Accelerate and Protect Your Website/App with Anti-DDoS Premium Mainland China Acceleration and Global Traffic Manager Smart Resolution Service

8 min read · Apr 21, 2021

When you finish building your web application or mobile app and launch your product, you may start worrying about protection against external threats, such as DDoS attacks. DDoS attacks will make your application unavailable. In some cases, the Internet service provider (ISP) could blackhole the website.

In this article, I will explain how to use Alibaba Cloud’s Anti-DDoS Premium to protect your applications against DDoS attacks and CC attacks. The same setup accelerates access from Mainland China users to applications hosted outside of Mainland China. I previously wrote a similar article on Anti-DDoS, but in this article, we’ll be adding the capabilities of Alibaba Cloud’s Global Traffic Manager (GTM).

Even if your company doesn’t have a Geo-DNS enabled DNS, we can resolve different endpoint IPs according to the location of the end user with the capabilities of the Global Traffic Manager (GTM). This is a very useful feature for many enterprises.

This requires Alibaba Cloud Anti-DDoS Premium + MCA/Global Traffic Manager. You should also have an original website and DNS.

The following steps walk through the configuration, which can be completed within 30 minutes:

1. We have set up an Internet accessible website hosted on Alibaba Cloud OSS. You can also access it here.

Imagine this is your website. Now, you want to protect and accelerate it.

2. Access the Anti-DDoS console and purchase the Anti-DDoS Premium Service together with the Mainland China Acceleration Instance. Please contact Alibaba Cloud to assist you if necessary.

Locate “Anti-DDoS Pro” in the Products and Services section.

Click “Purchase Instances.”

Purchase the Anti-DDoS Instance. In this scenario, we will use the Insurance Plan with Standard Function. Please click here for details about the enhanced features.

After the purchase, go back to the Anti-DDoS Premium console: https://yundun.console.aliyun.com/?spm=5176.12818093.0.0.bc65BCf1BCf1St&p=ddoscoo#/instance/ap-southeast-1

The Anti-DDoS Premium instance is ready, but we want to add the “Mainland China Acceleration” instance to give Chinese users the best experience.

Click “Purchase Instances” again and purchase the “MCA Instance.”

Select the “Anti-DDoS Premium MCA” and your desired bandwidth. In this example, we used 10MB. Most of the customers use this option. Then, click “Purchase.” You can enable “auto-renewal” if necessary.

Now, the two instances are ready with one Anti-DDoS dedicated IP (170.33.9.160) and one MCA IP (170.33.2.3).

3. Click “Website Config” to start configuring the Anti-DDoS Premium with MCA services.

Select your purchased “Function Plan,” and select both instances.

Website Domain: osswebsitedemo.alibabacloudhk.com

Protocol: HTTP + HTTPS. It can also support WebSockets and other protocols.

Origin Server: Input your original server IP address. Then, click “Add.”

The setup is already halfway finished.

The website domain is configured for Anti-DDoS and MCA Instance IPs.

4. Since the website needs to be HTTPS protected, you need to upload the certificate and the key into the “Website Config.”

5. Upload your certificate and key in PEM format. Remember to include the intermediate certificate and root CA certificate information in the Certificate File.

After that, you should see the certificate status become “Normal.”

Configure the Mainland China Acceleration Selector

6. Next, we will configure the MCA CNAME. Mainland China users will use the MCA first, and fail over to the Anti-DDoS IP in case the MCA is under attack.

Switch to the Sec-Traffic Manager → Create Rule.

Select “Network Acceleration.” Specify the Name, choose the instances purchased, and then click Next.

7. The “Security Traffic Manager” will generate a CNAME record (q7dc41q4862rxsw0.aliyunddos0025.com). In this scenario, it will do the traffic failover between the MCA IP and the Anti-DDoS Premium IP address if necessary.

The CNAME is generated → q7dc41q4862rxsw0.aliyunddos0025.com. This CNAME should be used for Chinese end users.

8. We can ping the CNAME from any host; for example, a ping from a Shenzhen ECS VM returns in about 12 ms.

Set Up the GTM for Mainland Users With the GEO Smart Routing Capabilities

9. Access the Alibaba Cloud DNS console. Then, click “Global Traffic Manager” and “Create Instance.” → https://dns.console.aliyun.com/

10. The Standard Edition already supports the Geo Smart Routing feature. Purchase it now.

11. After purchasing, you will see one GTM instance. Click “Configure.”

12. We will use the “Advanced Settings” to help you learn all of the steps for setting up a GTM.

13. Set up the domain of this GTM and click “Edit.”

14. Give the GTM instance a name. Then, input the Anti-DDoS website domain name (osswebsitedemo.alibabacloudhk.com) into the Domain Name, and click “Confirm.”

15. You should see a GTM CNAME. Now, we will configure the GEO smart routing feature.

16. Go to the Address Pool Configurations tab and click “Create Address Pool.”

17. First, let’s configure the “ddosoversea.” Input the Dedicated Anti-DDoS Premium IP “170.33.9.160” and click “Confirm.”

18. Next, we want to create the address pool for Mainland China users.

19. Input the name of the address pool and change the address pool type to “Domain.” Input the CNAME of the Security Traffic Manager (q7dc41q4862rxsw0.aliyunddos0025.com) and click “Confirm.”

20. Now, the two address pools are ready.

21. Next, we will configure the GEO Smart Routing feature. Point to the address pools that we created, and click “Set Access Policy.”

Click “Add Access Policy.”

22. Input the Policy Name “ResolveMainland” and choose all regions in the Mainland China sources section.

23. Scroll down and select “Domain” as the address pool type. Select the “mcaCNAME” address pool that we created before. Click “Confirm.”

24. Then, click “Add Access Policy” again for overseas smart routing. After this, the configuration is finished.

25. Click “Outside Mainland China.”

Then, scroll down, choose the “ddosoversea” address pool, and click “Confirm.”

26. The configuration is finished! You can try to ping the GTM CNAME “gtm-sg-ik821htd705.gtm-i2d6.com” from overseas and from China.

When we ping this CNAME in China, it will return the Security Traffic Manager CNAME, and then resolve to the MCA IP (170.33.2.3).

If we ping the same CNAME in Hong Kong, it will return the Anti-DDoS Dedicated IP (170.33.9.160).

27. Next, you can use the GTM CNAME in your DNS.

Configure the GTM CNAME Into the DNS

Now, we will configure the GTM CNAME into our Alibaba Cloud DNS. For this exercise, imagine it is your DNS service.

Go to the Alibaba Cloud DNS service and add the CNAME record of the GTM to the Host (osswebsitedemo).

The configuration is finished.

Verify the Results from Mainland China and Overseas

28. Use any machine located in China to ping the hostname. The hostname will be resolved to the CNAME and connect to the MCA (170.33.2.3) extremely fast (~13 ms from SZ to Hong Kong).

If you ping from overseas, it will not necessarily go to the MCA IP and will resolve to the Anti-DDoS Premium Anycast IP (170.33.9.160).
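The ping checks above can be turned into a repeatable test that also flags the case a ping does not make obvious: an answer that bypasses both protected IPs. This is an added example, not part of the original article; the function names, the vantage labels and the 203.0.113.10 placeholder for the origin address are assumptions, while the hostnames and the two protected IPs are the ones shown in the walkthrough.

```python
import socket

# Values taken from the walkthrough above.
HOSTNAME = "osswebsitedemo.alibabacloudhk.com"
GTM_CNAME = "gtm-sg-ik821htd705.gtm-i2d6.com"
STM_CNAME = "q7dc41q4862rxsw0.aliyunddos0025.com"
MCA_IP = "170.33.2.3"
ANTI_DDOS_IP = "170.33.9.160"
PROTECTED = {MCA_IP, ANTI_DDOS_IP}

# Constructed sample answers (not captured output). 203.0.113.10 is a
# documentation-range placeholder standing in for the origin server's IP.
SAMPLES = {
    "mainland": ("mainland", {HOSTNAME, GTM_CNAME, STM_CNAME}, {MCA_IP}),
    "overseas": ("overseas", {HOSTNAME, GTM_CNAME}, {ANTI_DDOS_IP}),
    "failover": ("mainland", {HOSTNAME, GTM_CNAME, STM_CNAME}, {ANTI_DDOS_IP}),
    "leaked": ("overseas", {HOSTNAME}, {"203.0.113.10"}),
}

def resolve(hostname):
    """Live lookup; how many CNAME hops appear as aliases depends on the resolver."""
    canonical, aliases, addresses = socket.gethostbyname_ex(hostname)
    names = {n.rstrip(".").lower() for n in [canonical, *aliases]}
    return names, set(addresses)

def check_resolution(vantage, names, addresses):
    """Return a list of findings; an empty list means the answer matches the design."""
    if not addresses:
        return ["no address returned"]
    # Any address other than the two protected IPs skips scrubbing entirely.
    findings = [f"unprotected address in answer: {ip}"
                for ip in sorted(addresses - PROTECTED)]
    if GTM_CNAME not in names:
        findings.append("GTM CNAME missing: hostname is not routed through GTM")
    if vantage == "mainland":
        if STM_CNAME not in names:
            findings.append("mainland answer skipped the Sec-Traffic Manager CNAME")
        elif ANTI_DDOS_IP in addresses:
            findings.append("MCA failover active: mainland traffic is on the Anti-DDoS IP")
    elif vantage == "overseas":
        if MCA_IP in addresses or STM_CNAME in names:
            findings.append("overseas answer used the mainland address pool")
    else:
        raise ValueError(f"unknown vantage: {vantage}")
    return findings

if __name__ == "__main__":
    for label, (vantage, names, addresses) in SAMPLES.items():
        print(label, check_resolution(vantage, names, addresses) or "OK")
```

To check the live configuration, run `check_resolution("mainland", *resolve(HOSTNAME))` on a host inside Mainland China and the `"overseas"` variant on a host outside it.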

The website is now accelerated with MCA and protected by Anti-DDoS Premium. It leverages GTM Geo Smart Routing capabilities and Geo-DNS features that your on-premises DNS doesn’t have.

Written by Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website: https://www.alibabacloud.com