.

  3. To create a CNAME record, perform the following operations:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Manage DNS page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.

      Important

      Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click DNS Settings in the Actions column.

    5. On the DNS Settings page, click Add Record.

    6. In the Add DNS Record panel, configure the following parameters and click OK.

      | Parameter | Description |
      | --- | --- |
      | Record Type | Select CNAME from the drop-down list. |
      | Hostname | Enter the prefix of your domain name. |
      | DNS Request Source | Select Default. |
      | Record Value | Enter the CNAME, which is the domain name of the ALB instance. |
      | TTL | Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example. |

      Note
      • After you create a CNAME record, it immediately takes effect. After you modify a record, the record takes effect based on the TTL of the record. By default, the TTL is 10 minutes.

      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name. For more information, see Rules for conflicting DNS records.

Step 5: Test network connectivity

In this example, an HTTP listener is configured for the ALB instance and the ALB server group RS01 is selected. For more information, see Add an HTTP listener.

After you configure a CNAME record for the ALB instance, you can enter the domain name that is specified in Step 4: Create a DNS record in the browser to check whether the ALB instance can provide Internet-facing services by using the EIPs protected by Anti-DDoS Pro/Premium.

If you refresh the page, requests are switched between ECS01 and ECS02. You can view the following messages returned by the ECS instances.

[Figures: access test 1 and access test 2]
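The browser test can be scripted so that it also confirms the domain resolves only to the EIPs protected by Anti-DDoS Pro/Premium, which matters after replacing EIPs protected by Anti-DDoS Origin Basic. The following Python code is an added example, not part of the original topic: it assumes the domain resolves directly to the zone EIPs, and the addresses are constructed documentation-range values.

```python
import socket
import urllib.request
from collections import Counter


def resolve_ipv4(domain):
    """Return the set of IPv4 addresses the domain currently resolves to."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def fetch_bodies(domain, count=10):
    """Request the HTTP listener on port 80 `count` times and return the bodies."""
    bodies = []
    for _ in range(count):
        with urllib.request.urlopen(f"http://{domain}/", timeout=5) as resp:
            bodies.append(resp.read().decode("utf-8", "replace").strip())
    return bodies


def evaluate(resolved, protected_eips, bodies, backends=("ECS01", "ECS02")):
    """Compare resolved addresses with the protected EIPs and tally backend hits."""
    resolved, protected = set(resolved), set(protected_eips)
    # The test pages from the prerequisites end with "This is ECS01." / "This is ECS02."
    hits = Counter(b for body in bodies for b in backends if f"This is {b}." in body)
    return {
        "unprotected": sorted(resolved - protected),  # served, but not a protected EIP
        "missing": sorted(protected - resolved),      # protected EIP not served by DNS
        "idle_backends": [b for b in backends if hits[b] == 0],
        "hits": dict(hits),
    }


# Constructed sample values (RFC 5737 documentation addresses, not real EIPs).
PROTECTED_EIPS = ["203.0.113.10", "203.0.113.20"]
SAMPLE_RESOLVED = ["203.0.113.10", "198.51.100.7"]
SAMPLE_BODIES = ["Hello World ! This is ECS01.", "Hello World ! This is ECS02.",
                 "Hello World ! This is ECS01."]

if __name__ == "__main__":
    # Offline run on the constructed samples; for a live check, pass
    # resolve_ipv4(domain) and fetch_bodies(domain) for your own domain name.
    print(evaluate(SAMPLE_RESOLVED, PROTECTED_EIPS, SAMPLE_BODIES))
```

An empty `unprotected` list and an empty `idle_backends` list mean that traffic reaches both ECS instances only through the protected EIPs.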
