Updated on 2024-10-09 GMT+08:00

CNAD Advanced Collaborates with ELB

CNAD Advanced protection improves the anti-DDoS capability of cloud services on HUAWEI CLOUD, such as Elastic Cloud Server (ECS), Elastic Load Balance (ELB), Web Application Firewall (WAF), and Elastic IP (EIP). ELB automatically distributes incoming traffic across multiple servers to balance their workloads, increasing service capabilities and fault tolerance of your applications.

Application Scenarios

When your website services are deployed on HUAWEI CLOUD ECSs, you can combine CNAD Advanced with ELB to protect them. Deploy ELB in front of the ECS that acts as your origin server, and add the EIP address of the ELB to the CNAD Advanced instance to improve the anti-DDoS capability of the ECS.

Unlike the Advanced Anti-DDoS (AAD) service, this combination discards traffic for protocols and ports that have no listener and provides better defense against different types of DDoS attacks (including reflection attacks such as SSDP, NTP, and Memcached, UDP flood attacks, and SYN flood attacks). This combination greatly improves the security and reliability of your services.

Figure 1 Using CNAD Advanced in combination with ELB

Constraints

  • CNAD Advanced protection is only available for EIP addresses purchased in your region.
  • ELB does not support cross-region deployment. You need to select the region where the backend server is located and select a public network instance.

Prerequisites

An ECS instance has been created (in a region where CNAD Advanced instances can be purchased) and is hosting website services.

Procedure

  1. Create a load balancer.

    Pay attention to the following when creating a load balancer instance:

    • Region: Select the same region as the ECS.
    • Network Type: Select Public network.

  2. Bind a public IP address to the load balancer.
  3. Obtain the public IP address of the created load balancer, as shown in Figure 2.

    Figure 2 Public IP address of the ELB instance

  4. Buy a CNAD Advanced instance in the same region as the ECS.
  5. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.

    Figure 3 Instance list

  6. In the upper right corner of the target instance box, click Add Protected Object.
  7. In the Add Protected Object dialog box that is displayed, select the elastic IP address of the load balancer obtained in step 3 and click OK.

    After adding protected objects, you can configure protection policies for them. Cloud Native Anti-DDoS Advanced provides unlimited protection against DDoS attacks for ECSs. When a DDoS attack occurs, traffic scrubbing is automatically triggered.

    For details about how to configure a protection policy, see Adding a Protection Policy.
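The following pre-flight check is an added example, not HUAWEI CLOUD code or part of the original procedure. It validates a planned deployment against the constraints and steps above and lists which sample flows have no listener and are therefore discarded. The `Plan` fields, region names, and IP address are hypothetical, constructed values and do not reflect any HUAWEI CLOUD API schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Plan:  # hypothetical record of the deployment, not a HUAWEI CLOUD API schema
    ecs_region: str
    elb_region: str
    elb_network_type: str                    # "public" or "private"
    elb_eip: str | None                      # public IP bound to the ELB (steps 2-3)
    cnad_region: str
    protected_ips: list[str] = field(default_factory=list)        # step 7
    listeners: set[tuple[str, int]] = field(default_factory=set)  # (protocol, port)

def check_plan(p: Plan) -> list[str]:
    """Return every constraint or procedure step that the plan violates."""
    problems = []
    if p.elb_region != p.ecs_region:
        problems.append("ELB is not in the same region as the ECS")
    if p.elb_network_type != "public":
        problems.append("ELB network type is not Public network")
    if not p.elb_eip:
        problems.append("no public IP address is bound to the ELB")
    elif p.elb_eip not in p.protected_ips:
        problems.append("ELB public IP is not a protected object")
    if p.cnad_region != p.ecs_region:
        problems.append("CNAD Advanced instance is not in the same region as the ECS")
    return problems

def discarded(p: Plan, flows: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Flows (protocol, destination port) that match no listener and are discarded."""
    return [f for f in flows if f not in p.listeners]

# Constructed sample data: documentation IP range and made-up region names.
plan = Plan("region-a", "region-a", "public", "203.0.113.10", "region-a",
            ["203.0.113.10"], {("TCP", 80), ("TCP", 443)})
# UDP flows stand in for reflected SSDP/NTP/Memcached responses and UDP floods.
flows = [("UDP", 80), ("UDP", 443), ("TCP", 443), ("TCP", 22)]

if __name__ == "__main__":
    print("violations:", check_plan(plan))
    print("discarded (no listener):", discarded(plan, flows))
```

Flows that do match a listener, such as a SYN flood aimed at TCP 443, are not discarded at this stage and are subject to the protection policy configured for the protected object.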