Updated on 2024-09-29 GMT+08:00

AAD and CDN Interworking

Scenarios

If your video or e-commerce platform serves a large volume of resources, such as images or videos, and you want customers to obtain them quickly, you can combine the AAD and CDN services. The joint solution speeds up access to these resources and strengthens the network capabilities of service systems, such as the user login platform and payment platform, to keep the platform stable.

Constraints and Limitations

  • When users' video and e-commerce service systems can distinguish dynamic and static resources by domain name, the AAD+CDN interworking solution is recommended. For details about dynamic and static resources, see Table 1.
  • This joint solution is not suitable for platforms that do not distinguish between dynamic and static resources and use the same set of domain names for both. In this case, refer to the instructions described in Alternative Solution.

Figure 1 Mechanism of the "AAD + CDN" joint solution

Table 1 Dynamic and static resources

| Type | Description | Example | Solution |
|------|-------------|---------|----------|
| Dynamic resource | A service that the server needs to interact with the database before responding to a user request | Payment, Login | The domain name of a dynamic resource is resolved into the AAD CNAME. AAD protects functional platforms, such as login and payment platforms, against DDoS attacks and ensures their stable running. |
| Static resource | A fixed resource that can be obtained from the Object Storage Service (OBS) | Image, Video | The domain name of a static resource is resolved into the CDN CNAME. CDN accelerates content delivery and enables customers to quickly obtain resources such as videos and images with better experience. |

  • For a static resource, for example, an image service whose domain name is image.abc.com, DNS will resolve image.abc.com into the CDN CNAME to accelerate the content delivery of the static resource.
  • For dynamic resources such as the login domain, login.abc.com, DNS resolution directs it to AAD's CNAME. This ensures the stable running of the login function.

Alternative Solution

This alternative solution applies to the service systems where dynamic and static resources are not separated. When services are suffering from heavy DDoS attacks, you can configure high-defense IP addresses to divert attack traffic for scrubbing, ensuring the stable and reliable running of services on origin servers. If no attack is launched, you can use CDN to accelerate content delivery and improve user experience.

Can I Deploy AAD at the Downstream or Upstream of CDN?

The following options are not allowed:

  • Scenario 1: AAD is deployed downstream of CDN, that is, traffic goes through CDN and then reaches AAD.

    Result: AAD protection becomes ineffective.

    Cause: The attack traffic reaches CDN first. CDN will process it before forwarding it to AAD. In this deployment mode, AAD does not scrub attack traffic in a timely manner.

    Figure 2 Deploying AAD at the downstream of CDN
  • Scenario 2: AAD is deployed upstream of CDN, that is, traffic goes through AAD and then reaches CDN.

    Result: The CDN acceleration function becomes ineffective.

    Cause: CDN delivers network content from origin servers to scattered CDN nodes and enables users to access their nearest CDN nodes, thereby accelerating content delivery. If the access requests are first directed to AAD, users cannot obtain desired content from the nearest CDN nodes.

    Figure 3 Deploying AAD at the upstream of CDN
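
The routing rules in Table 1 and the two disallowed deployments above can be checked against a domain inventory before DNS is changed. The following is an added example, not part of the original documentation: the CNAME suffixes, the inventory fields (type, cname, origin) and all domains other than image.abc.com and login.abc.com are constructed assumptions.

```python
# Added example: audit a domain inventory against the AAD + CDN routing rules.
# The suffixes are placeholders (assumptions); use the CNAME suffixes that
# your AAD and CDN consoles actually assign.
AAD_SUFFIX = ".aad.example.net"
CDN_SUFFIX = ".cdn.example.net"

# Dynamic domains must resolve to AAD, static domains to CDN (Table 1).
EXPECTED = {"dynamic": "AAD", "static": "CDN"}

# Constructed inventory: "cname" is the public DNS target of the domain,
# "origin" is the back end configured behind that service.
INVENTORY = {
    "image.abc.com": {"type": "static", "cname": "image.abc.com.cdn.example.net", "origin": "obs-bucket.example.org"},
    "login.abc.com": {"type": "dynamic", "cname": "login.abc.com.aad.example.net", "origin": "203.0.113.10"},
    "pay.abc.com": {"type": "dynamic", "cname": "pay.abc.com.cdn.example.net", "origin": "203.0.113.11"},
    "video.abc.com": {"type": "static", "cname": "video.abc.com.cdn.example.net", "origin": "video.abc.com.aad.example.net"},
    "shop.abc.com": {"type": "dynamic", "cname": "shop.abc.com.aad.example.net", "origin": "shop.abc.com.cdn.example.net"},
}

def service_of(host):
    """Return 'AAD', 'CDN' or None for a host name or IP address."""
    host = host.rstrip(".").lower()
    if host.endswith(AAD_SUFFIX):
        return "AAD"
    if host.endswith(CDN_SUFFIX):
        return "CDN"
    return None

def audit(inventory):
    """Map each misconfigured domain to a list of findings."""
    findings = {}
    for domain, rec in inventory.items():
        front, back = service_of(rec["cname"]), service_of(rec["origin"])
        want = EXPECTED[rec["type"]]
        issues = []
        if front != want:
            issues.append(f"{rec['type']} domain resolves to {front or 'neither service'}, expected {want}")
        if front == "CDN" and back == "AAD":
            issues.append("AAD is downstream of CDN: AAD protection becomes ineffective")
        if front == "AAD" and back == "CDN":
            issues.append("AAD is upstream of CDN: CDN acceleration becomes ineffective")
        if issues:
            findings[domain] = issues
    return findings

if __name__ == "__main__":
    for domain, issues in audit(INVENTORY).items():
        for issue in issues:
            print(f"{domain}: {issue}")
```
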

Procedure

For details about how to connect static resources, see Adding a Domain Name.

For details about how to connect dynamic resources, see Connecting Domain Name Website Services to Advanced Anti-DDoS.