Alibaba Cloud provides elastic IP addresses (EIPs) that are protected by Anti-DDoS Pro/Premium. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level, and are ideal for scenarios that require high security and low latency, such as large-scale gaming and live streaming activities. This topic describes how to associate a Network Load Balancer (NLB) with an EIP protected by Anti-DDoS Pro/Premium to enable the NLB instance to access the Internet.
Overview of EIPs protected by Anti-DDoS Pro/Premium
Alibaba Cloud provides EIPs that are protected by Anti-DDoS Pro/Premium. You can purchase EIPs that are protected by Anti-DDoS Pro/Premium in the EIP console. EIPs protected by Anti-DDoS Pro/Premium can mitigate DDoS attacks at the Tbit/s level. If you use EIPs protected by Anti-DDoS Pro/Premium, you do not need to perform additional configurations or change the IP address that is used by your NLB instance to provide services. For more information, see Best practices for using EIPs protected by Anti-DDoS Pro/Premium.
Limits
The NLB instance and the EIP protected by Anti-DDoS Pro/Premium must be deployed in the same region.
Limits on EIPs protected by Anti-DDoS Pro/Premium
Only pay-as-you-go EIPs of the BGP (Multi-ISP) type support Anti-DDoS Pro/Premium.
If you specify an IP address pool to create EIPs protected by Anti-DDoS Pro/Premium, the IP address pool must be of the Anti-DDoS Pro/Premium type.
The following regions support Anti-DDoS Pro/Premium:
Regions that support EIPs protected by Anti-DDoS Pro/Premium
Area | Region |
China | China (Beijing), China (Hangzhou), China (Shanghai), and China (Hong Kong) |
Asia Pacific | Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta) |
Europe & Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London) |
Regions that support IP address pools of the Anti-DDoS Pro/Premium type
Area | Region |
China | China (Hong Kong) |
Asia Pacific | Philippines (Manila), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta) |
Europe & Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London) |
Limits on associating an NLB instance with an EIP protected by Anti-DDoS Pro/Premium
To associate an EIP protected by Anti-DDoS Pro/Premium with an NLB instance, make sure that the EIP is not associated with an Internet Shared Bandwidth instance. If you want to associate the EIP with an Internet Shared Bandwidth instance, you can associate the EIP with the NLB instance and then associate the EIP with an Internet Shared Bandwidth instance in the Server Load Balancer (SLB) console. EIPs protected by Anti-DDoS Pro/Premium can be associated only with Internet Shared Bandwidth instances that use BGP (Multi-ISP) lines.
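The limits above can be checked against a planned configuration before anything is purchased. The following preflight check is an added example, not Alibaba Cloud code; the dictionary field names (region, billing, line_type, ip_pool, shared_bandwidth) are hypothetical labels rather than API parameters, and the sample plans are constructed.

```python
# Regions taken from the two tables in the Limits section of this topic.
EIP_REGIONS = {
    "China (Beijing)", "China (Hangzhou)", "China (Shanghai)", "China (Hong Kong)",
    "Philippines (Manila)", "Japan (Tokyo)", "Singapore", "Malaysia (Kuala Lumpur)",
    "Indonesia (Jakarta)", "US (Virginia)", "US (Silicon Valley)",
    "Germany (Frankfurt)", "UK (London)",
}
# IP address pools: the same list without the three Chinese mainland regions.
POOL_REGIONS = EIP_REGIONS - {"China (Beijing)", "China (Hangzhou)", "China (Shanghai)"}


def preflight(nlb, eip):
    """Return the list of violated limits; an empty list means the plan is valid."""
    problems = []
    if nlb["region"] != eip["region"]:
        problems.append("NLB instance and EIP must be in the same region")
    if eip["region"] not in EIP_REGIONS:
        problems.append("region does not support EIPs protected by Anti-DDoS Pro/Premium")
    if eip["billing"] != "pay-as-you-go" or eip["line_type"] != "BGP (Multi-ISP)":
        problems.append("only pay-as-you-go BGP (Multi-ISP) EIPs support Anti-DDoS Pro/Premium")
    pool = eip.get("ip_pool")  # None when no IP address pool is specified
    if pool is not None:
        if pool["type"] != "Anti-DDoS Pro/Premium":
            problems.append("IP address pool must be of the Anti-DDoS Pro/Premium type")
        if eip["region"] not in POOL_REGIONS:
            problems.append("region does not support Anti-DDoS Pro/Premium IP address pools")
    if eip.get("shared_bandwidth") is not None:
        problems.append("EIP must not be associated with an Internet Shared Bandwidth "
                        "instance when it is associated with the NLB instance")
    return problems


# Constructed sample plans (hypothetical values).
GOOD = ({"region": "China (Hangzhou)"},
        {"region": "China (Hangzhou)", "billing": "pay-as-you-go",
         "line_type": "BGP (Multi-ISP)"})
BAD = ({"region": "China (Hangzhou)"},
       {"region": "China (Beijing)", "billing": "subscription",
        "line_type": "BGP (Multi-ISP)", "ip_pool": {"type": "Default"},
        "shared_bandwidth": "cbwp-example"})

if __name__ == "__main__":
    for name, (nlb, eip) in (("good", GOOD), ("bad", BAD)):
        print(name, preflight(nlb, eip) or "ok")
```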
Billing
After an NLB instance is associated with an EIP protected by Anti-DDoS Pro/Premium, Anti-DDoS Pro/Premium charges protection fees.
Billable item | Calculation formula | References |
Instance fee | | |
Load Balancer Capacity Unit (LCU) fee | | |
Internet data transfer fee | You are not charged for data transfer over the Internet if you use internal-facing NLB instances. You are charged for data transfer over the Internet only if you use Internet-facing NLB instances. After an NLB instance is associated with an EIP protected by Anti-DDoS Pro/Premium, EIP charges an instance fee and a data transfer fee for the EIP instance. For more information, see Pay-as-you-go. | |
Protection fee | After an NLB instance is associated with an EIP protected by Anti-DDoS Pro/Premium, you are charged a protection fee. For more information, see Anti-DDoS Origin 2.0 (Pay-as-you-go). Warning: To purchase an EIP protected by Anti-DDoS Pro/Premium, you must activate Anti-DDoS Origin on a pay-as-you-go basis for at least 30 days. You are charged for Anti-DDoS Origin on a monthly basis. You cannot deactivate Anti-DDoS Origin before the first 30 days elapse. |
Prerequisites
A virtual private cloud (VPC) named VPC1 is created. For more information, see Create a VPC.
Elastic Compute Service (ECS) instances named ECS01 and ECS02 are created in VPC1. An NGINX service is deployed on each ECS instance.
For more information about how to create an ECS instance, see Create an instance by using the wizard.
For more information about how to deploy an NGINX service, see Deploy an LNMP environment on CentOS 7.
A server group named RS01 is created for the NLB instance. ECS01 and ECS02 are specified as backend servers. For more information, see Create and manage a server group.
If you want to associate the NLB instance with an Internet Shared Bandwidth instance, you must purchase an Internet Shared Bandwidth instance. In this example, an Internet Shared Bandwidth instance that uses BGP (Multi-ISP) lines is purchased. For more information, see Create an Internet Shared Bandwidth.
Procedure
Step 1: Create an EIP protected by Anti-DDoS Pro/Premium
Before you can associate the NLB instance with an EIP protected by Anti-DDoS Pro/Premium, you must purchase an EIP protected by Anti-DDoS Pro/Premium in the EIP console.
- Log on to the Elastic IP Address console.
On the Elastic IP Addresses page, click Create EIP.
If this is the first time you purchase an EIP protected by Anti-DDoS Pro/Premium, click Anti-DDoS Origin (Pay-as-you-go) to activate Anti-DDoS Origin that uses the pay-as-you-go billing method.
Warning: To purchase an EIP protected by Anti-DDoS Pro/Premium, you must first activate Anti-DDoS Origin on a pay-as-you-go basis. Anti-DDoS Origin is billed on a monthly basis. The minimum subscription duration is 30 days. You cannot disable Anti-DDoS Origin before the first 30 days end.
After you activate pay-as-you-go Anti-DDoS Origin, log on to the Traffic Security console. In the left-side navigation pane, choose or to view the details about the Anti-DDoS Origin instance.
Configure the parameters on the EIP buy page, click Buy Now, and then complete the payment.
The following table describes the parameters that are involved in this topic. For more information, see Apply for an EIP.
Parameter | Description |
Billing Method | Select a billing method for the EIP. In this example, Pay-as-you-go is selected. |
Region | Select the region where you want to create the EIP. The EIP and the NLB instance must be deployed in the same region. In this example, China (Hangzhou) is selected. |
Internet Connection Type | Select a line type for the EIP. In this example, BGP(Multi ISP) is selected. |
Security Protection | Select an edition of Anti-DDoS based on your business requirements. In this example, Anti-DDoS (Enhanced Edition) is selected. Valid values: Default: Anti-DDoS Origin, which can mitigate DDoS attacks at up to 5 Gbit/s. Anti-DDoS (Enhanced Edition): Anti-DDoS Pro/Premium, which can mitigate DDoS attacks at the Tbit/s level. |
Network Traffic | Select a metering method for data transfer. In this example, By traffic is selected. |
Quantity | Select the number of EIPs that you want to purchase. |
Step 2: Associate the NLB instance with the EIP protected by Anti-DDoS Pro/Premium
You can associate an NLB instance with an EIP protected by Anti-DDoS Pro/Premium when you purchase the NLB instance or change the network type of the NLB instance. Select one of the following methods based on the scenario.
Purchase an NLB instance
You can associate an NLB instance with an EIP protected by Anti-DDoS Pro/Premium when you purchase the NLB instance.
- Log on to the NLB console.
In the top navigation bar, select the region in which you want to deploy the NLB instance. In this example, China (Hangzhou) is selected.
On the Instances page, click Create NLB.
On the NLB (Pay-As-You-Go) International Site page, configure the following parameters, click Buy Now, and then complete the payment as prompted.
The following section describes only the parameters that are relevant to this topic. For more information, see Create an NLB instance.
Network Type: Select Internet-facing.
VPC: Select VPC1.
Zone: Select a zone and a vSwitch. The EIP protected by Anti-DDoS Pro/Premium is created in the specified zone.
Note: NLB supports multi-zone deployment. If the selected region supports two or more zones, select at least two zones to ensure high availability. No additional fee is charged by NLB.
If no vSwitch is available in a zone, create a vSwitch in the zone in the NLB console as prompted.
An NLB instance can be associated with an EIP protected by Anti-DDoS Pro/Premium and an EIP protected by Anti-DDoS Origin at the same time. If you select the default option Automatically assign EIP, a pay-as-you-go EIP that uses the pay-by-data-transfer metering method and BGP (Multi-ISP) lines is created. The EIP is protected by Anti-DDoS Origin.
Configure a listener for the NLB instance. In this example, a TCP listener is configured and associated with RS01.
On the Instances page, find the NLB instance that you want to manage and click Create Listener in the Actions column.
In the Configure Listener step, configure the following parameters and click Next.
The following section describes the parameters that are involved in this topic. Use the default values for other parameters. For more information, see Add a TCP listener.
Listener Protocol: the listener protocol. Select a protocol based on your business requirements. In this example, TCP is selected.
Listener Port: the port on which the NLB instance listens. In this example, port 80 is specified.
In the Server Group step, select RS01 and click Next.
In the Confirm step, confirm the configurations and click Submit.
Use an existing internal-facing NLB instance
If you need to associate an existing NLB instance with an EIP protected by Anti-DDoS Pro/Premium, perform the association by changing the network type of the NLB instance.
- Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
On the Instances page, find the internal-facing NLB instance that you want to manage and click the instance ID.
On the Instance Details tab of the instance details page, go to the Basic Information section, and click Change Network Type next to IPv4 on the right side of the Network Type parameter.
In the Change Network Type dialog box, set the IP Type parameter to EIP, select the EIP that you created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list, and then click OK.
An NLB instance can be associated with an EIP protected by Anti-DDoS Pro/Premium and an EIP protected by Anti-DDoS Origin at the same time. If you select Purchase EIP, a pay-as-you-go EIP that uses the pay-by-data-transfer metering method and BGP (Multi-ISP) lines is created. The EIP is protected by Anti-DDoS Origin.
Use an existing Internet-facing NLB instance
If an Internet-facing NLB instance has been associated with an EIP protected by Anti-DDoS Origin, and you want to associate the NLB instance with an EIP protected by Anti-DDoS Pro/Premium, perform the following operations:
Change the network type of the NLB instance from Internet-facing to internal-facing.
When you change the network type, associate the NLB instance with an EIP protected by Anti-DDoS Pro/Premium.
If you select the default option Automatically assign EIP when you create an Internet-facing NLB instance, the NLB instance is associated with a pay-as-you-go EIP that uses the pay-by-data-transfer metering and BGP (Multi-ISP) lines, and the EIP is protected by Anti-DDoS Origin.
Step 1: Change the network type of the NLB instance from Internet-facing to internal-facing
On the Instances page, find the Internet-facing NLB instance that you want to manage and click the instance ID.
On the Instance Details tab of the instance details page, go to the Basic Information section, and click Change Network Type next to IPv4 on the right side of the Instance Details parameter.
In the Change Network Type message, confirm the information and click OK.
It takes about 1 minute for the change to take effect. When the value of the Network Type parameter on the Instance Details tab changes to Private, the network type is changed.
Step 2: Change the network type of the NLB instance from internal-facing to Internet-facing
On the Instances page, find the internal-facing NLB instance that you want to manage and click the instance ID.
On the Instance Details tab of the instance details page, go to the Basic Information section, and click Change Network Type next to IPv4 on the right side of the Network Type parameter.
In the Change Network Type dialog box, set the IP Type parameter to EIP, select the EIP created in Step 1: Create an EIP protected by Anti-DDoS Pro/Premium from the Assign EIP drop-down list, and then click OK.
An NLB instance can be associated with an EIP protected by Anti-DDoS Pro/Premium and an EIP protected by Anti-DDoS Origin at the same time. If you select Purchase EIP, a pay-as-you-go EIP that uses the pay-by-data-transfer metering method and BGP (Multi-ISP) lines is created. The EIP is protected by Anti-DDoS Origin.
(Optional) Step 3: Associate an Internet Shared Bandwidth instance with the NLB instance
If the NLB instance is not associated with an Internet Shared Bandwidth instance, the bandwidth of the NLB instance deployed in two zones can reach 400 Mbit/s by default. If you require a higher bandwidth, you can associate the NLB instance with an Internet Shared Bandwidth instance.
On the Instances page, find the NLB instance that you want to manage and use one of the following methods to associate the NLB instance with an Internet Shared Bandwidth instance:
Click the icon in the Actions column and select Associate with EIP Bandwidth Plan. Alternatively, click Associate in the EIP Bandwidth Plan column.
Click the ID of the NLB instance that you want to manage. On the Instance Details tab of the instance details page, click Associate with EIP Bandwidth Plan in the Billing Information section.
In the Associate with EIP Bandwidth Plan dialog box, select an Internet Shared Bandwidth instance from the drop-down list and click OK.
Step 4: Create a DNS record
NLB allows you to map your frequently visited domain names to the publicly accessible domain name of the NLB instance by using CNAME records. This facilitates access to network resources.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
On the Instances page, copy the domain name of the NLB instance that you want to manage.
Perform the following steps to create a CNAME record:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click the Authoritative Domain Names tab. On the Authoritative Domain Names tab, click Add Domain Name.
In the Add Domain Name dialog box, enter your domain name and click OK.
Important: Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click Configure in the Actions column.
On the DNS Settings tab of the domain name details page, click Add DNS Record.
In the Add DNS Record panel, configure the following parameters and click OK.
Parameter | Description |
Record Type | Select CNAME from the drop-down list. |
Hostname | Enter the prefix of the domain name. In this example, @ is entered. |
DNS Request Source | Select Default. |
Record Value | Enter the CNAME, which is the domain name of the NLB instance. |
TTL | The time-to-live (TTL) value for the CNAME record to be cached on the DNS server. In this example, the default value is used. |
Note: Newly created CNAME records immediately take effect. The amount of time that is required for a modified CNAME record to take effect is determined by the TTL value, which is 10 minutes by default.
If the CNAME record that you want to create conflicts with an existing record, specify another domain name.
Step 5: Test network connectivity
In this example, the TCP listener of the NLB instance and the server group RS01 are used to test network connectivity. For more information, see the following topics:
After you create a DNS record for the NLB instance, you can visit the domain name configured in Step 4: Create a DNS record from your browser to test whether the NLB instance can use the EIP protected by Anti-DDoS Pro/Premium to access the Internet.
The following figures show that the requests can be forwarded to ECS01 and ECS02.