Anti-DDoS Origin allows enterprises that own multiple Alibaba Cloud accounts to purchase an instance by using one account and share the instance with other accounts. This helps reduce costs and protect assets in a comprehensive manner. In this topic, assets that are assigned public IP addresses are referred to as assets for short. This topic describes how to use the multi-account management feature to allow multiple accounts to share one instance.
Supported instance types
Anti-DDoS Origin 2.0 Enterprise (Subscription) and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances support the multi-account management feature.
If you want to use the feature, you must first submit an application for approval. You can contact your account manager for consultation.
Account types
Before you use the multi-account management feature, you must enable a resource directory. A resource directory supports the following account types. For more information about Resource Directory, see Resource Directory overview.
Management account: A management account is used to enable a resource directory. The management account is the super administrator of the resource directory and has all permissions on the resource directory and the folders and members in the resource directory.
Delegated administrator account: A management account can be used to specify a member in the resource directory as a delegated administrator account. The delegated administrator account is authorized by the management account to access the organizational structure and member information about the resource directory.
Member: You can create a member in the resource directory or invite an existing Alibaba Cloud account to join the resource directory.
You can use the Anti-DDoS Origin instances of a management account or a delegated administrator account to protect the assets of members. However, we recommend that you use the management account to perform the organization management tasks of the resource directory and use the delegated administrator account to perform business management tasks. This way, organization management tasks are separated from business management tasks. This improves management flexibility and efficiency.
After you enable a resource directory, you must associate the members with the management account or the delegated administrator account in the Traffic Security console. This way, Anti-DDoS Origin can protect the assets of the members.
A member can be associated with only one of the management account and the delegated administrator account.
The Anti-DDoS Origin instances of the management account can protect only the assets of the members that are associated with the management account. The Anti-DDoS Origin instances of the delegated administrator account can protect only the assets of the members that are associated with the delegated administrator account.
Usage notes
Your management account, delegated administrator account, and member must belong to the same resource directory and pass the real-name verification of the same enterprise.
A member can also purchase Anti-DDoS Origin instances. However, you can add an asset to only one Anti-DDoS Origin instance for protection.
For example, if the assets of a member are added to an Anti-DDoS Origin instance of the member for protection and you want to use an Anti-DDoS Origin instance of the delegated administrator account to protect all assets, you must remove the assets from the Anti-DDoS Origin instance of the member first.
If you use a management account or a delegated administrator account to disassociate a member in the Traffic Security console, the protected assets of the member are automatically removed, and the Anti-DDoS Origin instances of the management account or the delegated administrator account no longer protect the assets of the member.
Billing
If you use an Anti-DDoS Origin instance of a management account or a delegated administrator account to protect the assets of a member, you are charged based on the type of the Anti-DDoS Origin instance.
Anti-DDoS Origin 2.0 Enterprise (Subscription) instance: No additional fees are generated for the member.
Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Fees are generated and deducted from the balance of the management account or delegated administrator account.
View information about the assets of a member
The following table describes whether the statistics about the assets of a member are included on the pages of the console of each type of account when you use the Anti-DDoS Origin instances of a management account or a delegated administrator account to protect the assets.
×: indicates that the statistics about the assets are not included.
√: indicates that the statistics about the assets are included.
Console page | Management account or delegated administrator account | Member |
Overview | × | √ |
Assets | × | √ |
Event Center | × | × |
Business Monitoring | √ | × |
Protected Objects | √ | × |
Mitigation Settings | √ | × |
Attack Analysis | √ | × |
Mitigation Logs | √ | × |
CloudMonitor Alerts | √ | × |
Billing Management | √ | × |
In the following steps, a management account is used to perform the organization management tasks of a resource directory, and a delegated administrator account is used to perform business management tasks. If no delegated administrator account is configured, you can use a management account to perform the business management tasks in the following steps.
Step 1: Enable a resource directory and build an organizational structure for your enterprise
Before you use the multi-account management feature, you must add multiple Alibaba Cloud accounts to a resource directory.
Log on to the Resource Management console with an Alibaba Cloud account and enable a resource directory. The Alibaba Cloud account that you use is the management account of the resource directory. For more information, see Enable a resource directory.
In the Resource Management console, build an organizational structure for your enterprise. You can create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory.
For more information, see Create a folder, Create a member, and Invite an Alibaba Cloud account to join a resource directory.
In the Resource Management console, use the management account to specify a member as a delegated administrator account. For more information, see Manage a delegated administrator account.
Step 2: Associate a member with a delegated administrator account
To view the assets of a member, you must associate the member with a delegated administrator account.
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
Click Add Member. In the message that appears, read the prompt and click Next.
ImportantAfter members are added, the delegated administrator account can access and query the assets of the members.
Select the members that you want to add, click the
icon, and then click OK. After the members are added, you can use the Anti-DDoS Origin instances of the delegated administrator account to protect the assets of the members.
Step 3: Use the Anti-DDoS Origin instance of the delegated administrator account to protect the assets of a member
To enable protection for the assets of a member, you must add the assets to an Anti-DDoS Origin instance of the delegated administrator account for protection.
If the delegated administrator account uses an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance and the asset that you want to add is an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled, skip this step. In this scenario, the system automatically adds the EIP with Anti-DDoS (Enhanced) enabled of the member to the Anti-DDoS Origin instance of the delegated administrator account.
However, if the member purchases the EIP with Anti-DDoS (Enhanced) enabled before you associate the member with the delegated administrator account, the EIP is not automatically added to the Anti-DDoS Origin instance of the delegated administrator account. If you want to use the Anti-DDoS Origin instance of the delegated administrator account for protection, you can use the member to perform the following operations: Release the EIP with Anti-DDoS (Enhanced) enabled, release the Anti-DDoS Origin (Pay-as-you-go) instance, and then purchase an EIP with Anti-DDoS (Enhanced) enabled.
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
Select the Anti-DDoS Origin instance that you want to manage, click Add Object for Protection, and then click the Add Assets of Members tab.
Select the members whose assets you want to protect. In the Objects to Select section, select the assets that you want to protect, click the
icon, and then click OK.
Step 4: Configure mitigation policies for the assets of a member
If Default is displayed in the Mitigation Policy column after you add the assets of a member for protection, the default mitigation capabilities of Anti-DDoS Origin are provided for the assets.
If you want to allow or discard service traffic that has specific characteristics based on your business requirements, you can log on to the Traffic Security console with the delegated administrator account and attach a custom mitigation policy to the assets. For more information, see Use the mitigation settings feature.
Step 5: View the attack events on the assets of members
Log on to the Traffic Security console with a delegated administrator account.
In the left-side navigation pane, choose .
On the Attack Analysis page, select an account scope to view the details of attack events.
All accounts: You can view the attack events of assets that belong to a management account and members.
Delegated administrator account: You can view the attack events of assets that belong to a delegated administrator account.
Member: You can view the attack events of assets that belong to a member.
